lundi 24 octobre 2016

New version of Checkout4Mac (0.2)


Checkout4Mac for what ?

How to quickly detect recent physical activities on your Mac OS X system? How to detect if someone attempted or succeeded to get an access to your Mac let in your hotel room during your dinner or party ? 


Just in analysing the system logs and files access dates with bash commands (like grep, find, ls, stat, awk, etc.) ...


Proof of Concept in Python, CheckOut4Mac, has been developed in order to automate the search and identify malicious activities from 3 questions:

  • When did you leave your hotel room ? eg.: 22/6 
  • At what time did you leave your hotel room ? eg: 22 
  • How long time did you leave your hotel room ? eg: 2 


Several artefacts are exploited to answer to the question and you can check that manually:  http://sud0man.blogspot.fr/2015/05/artefacts-for-mac-os-x.html#2 


or automatically with a POC: https://github.com/sud0man/checkout4mac



HOME MENU



INTERACTIVE MENU





NON-INTERACTIVE MENU


EXTRACTED ACTIVITIES in normal mode


EXTRACTED ACTIVITIES in verbose mode



WHICH ACTIVITIES ARE EXTRACTED ?

[]STARTUP ACTIVITIES

[]SESSION ACTIVITIES

[]PHYSICAL CONNECTION ACTIVITIES

[]ESCALATION PRIVILEGES ACTIVITIES

[]APPLICATIONS ACTIVITIES





[]PERSISTENCE ACTIVITIES

[]NETWORK ACTIVITIES


samedi 23 mai 2015

Artefacts and tricks for Mac OS X

...

 FORENSICS - SYSTEM INFO AND LEAK INFO 

 PROOF OF CONCEPT

 SYSTEM INFO

General information
$ system_profiler
Owner (name, address, tel, etc.)
/Users/USERNAME/Library/Preferences/com.apple.AddressBook.plist
/Users/USERNAME/Library/Preferences/AddressBookMe.plist
/Library/Preferences/AddressBookMe.plist
/private/var/db/.AppleSetupDone
Kernel Version and state
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
$ sysctl -A
OS version
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/ServerVersion.plist (if server)
$ uname -an
Timezone
/Library/Preferences/.GlobalPreferences.plist/etc/localtime

 AUTHENTICATION DATA

Usernames and password hashes
/Users/USERNAME
[10.6]/var/db/shadow/hash/
[10.7]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
[10.8]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
Administrators
/var/db/dslocal/nodes/Default/groups/admin.plist
Autologin password (XOR)
/private/etc/kcpassword
Last connected user
/Library/Preferences/com.apple.loginwindow.plist
Last Login Info + Hint master password + autologin user
/Library/Preferences/com.apple.loginwindow.plist
Deleted Users
/Library/Preferences/com.apple.preferences.accounts.plist
User Keychain (contains a lot of passwords :))
/Users/USERNAME/Library/Keychains/login.keychain
System Keychain
/Library/Keychains/FileVaultMaster.keychain => contains the FileVault Recovery Key to use master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
/var/db/SystemKey => contains key to decrpyt System.Keychain

 ALL LOGS

/var/log/system.log*
/var/log/windowserver.log*
/var/log/secure.log*
/var/log/kernel.log*
/private/var/log/install.log*
/private/var/log/appfirewall.log*
/var/audit/
/.fseventsd/* => FSEventsParser (tool to parse)

 LOGS 3rd App

/Users/USERNAME/Library/Logs/

 PERSISTENCE

XPC Services
$ find /Applications/ -name XPCServices -exec ls -lsct {} \;
Launched XPC System
/System/Library/XPCServices/
Launched Agents System
/System/Library/LaunchAgents/
Launched Agents Library
/Library/LaunchAgents/
/Users/USERNAME/Library/LaunchAgents/
Launched Daemons System
/System/Library/LaunchDaemons/
Launched Daemons Library
/Library/LaunchDaemons/
Launched LoginItems > User
/Users/USERNAME/Library/Preferences/com.apple.loginitems.plist
Launched LoginItems > Application
$ find /Applications/ -name LoginItems -exec ls -lsct {} \;
Launched ScriptingAdditions
/System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/
Launchd DB
/private/var/db/launchd.db/
$ find /private/var/db/launchd.db/ -name com.apple.launchd.peruser.* -exec ls -lsct {} \;/com.apple.launchd.peruser.*
Loaded_Drivers
$ kextstat
All Extensions
/System/Library/Extensions/
Extra Extensions
/Extra/Extensions/
Crontab
$ crontab -u root -l , crontab -u USERNAME -l
Kernel Cache installed Extensions 
/System/Library/Extensions/Extensions.kexstat/
/System/Library/Extensions/Extensions.mkext
Rc.common
/etc/rc.common
Login hook
/Users/USERNAME/Library/Preferences/com.apple.loginwindow.plist
Startup Items
/System/Library/StartupItems/
/Library/StartupItems/
Launchd.conf
/etc/launchd.conf

