dfm covers
 
 

Operational Forensics and the Mac

Operational Forensics and the Mac 

Anthony Kokocinski writes


Mac OS X Network Primer

With the constant changes in network security design and analysis, it is often important to know what is normal traffic and what is malicious lateral movement.  Here, we will visit some of the more common Mac OS X networking technologies that can be seen on a local subnet.


The news media provides a constant stream of data breaches, network compromises, information leaks, and malicious code outbreaks.  To make sense of it all, company officers and shareholders are looking to outside computer specialists and internal IT staff. No company wants to be the one to find out about their internal affairs through outside news sources.  Corporate leaders feel that their internal IT groups should be able to provide proper network security services.  When they can't, the money to pay for outside services is rarely available.  This situation creates a murky field for those who practice in any network security capacity.  Some of the biggest issues arise from lateral movement on the network computers gaining access to other computers for purposes of data gathering before exfiltration from a network.  This movement eludes some sensors and confuses some analysts.


Apple's OS X often provides challenges to even seasoned computer forensic analysts. Many of these analysts can glean data that is readily provided by the tool that they are using, #mce_temp_url#but they cannot go beyond the limits of their tool. When faced with an OS X device on a network, many analysts shy away completely.  The reason for this could be unfamiliarity of network protocols, or dismissal based upon target volume versus level of effort.  Macintosh computers are being encountered more often in enterprise networks and cannot be dismissed as easily as they were five years ago.


About the same time that widespread automated attacks became rampant through Windows™ centric networks, OS X’s stability and popularity caused a shift that pushed people toward diversifying their network with a few Apple machines here and there. This creates a varied network footprint, which is by nature more resilient to automated attacks, but it becomes a small headache for network administrators.  This headache is passed along to forensic analysts trying to determine malevolent traffic on a network consisting of thousands of nodes decentralized against multiple geographic locations, often with their own point of egress outside of the network.


Read more on this subject - and more on Apple forensics within Issue 6 of DFM - out now - subscribe today!


 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Noemi Kuncik

Noemi Kuncik is an IT Forensics Specialist at Grant Thornton

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 38 on sale from February 2019:


Crowd Sourcing Digital Evidence The Risk v The Reward

All digital devices used today can be considered as a potential source for digital evidence. Andrew Ryan investigates the current state in the art of crowd sourced digital evidence. Read More »

Recovery of Forensic Artifacts from Deleted Jump-List in Windows 10

Jump-Lists are widely discussed in forensics community since the release of Windows 7 and are having more capabilities to reveal forensics artifacts in Windows 10. Read More »

Subscribe today


Operacion Bitcoin

The article is an actual case study of an Interpol investigation carried out in association with CertUY that has been ongoing for some months. It is written by the first hacker sent to prison in Uruguay who is currently out on bail pending sentencing. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue