Mac OS X Live Forensics 102
Hey All! Continuing from the last OS X Live Forensics post, I want to talk about some more Mac specific tricks for when you are performing incident response on a potentially compromised system. Again, these aren't forensically robust techniques, as one of our assumptions is that the machine could be compromised. Also, I won't be covering the basic theory of live response or malware analysis, as there are a lot of great tutorials on that, but rather I will be covering the basic techniques of live response in regards to a Mac OS X operating system.
As we discussed last time, Mac executables are called Mach-O binaries, which can actually hold multi-architecture binaries. For the Mach-O binary analysis, my go-to tool is nm. nm will list all of the symbols for the objects in a binary. For a beautified version of nm, you can use the graphic tool MachOView. Using these tools, you can see all of the functions that the binary imports, and where it pulls them from. Another useful tool is ClassDump, which will generate your header files and display tons of useful information. Sometimes you will see a Mac binary load it's own kernel extension, and reference those functions in it's symbols. Here's a really good overview of reversing Mach-O binaries, which also references tons of tools depending what your trying to accomplish with the binary:
If you want the EZ button, there is the epic tool of MachoViz! This is a web application that does automated analysis and visualization of the binary. If some of the previous stuff was too complicated, this could be a great place to get your feet wet while learning more about Mach-O binaries. The automated security analysis is a good way to get a feeling for which API calls could be malicious. MachoViz will also show you which files are touched / created, as well as network connections. Bottom line is this is a fantastic learning tool!
A good tool for observing file system changes or the actions of a specific process is fseventer. fseventer has a really cool graphical file tree, which is great for tracking and visualizing changes to the file system. This is an invaluable tool for getting a holistic view of the system changes caused during a specific time frame or by a specific process.
Taking a live memory dump can also be extremely useful. Mac OS X has a number of options for this, such as Mac OS X Memory Reader, for versions 10.4 through 10.8, and Mandiant's Mac Memoryze, for versions 10.6 through 10.8. You can then analyze these memory dumps using volatility.
As we discussed last time, Mac executables are called Mach-O binaries, which can actually hold multi-architecture binaries. For the Mach-O binary analysis, my go-to tool is nm. nm will list all of the symbols for the objects in a binary. For a beautified version of nm, you can use the graphic tool MachOView. Using these tools, you can see all of the functions that the binary imports, and where it pulls them from. Another useful tool is ClassDump, which will generate your header files and display tons of useful information. Sometimes you will see a Mac binary load it's own kernel extension, and reference those functions in it's symbols. Here's a really good overview of reversing Mach-O binaries, which also references tons of tools depending what your trying to accomplish with the binary:
If you want the EZ button, there is the epic tool of MachoViz! This is a web application that does automated analysis and visualization of the binary. If some of the previous stuff was too complicated, this could be a great place to get your feet wet while learning more about Mach-O binaries. The automated security analysis is a good way to get a feeling for which API calls could be malicious. MachoViz will also show you which files are touched / created, as well as network connections. Bottom line is this is a fantastic learning tool!
A good tool for observing file system changes or the actions of a specific process is fseventer. fseventer has a really cool graphical file tree, which is great for tracking and visualizing changes to the file system. This is an invaluable tool for getting a holistic view of the system changes caused during a specific time frame or by a specific process.
Taking a live memory dump can also be extremely useful. Mac OS X has a number of options for this, such as Mac OS X Memory Reader, for versions 10.4 through 10.8, and Mandiant's Mac Memoryze, for versions 10.6 through 10.8. You can then analyze these memory dumps using volatility.
