
SynAckJack / macOS-ir

Licence: other
Prototype to collect data and analyse it from a compromised macOS device.

Programming Languages: shell, ruby


macOS-ir

Prototype tool to assist with Incident Response on macOS. Currently supports 10.15.

Please only use the latest release if you really want to give it a shot. Currently in alpha. I would also recommend using the -s flag if you do give it a shot. This skips collecting hashes for all files and reduces the runtime a lot. Gotta flip the logic to make this the default, but time is short right now.

Usage

usage: ./macos-ir.sh [-h | collect | analysis] [-options]

	-h    - Show this message

collect:
	-s    - Skip reading permissions of files and generating hashes.
		  Reduces overall execution time.

	-u    - Copy extracted data to provided USB drive.
		  Provided USB will be erased.

	-d    - Copy extracted data to a disk image.
		  Disk image generated and encrypted using APFS.

	-n    - Transfer collected data to another device using nc.
		  Takes IP and port in format IP Address:Port

analysis:
	-u    - Analyse data stored on an external drive.
		  Provide only USB name.

	-d    - Analyse data stored on a disk image.
		  Provide only disk image path.

	-n    - Receive collected data from nc.
		  Takes only listening port.

	-i    - Install analysis tools.
		  Installs Xcode Tools and a range of other tools that are
		  required for analysis (using Homebrew).

Example:
	Collect and transmit using nc to localhost port 5555:
		./macos-ir.sh collect -n 127.0.0.1:5555
	Receive data using nc:
		./macos-ir.sh analysis -n 5555

	Collect, skipping file hashes, and store on USB:
		./macos-ir.sh collect -s -u myUSB

	Analyse data that was saved to a disk image (quote paths containing spaces):
		./macos-ir.sh analysis -d ~/"Path to folder"/output.dmg

Full Disk Access (FDA) should be granted to Terminal.app on the compromised device before collection is started. This is to allow for collecting some data such as Safari browser history and downloads.

Collection

This tool will collect data from a compromised device. This data includes:

Category: Collected Data
System: Hostname, Software Version, Kernel Information, Uptime, Serial Number
Network: ifconfig Output, ARP Table
Disk: Mounted Disks and Volumes
Security: SIP Status, EFI Integrity, MRT Version, Firewall Status, XProtect Version, Pending Updates, FileVault Status, Firmware Password Status
Application: Installed Applications, Signing Status, Install History, Running Processes, Hash of Executables
User: List of Users, Hidden Files, Login History, Sudo Users
File: File Permissions, File Paths, Created/Modified/Accessed Dates Per File
Launch: Cron Jobs, System and User Launch Agents and Daemons
Browser: History and Downloads for Safari, Firefox and Chrome

To collect the data, no additional tools need to be installed. If the Xcode CLI Tools are present, stapler is used to check notarization of applications. If they aren't installed, the notarization check is simply skipped and everything else is still collected.

Extraction

Data can be saved in one of the following methods:

  • Save to local disk image (-d)
  • Save to USB drive (-u)
  • Transfer over the network using netcat (-n)

It should be noted that when transferring over the network, the other device should execute the script with analysis -n (listening on the chosen port); this receives and handles the data.

Analysis

Before analysis begins, tools need to be installed. These are installed using Homebrew with the Brewfile in this repository. The Xcode Command Line Tools are also installed using xcode-select.

The aim of the analysis is to handle all of the data and analyse it. The data is then output to PDF files using wkhtmltopdf.

These files aren't meant to give the answer as to what the incident is (i.e. "it is this malware"). They are merely an aid to narrow it down. This is still under development, and at a later date it can ideally be used to go into further detail and attempt to identify the malware.

Feedback

Feedback is certainly welcome. If you have any issues or suggestions, feel free to let me know. I kinda suck at bash and this definitely isn't as efficient as it could be (working on it), but yeah. If you have any issues then please feel free to create one, a template has been created.

Work In Progress (WIP)

During development, the wip branch is used. The current build status for this branch is reflected in the badge above.

Things I Wanna Add

Check this issue #1 for a list of things I'm wanting to work on/add
