Workshop: An Introduction to macOS Forensics with Open Source Software
Common Information
| Type | Value |
|---|---|
| UUID | 2bfc2dcc-2396-48bf-8801-12308207728e |
| Fingerprint | 3d41f3b0609ac3fa13d2f8a0a2f6fc38c1f25653e1acd099f7996d9e3eaf5435 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | April 20, 2022, 4:51 p.m. |
| Added to db | March 12, 2024, 7:57 p.m. |
| Last updated | Aug. 31, 2024, 5:38 a.m. |
| Headline | Workshop: An Introduction to macOS Forensics with Open Source Software |
| Title | Workshop: An Introduction to macOS Forensics with Open Source Software |
| Detected Hints/Tags/Attributes | 129/4/204 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 14 | cve-2021-30657 |
|
| Details | Domain | 4127 | github.com |
|
| Details | Domain | 36 | www.volexity.com |
|
| Details | Domain | 3 | desktop.app |
|
| Details | Domain | 5 | helper.app |
|
| Details | Domain | 5 | firefox.app |
|
| Details | Domain | 1 | container.app |
|
| Details | Domain | 2 | themittenmac.com |
|
| Details | Domain | 8 | chrome.app |
|
| Details | Domain | 359 | com.apple |
|
| Details | Domain | 2 | com.apple.xpc.launchd.oneshot.0x10000004.google |
|
| Details | Domain | 30 | objective-see.com |
|
| Details | Domain | 2 | netiquette.app |
|
| Details | Domain | 2 | 239.237.117.34.bc.googleusercontent.com |
|
| Details | Domain | 172 | www.crowdstrike.com |
|
| Details | Domain | 46 | jsac.jpcert.or.jp |
|
| Details | Domain | 281 | docs.microsoft.com |
|
| Details | Domain | 3 | knockknock.app |
|
| Details | Domain | 4 | lulu.app |
|
| Details | Domain | 1 | see.lulu.app |
|
| Details | Domain | 6 | com.apple.developer.team |
|
| Details | Domain | 2 | vbg97ub4ta.com |
|
| Details | Domain | 33 | com.apple.security |
|
| Details | Domain | 1373 | twitter.com |
|
| Details | Domain | 2 | aff4containers.cc |
|
| Details | Domain | 8 | autogen.sh |
|
| Details | Domain | 2 | 6hopperscript.tt |
|
| Details | Domain | 2 | script.tt |
|
| Details | Domain | 4 | siri.app |
|
| Details | Domain | 4 | sqlitebrowser.org |
|
| Details | Domain | 7 | stedolan.github.io |
|
| Details | Domain | 16 | process.pid |
|
| Details | Domain | 27 | com.microsoft |
|
| Details | Domain | 3 | autoupdate.app |
|
| Details | Domain | 7 | assistant.app |
|
| Details | Domain | 2 | kkfilter.sh |
|
| Details | Domain | 3 | padawan-4n6.hatenablog.com |
|
| Details | Domain | 16 | installer.app |
|
| Details | Domain | 5 | tinkaotp.app |
|
| Details | Domain | 20 | processmonitor.app |
|
| Details | Domain | 21 | filemonitor.app |
|
| Details | Domain | 55 | process.name |
|
| Details | Domain | 2 | file.process.name |
|
| Details | Domain | 3 | assets.car |
|
| Details | Domain | 1 | mina.it |
|
| Details | Domain | 1 | tinkaotpinstaller.app |
|
| Details | Domain | 4 | cedowens.medium.com |
|
| Details | Domain | 14 | installer.sh |
|
| Details | Domain | 2 | z4so.py |
|
| Details | Domain | 604 | www.trendmicro.com |
|
| Details | Domain | 81 | blog.malwarebytes.com |
|
| Details | Domain | 1 | demo.dmgcom.apple |
|
| Details | Domain | 4 | www.mac4n6.com |
|
| Details | Domain | 3 | blockblock.app |
|
| Details | Domain | 26 | posts.specterops.io |
|
| Details | Domain | 2 | rmdir.sh |
|
| Details | Domain | 1 | 0x220220com.apple |
|
| Details | Domain | 1 | 0x241241com.apple |
|
| Details | Domain | 77 | amazonaws.com |
|
| Details | Domain | 1 | datadisk1s5s1com.apple |
|
| Details | Domain | 5 | eclecticlight.co |
|
| Details | File | 2 | netiquette.html |
|