Re-Open Application (when shutdown)
/Users/USERNAME/Library/Preferences/ByHost/com.apple.loginwindow..plist
Spotlight Importation
/Library/Spotlight/

Plugins
/Library/Security/SecurityAgentPlugins/
/Library/Internet\ Plug-Ins/
/Users/USERNAME/Library/Safari/Extensions/Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/External Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/Default/Extensions/
/Users/USERNAME/Library/Application Support/Mozilla/Extensions/

 APPLICATIONS

Installation History
/Library/Receipts/InstallHistory.plist
Uninstallation History
sudo egrep --colour=auto -Ri 'uninstalld|removing Application' /var/log/*
sample : 
/var/log/commerce.log:Nov 26 15:42:35 amalard-3.mrc.cossi.internet storeassetd[413]: SoftwareMapSpotlightSource: removing Application : (com.tastycocoabytes.CocoaPacketAnalyzer.mas, 1.31, 418357707:660823895 VPP:NO source:Spotlight /Applications/CocoaPacketAnalyzer.app) 
/var/log/system.log:Nov 26 15:42:30 amalard-3.mrc.cossi.internet uninstalld[2105]: Could not get Info.plist for /Applications/CocoaPacketAnalyzer.app
Updates History
/Library/Preferences/com.apple.SoftwareUpdate.plist

Metadata of all installed pkg (.bom and .plist)

/var/db/receipts/
Last launched applications
ls -lshtr /Library/Caches
ls -lshtr /Users/USERNAME/Library/Caches
All installed Application and association files
#All bundle .app, mounted volume(containing .app) and association files (recorded by Launch Service)
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 5 "^volume"
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 40 --before-context 1 "^bundle"

Sandboxed Applications
/Users/USERNAME/Library/Containers/

Crash et Logs Applications
/Users/USERNAME/Library/Application Support/CrashReporter/
/Users/USERNAME/Library/Logs/
/var/log/install.log

Environment Variables
/Users/USERNAME/.MacOSX/environment.plist
/etc/launchd.conf
/Users/USERNAME/Library/LaunchAgents/

Execution artefacts : com.apple.sharedfilelist : ApplicationRecentDocuments
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/BUNDLEID.sfl

Execution artefacts : com.apple.sharedfilelist : RecentApplications
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl

 USER ARTEFACTS

Recent searches, Trash setting, view settings, recent folders
/Users/USERNAME/Library/Preferences/com.apple.finder.plist
Applications in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Folders and network shares in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Desktop picture
/Users/USERNAME/Library/Preferences/com.apple.desktop.plist
Recent documents, applications, and network connections
/Users/USERNAME/Library/Preferences/com.apple.recentitems.plist 
Preview files cache plist

/Users/USERNAME/Library/Preferences/com.apple.Preview.LSSharedFileList
Preview files cache sqlite 
/private/var/folders/xx/wxyxyxyxyxy/X/com.apple.QuickLook.thumbnailcache/index.sqlite

Recent files  : com.apple.sharedfilelist : RecentDocument 
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl


 USER SYSTEM HISTORY

Concole Search History
/Users/USERNAME/Library/Preferences/com.apple.Console.plist
SQLite History
/Users/USERNAME/.sqlite_history
BASH History
/Users/USERNAME/.bash_history
SH History
/Users/USERNAME/.sh_history
Last logged users
$ last
Connected media history
/Users/USERNAME/Library/Preferences/com.apple.sidebarlists.plist

 TOOL EVERYDAY INFO

Address Book
/Users/USERNAME/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
Calendar (through Spotlight)
/Users/USERNAME/Library/Calendars/Calendar\ Cache
User emails, only text (through Spotlight)
/Users/USERNAME/Library/Mail/V2/MailData/Envelope\ Index
User emails, full (through mBox files)
/Users/USERNAME/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Office documents restored by AutoRecovery? service
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
Recent printed documents
var/spool/cups/
[http://sud0man.blogspot.fr http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html]
Text notes taken with Stickies Widget (Widget available natively)
/Users/USERNAME/Library/Preferences/widget-com.apple.widget.stickies.plist
/Users/USERNAME/Library/StickiesDatabase
/Users/USERNAME/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata-wal 
Evernotes text notes
/Users/USERNAME/Library/Application Support/Evernote/accounts/Evernote/xxxxxxxx/content/

