
BSidesSF 2015 - OSXCollector: Forensic Collection and Automated Analysis for OS X (Ivan Leichtling)

BSidesSF · 2015 · 43:26 · Published 2023-12
Category: Technical
Style: Talk
About this talk

OSXCollector: Forensic Collection and Automated Analysis for OS X
Ivan Leichtling

OSXCollector is an open source forensic evidence collection and analysis toolkit for OS X. It automates the painful parts of forensic evidence collection and analysis that incident responders traditionally perform manually. #dfir #mac4n6

https://bsidessf2015.sched.com/event/2t10/osxcollector-forensic-collection-and-automated-analysis-for-os-x
Transcript [en]

I'll try right here, right in my face. All right, let's do it. So OSXCollector is an automated forensics evidence collection and analysis toolkit for OS X. Brief synopsis of what we're going to talk about: who am I, what was the problem I was solving, details on forensics collection and analysis, and then the part where you all applaud wildly. Early applause, love it.

So this is me. My job: I work at Yelp managing our security team, so it's a mix of application security, security infrastructure, incident detection and response. In the past I've worked managing Yelp's mobile applications development team and our internationalization team, and in the way-back past I wrote stuff like RDP and Xbox 360 stuff at Microsoft. I haven't seen a Windows machine in years, so it must be in use somewhere, but not here.

But really my job is protecting this. Yelp's a pretty big corporation nowadays: we have employees in 29 countries, we have millions and millions of people using our web apps and our mobile apps. My PR team tells me I have to show this slide so that you understand that you should go apply for a job there. That's not what I'm really here to tell you. If you look at that and say, okay, how do I want to defend that, how do I want to defend all of those employees that make that happen, that's a little bit about what we're talking about, and it kind of sets the scale: when we say "hey, let's not have malware," we're saying let's not have malware in 29 countries, with all the employees it takes to do millions of clicks and things. So it's an interesting challenge. There's a bunch of other people here from the Yelp team who are working with me and have done work on this project.

So yeah, the problem: defending against malware. This is your typical diagram of a corporate network as far as I'm concerned. It's like, cool, corporate network, look at it. Do you know what's going on? Me neither. Cool. And then there's the security view of your corporate network: it's pew pew pew everywhere, there's fires burning up, what's that DNS thing going on, and why do they have that kernel extension, and [ __ ] there's malware again, and look at that new account, what's going on, why are they calling out? Great, cool, swell. And it's now our job to say, don't worry about it, we got it handled, it's cool, we'll take care of it.

So this is our sort of view of the world, and we came from this view of the world and we said, hey, I notice a lot of malware. Seems like OS X has got some malware. Not everybody's convinced OS X has malware. Last time I gave this talk some guy was like, "cool, you're going to talk about OS X and malware, I wonder if there's malware on OS X, you think so?" OS X has [ __ ] tons of malware. If you haven't seen it yet, that's because it's on your machine and you're not looking. It's there. So we definitely saw it as soon as we started looking, and we were like, wow, look, tons of malware. And we were like, hey, let's prevent this malware. Malware in our corporation: bad [ __ ], we don't want it, let's prevent it. And so OSXCollector is sort of the first tool we came up with for how we keep malware out of our corporate environment. It works just as well if you have some non-corporate environment; I recommend you do. We couldn't really figure out where the malware came from, and so we weren't really successful at preventing it, and so OSXCollector was about, like, prevent the malware. Hypothetically, if Iran had malware, we would want to know about it and say, hey, let's take action to stop Iran from spreading malware. Turns out they don't. So we got some people together, we built this tool, it's kind of cool, and that's what we're here to talk about.

Along the way I'll give you some free malware prevention tips. These actually work. I actually took thousands and thousands of Macs and charted how malware goes. It goes poorly, but if you start to follow some of these things, they actually work. Most of these are not new; people have been saying these for a while now. They actually work. So: click-to-play for Flash and Java. It just stops tons and tons of malware, tons and tons of malware that we saw in the past, before we did this, coming in these ways.

But now let's really get down to the heart of what we're talking about. Forensics collection. We use OSXCollector, a tool we built. We looked around and we said, oh, what can we use for forensic collection? On Windows we were like, oh, Redline, cool. We ran that, and it runs, and then you get all this data, and then you read the data in their cool analyst tool, and you scratch your head a bunch, and eventually you're like, oh, I think I might know what happened, and then you feel better about the whole incident. We wanted to feel that way about OS X, but we weren't getting there, so we were like, oh, we don't feel good yet. So OSXCollector was an attempt to do that. There were some great tools already there, and we sort of went and built something that kind of looked like some other tools that were out there, but worked very much for what we wanted to do on the collection side. It's all open source; it's been up there for a while. I'm really vain: even if you don't like the talk, just star the GitHub page, it makes me feel better, please.

So one of our first goals was we need to make collection really, really easy. A lot of times, you know, I buy these cool security books and it's like "do analysis," and step one is "get an image of the entire machine and start playing with it." Except we're in 30 countries, we have all these different people, we don't have all the time in the world to take machines and put them on racks for months at a time while we do slow analysis. So, you know, we needed something fast, something easy, something that an untrained technician could effectively bring onto a box and immediately start doing collection. So OSXCollector is pretty easy. It's one Python file for collection; that was a rule, a single file. It has no dependencies to be installed; everything you need is in the operating system out of the box. That was important too. So basically you could try to figure out how you'd get OSXCollector onto a box, and if you can do that, through the network or through USB, without spreading the malware that's already on the box, then you win, because you can basically just run it and go. So that was a big win.

So we basically see in the output here a basic run: sudo osxcollector.py. You can pass in an ID so it tags all the data with some incident ID, and that's about it. In this case it wrote 35,000 lines of output and we get it all in a nice tar gzip, and we're like, cool, we're moving forward.

So all of the output of OSXCollector, when you untar and unzip it or whatever, it's all just JSON. And I actually and truly believe that JSON is kind of beautiful. If you go to json.org, on the right side there's this beautiful drawing of how JSON works and you're like, oh, I can understand that, as opposed to most things that I read. So I thought it was beautiful, and it's really easy to manipulate, and for us it made good sense. It integrates with our tools. So this is sample output, sort of showing us a single kernel extension, and we'll dive into what kind of stuff we collect, in examples, and how we sort of use that data. But remember: easy, beautiful JSON.

We're going to keep using the tool chain to manipulate it. So let's talk about OS X a little bit. OS X stores lots of its data in SQLite DBs. Python is really good at dealing with SQLite DBs, so this was a win for us. I'm kind of ambivalent about SQLite, but whatever. One thing I found out, this is cool, researching the talk: I found out that the tagline for SQLite is "small, fast, reliable: choose any three." Kind of a humorous thing. I'm not sure they got there, but it's cool. But this is it, this is the code you would need if you were writing Python or something to basically dump a SQLite table, sorry, take a SQLite DB file, dump all of the tables in it, and sort of get all the data. This is about it, so it's pretty damn simple, which was good. I liked it.

The other thing: when OS X is storing data, and forensics collection is all about finding all the data on the machine, OS X loves plists. So plists are basically XML files. You see on the right-hand side there's this XML file, some .plist, and it's just kind of describing data. Cool. Sometimes they're plain text, sometimes they're binary. If they're binary there's a command line tool, PlistBuddy; it will print out a plist as a sort of JSON-like thing, not the XML, not real JSON, something else. Anyway, it's cool, it's a free tool, it works. So we use Python code to read through all these plists and kind of see what's going on. One thing I want to point out is a lot of this forensics collection stuff, not everybody knows about it; there's some really great places to learn more. Sarah Edwards is a researcher, @iamevltwin on Twitter. I'd say 95% of what this tool does is coming directly out of reading her presentations and pestering her at events like this, and then figuring out how we can automate this stuff. So we automated reading a lot of plists, because they had a lot of data which made sense to us.

So OSXCollector uses this Python package, Foundation, to read plists. All it is is a nice wrapper around Objective-C that the operating system is exposing to us. The operating system exposes all these nice system calls; if you're an Objective-C developer, go buck wild, just start calling all of them. If you're on Python you start scratching your head, and then you stumble on Foundation. If you've written Objective-C you will immediately notice, oh damn, how everything that you do in Foundation looks a lot like Objective-C. No Python developer in their right mind would make a function name that long, but in Objective-C that's primo, that's how to do it. So it's really useful, it just gets you at the system. We're not writing compiled code, it's easy for us to do this, but we have a lot of power: anything Foundation can get at, we can get at.

And then it gets one step better. It turns out some stuff's not in Foundation, and that was problematic because there was stuff we wanted to know. So we said, okay, stuff's not in Foundation, we can't get at it, [ __ ] it, we'll figure it out. It turns out that in Python you can just basically load libraries. Python comes with these objc and ctypes packages, on OS X at least, which let you basically call native code, whatever native code you want; if you can figure it out, you can call it. This is an example of calling NSString stringWithUTF8String:, which is like a constructor for an Objective-C string. It's kind of messy; if you understand Objective-C it's not so messy. But this basically meant that at this point, with this single file, we could call anything on the system, which was kind of the goal of the whole thing. So now we can collect SQLite DBs, we can collect plists, we can call any system API that we want. That's kind of cool. We can start collecting lots of information at this point.

So what do we collect? That's a pretty good question. And we kind of have this tradeoff: we could go across the whole file system and collect everything. It would take forever, and then in the case where it's a false positive alert we'd have someone's machine in collection for three days and they'd be real pissed off, and then we'd be like, sorry, yeah man, your machine's fine, it was just a mistake. So we're kind of careful about what we collect, what we don't collect, and how much time we spend on that.

So a common thing that we look at is different kinds of files: applications, kernel extensions, downloads. When you're trying to figure out how an infection happened, these are probably things you're going to be looking at. So back to our original example here of a kernel extension: we basically collect a bunch of stuff for all these files. We want to know the path of the file, we hash the hell out of the file, get a bunch of hashes for it, get the creation time, the modified time. We just kind of get a bunch of information that we're going to want to look at later, and it's common across all these different kinds of files: extended attributes, and we get the signature chain, who signed this binary.

One thing we do for times is we normalize them all to human-readable times. On OS X in general I'd say there's about five different ways that timestamps represent real times, and if you're doing forensic collection you have no idea what timestamp format this plist is going to use. So OSXCollector does a decent job of figuring it out: I figured it out for you, here's the timestamp, don't sweat it. It basically works; if it doesn't work, open an issue on the GitHub, that'll help us out. So timestamps are normalized; timestamps are incredibly important in establishing timelines when you're looking at a box.

Yeah, we grab hashes. Hashes are still useful; antivirus is not completely. We actually normalize them to the time zone of where the collection is happening, I think. I mean, it could be normalized to UTC, it's like a one-line change, so we could fix something. I don't know, it may be UTC, I can't remember. But yeah, they all get normalized the same way through the same one line of normalization, so if you're not into it, totally change it. So hashes: still valuable, they still find [ __ ]. Lots of people say, oh, that's not real, that doesn't exist, you can't find problems with hashes. If you have hashes for stuff that you couldn't find before, now you can use those hashes to go find things. If you have 5,000 Macs and one of them gets infected with something you've never seen before, maybe some of the other ones are going to have the same hash. So hashes, we collect those; I think it's defense in depth.

All right, so what else do we collect? Quarantines. So quarantines are really cool in looking at how infections happen on a machine. Quarantines are basically that thing that gives the OS enough information to be like, "you downloaded Firefox from the internet, are you sure that's okay?"
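The two collection pieces described above, dumping every table of a SQLite file and normalizing timestamps into one human-readable form, as an added worked example in Python; this is not OSXCollector's own code. It builds a small constructed SQLite file shaped like a browser-history database, opens it read-only so collection cannot alter the evidence, dumps each table to JSON-ready dicts, and normalizes the named timestamp columns by trying five epoch interpretations (Unix seconds and milliseconds, Cocoa seconds since 2001, HFS+ seconds since 1904, WebKit microseconds since 1601) and keeping the first one that lands in a plausible date window. The set of formats, the 2001 to 2040 window, the table layout and the column names are assumptions made for this example.

```python
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Candidate interpretations of a raw numeric timestamp, tried in this order.
# Each entry: (name, divisor that turns the raw value into seconds, seconds to add
# to reach the Unix epoch). Which formats matter is an assumption for this example.
_CANDIDATES = [
    ("unix_seconds", 1, 0),
    ("unix_milliseconds", 1_000, 0),
    ("cocoa_seconds", 1, 978_307_200),                    # seconds since 2001-01-01
    ("hfs_plus_seconds", 1, -2_082_844_800),              # seconds since 1904-01-01
    ("webkit_microseconds", 1_000_000, -11_644_473_600),  # microseconds since 1601-01-01
]

# Disambiguation rule: an interpretation counts only if it lands in this window.
_EARLIEST = datetime(2001, 1, 1, tzinfo=timezone.utc)
_LATEST = datetime(2040, 1, 1, tzinfo=timezone.utc)


def normalize_timestamp(raw):
    """ISO 8601 UTC string for a numeric timestamp in any candidate format,
    or None when no interpretation falls inside the plausible window."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return None
    for _name, divisor, offset in _CANDIDATES:
        try:
            moment = _UNIX_EPOCH + timedelta(seconds=value / divisor + offset)
        except (OverflowError, ValueError):
            continue  # absurd under this interpretation (e.g. microseconds read as seconds)
        if _EARLIEST <= moment < _LATEST:
            return moment.strftime("%Y-%m-%dT%H:%M:%SZ")
    return None


def dump_sqlite(path, timestamp_columns=()):
    """Dump every table of a SQLite file as {table_name: [row dicts]}.
    Opened read-only (mode=ro) so the collector never writes to the evidence;
    each column named in timestamp_columns gets a sibling '<col>_normalized'."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    dump = {}
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'  # quote the identifier safely
            rows = []
            for row in conn.execute(f"SELECT * FROM {quoted}"):
                record = dict(row)
                for col in timestamp_columns:
                    if col in record:
                        record[col + "_normalized"] = normalize_timestamp(record[col])
                rows.append(record)
            dump[name] = rows
    finally:
        conn.close()
    return dump


def build_sample_db(path):
    """Constructed sample shaped like a browser-history DB (not a real Chrome file):
    visits carry WebKit microsecond timestamps, downloads carry Unix seconds."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE visits (id INTEGER, url TEXT, visit_time INTEGER);
        INSERT INTO visits VALUES (1, 'https://www.yelp.com/', 13072780800000000);
        CREATE TABLE downloads (id INTEGER, target_path TEXT, start_time INTEGER);
        INSERT INTO downloads VALUES (1, '/Users/alice/Downloads/Alfred.dmg', 1428307200);
    """)
    conn.commit()
    conn.close()


def collect_sample():
    """Build the sample DB in a temp dir and dump it the way a collector would."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        build_sample_db(path)
        return dump_sqlite(path, timestamp_columns=("visit_time", "start_time"))


if __name__ == "__main__":
    print(json.dumps(collect_sample(), indent=2))
```

Both sample rows normalize to the same instant, 2015-04-06T08:00:00Z, even though one is stored as WebKit microseconds and the other as Unix seconds, which is the point of normalizing before building a timeline. This example always emits UTC with a Z suffix; the talk leaves open whether the real tool uses UTC or the collecting machine's zone, and for a fleet spread over many countries UTC is the form that makes timelines from different boxes comparable.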

It's like, yeah, I get it, I downloaded stuff from the internet. But it turns out these are useful, because they're basically tracking all of the downloads you made from the internet that resulted in someone trying to launch a program. So this is a simple example: it says Google Chrome downloaded Alfred, and I know about it, it happened at this timestamp. Cool. So if you're trying to figure out how this weird DMG got onto the machine, okay, cool, it's in the quarantines, probably. And that's just some plist, and we just converted it to some JSON, and the whole world gets a little happier.

We collect startup items. So when you boot, lots of [ __ ] happens, and all that [ __ ] that's happening while you boot is generally running in a highly privileged context, like root. So bad guys like to be there, because then they're running as root, they're running every time you launch a box, they're running before you get a shell after you reboot the box. So all that together means, yeah, startup items: good [ __ ] to invade. So I basically just said whatever this thing says, but this is basically some details about an ssh plist that has to do with key generation, which is cool, because let's look at that.

One interesting thing with OS X is it does not care if your startup items are signed. If a binary is signed, then cryptographically we're saying somebody has kind of looked at this and said it was cool. So in OS X, if something is signed, the operating system will verify it and be like, yo, this is good because it's signed, or this is bad because it's signed but doesn't match. What it doesn't care about is if things are unsigned; then it'll just say, cool, it's unsigned, it definitely didn't fail a signature check, let's keep going. We kind of do care, so we collect that information. If you're interested in, like, could someone change the entropy in SSH key generation on your box, and would you notice it? Probably not, because there's no signature on the binaries helping you do that. Oh well.

So on to another section. Malware prevention technique number two: use an ad blocker. Can't stress this enough; it actually works. Yes, I'm from Yelp; yes, this is how we get our revenue. What I suggest is AdBlock Pro, and then you add us to your whitelist, and then that allows everyone in the room to keep winning. Take it for what you will.

So, forensics collection: we've basically now got this big hunking bunch of JSON describing a bunch of things going on on the box. Great, that's cool. We have this data. It's not really fun to collect that data manually, but now we have it, and now we can go on to analysis, which might be more interesting, it turns out. So forensic collection is hard; forensic analysis is fun. It's a little bit of science, a little bit of art. You're telling a story: oh, I get it, the user did this and then that and then this and then they were [ __ ]. It's like, okay, cool, I get it. So I enjoy this part a lot, but the truth of the matter is it takes hours and hours to do analysis. And that's how we started: we built OSXCollector because there was no good collection tool for us.
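The startup-item and per-file collection described above (launchd plists, whether XML or binary, plus path, size, modification time and hashes for the program each one launches), as an added example in Python that is not OSXCollector's code. It uses the standard library's plistlib instead of the Foundation bridge the talk describes, so it runs on any platform; the directory layout, the plist contents, the dummy program and the record shape are all constructed for this example.

```python
import hashlib
import json
import os
import plistlib
import tempfile
from datetime import datetime, timezone

HASH_NAMES = ("md5", "sha1", "sha256")


def _digest_file(path):
    """Stream the file once through all three hash functions; return ({name: hex}, size)."""
    digests = {name: hashlib.new(name) for name in HASH_NAMES}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}, size


def hash_bytes(data):
    """One-shot convenience for in-memory data; same algorithms as _digest_file."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def file_info(path):
    """The per-file record the talk describes: path, size, mtime (UTC) and hashes."""
    hashes, size = _digest_file(path)
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
    return {"file_path": path, "size": size,
            "mtime": mtime.strftime("%Y-%m-%dT%H:%M:%SZ"), **hashes}


def collect_launch_items(plist_dir):
    """Read every launchd plist in plist_dir (plistlib handles XML and binary alike)
    and record what each one launches. Unparseable files are reported, not skipped."""
    records = []
    for name in sorted(os.listdir(plist_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(plist_dir, name)
        with open(path, "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                records.append({"plist_path": path, "error": "unparseable plist"})
                continue
        args = list(plist.get("ProgramArguments") or [])
        program = plist.get("Program") or (args[0] if args else None)
        records.append({
            "plist_path": path,
            "label": plist.get("Label"),
            "program": program,
            "program_arguments": args,
            "run_at_load": bool(plist.get("RunAtLoad", False)),
            # None when the referenced binary is absent: recorded, so an analyst sees it
            "program_info": file_info(program) if program and os.path.isfile(program) else None,
        })
    return records


SAMPLE_BINARY = b"#!/bin/sh\necho hello\n"  # constructed stand-in for a launched program


def build_sample(root):
    """Constructed sample under a temp root: an XML LaunchAgent, a binary-format one
    whose program is missing, and a corrupt file. Not real system content."""
    bin_dir, agents = os.path.join(root, "bin"), os.path.join(root, "LaunchAgents")
    os.makedirs(bin_dir)
    os.makedirs(agents)
    updater = os.path.join(bin_dir, "updater")
    with open(updater, "wb") as fh:
        fh.write(SAMPLE_BINARY)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": [updater, "--quiet"],
                       "RunAtLoad": True}, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "Program": os.path.join(bin_dir, "missing-helper"),
                       "RunAtLoad": False}, fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(agents, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist\n")
    return agents


def collect_sample():
    with tempfile.TemporaryDirectory() as root:
        return collect_launch_items(build_sample(root))


if __name__ == "__main__":
    print(json.dumps(collect_sample(), indent=2))
```

Because the OS does not require startup items to be signed, the hashes in program_info are what let you recognise the same unsigned binary on another box later; a plist whose program no longer exists, or a plist that does not parse at all, is kept in the output as its own record rather than dropped, since both are things an analyst wants to see.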

And then we started doing analysis by hand, and we were so pleased with ourselves. We went from five days to figure out what happened, to four hours to figure out what happened by doing manual analysis, down to just run some tools and let them tell you what happened. So we'll kind of walk you through that chain of events here and some of the automated analysis.

But first, manual analysis. Manual analysis works pretty good on this output: you splat out the JSON, you grep a time window. It turns out, if you have some alert that fired, like, hey, I noticed at this time this box did something really arbitrarily weird, I don't like it, then we go grab that box, we do a little forensics on it, we run OSXCollector to grab up the data, and we're like, yeah, now we can do some analysis. Grep in that time window for the events that happened; often it's pretty explainable. You see, in the list of every application install that ever happened, an application installed that you've never heard of in that time frame, and it's kind of like, oh, I get it, that application's bad. Sometimes we can look at URLs in a time window. So this tool we use all the time, jq, it's sort of hidden in the middle of one of these lines here. jq is really awesome: it just greps and parses and transforms JSON data, and so we use it all the time to sort of explore and be like, what's in this data, what should we do? Data from OSXCollector, data from Elasticsearch, whatever data you have that's in JSON format, you can use it. If your data is not in JSON format, I recommend thinking about that, and then changing it, and then using these tools. So we can basically grep out whatever we want out of this data, and we often find what's going on: you have a keyword, go grep it, see what happened. Cool. But it's slow; it's still like four or five hours to root cause things, mostly, at this point.

So then we went for, let's just automate the whole [ __ ] thing. We kind of knew what we were doing, we've been doing it for a while, so we automated it. It's a little hard to see, but basically we now run generally one command and then it prints out some very readable output. This is just a small snippet of it, but this is just saying, yo, here's some activity going on, quarantines and [ __ ] from domains that OpenDNS said were bad: why did you go there, they're bad. So if you see that you get an immediate sense of, like, a quarantine: they downloaded something from a domain that somebody already knew was bad; it's probably [ __ ]. It's not always so simple, but getting this really easily readable summary of analysis was what we were looking for. Some stuff points out in the analysis, like, okay, bad thing happened, I know about it, we're done. Other stuff points out, like, hey, fishy thing happened, I don't know, you think about it more and figure out what the answer is.

So we built this tool chain for OSXCollector analysis, and it's all open-sourced with the collector. Basically we have this pipe-and-filter model where we can chain up all these different filters together, and each filter sort of does one thing with the data. We say, okay, cool, we have some data; hey, filter, do one thing. So this first filter that we're talking about, it finds domains. It's like, is there a domain in this data? Yes, no, cool, whatever. And if it finds a domain in the data, it just adds another key to the JSON saying, yo, here's the domains I found. Cool. So we'll walk through sort of what the flow is, or roughly the flow that we do in this simple analysis, where we chain together all this crap for amazing automated results. Woo.

So yeah, the find domains filter is sort of the first one, and I already kind of blew it because I told you: basically, if it sees a domain, it adds it to this output key, osxcollector_domains. It doesn't really matter where the domain is that it sees it: if it's in the key of some JSON, if it's in the value, if there's some string and it's a URL and that URL has a query param that's another URL, or whatever, it does a pretty good job of finding all of it. And that's all we're trying to do: yo, could you tell me the domains that are involved? And whenever we see subdomains we add those, and then we also stem them down to the base domain, because when we look up domains later, maybe it's a new subdomain nobody knows about; better just to say, oh yeah, biz.yelp.com, that's also yelp.com. Sometimes that's helpful.

And so then the next thing we talk about: blacklists. Blacklists are super important. Whitelists work the same way; whitelists are super important. What's the stuff you already know is shitty? Just give up, be like, yep, that's a bad thing that happened, we know about it, we're done. Or, I don't care about this data, so let's not look at it anymore as we start doing more expensive looks.

So OSXCollector has a blacklist filter. It can basically match whatever you want: file hashes, parts of file names, domain names. It has some special smarts: if you tell it, hey, this is a blacklist of domain names, it kind of turns them into regexes so it really finds domain names, which is cool. It also sort of has an idea where you can tell it, hey, these are bits of, you know, terms or fields, and you can basically match whatever you want; you can do regexes, you can do exact matches. And so that's great. So this simple example: evil.com is here. We go and ask what domains are there; it says evil.com. We pass that on to the blacklist filter and it's like, oh, evil.com is in our domain blacklist. evil.com, I wish I owned that, that would be a fun domain. More likely I would get streaminghockey.com; turns out everybody wants to stream hockey, and it's all malware. Any domain at all with "free" or "download" or "sports bet" in it is malware; that domain hosts malware. Canonical example being downloads.cnet.com: it's all malware. So this heuristic has proven very, very effective. I would recommend not going to those domains.

So we can do a bunch more stuff with this data, and we want to, because what we've done so far wouldn't tell you that much. One thing we do, we'll talk about what we do with some OpenDNS stuff, because they were really gracious to host us all here, and thank you, OpenDNS. So we ask OpenDNS, hey, what are the domains related to the domains in this output? OpenDNS is cool; they know not just, hey, tell me about this domain, but they observe in time and space sort of what's going on with your DNS traffic, or other people's, and tell you this domain is related to that domain. And so it's like, you're judged by the company you keep. We see a lot of times some event: hey, this machine called out to this IP, did something weird, looks [ __ ] up, we don't like that. So then we say, oh, bad, and then we go and look and we say, what's that IP? And we have no idea at all what that IP is, which is basically how malware works: they don't want you to know too much about what they're doing. They go and switch domains a lot, they go and switch IPs a lot, they try to shake [ __ ] up so you don't find them too quick. But so with OpenDNS's data we look at, okay, what are the domains related to this IP? And sometimes we get a hit, and then we look at what are the domains related to the domains that are related to this IP. We have a command-line flag; you can have as many generations as you want. But it actually turns out, really surprisingly to me, to tell you the truth, that second-generation related domains and IPs to some random C2 IP that no one's ever heard of, often we find them in the output, and then we're like, oh, I get it, here's the related domain where the infection started, or here's part of the IOC kill chain that we should be chasing down. It does work, and so this is really cool.

And so we've got a bunch of APIs and intelligence lookups that we do. We look up stuff with VirusTotal, and we kind of try to grade: if VirusTotal says something, maybe we trust it, maybe we don't. ShadowServer is another service where we can go send hashes and things and say, hey, what's with this? ShadowServer is cool: they have a list of hashes that aren't bad, so they're like, yeah, I know that file, it's some operating system file, here's the path of it, here's the name of it, this shit's not bad. This is really good as we start to do more and more expensive operations on the data, because we can just quickly filter those out and be like, yeah, not bad, it's cool, we don't need to worry about it. So we like that a lot and we use that. We look at domain reputation in VirusTotal and domain reputation in OpenDNS and all sorts of good stuff to try to figure out, in this data, with these intelligence feeds, what can we get. Cyber threat intelligence is like the big buzzword of 2015; Obama saw my presentation, gave his presentation, this is very important stuff.

So the OpenDNS domain reputation filter, kind of the same thing. You can ask OpenDNS, yo, what do you know about evil.com? They have these categories, for example, where they say this is the category of this domain. One of them is "nuclear attack," which has never been in any of my data, but I like it a lot as a category. But then they can also give you all sorts of statistical scores which you're free to interpret any way you want, and you can take some of those statistics and kind of build a model of, like, given what OpenDNS saw, do you care that someone went here, or did something about this? Who knows.
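The find-domains filter, the blacklist filter and the pipe-and-filter chaining described above, as an added example in Python that is not the project's code. It walks every string in a record (keys and values alike), percent-decodes them so a URL hidden inside a query parameter is seen too, stems each hostname to its base domain, writes the result into an osxcollector_domains key, and then runs a blacklist filter that turns listed domains into regexes matching the domain and all its subdomains while matching hash terms exactly. The sample records, the tiny stand-in for the public suffix list and the shape of the hit records are assumptions made for this example; real code should use the full public suffix list for stemming.

```python
import json
import re
from urllib.parse import unquote

# Hostname-looking tokens: dotted labels ending in an alphabetic TLD, not glued to word chars.
_DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,63})(?![\w-])", re.IGNORECASE)
# Assumption: a tiny stand-in for the public suffix list, just enough for the sample data.
_KNOWN_SUFFIXES = {"com", "net", "org", "edu", "gov", "io", "example", "co.uk", "com.au"}


def base_domain(domain):
    """Stem a hostname to its registrable base (biz.yelp.com -> yelp.com). Returns None
    for an unknown suffix, which also discards file names such as setup.dmg."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-level suffix (co.uk) before a one-level one (com)
        if len(labels) > n and ".".join(labels[-n:]) in _KNOWN_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return None


def _strings_in(obj):
    """Yield every string in a JSON value, keys included."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield key
            yield from _strings_in(val)
    elif isinstance(obj, list):
        for val in obj:
            yield from _strings_in(val)
    elif isinstance(obj, str):
        yield obj


def _fully_unquoted(text, rounds=3):
    """Undo nested percent-encoding so a URL carried in a query parameter is visible."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_domains(record):
    """Filter 1: every domain anywhere in the record, plus its base, into osxcollector_domains."""
    found = set()
    for text in _strings_in(record):
        for match in _DOMAIN_RE.findall(_fully_unquoted(text)):
            domain, base = match.lower(), base_domain(match)
            if base is not None:
                found.update((domain, base))
    if found:
        record["osxcollector_domains"] = sorted(found)
    return record


class Blacklist:
    """A named term list. Domain lists become regexes that also match subdomains;
    any other list matches exactly (case-insensitive)."""

    def __init__(self, name, terms, is_domains=False):
        self.name = name
        prefix = r"(^|\.)" if is_domains else "^"
        self._patterns = [re.compile(prefix + re.escape(t.lower()) + "$") for t in terms]

    def matches(self, value):
        value = value.lower()
        return any(p.search(value) for p in self._patterns)


def apply_blacklists(record, blacklists, fields=("osxcollector_domains", "md5", "sha1", "sha256")):
    """Filter 2: check the listed fields against every blacklist; record hits in osxcollector_blacklist."""
    hits = []
    for bl in blacklists:
        for field in fields:
            values = record.get(field)
            if values is None:
                continue
            for value in ([values] if isinstance(values, str) else values):
                if bl.matches(value):
                    hits.append({"list": bl.name, "field": field, "value": value})
    if hits:
        record["osxcollector_blacklist"] = hits
    return record


def run_filters(json_lines, filters):
    """Pipe-and-filter: each JSON line becomes a record that flows through every filter in order."""
    records = []
    for line in json_lines:
        record = json.loads(line)
        for flt in filters:
            record = flt(record)
        records.append(record)
    return records


# Constructed sample lines shaped like collector records; not real evidence.
SAMPLE_LINES = [
    json.dumps({"osxcollector_section": "quarantines", "LSQuarantineAgentName": "Google Chrome",
                "LSQuarantineDataURLString": "http://download.evil.com/setup.dmg"
                                             "?from=http%3A%2F%2Fwww.streaminghockey.example%2Fgo",
                "LSQuarantineTimeStamp": "2015-04-06T08:00:00Z"}),
    json.dumps({"osxcollector_section": "chrome_history", "url": "https://biz.yelp.com/login",
                "title": "Yelp for Business"}),
    json.dumps({"osxcollector_section": "kext", "file_path": "/System/Library/Extensions/sample.kext",
                "sha256": "d3ad" * 16}),
]
BLACKLISTS = [Blacklist("domains", ["evil.com", "streaminghockey.example"], is_domains=True),
              Blacklist("hashes", ["d3ad" * 16])]


def analyze_sample():
    return run_filters(SAMPLE_LINES, [find_domains, lambda r: apply_blacklists(r, BLACKLISTS)])
```

Each filter takes a record and returns it, so a new lookup (a reputation or related-domains query, say) is one more function in the list passed to run_filters. The quarantine record shows why decoding matters: the streaminghockey host is only visible after the percent-encoded query parameter is unwrapped, and listing the base domain once is enough to catch both the bare name and any subdomain of it.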

VirusTotal hash lookup, kind of the same thing again. We have a base class for API lookups, and so it takes all the heavy lifting out: it basically does rate limiting, does caching, does parallel issuing of requests to try to speed things up. So it's really easy to add new APIs. If you get really excited and go home and start hacking on this right away, go contribute new APIs, use the base class, it'll be really easy, I'll appreciate it.

Now, prevention technique number four: there is no free app to stream sportsball. Everyone who tries to stream NASCAR and hockey for free is getting malware. It's just a given.

All right, so let's talk a little more about analysis, because I think I've blown through my time really fast. A few more things that we do. So browser history is pretty important. Most of your infections in a large corporation are coming in straight from browsing activities, or from email, which is usually done in the browser nowadays. So OSXCollector goes through and it's like, yeah, I'll look at all the browser history, I'll sort it, I'll collate it. Basically it's able to give you a view that looks a whole lot like the history tab in Chrome or Firefox. The cool thing is, in the SQLite DBs that are associated with browser history, there's more information than what you actually see in the history tab in Chrome, for example. So Chrome knows how did you get to this URL: did you click a link, was there a hidden popup, were you in some sort of referrer chain of 301s to some final destination? So there's cool stuff there. Basically, when you see "hidden popup," it's always bad. Why did someone make a hidden popup? What a jerk. So you basically know, oh, that's the bad one, which is really kind of cool.

A lot of these filters, we try to figure out: some filters are winnowing down information, sort of like the ShadowServer filter for good hashes, where we get rid of a lot of information, and others are sort of trying to increase what we can look at. So we have a filter for finding files related, excuse me, sorry, stuff related to files. So if you start out with a file, you know there's a bad file on the disk, like, hey, I didn't want that file to be there, then we want to kind of look and say, given this file name, can I find anything else related to this: other files, downloads, domains, query strings, activity on the device, what's related to that file? And that basically helps us identify more suspicious [ __ ] that initially did not look suspicious, but once we sort of already knew a hint, like, hey, anything related to invoice 337 is already bad, then it kind of gives us a better hint.

So the filters are really pluggable. They're easy to sort of move between; you can pass data to them individually or chain them up in big chains. It has support for cool chaining things, and in our case we sort of run one giant filter that chains most of the filters we have and prints out recommended next steps. So it says stuff like, hey, why don't we go blacklist this domain, and hey, pretty sure this file is not good, let's look for it from now on when we're looking for stuff. And then we, the humans, get to go take the actions that the robots told us to do, which I don't know why I like, but it's fun.

So yeah, sorry, I'm not good with time, but we went real fast. Hopefully you have compelling questions. So this is the "wow, it's wonderful" part, but a few more things before that. Yeah, I do work for a big company and they do make me put slides in my presentations. This one's kind of cool, though. We have a lot of data; if you do any kind of data science stuff and you're interested in data science stuff, we publish these data sets, you can grab them. We have prizes for academics: if you publish something using our data set, we give you money; if you present something using our data set, we give you money. We have big prizes. See terms and conditions; I did not just promise you any money at all. But we have this data set; go check out the data set challenge if you want to know more.

So I would love to know if people use this tool. 500-some-odd people have starred it; like four of them have reached out to me. I love them. So if you use it, let me know, let me know about it. If you're looking to learn more, I put hashtags in here; these are hashtags where I go to learn more, because I want to learn more. And that's my dog Molly, and then that's Case. And what questions could I answer for you?

Hi. The question was: so, hey, you rely on ShadowServer to try to know what's an OS X version of patches? Yeah, we use it as a guide. It's helpful; I wouldn't say everything's there, and I wouldn't say it's always correct, but it's helpful. We explored quickly a NIST database that sort of has the hashes for every file they can find. I couldn't really figure out how to use that thing, because it literally had the hashes for every file, so there was no quality judgment being made; it was just like, yeah, that file exists too.

What do we do about virtual machines running on the Mac? Yeah, we basically go, like, yeah, virtual machines, [ __ ]. So, honestly though, your virtual machine calls out generally through your network adapter, and the network stack is shared, so we can see some activity, but it's pretty confusing. If you really try to do forensics from the base, from the host, and try to figure out what happened in the virtual machine, you will not figure it out. That's not our user model too much. I'm sure there's better solutions; if you know, let me know.

Hey, so are you collecting host names as they're resolved during the runtime? I didn't know if I caught that, like...

So, do you want this one for right now?

Or, yeah, while he's working on this one. Hey, so the question was: do we collect host names as resolutions are happening? So this tool is purely for forensics after something else has alerted. So we're definitely looking at network streams and creating alerts, and then saying, now that we have an alert, what should we do about it? That's when we go to forensics.

Hi. So what causes you to start running the tool? So, what causes us to start running this tool: it's sort of the Death Star view of the network. It's like whatever alerting systems we have in place, so host endpoint monitoring, network monitoring, log analysis, whatever we've got in place, and we're sort of always trying to add more things as sort of ingress into our alerting pipeline. Alerts come in, we evaluate them, and at the point that we're like, yo, that box is bad, something is weird, I can't explain it, I feel funny, then we want to go do this analysis. In our case we actually try to automate most all of that decision-making, so we aggregate all the alerts from different sources that we can, we put them all together, we have some smarts to try to analyze those things on a case-by-case basis and make decisions, then usually automated tools go and cut tickets for us and email users and alert the help desk and call out the dogs and whatever. If you check out Yelp's GitHub we have this other project from our security team called ElastAlert. It's an alerting system we built out of Elasticsearch, so we shove everything we configure out into Elasticsearch and alert out of it. It has nothing to do with this talk, but I love to talk about that, so glad I got an opportunity.

Do we do any live domain lookup in the analysis? The question was, do we do any live domain lookup or is it all passive right now, is that during analysis? So during analysis it's actually kind of, it's way more close to live than I would like. When we do lookups of domains, and when we try to say, like, hey, in this forensic capture there's this domain, what do we think about it, all of, most all of, the data sources we use will tell us what they think right now. So if we're fast we can learn what they think right now. Sometimes what they think right now is helpful, because an attack started 12 hours ago and now they know about it, and sometimes we're effectively looking at old [ __ ] and our sources are like, nah, I don't care about that domain, but realistically 3 months ago when this thing started that domain would have been more interesting to them. Anybody who's got threat information: if I can pass you a timestamp when I go and ask you about threat information, I want to do that, so then I could really say, what do you think right now, what do you think 3 months ago, what do you think when this [ __ ] actually happened? And I really wanted to know the answer. It's kind of tricky. I wish there was a slightly better answer.

Are we tunneling that at all, or are we going out from our own network? You know, as much as I don't want to answer this, we're mostly going out from our own network, so stop looking at what we're doing, because you would see us. Yes, I guess that's kind of the risk with all these third parties that you go to, right? You go and ask a third party, like, yo, can you give me some information, like, why do you want to know that? It draws conclusions for people.

Have we found interesting attack vectors that we wouldn't expect? I think the answer is probably no. We haven't found interesting vectors we didn't expect. At times it's really interesting how successful some really stupid vectors are. So, like, browser extensions were one where I thought, like, whatever, that's not that interesting. Yeah, stuff gets in through browser extensions. I started reading up; there's really interesting stuff if you read about who buys old browser extensions with large populations of users, because you make a decision once when you install an extension, like, yeah, I trust this thing, and then it downloads and updates code randomly from some untrusted domain. They're all started by some kid in his dorm room, and then if they're successful somebody buys them, and if you're a bad guy, just go buy successful domains, or successful extensions, and then put your bad [ __ ] out there. We have seen that; it's real.

Hi. Do we collect browser history in OSXCollector, and do we grab all of the profiles? Yeah, so OSXCollector does collect browser history, and more about your browsing experience, and it does it for all of the profiles in Chrome, Safari and Firefox. Almost all of the collection we do, and the way OS X generally works, is like a ton of [ __ ] is, hey, there's a system install of this or a system version of this, then there's a bunch of per-user or per-profile stuff. And so we go and collect the system stuff and then we do it per profile. All the data gets tagged with whose profile it was, so you can be like, hey, let's just go look at what Ivan was doing on this machine. Big tip: if there's a lot of profiles on the machine, something bad happened. It's not like 1980; you don't share the computer.

Yeah, about how long does the automated analysis take? It definitely depends on what's in the data and how much data we have. I think today it's an hour to two hours. I'm sort of looking at the back at some Yelpers to try to see if somebody nods their head. I don't... it's like an hour to two hours. Sometimes it's like 5 minutes, sometimes it's really long, but I think it's generally probably under an hour, sometimes up to two hours, for an average sort of "I had this computer for 18 months" kind of deal.

Hi. Yeah, so the question is, hey, can I run this against a cold disk image? Yeah, so if you pass -m and the path to a mounted image to the collector, it will go run against a mounted image. So, yeah, totally possible, works pretty well. At times we do that. I've got a Thunderbolt hard drive sled and I will grab disks, image them, keep the images, or just mount the disks in the sled and go to analysis.

What do you miss when you do that? How much do you miss when you do that? Very little. So this is mostly doing disk forensics, so you miss very little. Even the stuff that's not directly disk forensics, like system calls and stuff, is generally getting its information from the disk, and so generally it works. I actually don't know what you miss, but I bet there's something. This is not doing any sort of memory forensics capture. It is not capturing the running processes on the system. Generally this is being used in a situation where the machine is at least somewhat changed from when the alerts happened, if not very changed. It's probably stupid that we're not capturing the running processes anyway; might want to do that later today.

Are... yeah, no, there's definitely free memory capture tools, and I think memory capture is super awesome. We just don't target it at all with this, but, yeah, the Volatility book, if anyone hasn't read that yet, it's super dope: The Art of Memory Forensics by Andrew Case et al., the Volatility people. They have so much great stuff on memory forensics. Other exciting questions? Thank you.

All right, just to let everyone know, the food