| Details | File | 2 | jsac2020_7_kobayashi_jp.pdf |
|
| Details | File | 5 | knockknock.html |
|
| Details | File | 2 | kkresults_sample.txt |
|
| Details | File | 5 | com.obj |
|
| Details | File | 2 | developer.sys |
|
| Details | File | 1 | -mus2020.pdf |
|
| Details | File | 2 | revisiond.pl |
|
| Details | File | 2 | evidence.dmg |
|
| Details | File | 1 | nomountevidence.dmg |
|
| Details | File | 2 | mac_apt.py |
|
| Details | File | 2 | data.dmg |
|
| Details | File | 10 | apple.doc |
|
| Details | File | 2 | k.pl |
|
| Details | File | 7 | cache.db |
|
| Details | File | 4 | mac_apt.db |
|
| Details | File | 4 | unifiedlogs.db |
|
| Details | File | 2 | fakeapp.dmg |
|
| Details | File | 2 | procmon_simple.json |
|
| Details | File | 17 | agent.pl |
|
| Details | File | 24 | apple.log |
|
| Details | File | 6 | initems.pl |
|
| Details | File | 5 | store.db |
|
| Details | File | 1 | e.db |
|
| Details | File | 4 | apfs_volumes_xxxx.db |
|
| Details | File | 2 | kkresults.txt |
|
| Details | File | 2 | nsec_conv.py |
|
| Details | File | 36 | datetime.dat |
|
| Details | File | 3 | recentitems.pl |
|
| Details | File | 2 | globalpreferences.pl |
|
| Details | File | 6 | finder.pl |
|
| Details | File | 2 | spotlight.pl |
|
| Details | File | 2 | installhistory.pl |
|
| Details | File | 3 | system_logs.log |
|
| Details | File | 6 | installer.dmg |
|
| Details | File | 6 | tinkaotp.dmg |
|
| Details | File | 2 | tinkaopt.dmg |
|
| Details | File | 2 | mina_procmon.json |
|
| Details | File | 2 | mina_filemon.json |
|
| Details | File | 3 | appstore.db |
|
| Details | File | 52 | hash.txt |
|
| Details | File | 130 | info.pl |
|
| Details | File | 2 | tinkaotp_procmon.json |
|
| Details | File | 2 | tinkaotp_filemon.json |
|
| Details | File | 2 | tinkaotp.png |
|
| Details | File | 11 | history.db |
|
| Details | File | 7 | downloads.pl |
|
| Details | File | 5 | lastsession.pl |
|
| Details | File | 2 | safaritabs.db |
|
| Details | File | 6 | bookmarks.pl |
|
| Details | File | 4 | extensions.pl |
|
| Details | File | 3 | safari.pl |
|
| Details | File | 3 | blog_0x64.html |
|
| Details | File | 2 | z4so.py |
|
| Details | File | 1 | capability.html |
|
| Details | File | 1 | demo.dmg |
|
| Details | File | 1 | amavisd.pl |
|
| Details | File | 1 | devicemgr.pl |
|
| Details | File | 1 | krb_krbtgt.pl |
|
| Details | File | 1 | scsd.pl |
|
| Details | File | 1 | analyticsd.pl |
|
| Details | File | 1 | diskimagesiod.pl |
|
| Details | File | 2 | macforensics.pl |
|
| Details | File | 10 | inwindow.pl |
|
| Details | File | 2 | accounts.pl |
|
| Details | File | 2 | accountsx.sql |
|
| Details | File | 2 | accounts4.sql |
|
| Details | File | 24 | tcc.db |
|
| Details | File | 2 | blockblock.pl |
|
| Details | File | 2 | atrun.pl |
|
| Details | File | 1 | ensions.pl |
|
| Details | File | 1 | afari.pl |
|
| Details | File | 28 | apple.sys |
|
| Details | File | 9 | system.key |
|
| Details | File | 13 | login.key |
|
| Details | File | 4 | netusage.sql |
|
| Details | File | 5 | knowledgec.db |
|
| Details | File | 4 | currentpowerlog.pls |
|
| Details | File | 2 | dd_xxxxxxxx.pl |
|
| Details | File | 2 | qsql.gz |
|
| Details | File | 1 | 8a32.dmg |
|
| Details | File | 28 | 0.tar |
|
| Details | File | 1 | monitor.zip |
|
| Details | File | 1 | book.pdf |
|
| Details | File | 2 | 12.dmg |
|
| Details | File | 1 | 64_langpack_ja.dmg |
|
| Details | File | 1 | 477832_1920.jpg |
|
| Details | File | 1 | 7a112.dmg |
|
| Details | File | 2 | 43_v2.zip |
|
