Incident Response

Our first entry in this section is about “Trusted Utilities”. Let’s begin with a scenario. Imagine you are responding to a Macintosh-based system that has been corrupted by malware or compromised by an outsider. The tools you would normally use on that system can no longer be trusted. A malicious intruder can leave behind not only the intrusion itself but also altered system executables, replaced in the belief that a responder will use them to discover his or her identity. A “Trusted Utilities” disk is a way to begin minimizing the effect of a corrupted system by bringing in a set of known tools with a known execution path and known results. With compromised systems, we sometimes have to choose between an immediate shutdown and leaving the system online to gather volatile data that can and will be lost by powering off. Shutting down a system certainly offers us the ability to examine it with another system entirely, which is safe, secure, and will generate well-known results. Choosing the shutdown route, however, also causes the system to purge live, volatile data that simply cannot be gathered at a later point in time.

As the first step of this section, please download the Trusted Utilities Disk image I have supplied in my Files section. This Disk Image contains a skeleton of what your Trusted Utilities Disk should look like. It also contains an Applescript to get you started on collecting volatile information from a running Macintosh system when you first arrive. I recommend you read the Read Me file to understand how the script works and how you can easily tailor it to your needs (and you will want to customize it!).

Creating the Trusted Utilities Disk
  1. Disk: The creation of the Trusted Utilities Disk does not begin and end with the download of my Disk Image file. In fact, you have not actually created your disk yet. You need a physical disk of your own for starters. I suggest at least a 4GB flash drive as a minimum starting point for a Trusted Utilities Disk. This will give you some room to play. Your best bet is a USB-connected hard drive; choose whatever size you like. This gives you not only a nice-sized storage medium for your utilities, but also adequate room for live evidence collection.
  2. Format: Once you have the USB flash or hard drive of your choice, you need to format it. Use Disk Utility and format the drive as MacOS Extended. I chose No Journaling on purpose for this drive, as I usually do not enable journaling on my evidence collection drives.
  3. Structure: After the format has completed, we need a folder structure to save our tools, as well as our collected information, into. This is where my sample Trusted Utilities Disk comes in handy. Copy the contents of the Disk Image to your Trusted Utilities Disk and you are well on your way!
  4. Tools: Now we need to populate the Trusted Utilities Disk with the tools that will be run at the scene of the incident! Do you think you will want to get the system Date & Time? If so, copy the system executable /bin/date to the folder Trusted_BIN, for instance. Maybe you would like to run the command line tool ‘system_profiler’ as seen in the supplied Applescript. If so, copy /usr/sbin/system_profiler to the Trusted_SBIN folder. Maybe you are asking yourself at this point, why don’t we just copy the entire /bin, /sbin, /usr/sbin, etc.? You can! It’s your Trusted Utilities Disk. Build it the way you want. Copy utilities from the /Applications/Utilities folder to the GUI Utilities folder as well. These are just suggestions for you to build upon in making your response environment.
  5. Reporting: Collection of the volatile information needs to be done with order, organization, and well-named files. You will see the start of this with the folder named ‘Collected_Reports’. Output from the Applescript should be directed here, as should output from other scripts you execute at the command line. Screen captures you take during your data gathering should be saved here also. Remember, order and organization are important, but poorly named files will lead to data captures that become meaningless once you walk away! I suggest being verbose in your file names. Something like ‘Screen Capture 1.tiff’ will not help you decipher what you were taking a picture of later that day. Naming that same picture ‘Username_BadGuy_OpenFinderWindow_1.tiff’ begins to better describe why you took that screen shot.

Using the Trusted Utilities Disk