OSXCollector: Automated forensic evidence collection & analysis for OS X

Presented at BruCON 0x07 (2015), Oct. 8, 2015, noon (60 minutes).

We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host based detectors will tell us about known malware infestations or weird new startup items. Network based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “I think I have like Stuxnet or conficker or something on my laptop.” When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector. OSXCollector (https://github.com/Yelp/OSXCollector) is an open source forensic evidence collection and analysis toolkit for OS X. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) our crack team of responders had been doing manually.

Presenters:

  • Kuba Sendor - Yelp
    Kuba Sendor (@jsendor) is working at Yelp security team where he automates malware incident response and together with his teammates makes sure that Yelp's infrastructure stays secure. Previously he worked at SAP in the Security and Trust research group where he participated in the initiatives related to access control and privacy in the digital world. He holds double MSc degree in Computer Science from AGH University of Science and Technology in Krakow, Poland and Telecom ParisTech/Institut Eurecom in Sophia Antipolis, France. In his free time he likes to cycle uphill and travel around the world or just back home, to Poland.

Links:

Similar Presentations: