AutoMacTC: Finding Worms in Apple Orchards - Using AutoMacTC for macOS Incident Response

By Kshitij Kumar, Jai Musunuri on 08 Aug 2018 @ Blackhat: Arsenal
macos secure-coding forensic incident-response Automation
Focus Areas: Application Security, DevSecOps, Incident Response
This tool demo covers the following tools, which the speaker has authored or contributed to:
AUTOMACTC

Abstract

The recent rise of macOS in enterprise environments has not gone unnoticed by adversaries, who often take advantage of unmanaged and unsupervised Mac assets for their misdeeds.

A traditional forensic approach can no longer support enterprise investigations – they require rapid triage and response, often due to resource constraints and a pressing need for answers and remediation. Performing forensic imaging and deep-dive analysis can be incredibly time-consuming and induce data fatigue in analysts, who may only need a select number of artifacts to identify leads and start finding answers. The resources-to-payoff ratio is impractical.

In this presentation, we will discuss AutoMacTC: an open-source Python framework that can be quickly deployed to gather forensic data on macOS devices, from the artifacts that matter most to you and your investigation. Incident response in the macOS world requires that analysts know where to look for evil, gather the relevant data quickly, and know how to discern the malicious from the innocuous. AutoMacTC captures sufficient data into a single location, equipping responders with all of the above.