Finding Waldo: Leveraging the Apple Unified Log for Incident Response

Presented at Objective by the Sea version 3.0 (2020), March 13, 2020, 10:10 a.m. (50 minutes)

As of macOS 10.12 Sierra, incident responders can turn to a new endpoint log source for answers: the Apple Unified Log (AUL). This new log format, standardized across the Apple ecosystem, is both a blessing and a curse for responders. While it boasts longer retention times and contains a tremendous amount of data, the volume and level of granularity can quickly become overwhelming. Hunting for useful entries in the AUL is like scouring the pages of a children's book, trying to find Waldo in crowds of similar faces. In this talk, we will teach you how to capture the AUL from macOS forensic images and live systems, briefly compare the AUL to older logging formats, and highlight key artifacts that can provide answers, leads, and quick wins. You'll learn how we leverage the AUL for our incident response investigations, based on real cases we've worked where it's been essential for our analysis. By the end, you'll come away with the skills you need to dive into the Apple Unified Log efficiently in your own environment - and find Waldo faster.


Presenters:

  • Jai Musunuri - Principal Consultant at CrowdStrike Services
    Jai is a Principal Consultant at CrowdStrike Services, investigating complex intrusions at Fortune 500 companies and providing proactive services to stop the next breach from happening. He primarily examines Mac and mobile devices, but is still fond of his Linux and Windows investigations. Jai applies his background in systems engineering to help organizations develop better security postures and recover from security crises more efficiently. When he’s not dismantling the phones and laptops he uses for forensics research, you can find Jai traveling the world looking for the best kale smoothie.
  • Erik Martin - Associate Consultant at CrowdStrike Services
    Erik Martin is an Associate Consultant with CrowdStrike Services, who focuses on incident response, while also assisting with proactive work. He has performed a variety of incident response investigations focused on Windows and Mac environments. When he is not engaged with client work, Erik helps maintain and develop CrowdStrike's open source Mac triage tool, AutoMacTC. Erik often finds his background in computer engineering helpful, especially when deep-diving into disk forensics or developing software tools. Erik is based in southern California and enjoys spending time hiking in the mountains, tinkering with electronics, and playing Call of Duty.