Security Ripcord

Cutaway Security Blog and Projects

Monitor Changes in OS X Using Fslogger-yaml

For the “TL;DR crowd”: fslogger-yaml project page.

The release of EmPyre caused me to start thinking about the Indicators of Compromise (IOC) associated with it being used to interact with a system. The network artifacts, while they do need to be investigated, seem fairly straightforward to me. I am more interested in the system-based IOCs.

Since I’ve been out of the forensic arena for a while, I quickly realized that I have no idea how to track changes to a system running OS X. There are, of course, system logs and Apple System Log (ASL) files. These do provide valuable information, but they do not track everything. I wanted something that would provide me with enough detail to assist in the generation of consistent IOCs.

Volatility OSX 10.8.5_12f37 Analysis Attempt

For the “TL;DR crowd,” there is nothing ground-breaking here. This is just a post to document some of the steps that I took to get back up to speed with memory analysis: a how-to.

The other day I was involved with a situation that involved collecting and analyzing the memory of an Apple system. I have to admit, it has been a while since I’ve collected and analyzed the memory of any system. I was eager to get the memory dump and do a little checking of my own to get back up to speed with the capabilities of tools like Memoryze and Volatility.

The system was a Mac OS X Mountain Lion (10.8) 64-bit system, and therefore memory was collected and analyzed with Memoryze for Mac. It was an easy process and produced the results required to gain an understanding of the system at that moment. A quick check of the system call list, using Memoryze, confirmed the OS version.

Test Post0

This is a test post. We will test links and pictures later.

Go forth and do good things, cutaway