 CHAT

Skype messages history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Skype/xxxxxxxx/main.db
Message history or new iChat (stores conversations)
/Users/USERNAME/Library/Messages/
iChat history (stores conversations)
/Users/USERNAME/Documents/iChats/
Adium history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/

 iDEVICES

iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28
iDevice Calendar (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
iDevice Call history (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442

 WEB BROWSING

Safari Browsing
[HISTORY]/Users/USERNAME/Library/Safari/History.plist]
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.plist
[COOKIES]/users/USERNAME/Library/Cookies/Cookies.binarycookies
[DOWNLOADS]/Users/USERNAME/Library/Safari/Downloads.plist
Safari Webpage Preview (stored Screenshot of your navigation):
/Users/USERNAME/Library/Caches/com.apple.Safari/Webpage Previews/
Firefox Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite
Chrome Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
Opera Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY]/Users/USERNAME/Library/Opera/global_history.dat
[COOKIES]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES]/Users/USERNAME/Library/Opera/cookies4.dat
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS]/Users/USERNAME/Library/Opera/download.dat
QuarantineEventsV (can contain Browser history and iChat)
/Users/USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*

 DELETED/RECOVERED DATA

Trashes
/Users/USERNAME/.Trash
/.Trashes
Recovery Office Files
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery

 NETWORK HISTORY

Bluetooth History
/Library/Preferences/com.apple.Bluetooth.plist
Network History
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
WiFI AP History
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences|sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3
Remote Desktop History
/Library/Preferences/com.apple.RemoteDesktop.plist

 NETWORK CONFIGURATION

Firewall
/Library/Preferences/com.apple.alf.plist
Wireless
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
NAT
/Library/Preferences/SystemConfiguration/com.apple.nat.plist
SMB Server
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
Interfaces (10.8)
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Interfaces
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist
/Library/Preferences/SystemConfiguration/preferences.plist

 MEMORY

Hibernate file
/private/var/vm/sleepimage
Swap file
/private/var/vm/swapfile0

...

 FORENSICS - EVENTS 

 PROOF OF CONCEPT

[]STARTUP ACTIVITIES ...
[][]BOOT dates/hours
zegrep 'BOOT_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-

[][]SHUTDOWN dates/hours
zegrep 'SHUTDOWN_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-

[][]REBOOT dates/hours (reboot => wih button, rebooted => with terminal)
zegrep 'reboot by|rebooted by' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|sort -u|cut -d : -f 2-
[][]Hibernation dates/hours
zegrep 'hibernate_setup(0) took|PMScheduleWakeEventChooseBest|sleep images' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Hibernation/'|sort -u

[][]Out of hibernation dates/hours
zegrep 'full wake promotion|Previous sleep|Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'|sort -u
zegrep 'Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'Message Wake'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'


[]SESSION ACTIVITIES ...
[][]Attempting to unlock session next to a boot
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'Login Window login proceeding' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
zegrep 'Login Window login proceeding' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Attempting to unlock session after the boot/'

[][]Attempting to unlock session without success
      Authentication without success by su or sudo commands are also notified ...
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -v '_securityagent' | grep -i 'failure' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-

[][]Unlocked session with success
      Authentication with su or sudo commands are also notified ...
zegrep -A 1 'Establishing credentials' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -i 'success' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-

[][]Locked session dates/hours
zegrep 'Application App:"loginwindow"' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Locked Session/'

[][]Attempting to unlock session (Yes : if two occurence with the same time, No: if just one occurence)
      WARNING 1 : there are several occurences when an user account is created
      WARNING 2 : there is always one occurence for each user account just after the boot
zegrep 'AuthenticationAllowed' /var/log/accountpolicy.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-


[]PHYSICAL CONNECTION ACTIVITIES ...
[][]USB plugged devices
zegrep 'USBMSC' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$9", "$10"(vendor), "$11"(Device) - To identify the plugged device : external_bin/usb.ids or http://www.linux-usb.org/usb.ids"}'|cut -d : -f 2-

[][]File system events(USB, mounting, etc.)
zegrep 'fsevents' /var/log/system.log*|grep -i 'Oct 24 09:'|grep Volumes|cut -d : -f 2-

[][]Firewire connections with another machine or storage media (activation of 'fw' interface)
zegrep 'fw' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'network changed'|cut -d : -f 2-


[]ESCALATION PRIVILEGES ACTIVITIES ...
[][]Opened/Closed TTY terminals
zegrep 'ttys' /var/log/system.log*|grep -i 'Oct 24 09:'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'|cut -d : -f 2-

