Fulco edited this page Sep 13, 2024 · 2 revisions

BlueMacTriage Wiki

Welcome to the BlueMacTriage wiki! This project contains a comprehensive Mac forensics triage bash script, macTriage.sh, designed for Intel-based Macs. The script helps gather essential forensic data from a suspect system, aiding in initial forensic investigations.

Introduction

In the realm of incident response and digital forensics, timely and comprehensive data collection is crucial. This script automates the process of gathering essential forensic data from macOS systems, aiding investigators in analyzing system states, user activities, network configurations, and more.

Features

  • Collects detailed system, hardware, and network information.
  • Gathers user and group details, including per-user information.
  • Retrieves running processes and open network connections.
  • Captures installed applications and system logs.
  • Collects browser history from Safari, Chrome, and Firefox for all users.
  • Gathers persistence mechanisms like launch agents and cron jobs.
  • Retrieves detailed network configurations, including DNS and proxy settings.
  • Collects disk usage and disk information.
  • Captures security settings like SIP, FileVault, and Gatekeeper statuses.
  • Captures clipboard data (if available).
  • Hashes important binaries and system files for integrity verification.
  • Implements robust error handling and logs any issues encountered.
  • Compresses collected data into a zip archive for easy transfer.

Prerequisites

  • Root Privileges: The script must be run as the root user to access all necessary files and commands.
  • Bash Shell: The script is written in Bash and requires a Bash-compatible shell.
  • Required Commands: The script uses several built-in macOS commands. While most are standard, ensure the following are available:
    • system_profiler
    • dscl
    • ps
    • lsof (optional)
    • netstat
    • ifconfig
    • scutil
    • diskutil
    • csrutil
    • fdesetup
    • spctl
    • pbpaste (optional)
    • md5
    • zip

Usage

  1. Download the Script:

    Clone the repository or download the script directly.

    git clone https://github.com/your-repo/mac-forensic-triage.git
  2. Navigate to the Script Directory:

    cd mac-forensic-triage
  3. Make the Script Executable:

    chmod +x mac_forensic_triage.sh
  4. Run the Script as Root:

    sudo ./mac_forensic_triage.sh
  5. Monitor Execution:

    • The script outputs progress to the console.
    • Errors are logged to an error.log file in the output directory.
  6. Retrieve Collected Data:

    • Upon completion, the script saves all collected data in a timestamped directory under /tmp and creates a zip archive in the user's home directory.

Script Overview

System Information Collection

  • System Profiler Data: Collects software, hardware, and network data using system_profiler.
  • Kernel Information: Captures kernel details with uname -a.

User Information Collection

  • User List: Retrieves a list of all users using dscl.
  • Group List: Retrieves all groups.
  • Per-User Details: Reads detailed information for each user.
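The user enumeration described above, written out as an added example (this is not code from macTriage.sh): the account list comes from dscl on macOS, service accounts whose names start with an underscore are dropped, and each remaining user is only kept when a home directory actually exists, so per-user collection never runs against a missing path. The function names list_users, filter_real_users and users_with_home, the HOME_BASE override, and the constructed fallback account list used on non-macOS hosts are all assumptions made for this example.

```shell
# Added example, not the project's own script.

# Raw account list. On macOS this is `dscl . -list /Users`; on a host without
# dscl a constructed sample list is printed instead so the pipeline still runs.
list_users() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users
    else
        # Constructed sample (assumption): not output captured from a real Mac.
        printf '%s\n' _mbsetupuser _spotlight daemon nobody root alice bob
    fi
}

# Keep only human accounts: macOS service accounts all begin with "_".
filter_real_users() {
    grep -v '^_'
}

# Resolve each username to a home directory and print "user<TAB>home" only
# when that directory exists. Built-ins such as root, daemon and nobody have
# homes outside /Users, so they fall away here as well. HOME_BASE can be
# overridden (assumption) to point at a mounted image or a test tree.
users_with_home() {
    base="${HOME_BASE:-/Users}"
    while IFS= read -r user; do
        if [ -d "$base/$user" ]; then
            printf '%s\t%s\n' "$user" "$base/$user"
        fi
    done
}

# Usage in a triage script:
#   list_users | filter_real_users | users_with_home | while IFS="$(printf '\t')" read -r u h; do
#       echo "collecting for $u in $h"
#   done
```

Because the home check runs against a base directory rather than the live system, the same pipeline works unchanged against a mounted disk image of the suspect Mac by pointing HOME_BASE at its Users folder.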

Process and Network Information Collection

  • Running Processes: Captures all running processes with ps aux.
  • Open Files: Lists open files using lsof (if available).
  • Network Connections: Captures active network connections with netstat -an.

Installed Applications Collection

  • Applications Directory: Lists all applications in /Applications.

System Logs Collection

  • Critical Logs: Copies important system logs, including system, kernel, install, firewall, and secure logs.

Browser History Collection

  • All Users: Loops over all user accounts to collect browser history.
  • Safari, Chrome, Firefox: Copies relevant directories from user libraries.

Persistence Mechanisms Collection

  • Launch Daemons and Agents: Lists contents of /Library/LaunchDaemons and /Library/LaunchAgents.
  • Cron Jobs: Retrieves user crontab entries and lists cron directories.

Network Configurations Collection

  • Interface Configurations: Captures network interface details with ifconfig -a.
  • DNS and Proxy Settings: Retrieves DNS and proxy configurations using scutil.

Disk and File System Information Collection

  • Disk Usage: Captures disk usage statistics with df -h.
  • Disk List and Info: Lists all disks and detailed information using diskutil.

Security Settings Collection

  • System Integrity Protection (SIP): Checks SIP status with csrutil status.
  • FileVault: Checks FileVault encryption status with fdesetup status.
  • Gatekeeper: Retrieves Gatekeeper status with spctl --status.

Clipboard Data Capture

  • Clipboard Content: Captures current clipboard data using pbpaste (if available).

Binary Hashing

  • Hashing System Binaries: Computes MD5 hashes for binaries in /bin, /sbin, /usr/bin, and /usr/sbin.
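The single-command hashing pass described above, as an added example rather than the project's own code: one find(1) invocation walks all four binary directories, batches files into as few hash invocations as possible, discards per-file errors as the script does, and sorts the listing so two runs can be diffed. The function names hash_tree, hash_count and md5_tool, and the md5sum fallback for hosts that lack the macOS md5 command, are assumptions made for this example.

```shell
# Added example, not the project's own script.

# Pick the MD5 tool present on this host: macOS ships `md5`, Linux `md5sum`
# (the fallback is an assumption for running this example off-Mac).
md5_tool() {
    if command -v md5 >/dev/null 2>&1; then
        echo md5
    elif command -v md5sum >/dev/null 2>&1; then
        echo md5sum
    else
        return 1
    fi
}

# hash_tree OUTFILE DIR... : one find(1) pass over every DIR, hashing regular
# files in batches (-exec ... +). Unreadable files and dangling symlinks are
# skipped silently (stderr discarded), matching the script's behaviour of
# suppressing hashing errors so they do not clutter error.log. The listing is
# sorted so that baselines from two hosts line up for comparison.
hash_tree() {
    out="$1"
    shift
    tool="$(md5_tool)" || { echo "no MD5 tool available" >&2; return 1; }
    find "$@" -type f -exec "$tool" {} + 2>/dev/null | sort > "$out"
}

# Number of hashed files in a listing (one line per file for both md5 formats).
hash_count() {
    wc -l < "$1" | tr -d ' '
}

# Usage as in the triage script (run as root so every file is readable):
#   hash_tree "$OUTPUT_DIR/binary_hashes.txt" /bin /sbin /usr/bin /usr/sbin
```

Comparing the resulting listing against one taken from a known-good Mac of the same macOS build is the practical use: a binary in /usr/bin whose hash differs from the baseline is the first thing to look at.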

Error Handling

  • Error Log: All errors encountered during execution are recorded in an error.log file within the output directory.
  • Command Availability Checks: The script checks if critical commands are available before executing them.
  • File and Directory Checks: Verifies the existence of files and directories before attempting to access them.
  • User Existence Checks: Confirms user home directories exist before collecting user-specific data.
  • Final Error Notification: Informs the user if any errors were encountered during execution.

Output

  • Output Directory: All collected data is stored in a timestamped directory under /tmp, e.g., /tmp/mac_forensics_YYYYMMDD_HHMMSS.
  • Error Log: An error.log file in the output directory contains any errors that occurred.
  • Compressed Archive: A zip archive of the output directory is saved in the user's home directory, e.g., ~/mac_forensics_YYYYMMDD_HHMMSS.zip.

Cleanup

  • Automatic Cleanup: After successful zipping, the script removes the temporary output directory to save space.
  • Failure Handling: If the zip archive creation fails, the script retains the output directory for inspection.
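The error-handling, output and cleanup behaviour described in the three sections above (error.log inside the output directory, a log_error function built on tee -a, command and file checks before use, a timestamped directory under /tmp, a zip archive in the home directory, and removal of the directory only when zipping succeeded), written out as one added example. This is not code from macTriage.sh; the function names init_output, log_error, require_cmd, collect, package_output and report_errors, and the optional root and archive-directory arguments, are assumptions made for this example.

```shell
# Added example, not the project's own script.

ERROR_COUNT=0

# init_output [ROOT] : create the timestamped output directory (default under
# /tmp) and an empty error.log inside it.
init_output() {
    OUTPUT_ROOT="${1:-/tmp}"
    OUTPUT_DIR="$OUTPUT_ROOT/mac_forensics_$(date +%Y%m%d_%H%M%S)"
    ERROR_LOG="$OUTPUT_DIR/error.log"
    ERROR_COUNT=0
    mkdir -p "$OUTPUT_DIR" && : > "$ERROR_LOG"
}

# Print the message on the console (stderr) and append it to error.log.
log_error() {
    ERROR_COUNT=$((ERROR_COUNT + 1))
    printf '[%s] ERROR: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$ERROR_LOG" >&2
}

# require_cmd NAME : succeed if NAME is on PATH, otherwise log it and fail so
# the caller can skip that one collection step instead of aborting the run.
require_cmd() {
    command -v "$1" >/dev/null 2>&1 && return 0
    log_error "required command not found: $1"
    return 1
}

# collect OUTFILE CMD... : run one collection command, keep its stdout in
# OUTFILE inside the output directory, and route its stderr and any non-zero
# exit into the error log.
collect() {
    out="$1"
    shift
    require_cmd "$1" || return 1
    if ! "$@" > "$OUTPUT_DIR/$out" 2>> "$ERROR_LOG"; then
        log_error "'$*' exited non-zero (see $out)"
        return 1
    fi
}

# package_output [ARCHIVE_DIR] : zip the output directory (default into $HOME),
# remove the directory only on success, keep it for inspection otherwise.
# Prints the archive path on success.
package_output() {
    dir="$(cd "${1:-$HOME}" 2>/dev/null && pwd)" || {
        log_error "archive directory missing: ${1:-$HOME}"
        return 1
    }
    archive="$dir/$(basename "$OUTPUT_DIR").zip"
    require_cmd zip || return 1
    if (cd "$OUTPUT_ROOT" && zip -rq "$archive" "$(basename "$OUTPUT_DIR")"); then
        rm -rf "$OUTPUT_DIR"
        echo "$archive"
    else
        log_error "zip failed; output retained in $OUTPUT_DIR"
        return 1
    fi
}

# Final notification: tell the operator whether anything went wrong.
report_errors() {
    if [ "$ERROR_COUNT" -gt 0 ]; then
        echo "Completed with $ERROR_COUNT error(s); see error.log in the archive." >&2
        return 1
    fi
    echo "Completed without errors."
}

# Typical flow (run as root on the suspect Mac):
#   init_output
#   collect uname.txt uname -a
#   collect processes.txt ps aux
#   collect open_files.txt lsof      # logged and skipped if lsof is missing
#   package_output && report_errors
```

Keeping error.log inside the output directory means it travels with the evidence in the zip, and a run in which zip itself fails still leaves both the data and the log in place under /tmp.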

Changes and Optimizations

  1. Error Handling Enhancements:

    • Implemented an ERROR_LOG to capture all errors.
    • Introduced a log_error function for consistent error reporting.
    • Redirected command errors to the error log.
  2. User Data Collection Improvements:

    • Modified the script to collect data for all users, not just the current user.
    • Excluded system users by filtering out usernames starting with an underscore.
  3. Command Availability Checks:

    • Added checks to ensure commands like lsof and pbpaste are available.
    • Logged appropriate error messages if commands are missing.
  4. File and Directory Validation:

    • Checked for the existence of files and directories before accessing them.
    • Logged errors when expected files or directories are not found.
  5. Optimized Hashing Process:

    • Combined hashing of binaries into a single command for efficiency.
    • Suppressed errors during hashing to avoid cluttering logs.
  6. Logging Enhancements:

    • Used tee -a in the log_error function to display errors on the console and write them to the log.
    • Suppressed unnecessary output from the zip command.
  7. Script Maintenance:

    • Improved code readability with consistent formatting.
    • Updated the script version to reflect changes.

Contributing

Contributions are welcome! Please follow these steps:

  1. Fork the Repository: Click on the 'Fork' button to create your own copy.

  2. Clone the Fork:

    git clone https://github.com/your-username/mac-forensic-triage.git
  3. Create a New Branch:

    git checkout -b feature/your-feature-name
  4. Make Changes: Implement your enhancements or fixes.

  5. Commit Changes:

    git commit -am 'Add new feature'
  6. Push to the Branch:

    git push origin feature/your-feature-name
  7. Submit a Pull Request: Open a pull request to merge your changes into the main repository.

License

This project is licensed under the MIT License - see the LICENSE file for details.