Tuesday, July 9, 2013

CheckOut4Mac - v0.1

How can you quickly detect recent activity on your Mac OS X system? How can you tell whether someone attempted, or succeeded, to get access to the Mac you left in your hotel room during your dinner or party?

Simply by analysing the system logs and file access dates with bash commands (grep, find, ls, stat, awk, etc.).


For example, to list the emails opened on July 8 between 8:00 and 8:59 am (the mailbox path is the one of my account; adapt it to yours):
find /Users/sudoman/Library/Mail/V2/IMAP-yyyy\@xxxx.domain.fr/INBOX.mbox/ -type f -name '*.emlx' -exec stat -f '%Sa %N' '{}' + | grep -i 'Jul  8 08:' | grep 2013

Or to identify failed attempts to unlock the session on July 8 (the "Got user" line logged just before the "authtok is incorrect" error gives the account name that was tried):
grep -i -B 9 'The authtok is incorrect.' /var/log/system.log | grep -i 'Jul  8' | grep 'Got user' | awk '{print $1,$2,$3,$9,$10}'

You can find many other useful commands of this kind here:
[https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS]

CheckOut4Mac [https://code.google.com/p/checkout4mac], a proof of concept written in Python, runs these commands for you. It was developed to automate the search for malicious activity, starting from the answers to 3 questions:
[1] When did you leave your hotel room? eg: 22/6
[2] At what time did you leave your hotel room? eg: 22
[3] How long did you leave your hotel room? eg: 2
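The following is an added example, not code from the CheckOut4Mac project: it turns the three answers above into a time window and then applies two of the checks described in this post, the failed session-unlock search in system.log and the file access-date search. The log lines, host name, process names and file names are constructed for the demo; the year is taken from the caller because system.log timestamps do not carry one.

```python
"""Added example (not CheckOut4Mac's own code): window from the 3 answers, then
(1) failed unlock attempts in system.log and (2) files accessed in the window."""
import os
import re
import tempfile
from datetime import datetime, timedelta

# system.log prefix: "Jul  8 08:12:34 host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
FAIL_MARKER = "The authtok is incorrect."      # marker the post greps for
USER_RE = re.compile(r"Got user: (\S+)")        # account name logged just before


def absence_window(date_dm, hour, hours_away, year):
    """Answers like '22/6', 22, 2 (day/month, hour, duration) -> [start, end).
    The year is an assumption supplied by the caller (not in the log)."""
    day, month = (int(p) for p in date_dm.split("/"))
    start = datetime(year, month, day, hour)
    return start, start + timedelta(hours=hours_away)


def failed_unlocks(log_lines, start, end, lookback=9):
    """(timestamp, user) for each failed unlock inside the window.
    Mirrors `grep -B 9 'The authtok is incorrect.' | grep 'Got user'`: the user
    is taken from the nearest 'Got user' line among the previous `lookback` lines."""
    hits, parsed = [], []
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        parsed.append(m)
        if not m or FAIL_MARKER not in m["msg"]:
            continue
        ts = datetime.strptime(f"{start.year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        if not (start <= ts < end):
            continue
        user = None
        for prev in reversed(parsed[-lookback - 1:-1]):
            found = USER_RE.search(prev["msg"]) if prev else None
            if found:
                user = found.group(1)
                break
        hits.append((ts, user))
    return hits


def accessed_files(root, start, end, suffix=None):
    """Files under root whose last access time falls in the window.
    Mirrors `find ... -exec stat -f '%Sa %N'`. Caveat: atime may be disabled
    (noatime) or refreshed by backup/indexing tools, so hits are leads, not proof."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if suffix and not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            atime = datetime.fromtimestamp(os.stat(path).st_atime)
            if start <= atime < end:
                hits.append(path)
    return sorted(hits)


# Constructed system.log excerpt (host/process/pid values are made up).
SAMPLE_LOG = [
    "Jul  8 07:55:01 macbook loginwindow[45]: Login Window Application Started",
    "Jul  8 08:12:30 macbook authorizationhost[310]: in pam_sm_authenticate(): Got user: sudoman",
    "Jul  8 08:12:31 macbook authorizationhost[310]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.",
    "Jul  8 08:12:31 macbook authorizationhost[310]: in pam_sm_authenticate(): The authtok is incorrect.",
    "Jul  8 08:15:02 macbook authorizationhost[311]: in pam_sm_authenticate(): Got user: sudoman",
    "Jul  8 08:15:03 macbook authorizationhost[311]: in pam_sm_authenticate(): The authtok is incorrect.",
    "Jul  8 10:30:00 macbook authorizationhost[320]: in pam_sm_authenticate(): Got user: sudoman",
    "Jul  8 10:30:01 macbook authorizationhost[320]: in pam_sm_authenticate(): The authtok is incorrect.",
]


def demo_accessed_files(start, end):
    """Constructed demo: two .emlx files, one read inside the window, one outside."""
    root = tempfile.mkdtemp()
    inside, outside = os.path.join(root, "1.emlx"), os.path.join(root, "2.emlx")
    for path in (inside, outside):
        open(path, "w").close()
    os.utime(inside, (start.timestamp() + 600,) * 2)
    os.utime(outside, ((end + timedelta(days=1)).timestamp(),) * 2)
    return [os.path.basename(p) for p in accessed_files(root, start, end, ".emlx")]


if __name__ == "__main__":
    # Left the room on 8/7 at 8 o'clock for 1 hour (year 2013 assumed).
    start, end = absence_window("8/7", 8, 1, 2013)
    for ts, user in failed_unlocks(SAMPLE_LOG, start, end):
        print(f"failed unlock at {ts} for user {user}")
    print("accessed in window:", demo_accessed_files(start, end))
```

The window is half-open so an event at exactly the return time is not counted twice when you run consecutive windows; the 10:30 attempt in the sample is outside the one-hour window and is therefore ignored, as it would be by the grep filters in the post.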



You can download the readme here: README

CheckOut4Mac checks the following events for a given date and/or hour:

[1]STARTUP ACTIVITIES
  [a]Startup dates
  [b]Stopping dates
  [c]Hibernation dates
  [d]Out of hibernation dates

[2]SESSION ACTIVITIES
  [a]Locked session dates
  [b]Attempt to unlock session without success
  [c]Unlocked session with success

[3]PHYSICAL CONNECTION ACTIVITIES
  [a]USB connections
  [b]USB plugged devices
  [c]File system events
  [d]Firewire connections with another machine or storage media
  [e]Firewire connections to dump RAM (just a supposition)

[4]ESCALATION PRIVILEGES ACTIVITIES
  [a]Opened/Closed TTY terminals
  [b]ROOT commands executed with success
  [c]Attempt to execute commands with SUDO without success
  [d]User, password modification and creation

[5]APPLICATIONS ACTIVITIES
  [a]Opened applications => not always successful (I am looking for another solution)

[6]FILES ACTIVITIES
  [a]Modified files (like autorun App, LaunchAgents or LaunchDaemons)
  [b]Added files (like trojan or malware App)
  [c]Accessed files (like your secret files)
  [d]Accessed Mails (last access dates)

[7]NETWORK ACTIVITIES
  [a] Ethernet/WiFi connections (activation of an 'enX' interface)
  [b] WiFi access points (last connection dates)