[][]ROOT commands executed with success
zegrep 'sudo\[' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'USER=root'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'

[][]Attempting to execute commands with SUDO without success
zegrep 'incorrect password attempts' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-

[][]User, password modification and creation
praudit -l /var/audit/current|egrep 'create user|modify password|delete user' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-

[][]System Privileges asking
zegrep -A 1 'authenticated as user' /var/log/authd.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-


[]APPLICATIONS ACTIVITIES ...
[][]Executed applications
[Recent App - last modif]
      WARNING : date files can be updated during the boot
stat -q -f '%Sm %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Recent App - last access]
      WARNING : date files can be updated during the boot
stat -q -f '%Sa %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Caches]
stat -q -f '%Sa %N' '/Users/amalard/Library/Caches/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort

[][]Creation of reporter crash plist
stat -q -f '%SB %N' '/Users/amalard/Library/Application Support/CrashReporter/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort
[][]Recording App in csstore : lsregister
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | egrep -i 'reg date' -B 25 -A 4 | grep -B 25 -A 4 '10/24/2016 09:' |sed 's/$/ : Recorded App/'
[][]Logging app 3rd party
stat -q -f '%Sm %N' '/Users/amalard/Library/Logs/'*|grep -i 'Oct 24 09:'|grep 2016|sort

[][]Installed applications
[Installation pkg : Install.log]
zegrep -A 1 'Installation' /var/log/install.log|grep -i 'Oct 24 09:'|sed 's/$/ : Installed pkg/'
[Installation pkg : InstallHistory.plist]
cat /Library/Receipts/InstallHistory.plist | grep -A 7 '2016-10-24T09:'|sed 's/$/ : Installed pkg/'
[Installation (or new) pkg : /var/db/receipts]
stat -q -f '%Sm %N' '/var/db/receipts/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed pkg/'|sort
[Creation of Sandbox directory for App]
stat -q -f '%Sm %N' '/Users/amalard/Library/Containers/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed App/'|sort


[]PERSISTENCE ACTIVITIES ...
[][]Added or modified files (like trojan or malware App)
[Modified directories for persistence (birth date)]
stat -q -f '%SB %N' '/System/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Users/amalard/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/private/var/db/launchd.db/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Spotlight/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Internet Plug-Ins/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
[Files for persistence (modif date)]
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginitems.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/etc/rc.common'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginwindow.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'


[]NETWORK ACTIVITIES ...
[][]Ethernet/WiFI connections (activation of 'enX' interface)
[Activation of enX]
zegrep 'network changed' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[Link Down and Up]
zegrep 'Link up|Link down' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-

[][]WiFI access points (last connection dates) / warning to the time zone
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'| grep 'LastConnected' -A 9 | grep -A 9 2016-10-24


 WIFI 

 My WiFI Scripts

 WiFI tricks

How to display available WiFI networks:
$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s

                 FreeWifi_secure 16:10:18:47:f2:4d -83  5       Y  -- WPA(802.1x/AES/AES) 
                    Livebox-eaXX 00:1d:6a:45:06:eb -79  6       Y  FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                  Freebox-4862XX f4:ca:e5:e1:ec:ac -88  8       Y  -- WPA(PSK/AES/AES) 
                        FreeWifi 22:48:94:aa:8d:e2 -84  11      Y  -- NONE
                        FreeWifi f4:ca:e5:8b:46:91 -85  11      Y  -- NONE
           Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85  60,+1   Y  FR WPA2(PSK/AES/AES) 
           Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66  11      Y  FR WPA2(PSK/AES/AES) 
                        FreeWifi f4:ca:e5:e1:ec:ad -86  8       Y  -- NONE
                 FreeWifi_secure 00:24:d4:ca:02:5e -85  7       Y  -- WPA2(802.1x/AES,TKIP/TKIP) 
 2 IBSS networks found:
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        HP01C65B f6:3f:43:f9:3f:92 -85  1       N  EU NONE
                        HP0142F9 02:2d:8d:e6:9f:e0 -65  10      N  EU NONE
How to join WiFI networks (or test pre-shared key) :
$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888" => good pre-shared key (no error message)
$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345" Failed to join network yellowstay => bad pre-shared key (error message)
How to disassociate you of a WiFI network :
$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
WiFI history (last connection, date, SSID, etc.):
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3
...

 MISC 

How to take a screenshot every second and store images (during 30s in this example):
for i in $(seq 1 30);  do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png;done > /dev/null 2&>1