| Details | File | 2 | 4_build_18e226.dmg |
|
| Details | File | 1 | 64.dmg |
|
| Details | File | 1 | 1869398_1920.jpg |
|
| Details | Github username | 9 | velocidex |
|
| Details | Github username | 5 | mnrkbys |
|
| Details | Github username | 2 | sleuthkit |
|
| Details | Github username | 2 | aff4 |
|
| Details | Github username | 6 | ydkhatri |
|
| Details | Github username | 5 | crowdstrike |
|
| Details | Github username | 3 | mac4n6 |
|
| Details | Github username | 4 | n0fate |
|
| Details | md5 | 2 | E140C97A5D60B342D466BBE813971A06 |
|
| Details | md5 | 2 | F05437D510287448325BAC98A1378DE1 |
|
| Details | sha1 | 2 | 8d489231a242131974a307abd5188a3614d265a7 |
|
| Details | sha1 | 3 | fa3deb60b8a2eaa29a7dccf14bee6adae81f442f |
|
| Details | IPv4 | 2 | 239.237.117.34 |
|
| Details | IPv4 | 4 | 192.168.11.2 |
|
| Details | IPv4 | 3 | 34.117.237.239 |
|
| Details | IPv4 | 2 | 0.0.29.3 |
|
| Details | Url | 2 | https://github.com/velocidex/c-aff4/releases/tag/1.0.rc2 |
|
| Details | Url | 2 | https://github.com/velocidex/c-aff4/releases/tag/3.2 |
|
| Details | Url | 2 | https://www.volexity.com/products-overview/surge |
|
| Details | Url | 2 | https://themittenmac.com/the-truetree-concept |
|
| Details | Url | 2 | https://objective-see.com/products/netiquette.html |
|
| Details | Url | 1 | https://www.crowdstrike.com/blog/how-to-leverage-apple-unified- |
|
| Details | Url | 3 | https://github.com/mnrkbys/macosac |
|
| Details | Url | 2 | https://jsac.jpcert.or.jp/archive/2020/pdf/jsac2020_7_kobayashi_jp.pdf |
|
| Details | Url | 5 | https://objective-see.com/products/knockknock.html |
|
| Details | Url | 2 | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns |
|
| Details | Url | 2 | https://twitter.com/unkn0wnbit/status/1254971428606107648 |
|
| Details | Url | 2 | https://github.com/sleuthkit/sleuthkit/pull/1272 |
|
| Details | Url | 2 | https://github.com/aff4/pyaff4 |
|
| Details | Url | 2 | https://github.com/aff4/aff4-cpp-lite |
|
| Details | Url | 60 | https://github.com |
|
| Details | Url | 1 | https://github.com/ydkhatri/presentations/blob/master/macos%20forensics |
|
| Details | Url | 1 | https://github.com/ydkhatri/macos_fe/tree/master/nomou |
|
| Details | Url | 6 | https://github.com/ydkhatri/mac_apt |
|
| Details | Url | 4 | https://github.com/crowdstrike/automactc |
|
| Details | Url | 2 | https://github.com/mac4n6/apollo |
|
| Details | Url | 2 | https://github.com/mnrkbys/dsstoreparser/tree/fix_bug_non-ascii |
|
| Details | Url | 4 | https://github.com/n0fate/chainbreaker |
|
| Details | Url | 1 | https://malware.example/download/fakeapp.dmg2021 |
|
| Details | Url | 3 | https://sqlitebrowser.org |
|
| Details | Url | 6 | https://stedolan.github.io/jq |
|
| Details | Url | 2 | https://padawan-4n6.hatenablog.com/entry/2020/03/15/052607 |
|
| Details | Url | 2 | http://www.2fa.test/download/installer.dmg |
|
| Details | Url | 1 | http://www.2fa.test/download |
|
| Details | Url | 1 | https://cedowens.medium.com/macos-gatekeeper-bypass- |
|
| Details | Url | 3 | https://objective-see.com/blog/blog_0x64.html |
|
| Details | Url | 1 | https://www.trendmicro.com/en_us/research/20/e/new-macos- |
|
| Details | Url | 2 | https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac- |
|
| Details | Url | 1 | https://www.mac4n6.com/blog/2020/6/1/analysis-of-apple-unified-logs- |
|
| Details | Url | 2 | https://posts.specterops.io/are-you-docking-kidding-me-9aa79c24bdc1 |
|
| Details | Url | 2 | https://eclecticlight.co/lockrattler-systhist |