OSXCollector - A Forensic Evidence Collection & Analysis Toolkit For OS X


OSXCollector is a forensic evidence collection & analysis toolkit for OSX.

Forensic Collection
The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases, and the local file system.

Forensic Analysis
Armed with the forensic collection, an analyst can answer questions like:
  • Is this machine infected?
  • How'd that malware get there?
  • How can I prevent and detect further infection?
Yelp automates the analysis of most OSXCollector runs, converting its output into an easily readable and actionable summary of just the suspicious stuff. Check out the OSXCollector Output Filters project to learn how to make the most of the automated OSXCollector output analysis.

Performing Collection
osxcollector.py is a single Python file that runs without any dependencies on a standard OSX machine. This makes it really easy to run collection on any machine - no fussing with brew, pip, config files, or environment variables. Just copy the single file onto the machine and run it:
sudo osxcollector.py is all it takes.
$ sudo osxcollector.py
Wrote 35394 lines.
Output in osxcollect-2014_12_21-08_49_39.tar.gz
If you have just cloned the GitHub repository, osxcollector.py is inside the osxcollector/ directory, so you need to run it as:
$ sudo osxcollector/osxcollector.py
IMPORTANT: please make sure that the python command on your Mac OS X machine uses the default Python interpreter shipped with the system and is not overridden, e.g. by a Python version installed through brew. OSXCollector relies on a couple of native Python bindings for OS X libraries, which might not be available in Python versions other than the one originally installed on your system. Alternatively, you can run osxcollector.py explicitly specifying the Python version you would like to use:
$ sudo /usr/bin/python2.7 osxcollector/osxcollector.py
The JSON output of the collector, along with some helpful files like system logs, is bundled into a .tar.gz for hand-off to an analyst.
osxcollector.py also has a lot of useful options to change how collection works:
  • -i INCIDENT_PREFIX/--id=INCIDENT_PREFIX: Sets an identifier which is used as the prefix of the output file. The default value is osxcollect.
    $ sudo osxcollector.py -i IncontinentSealord
    Wrote 35394 lines.
    Output in IncontinentSealord-2014_12_21-08_49_39.tar.gz
    Get creative with incident names, it makes it easier to laugh through the pain.
  • -p ROOTPATH/--path=ROOTPATH: Sets the path to the root of the filesystem to run collection on. The default value is /. This is great for running collection on the image of a disk.
    $ sudo osxcollector.py -p '/mnt/powned'
  • -s SECTION/--section=SECTION: Runs only a portion of the full collection. Can be specified more than once. The full list of sections and subsections is:
    • version
    • system_info
    • kext
    • startup
      • launch_agents
      • scripting_additions
      • startup_items
      • login_items
    • applications
      • applications
      • install_history
    • quarantines
    • downloads
      • downloads
      • email_downloads
      • old_email_downloads
    • chrome
      • history
      • archived_history
      • cookies
      • login_data
      • top_sites
      • web_data
      • databases
      • local_storage
      • preferences
    • firefox
      • cookies
      • downloads
      • formhistory
      • history
      • signons
      • permissions
      • addons
      • extension
      • content_prefs
      • health_report
      • webapps_store
      • json_files
    • safari
      • downloads
      • history
      • extensions
      • databases
      • localstorage
      • extension_files
    • accounts
      • system_admins
      • system_users
      • social_accounts
      • recent_items
    • mail
    • full_hash
    $ sudo osxcollector.py -s 'startup' -s 'downloads'
  • -c/--collect-cookies: Collect cookies' values. By default OSXCollector does not dump the value of a cookie, as it may contain sensitive information (e.g. a session id).
  • -l/--collect-local-storage: Collect the values stored in web browsers' local storage. By default OSXCollector does not dump the values, as they may contain sensitive information.
  • -d/--debug: Enables verbose output and Python breakpoints. If something is wrong with OSXCollector, try this.
    $ sudo osxcollector.py -d

Details of Collection
The collector outputs a .tar.gz containing all the collected artifacts. The archive contains a JSON file with the bulk of the information. Additionally, a set of useful logs from the target system is included.

Common Keys

Every Record
Each line of the JSON file records one piece of information. There are some common keys that appear in every JSON record:
  • osxcollector_incident_id: A unique ID shared by every record.
  • osxcollector_section: The section or type of data this record holds.
  • osxcollector_subsection: The subsection or more detailed descriptor of the type of data this record holds.

File Records
For records representing files there are a bunch of useful keys:
  • atime: The file accessed time.
  • ctime: The file creation time.
  • mtime: The file modified time.
  • file_path: The absolute path to the file.
  • md5: MD5 hash of the file contents.
  • sha1: SHA1 hash of the file contents.
  • sha2: SHA2 hash of the file contents.
For records representing downloaded files:
  • xattr-wherefrom: A list containing the source and referrer URLs for the downloaded file.
  • xattr-quarantines: A string describing which application downloaded the file.

SQLite Records
For records representing a row of a SQLite database:
  • osxcollector_table_name: The name of the table the row comes from.
  • osxcollector_db_path: The absolute path to the SQLite file.
For records that represent data associated with a specific user:
  • osxcollector_username: The name of the user.

Timestamps
OSXCollector attempts to convert timestamps to human readable date/time strings in the format YYYY-mm-dd hh:MM:ss. It uses heuristics to automatically identify various timestamp formats:
  • seconds since epoch
  • milliseconds since epoch
  • seconds since 2001-01-01
  • seconds since 1601-01-01
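As an added example (not code from the OSXCollector project), the heuristic described above can be implemented as an ordered search over the four candidate bases, accepting the first interpretation that lands in a plausible date window; the window bounds and the candidate order are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Candidate interpretations, in the order the text lists them:
# (label, base date the count starts from, units per second).
CANDIDATES = [
    ("seconds since epoch", datetime(1970, 1, 1, tzinfo=UTC), 1),
    ("milliseconds since epoch", datetime(1970, 1, 1, tzinfo=UTC), 1000),
    ("seconds since 2001-01-01", datetime(2001, 1, 1, tzinfo=UTC), 1),
    ("seconds since 1601-01-01", datetime(1601, 1, 1, tzinfo=UTC), 1),
]
# Assumed plausibility window: inside it the four interpretations do not
# overlap, so the first candidate that lands in the window is unambiguous.
WINDOW_START = datetime(2000, 1, 1, tzinfo=UTC)
WINDOW_END = datetime(2031, 1, 1, tzinfo=UTC)


def guess_timestamp(raw):
    """Return (label, 'YYYY-mm-dd hh:MM:ss') for a raw numeric timestamp,
    or (None, None) when no interpretation is plausible."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return None, None
    if value <= 0:
        return None, None  # zero/negative counts are treated as "unset"
    for label, base, per_second in CANDIDATES:
        try:
            candidate = base + timedelta(seconds=value / per_second)
        except OverflowError:
            continue  # e.g. a millisecond count applied to the 1601 base
        if WINDOW_START <= candidate < WINDOW_END:
            return label, candidate.strftime("%Y-%m-%d %H:%M:%S")
    return None, None


def to_datetime_string(raw):
    """Convenience wrapper returning only the formatted string (or None)."""
    return guess_timestamp(raw)[1]
```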

Sections

version section
The current version of OSXCollector.

system_info section
Collects basic information about the system:
  • system name
  • node name
  • release
  • version
  • machine

kext section
Collects the Kernel extensions from:
  • /System/Library/Extensions
  • /Library/Extensions

startup section
Collects information about the LaunchAgents, LaunchDaemons, ScriptingAdditions, StartupItems and other login items from:
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /Library/LaunchAgents
  • ~/Library/LaunchAgents
  • /Library/LaunchDaemons
  • /System/Library/ScriptingAdditions
  • /Library/ScriptingAdditions
  • /System/Library/StartupItems
  • /Library/StartupItems
  • /Library/Preferences/com.apple.loginitems.plist
More information about Mac OS X startup can be found here: http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf

applications section
Hashes installed applications and gathers install history from:
  • /Applications
  • ~/Applications
  • /Library/Receipts/InstallHistory.plist

quarantines section
Quarantines are basically the information necessary to show the 'Are you sure you wanna run this?' prompt when a user is trying to open a file downloaded from the Internet. For some more details, check out the Apple Support explanation of Quarantines: http://support.apple.com/kb/HT3662
This section also collects information from the XProtect hash-based malware check for quarantined files. The plist is at: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
XProtect also adds minimum versions for Internet Plugins. That plist is at: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

downloads section
Hashes all users' downloaded files from:
  • ~/Downloads
  • ~/Library/Mail Downloads
  • ~/Library/Containers/com.apple.mail/Data/Library/Mail Downloads

chrome section
Collects the following information from the Google Chrome web browser:
  • History
  • Archived History
  • Cookies
  • Extensions
  • Login Data
  • Top Sites
  • Web Data
This information is extracted from ~/Library/Application Support/Google/Chrome/Default

firefox section
Collects information from the different SQLite databases in a Firefox profile:
  • Cookies
  • Downloads
  • Form History
  • History
  • Signons
  • Permissions
  • Addons
  • Extensions
  • Content Preferences
  • Health Report
  • Webapps Store
This information is extracted from ~/Library/Application Support/Firefox/Profiles
For more details about the Firefox profile folder see http://kb.mozillazine.org/Profile_folder_-_Firefox

safari section
Collects information from the different plists and SQLite databases in a Safari profile:
  • Downloads
  • History
  • Extensions
  • Databases
  • Local Storage

accounts section
Collects information near users' accounts:
  • system admins: /private/var/db/dslocal/nodes/Default/groups/admin.plist
  • system users: /private/var/db/dslocal/nodes/Default/users
  • social accounts: ~/Library/Accounts/Accounts3.sqlite
  • users' recent items: ~/Library/Preferences/com.apple.recentitems.plist

mail section
Hashes files in the mail app directories:
  • ~/Library/Mail
  • ~/Library/Mail Downloads

full_hash section
Hashes all the files on disk. All of 'em. This does not run by default. It must be triggered with:
$ sudo osxcollector.py -s full_hash

Basic Manual Analysis
Forensic analysis is a bit of art and a bit of science. Every analyst will see a bit of a different story when reading the output from OSXCollector. That's part of what makes analysis fun.
Generally, collection is performed on a target machine because something is hinky: anti-virus found a file it doesn't like, deep packet inspection observed a callout, endpoint monitoring noticed a new startup item. The details of this initial alert - a file path, a timestamp, a hash, a domain, an IP, etc. - are enough to get going.

Timestamps
Simply grepping a few minutes before and after a timestamp works great:
$ cat INCIDENT32.json | grep '2014-01-01 11:3[2-8]'

Browser History
It's in there. A tool like jq can be very helpful to do some fancy output:
$ cat INCIDENT32.json | grep '2014-01-01 11:3[2-8]' | jq 'select(has("url"))|.url'

A Single User
$ cat INCIDENT32.json | jq 'select(.osxcollector_username=="ivanlei")|.'
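The grep and jq one-liners above can be reproduced over the one-record-per-line JSON format described under Common Keys. This added Python example (not part of the OSXCollector project) filters a constructed three-record sample by timestamp window and by osxcollector_username; the record contents and the INCIDENT32 stand-in are made up for illustration.

```python
import json
import re

# Values in the YYYY-mm-dd hh:MM:ss format sort correctly as plain strings,
# so a time window can be checked with string comparison.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Constructed sample in the one-record-per-line shape of the collector output
# (a stand-in for INCIDENT32.json; every value is made up for this example).
SAMPLE_OUTPUT = "\n".join(json.dumps(r) for r in [
    {"osxcollector_incident_id": "INCIDENT32", "osxcollector_section": "chrome",
     "osxcollector_subsection": "history", "osxcollector_username": "ivanlei",
     "url": "http://example.com/landing", "last_visit_time": "2014-01-01 11:34:10"},
    {"osxcollector_incident_id": "INCIDENT32", "osxcollector_section": "downloads",
     "osxcollector_subsection": "downloads", "osxcollector_username": "ivanlei",
     "file_path": "/Users/ivanlei/Downloads/invoice.pdf", "ctime": "2014-01-01 11:35:02"},
    {"osxcollector_incident_id": "INCIDENT32", "osxcollector_section": "startup",
     "osxcollector_subsection": "launch_agents",
     "file_path": "/Library/LaunchAgents/com.example.agent.plist", "mtime": "2013-12-25 09:00:00"},
])


def load_records(text):
    """Parse JSON-lines output: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_window(record, start, end):
    """True if any timestamp-formatted value of the record lies in [start, end]."""
    return any(isinstance(v, str) and TIMESTAMP_RE.match(v) and start <= v <= end
               for v in record.values())


def records_in_window(records, start, end):
    """Equivalent of grepping the file for a timestamp range."""
    return [r for r in records if in_window(r, start, end)]


def urls_in_window(records, start, end):
    """Equivalent of the grep | jq 'select(has("url"))|.url' pipeline."""
    return [r["url"] for r in records_in_window(records, start, end) if "url" in r]


def records_for_user(records, username):
    """Equivalent of jq 'select(.osxcollector_username=="...")'."""
    return [r for r in records if r.get("osxcollector_username") == username]


def section_counts(records):
    """Per-(section, subsection) record counts: a quick overview before drilling in."""
    counts = {}
    for r in records:
        key = (r["osxcollector_section"], r.get("osxcollector_subsection"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feeding the contents of a real collector JSON file to load_records yields the same record structures these functions operate on.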

Automated Analysis
The OSXCollector Output Filters project contains filters that process and transform the output of OSXCollector. The goal of the filters is to make it easy to analyze OSXCollector output.

Development Tips
The functionality of OSXCollector is stored in a single file: osxcollector.py. The collector should run on a bare install of OS X without any additional packages or dependencies.
Ensure that all of the OSXCollector tests pass before editing the source code. You can run the tests using: make test
After making changes to the source code, run make test again to verify that your changes did not break any of the tests.

License
This work is licensed under the GNU General Public License and is a derivation of https://github.com/jipegit/OSXAuditor

Resources
Want to learn more about OS X forensics?
A couple of other interesting tools:
  • KnockKnock - KnockKnock is a command line Python script that displays persistent OS X binaries that are set to execute automatically at each boot.
  • Grr - Google Rapid Response: remote live forensics for incident response
  • osquery - SQL powered operating system instrumentation, monitoring, and analytics