MacOS DFIR Commands

Dumping Memory

Tools: OSXPMem, MacPmem

sudo kextload MacPmem.kext
sudo dd if=/dev/pmem of=memorydump.raw

Live Mac IR / Triage

System Information

date
sw_vers
uname -a
hostname
cat /System/Library/CoreServices/SystemVersion.plist
cat /private/var/log/daily.out
cat /Library/Preferences/.GlobalPreferences.plist

Network Connections

netstat -an
netstat -anf inet
lsof -i

Routing Table

netstat -rn

Network Information

arp -an
ndp -an
ifconfig

Open Files

lsof

File System Usage

sudo fs_usage
sudo fs_usage <process>
sudo fs_usage -f network
sudo fs_usage <PID>

Bash History

cat ~/.bash_history
history

User Logins

who -a
w
last

Running Processes

ps aux

System Profiler

system_profiler -xml -detaillevel full > systemprofiler.spx

Persistent Locations

./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere > /path/to/some/file.json

XPC Services

ls /Applications/<application>.app/Contents/XPCServices/
cat /Applications/<application>.app/Contents/XPCServices/*.xpc/Contents/Info.plist
ls /System/Library/XPCServices/

Launch Agents & Launch Daemons

ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/
ls /System/Library/LaunchDaemons/
ls /Library/LaunchDaemons/
ls /Users/*/Library/LaunchAgents/
ls /Users/*/Library/LaunchDaemons/

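Listing the launchd directories above only shows file names; the next step in triage is reading each job's Label, program and start conditions, which `cat` cannot do for binary plists. The following Python script is an added example (not from the original page or any tool it names): it parses every plist in those directories with the standard library and flags traits that merit a closer look. The directory list, flag heuristics and the sample plist are the example's own assumptions.

```python
import plistlib
from pathlib import Path

# Directories from the Launch Agents & Launch Daemons section (per-user dirs can be added).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
]
# World- or user-writable locations that a vendor-installed job rarely points into.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

def summarize_job(data: bytes) -> dict:
    """Reduce a launchd plist (XML or binary) to the fields that matter for triage."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    return {
        "label": job.get("Label", "<no Label>"),
        "program": program,
        "args": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either means launchd respawns it.
        "keep_alive": bool(job.get("KeepAlive", False)),
    }

def triage_flags(summary: dict) -> list:
    """Heuristic flags (assumptions of this example, not a signature set)."""
    flags = []
    candidates = [summary["program"] or "", *summary["args"]]
    if any(c.startswith(SUSPECT_PREFIXES) for c in candidates):
        flags.append("program or argument in temp/shared location")
    if any(a in ("-c", "-e") for a in summary["args"][1:]):
        flags.append("inline script passed to interpreter")
    if summary["run_at_load"] and summary["keep_alive"]:
        flags.append("starts at load and respawns")
    return flags

def scan_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Summarize every .plist under the given directories; unreadable or malformed files are skipped."""
    results = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):
            try:
                s = summarize_job(p.read_bytes())
            except Exception:  # unreadable file, bad XML, or non-plist content
                continue
            s["path"], s["flags"] = str(p), triage_flags(s)
            results.append(s)
    return results

# Constructed sample (not taken from a real host): a job that trips all three heuristics.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/private/tmp/.u/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
```

Run it on a live host with `python3 triage_launchd.py` after adding a loop that prints `scan_dirs()`; jobs with a non-empty `flags` list are the ones to inspect first, not automatically malicious.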
LoginItems

cat ~/Library/Preferences/com.apple.loginitems.plist
ls /Applications/<application>.app/Contents/Library/LoginItems/

Disable Persistent Launch Daemon

sudo launchctl unload -w /Library/LaunchDaemons/<name>.plist
sudo launchctl stop <label>

Web Browsing Preferences

cat ~/Library/Preferences/com.apple.Safari.plist
ls ~/Library/"Application Support"/Google/Chrome/Default/Preferences
ls ~/Library/"Application Support"/Firefox/Profiles/********.default/prefs.js

Safari Internet History

cat ~/Library/Safari/Downloads.plist
cat ~/Library/Safari/History.plist
cat ~/Library/Safari/LastSession.plist
ls ~/Library/Caches/com.apple.Safari/"Webpage Previews"/
sqlite3 ~/Library/Caches/com.apple.Safari/Cache.db

Chrome Internet History

ls ~/Library/"Application Support"/Google/Chrome/Default/History
ls ~/Library/Caches/Google/Chrome/Default/Cache/
ls ~/Library/Caches/Google/Chrome/Default/"Media Cache"/

Firefox Internet History

sqlite3 ~/Library/"Application Support"/Firefox/Profiles/********.default/places.sqlite
sqlite3 ~/Library/"Application Support"/Firefox/Profiles/********.default/downloads.sqlite
sqlite3 ~/Library/"Application Support"/Firefox/Profiles/********.default/formhistory.sqlite
ls ~/Library/Caches/Firefox/Profiles/********.default/Cache

Apple Email

cat ~/Library/Mail/V2/MailData/Accounts.plist
ls ~/Library/Mail/V2/
ls ~/Library/"Mail Downloads"/
ls ~/Downloads
cat ~/Library/Mail/V2/MailData/OpenAttachments.plist

Temporary / Cached

ls /tmp
ls /var/tmp
ls /Users/<user>/Library/Caches/Java/tmp
ls /Users/<user>/Library/Caches/Java/cache
open "/Applications/Utilities/Java Preferences.app"

System and Audit Logs

ls /private/var/log/asl/
ls /private/var/audit/
cat /private/var/log/appfirewall.log
ls ~/Library/Logs
ls /Library/"Application Support"/<app>
ls /Applications/
ls /Library/Logs/

Specific Log Analysis

bzcat system.log.1.bz2 system.log.0.bz2 >> system_all.log
cat system.log >> system_all.log
syslog -f <file>
syslog -T utc -F raw -d /private/var/log/asl
syslog -d /private/var/log/asl
praudit -xn /var/audit/*
sudo log collect
log show
log stream

Files Quarantined

ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents

User Accounts / Password Shadows

ls /private/var/db/dslocal/nodes/Default/users/
ls /private/var/db/shadow/<User GUID>

Pluggable Authentication Modules (PAM)

cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/

File Fingerprinting/Reversing

file <filename>
xxd <filename>
nm -arch x86_64 <filename>
otool -L <filename>
sudo vmmap <pid>
sudo lsof -p <pid>
xattr -xl <file>

Connected Disks and Partitions

diskutil list
diskutil info <disk>
diskutil cs list
diskutil ap list
gpt -r show <disk>
gpt -r show -l <disk>

Disk File Image Information

hdiutil imageinfo <image>.dmg

User Keychain Information

security list-keychains
security dump-keychains -d <keychain>

Spotlight Metadata

mdimport -X
mdimport -A
mdls <file>