Built in Python, OSXCollector is a script that runs on the infected machine and writes its output to a JSON file describing the target machine. It gathers its information from different sources such as SQLite databases, the local file system, plists, etc. Using OSXCollector, a forensic investigator or analyst can shed light on the following questions:
Is the machine infected? How did the malware get there? How can this be prevented and further infection detected?
To begin, clone the project onto the local machine:
$ git clone https://github.com/Yelp/osxcollector.git
A file named osxcollector.py can be found at osxcollector > osxcollector.py. It is a single Python file that runs without any dependencies on a standard OSX machine. To run it, simply type:
$ sudo osxcollector/osxcollector.py
It takes a couple of minutes to run and, once done, this is the output you might come across:
This shows that the script has done its work and an output file by the name of osxcollect-2017_05_03-18_06_35.tar.gz is available. Once the contents are extracted, this is what it looks like:
As we can see various logs are present in the output folder along with the JSON file:
Note: The python command uses the default Python interpreter on the OSX machine and is not overridden by a Python version installed via brew. OSXCollector relies on a few native Python bindings for OSX libraries which might not be available in other Python versions. To use a specific Python version, run:
$ /usr/bin/python2.7 osxcollector/osxcollector.py
Additional parameters can be used with osxcollector.py:
-i INCIDENT_PREFIX/--id=INCIDENT_PREFIX: This sets an identifier which is used as the prefix of the output file. The default value is osxcollect:
$ sudo osxcollector/osxcollector.py -i ChiraghDewan
The output folder created would be named: ChiraghDewan-2017_05_03-18_06_35
-p ROOTPATH/--path=ROOTPATH: This sets the path to the root of the filesystem to run collection on. The default value is /. This is helpful when running collection on the image of a disk:
$ sudo osxcollector/osxcollector.py -p '/mnt/pawned'
-s SECTION/--section=SECTION: This parameter is used to run only a portion of the full collection:
$ sudo osxcollector/osxcollector.py -s 'safari' -s 'downloads'
Following is a list of all the sections and their sub-sections:
version
system_info
kext
startup
  launch_agents
  scripting_additions
  startup_items
  login_items
applications
  applications
  install_history
quarantines
downloads
  downloads
  email_downloads
  old_email_downloads
chrome
  history
  archived_history
  cookies
  login_data
  top_sites
  web_data
  databases
  local_storage
  preferences
firefox
  cookies
  downloads
  formhistory
  history
  signons
  permissions
  addons
  extension
  content_prefs
  health_report
  webapps_store
  json_files
safari
  downloads
  history
  extensions
  databases
  local storage
  extension_files
accounts
  system_admins
  system_users
  social_accounts
  recent_items
full_hash
-c/--collect-cookies: This parameter collects cookie values. By default, the value of a cookie is not dumped as it may contain sensitive information.
-l/--collect-local-storage: This parameter collects the values stored in the web browser's local storage. By default, they are not collected as the values may contain sensitive information.
-d/--debug: This parameter enables verbose output and Python breakpoints.
Common Keys
Every line of the JSON file records one piece of information. Some common keys are:
osxcollector_incident_id: A unique ID shared by every record
osxcollector_section: The section or type of data the record holds
osxcollector_subsection: The subsection of the type of data the record holds
File Records
ctime: The file creation time
mtime: The file modified time
file_path: The absolute path to the file
md5: MD5 hash of the file contents
sha1: SHA1 hash of the file contents
sha2: SHA2 hash of the file contents
signature_chain: The common names of the certs in the file's signing chain
Downloaded File
xattr-wherefrom: A list containing the source and referrer URLs for the downloaded file
xattr-quarantines: A string describing which application downloaded the file
The keys mentioned above are a few of those OSXCollector uses. A few more are used for:
SQLite Records
Timestamps
Version section
System_info section
Kext section
Startup section
Applications section
Quarantines section
Downloads section
Chrome section
Firefox section
Safari section
Accounts section
Mail section
Full Hash section
The detailed keys of the sections mentioned above can be found in the project's README.md, which can be read after cloning it or on its GitHub repository. Forensic analysis is not an exact science. Some may argue that it falls somewhere between art and science, and because of that every person who reads the story sees something different. Going through the entire JSON can be overwhelming to many. However, a few commands can narrow down the search:
Timestamps
$ cat osxcollect-2017_05_03-18_06_35.json | grep '2017-05-03'
Browser History
$ cat osxcollect-2017_05_03-18_06_35.json | grep '2017-05-03' | jq 'select(has("url")) | .url'
Note: The above command also requires jq to be installed. jq is an open-source JSON processor which is available at: https://github.com/stedolan/jq
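As an added example that is not part of the original article, the following Python reproduces the grep and jq narrowing steps above over a constructed sample of the JSON-lines output, and goes a little further by joining the Downloaded File keys (xattr-wherefrom, xattr-quarantines) into a provenance table and ordering file records by ctime. The sample values and the last_visit_time key are assumed; every other key is one listed above.

```python
import json

# Constructed sample of OSXCollector's JSON-lines output (one record per line).
# Values are invented; "last_visit_time" is an assumed key, the rest are from the page.
COMMON = {"osxcollector_incident_id": "osxcollect-2017_05_03-18_06_35"}
RECORDS = [
    dict(COMMON, osxcollector_section="downloads", osxcollector_subsection="downloads",
         osxcollector_username="Chiragh", file_path="/Users/Chiragh/Downloads/installer.dmg",
         ctime="2017-05-03 17:58:02", mtime="2017-05-03 17:58:02", signature_chain=[],
         **{"xattr-wherefrom": ["http://example.invalid/installer.dmg", "http://example.invalid/"],
            "xattr-quarantines": "Safari"}),
    dict(COMMON, osxcollector_section="safari", osxcollector_subsection="history",
         osxcollector_username="Chiragh", url="http://example.invalid/",
         last_visit_time="2017-05-03 17:57:40"),
    dict(COMMON, osxcollector_section="chrome", osxcollector_subsection="history",
         osxcollector_username="Other", url="https://www.yelp.com/",
         last_visit_time="2017-04-28 09:12:00"),
    dict(COMMON, osxcollector_section="startup", osxcollector_subsection="launch_agents",
         osxcollector_username="Chiragh", ctime="2017-05-03 17:58:30", mtime="2017-05-03 17:58:30",
         file_path="/Users/Chiragh/Library/LaunchAgents/com.example.agent.plist", signature_chain=[]),
]
SAMPLE_OUTPUT = "".join(json.dumps(r) + "\n" for r in RECORDS)

def load_records(text):
    """Parse the JSON-lines file: every non-empty line is one record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def on_day(records, day):
    """Equivalent of `grep '2017-05-03'`: keep records mentioning the day anywhere."""
    return [r for r in records if day in json.dumps(r)]

def urls(records):
    """Equivalent of `jq 'select(has("url")) | .url'`."""
    return [r["url"] for r in records if "url" in r]

def for_user(records, username):
    """Equivalent of `jq 'select(.osxcollector_username=="Chiragh")'`."""
    return [r for r in records if r.get("osxcollector_username") == username]

def download_sources(records):
    """Join the Downloaded File keys: file_path -> (source URL, referrer, downloading app)."""
    return {r["file_path"]: tuple((r["xattr-wherefrom"] + [None])[:2]) + (r.get("xattr-quarantines"),)
            for r in records if r.get("xattr-wherefrom")}

def timeline(records):
    """Order file records by ctime so the day's events read in sequence."""
    return sorted((r["ctime"], r["osxcollector_section"], r["file_path"])
                  for r in records if "ctime" in r)

if __name__ == "__main__":
    recs = load_records(SAMPLE_OUTPUT)
    print(urls(on_day(recs, "2017-05-03")))   # ['http://example.invalid/']
    print(download_sources(recs))
    print(timeline(recs))
```

Reading the timeline next to the download provenance shows the order an analyst looks for: the visit to the referrer, the download attributed to Safari, then the launch agent created half a minute later.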
Single User
$ cat osxcollect-2017_05_03-18_06_35.json | jq 'select(.osxcollector_username=="Chiragh") | .'
Using a combination of sections and subsections, more useful commands can be created to simplify the process. OSXCollector also helps by automating the analysis of the output through various filters, packaged as osxcollector.output_filters. Its repository can be found at https://github.com/Yelp/osxcollector_output_filters. Unlike osxcollector.py, the filters have dependencies that do not come pre-installed on MacOS. The solution proposed by Yelp is to use virtualenv. Run the following commands to set it up:
$ sudo pip install tox virtualenv
$ make venv
$ source virtualenv_run/bin/activate
The following filters are available:
Find Domains Filter
Find Blacklisted Filter
Related Files Filter
Chrome History Filter
Firefox History Filter
Chrome Extensions Filter
Firefox Extensions Filter
OpenDNS Related Domains Filter
OpenDNS Lookup Domains Filter
Virus Total Lookup Domains Filter
Virus Total Lookup Hashes Filter
Virus Total Lookup URLs Filter
Shadow Server Lookup Hashes Filter
More details, along with how to use them, can be found at the repository link. The biggest downside is that it works only on MacOS. Recently, development of OSXCollector has been slow; however, Yelp encourages developers to contribute. All in all, OSXCollector is a powerful tool that can make any forensic analyst's life easier.