Note: a line of the form "$ xxx" is a command xxx to run; any other line is a file or directory to collect.
SUMMARY
FORENSICS - SYSTEM INFO AND LEAK INFO
PROOF OF CONCEPT
- Pac4Mac > https://github.com/sud0man/pac4mac
SYSTEM INFO
General information
$ system_profiler
Owner (name, address, tel, etc.)
/Users/USERNAME/Library/Preferences/com.apple.AddressBook.plist
/Users/USERNAME/Library/Preferences/AddressBookMe.plist
/Library/Preferences/AddressBookMe.plist
/private/var/db/.AppleSetupDone
Kernel Version and state
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
$ sysctl -A
OS version
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/ServerVersion.plist (if server)
$ uname -an
Timezone
/Library/Preferences/.GlobalPreferences.plist
/etc/localtime
AUTHENTICATION DATA
Usernames and password hashes
/Users/USERNAME
[10.6]/var/db/shadow/hash/
[10.7]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
[10.8]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
Administrators
/var/db/dslocal/nodes/Default/groups/admin.plist
Autologin password (XOR)
/private/etc/kcpassword
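Worked example, added to this page (not the page's own code nor Pac4Mac's): the kcpassword file is the autologin password XORed with a fixed, repeating 11-byte key after NUL-padding it to a multiple of 12 bytes, so anyone who can read the file can reverse it. The key bytes are the well-known loginwindow constant; the sample password is constructed.

```python
"""kcpassword: XOR-obfuscated autologin password (/etc/kcpassword).
Added example; the key is the fixed loginwindow constant, sample data is constructed."""
import sys

# Fixed 11-byte key used by loginwindow for the autologin password file.
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])


def kcpassword_encode(password: str) -> bytes:
    """Produce the bytes loginwindow writes to /etc/kcpassword for `password`."""
    data = bytearray(password.encode("utf-8"))
    # Pad with NULs up to the next multiple of 12; a password whose length is
    # already a multiple of 12 still gets a full 12-byte block of NULs.
    data += b"\x00" * (12 - len(data) % 12)
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)] for i, b in enumerate(data))


def kcpassword_decode(blob: bytes) -> str:
    """Recover the cleartext: XOR with the repeating key and stop at the first NUL.
    The NUL padding XORs back to 0x00, so the terminator is always present."""
    out = bytearray()
    for i, b in enumerate(blob):
        p = b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
        if p == 0:
            break
        out.append(p)
    return out.decode("utf-8", errors="replace")


def read_kcpassword(path: str = "/etc/kcpassword") -> str:
    """Decode a kcpassword file from disk (root-only, mode 0600, on a live system)."""
    with open(path, "rb") as f:
        return kcpassword_decode(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(read_kcpassword(sys.argv[1]))          # e.g. a file copied from the image
    else:
        sample = kcpassword_encode("P@ssword8888")   # constructed sample password
        print(sample.hex(), "->", kcpassword_decode(sample))
```

Run it with the path of a kcpassword file copied from the image, or with no argument to see the round trip on the constructed sample. Decoding stops at the first NUL, which is where the padding starts, so a file longer than one 12-byte block decodes the same way.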
Last connected user
/Library/Preferences/com.apple.loginwindow.plist
Last Login Info + Hint master password + autologin user
/Library/Preferences/com.apple.loginwindow.plist
Deleted Users
/Library/Preferences/com.apple.preferences.accounts.plist
User Keychain (contains a lot of passwords :))
/Users/USERNAME/Library/Keychains/login.keychain
System Keychain
/Library/Keychains/FileVaultMaster.keychain => contains the FileVault recovery key that sits behind the master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
/var/db/SystemKey => contains the key used to decrypt System.keychain
ALL LOGS
/var/log/system.log*
/var/log/windowserver.log*
/var/log/secure.log*
/var/log/kernel.log*
/private/var/log/install.log*
/private/var/log/appfirewall.log*
/var/audit/
/.fseventsd/* => FSEventsParser (tool to parse)
3rd-party application logs
/Users/USERNAME/Library/Logs/
PERSISTENCE
XPC Services
$ find /Applications/ -name XPCServices -exec ls -lsct {} \;
System XPC services
/System/Library/XPCServices/
System launch agents
/System/Library/LaunchAgents/
Library launch agents (all users, then per user)
/Library/LaunchAgents/
/Users/USERNAME/Library/LaunchAgents/
System launch daemons
/System/Library/LaunchDaemons/
Library launch daemons
/Library/LaunchDaemons/
Launched LoginItems > User
/Users/USERNAME/Library/Preferences/com.apple.loginitems.plist
Launched LoginItems > Application
$ find /Applications/ -name LoginItems -exec ls -lsct {} \;
Launched ScriptingAdditions
/System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/
Launchd DB
/private/var/db/launchd.db/
$ find /private/var/db/launchd.db/ -name 'com.apple.launchd.peruser.*' -exec ls -lsct {} \;
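Added triage script for the launchd persistence locations listed above (not the page's or Pac4Mac's code): it parses every job plist, XML or binary, with plistlib and flags the traits an analyst otherwise checks by hand, such as RunAtLoad/KeepAlive, a com.apple.* label outside /System, a program in a hidden or world-writable directory, or a label that does not match the file name. The heuristics, the flag strings and the two sample jobs it writes to a temporary directory are constructed for this example.

```python
"""Triage launchd persistence plists (LaunchAgents / LaunchDaemons).
Added example; heuristics and sample jobs are constructed, not from the page."""
import os
import plistlib
import tempfile

TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def triage_launchd_plist(path: str) -> dict:
    """Summarise one job plist and flag traits that deserve a closer look."""
    with open(path, "rb") as f:
        job = plistlib.load(f)            # handles both XML and binary plists
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    label = job.get("Label", "")
    flags = []
    if job.get("RunAtLoad"):
        flags.append("RunAtLoad")
    if job.get("KeepAlive"):                 # bool or dict, both mean "restart me"
        flags.append("KeepAlive")
    if job.get("StartInterval") or job.get("StartCalendarInterval") or job.get("WatchPaths"):
        flags.append("scheduled/triggered")
    if label and os.path.basename(path) != label + ".plist":
        flags.append("label differs from file name")
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        flags.append("com.apple label outside /System")
    if program:
        if not program.startswith(TRUSTED_PREFIXES):
            flags.append("program outside standard locations")
        if any(part.startswith(".") for part in program.split("/") if part):
            flags.append("hidden path component")
        if program.startswith(WRITABLE_PREFIXES):
            flags.append("program in world-writable directory")
        if not os.path.exists(program):      # relative to the analysis host, see note
            flags.append("program missing on disk")
        if os.path.basename(program) in ("sh", "bash", "zsh", "python", "perl", "osascript") \
                and any(a in ("-c", "-e") for a in args[1:]):
            flags.append("interpreter with inline script")
    return {"file": path, "label": label, "program": program, "args": args,
            "flags": flags, "mtime": os.stat(path).st_mtime}


def triage_dirs(dirs) -> list:
    """Triage every *.plist in the given directories; unparseable files are reported, not skipped."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                results.append(triage_launchd_plist(path))
            except (plistlib.InvalidFileException, ValueError, OSError) as e:
                results.append({"file": path, "label": None, "program": None, "args": [],
                                "flags": [f"unparseable plist: {e}"], "mtime": None})
    return results


def make_sample_dir() -> str:
    """Constructed sample: one ordinary vendor agent and one suspicious one."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
              "StartInterval": 3600}
    bad = {"Label": "com.apple.softwareupdatehelper",
           "ProgramArguments": ["/Users/Shared/.cache/helper", "-l"],
           "RunAtLoad": True, "KeepAlive": True}
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as f:
        plistlib.dump(benign, f)
    with open(os.path.join(d, "com.apple.softwareupdatehelper.plist"), "wb") as f:
        plistlib.dump(bad, f, fmt=plistlib.FMT_BINARY)   # binary plist, as malware often ships
    return d


if __name__ == "__main__":
    import sys
    for r in triage_dirs(sys.argv[1:] or [make_sample_dir()]):
        print(f"{r['file']}\n  label={r['label']} program={r['program']}\n  flags={r['flags'] or 'none'}")
```

Point it at the LaunchAgents/LaunchDaemons directories of a mounted image (prefixed with the mount point). The "program missing on disk" check looks at the analysis host, not the evidence volume, so read that flag accordingly in a dead-disk analysis.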
Loaded drivers (kernel extensions)
$ kextstat
All Extensions
/System/Library/Extensions/
Extra Extensions
/Extra/Extensions/
Crontab
$ crontab -u root -l
$ crontab -u USERNAME -l
/usr/lib/cron/tabs/ (on-disk crontab files, usable on a mounted image)
Kernel Cache installed Extensions
/System/Library/Extensions/Extensions.kexstat/
/System/Library/Extensions/Extensions.mkext
Rc.common
/etc/rc.common
Login hook
/Users/USERNAME/Library/Preferences/com.apple.loginwindow.plist
Startup Items
/System/Library/StartupItems/
/Library/StartupItems/
Launchd.conf
/etc/launchd.conf
Re-open applications at next login (state saved at shutdown/logout)
/Users/USERNAME/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist (the hardware UUID sits between the two dots)
Spotlight importers
/Library/Spotlight/
Plugins and browser extensions
/Library/Security/SecurityAgentPlugins/
/Library/Internet\ Plug-Ins/
/Users/USERNAME/Library/Safari/Extensions/Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/External Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/Default/Extensions/
/Users/USERNAME/Library/Application Support/Mozilla/Extensions/
APPLICATIONS
Installation History
/Library/Receipts/InstallHistory.plist
Uninstallation History
$ sudo egrep -Ri 'uninstalld|removing Application' /var/log/*
Sample output:
/var/log/commerce.log:Nov 26 15:42:35 amalard-3.mrc.cossi.internet storeassetd[413]: SoftwareMapSpotlightSource: removing Application : (com.tastycocoabytes.CocoaPacketAnalyzer.mas, 1.31, 418357707:660823895 VPP:NO source:Spotlight /Applications/CocoaPacketAnalyzer.app)
/var/log/system.log:Nov 26 15:42:30 amalard-3.mrc.cossi.internet uninstalld[2105]: Could not get Info.plist for /Applications/CocoaPacketAnalyzer.app
Updates History
/Library/Preferences/com.apple.SoftwareUpdate.plist
Metadata of all installed pkg (.bom and .plist)
/var/db/receipts/
Last launched applications (cache directories sorted by modification time)
$ ls -lshtr /Library/Caches
$ ls -lshtr /Users/USERNAME/Library/Caches
All installed applications and file associations
# All .app bundles, mounted volumes containing .app bundles, and the file associations recorded by LaunchServices
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 5 "^volume"
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 40 --before-context 1 "^bundle"
Sandboxed Applications
/Users/USERNAME/Library/Containers/
Application crash reports and logs
/Users/USERNAME/Library/Application Support/CrashReporter/
/Users/USERNAME/Library/Logs/
/var/log/install.log
Environment Variables
/Users/USERNAME/.MacOSX/environment.plist
/etc/launchd.conf
/Users/USERNAME/Library/LaunchAgents/
Execution artefacts : com.apple.sharedfilelist : ApplicationRecentDocuments
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/BUNDLEID.sfl
Execution artefacts : com.apple.sharedfilelist : RecentApplications
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl
USER ARTEFACTS
Recent searches, Trash setting, view settings, recent folders
/Users/USERNAME/Library/Preferences/com.apple.finder.plist
Applications in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Folders and network shares in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Desktop picture
/Users/USERNAME/Library/Preferences/com.apple.desktop.plist
Recent documents, applications, and network connections
/Users/USERNAME/Library/Preferences/com.apple.recentitems.plist
Preview files cache plist
/Users/USERNAME/Library/Preferences/com.apple.Preview.LSSharedFileList
Preview files cache sqlite
/private/var/folders/xx/wxyxyxyxyxy/X/com.apple.QuickLook.thumbnailcache/index.sqlite
Recent files : com.apple.sharedfilelist : RecentDocument
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl
USER SYSTEM HISTORY
Console search history
/Users/USERNAME/Library/Preferences/com.apple.Console.plist
SQLite History
/Users/USERNAME/.sqlite_history
BASH History
/Users/USERNAME/.bash_history
/Users/USERNAME/.bash_sessions/*
SH History
/Users/USERNAME/.sh_history
Last logged users
$ last
Connected media history
/Users/USERNAME/Library/Preferences/com.apple.sidebarlists.plist
EVERYDAY TOOLS (address book, calendar, mail, notes, printing)
Address Book
/Users/USERNAME/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
Calendar (through Spotlight)
/Users/USERNAME/Library/Calendars/Calendar\ Cache
User emails, only text (through Spotlight)
/Users/USERNAME/Library/Mail/V2/MailData/Envelope\ Index
User emails, full (through mBox files)
/Users/USERNAME/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Office documents recovered by the AutoRecovery service
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
Recently printed documents
/var/spool/cups/
See: http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html
Text notes (Stickies widget, Stickies database, Notes app)
/Users/USERNAME/Library/Preferences/widget-com.apple.widget.stickies.plist
/Users/USERNAME/Library/StickiesDatabase
/Users/USERNAME/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata-wal
Evernote text notes
/Users/USERNAME/Library/Application Support/Evernote/accounts/Evernote/xxxxxxxx/content/
CHAT
Skype messages history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Skype/xxxxxxxx/main.db
Messages history (successor of iChat; stores conversations)
/Users/USERNAME/Library/Messages/
iChat history (stores conversations)
/Users/USERNAME/Documents/iChats/
Adium history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/
iDEVICES
iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28
iDevice Calendar (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
iDevice Call history (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
iDevice Address Book (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442
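Added example (not from the page or Pac4Mac) showing where the opaque file names above come from: iTunes stores each backed-up file under the SHA-1 of "<Domain>-<path relative to that domain root>", so a candidate list of domain/path pairs can be hashed to recognise the interesting files even without a Manifest. The candidate list below is constructed for the example; the sms.db and AddressBook names on this page are what it yields for HomeDomain-Library/SMS/sms.db and HomeDomain-Library/AddressBook/AddressBook.sqlitedb.

```python
"""Resolve the hashed file names of an iTunes/MobileSync backup.
Added example; the artefact list is a constructed set of well-known domain/path pairs."""
import hashlib
import os
import tempfile


def backup_file_id(domain: str, relative_path: str) -> str:
    """iTunes names each backed-up file SHA-1("<Domain>-<path relative to the domain root>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


# Domain/path pairs worth looking for (constructed candidate list for the example).
KNOWN_ARTEFACTS = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    ("HomeDomain", "Library/Notes/notes.sqlite"),
    ("HomeDomain", "Library/Safari/History.plist"),
    ("HomeDomain", "Library/Safari/Bookmarks.db"),
    ("WirelessDomain", "Library/CallHistory/call_history.db"),
    ("CameraRollDomain", "Media/PhotoData/Photos.sqlite"),
    ("KeychainDomain", "keychain-backup.plist"),
]

# Reverse map: hashed name -> (domain, path), computed once.
ID_TO_ARTEFACT = {backup_file_id(d, p): (d, p) for d, p in KNOWN_ARTEFACTS}


def identify(file_id: str):
    """Return (domain, path) for a hashed backup file name, or None if not a known artefact."""
    return ID_TO_ARTEFACT.get(file_id.lower())


def identify_backup_dir(backup_dir: str) -> list:
    """Walk a backup (flat layout, or iOS 10+ two-hex-char sub-directories) and
    return [(full path, domain, relative path)] for every recognised file."""
    found = []
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            hit = identify(name)
            if hit:
                found.append((os.path.join(root, name), hit[0], hit[1]))
    return sorted(found)


def make_sample_backup() -> str:
    """Constructed sample tree in the iOS 10+ layout (<first two hex chars>/<hash>), empty files."""
    d = tempfile.mkdtemp(prefix="mobilesync-")
    for domain, rel in KNOWN_ARTEFACTS[:3]:
        fid = backup_file_id(domain, rel)
        sub = os.path.join(d, fid[:2])
        os.makedirs(sub, exist_ok=True)
        open(os.path.join(sub, fid), "wb").close()
    open(os.path.join(d, "Manifest.db"), "wb").close()   # not a hashed name, ignored by identify()
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_backup()
    for path, domain, rel in identify_backup_dir(target):
        print(f"{path}  =>  {domain}-{rel}")
```

Backups from iOS 10 onward put each file in a sub-directory named after the first two hex characters of its hash and ship a Manifest.db (sqlite, table Files with fileID, domain and relativePath), which gives the mapping directly; older backups carry Manifest.mbdb. The leaf names are the same in both layouts, so the os.walk-based lookup works for either.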
WEB BROWSING
Safari Browsing
[HISTORY]/Users/USERNAME/Library/Safari/History.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.binarycookies
[DOWNLOADS]/Users/USERNAME/Library/Safari/Downloads.plist
Safari webpage previews (stored screenshots of visited pages):
/Users/USERNAME/Library/Caches/com.apple.Safari/Webpage Previews/
Firefox Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite
Chrome Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
Opera Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY]/Users/USERNAME/Library/Opera/global_history.dat
[COOKIES]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES]/Users/USERNAME/Library/Opera/cookies4.dat
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS]/Users/USERNAME/Library/Opera/download.dat
QuarantineEvents database (records quarantined downloads: browsers, Mail, iChat file transfers, etc.)
/Users/USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*
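Added example (not the page's or Pac4Mac's code) for reading the QuarantineEventsV2 database: it opens the sqlite file read-only, converts the Cocoa timestamps (seconds since 2001-01-01 00:00:00 UTC, the base also used by sfl files and other Apple artefacts) and filters on a time window in the spirit of the 'Oct 24 09:' greps used later on this page. The table layout follows LSQuarantineEvent for the columns used here; the sample rows are constructed.

```python
"""Read LaunchServices quarantine events and convert their Cocoa timestamps.
Added example; column names follow the real LSQuarantineEvent table, rows are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Cocoa/Core Data timestamps count seconds since 2001-01-01 00:00:00 UTC, not the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(ts: float) -> datetime:
    return COCOA_EPOCH + timedelta(seconds=ts)


def utc_to_cocoa(dt: datetime) -> float:
    return (dt - COCOA_EPOCH).total_seconds()


def open_quarantine_db(path: str) -> sqlite3.Connection:
    """Open read-only so the evidence file never gets a journal or WAL written next to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def quarantine_events(conn: sqlite3.Connection, start: datetime = None, end: datetime = None):
    """Return [(utc datetime, agent, data URL, origin URL)] ordered by time,
    optionally restricted to [start, end) given as tz-aware datetimes."""
    sql = ("SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
           "LSQuarantineDataURLString, LSQuarantineOriginURLString FROM LSQuarantineEvent")
    clauses, params = [], []
    if start is not None:
        clauses.append("LSQuarantineTimeStamp >= ?")
        params.append(utc_to_cocoa(start))
    if end is not None:
        clauses.append("LSQuarantineTimeStamp < ?")
        params.append(utc_to_cocoa(end))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY LSQuarantineTimeStamp"
    return [(cocoa_to_utc(ts), agent, url, origin)
            for ts, agent, url, origin in conn.execute(sql, params)]


def events_in_window(conn: sqlite3.Connection, iso_start: str, iso_end: str):
    """Convenience wrapper taking ISO-8601 UTC bounds, e.g. '2016-10-24T09:00:00'."""
    start = datetime.fromisoformat(iso_start).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(iso_end).replace(tzinfo=timezone.utc)
    return quarantine_events(conn, start, end)


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with the LSQuarantineEvent layout and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
        LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
        LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT,
        LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT,
        LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB)""")
    rows = [  # 498993300 = 2016-10-24 09:15:00 UTC, 498994500 = 09:35:00, 499050000 = next day
        ("11111111-0000-0000-0000-000000000001", 498993300.0, "com.apple.Safari", "Safari",
         "http://example.test/tools/pkt.dmg", None, None, 0, None, "http://example.test/tools/", None),
        ("11111111-0000-0000-0000-000000000002", 498994500.0, "com.apple.mail", "Mail",
         "file:///Users/USERNAME/Downloads/invoice.zip", "Someone", "someone@example.test", 0, None, None, None),
        ("11111111-0000-0000-0000-000000000003", 499050000.0, "com.apple.Safari", "Safari",
         "http://example.test/later.pkg", None, None, 0, None, None, None),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    conn = open_quarantine_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for when, agent, url, origin in events_in_window(conn, "2016-10-24T09:00:00", "2016-10-24T10:00:00"):
        print(when.isoformat(), agent, url, origin or "")
```

Pass the QuarantineEventsV2 file copied from the image as the argument; with no argument it runs against the constructed sample. The same Cocoa conversion applies to the LastConnected dates in com.apple.airport.preferences and to the .sfl recent-item lists.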
DELETED/RECOVERED DATA
Trashes
/Users/USERNAME/.Trash
/.Trashes
Recovery Office Files
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
NETWORK HISTORY
Bluetooth History
/Library/Preferences/com.apple.Bluetooth.plist
Network History
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
WiFi AP history
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | grep -A 3 'LastConnected'
Remote Desktop History
/Library/Preferences/com.apple.RemoteDesktop.plist
NETWORK CONFIGURATION
Firewall
/Library/Preferences/com.apple.alf.plist
Wireless
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
NAT
/Library/Preferences/SystemConfiguration/com.apple.nat.plist
SMB Server
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
Interfaces (10.8)
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Interfaces
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist
/Library/Preferences/SystemConfiguration/preferences.plist
MEMORY
Hibernate file
/private/var/vm/sleepimage
Swap file
/private/var/vm/swapfile0
...
FORENSICS - EVENTS
PROOF OF CONCEPT
- CheckOut4Mac > https://github.com/sud0man/checkout4mac // http://sud0man.blogspot.fr/2016/10/new-version-of-checkout4mac-02.html
[]STARTUP ACTIVITIES ... (every command in this section filters on the investigated time window, 'Oct 24 09:' / 2016-10-24 09:xx in these examples; adapt it to the case)
[][]BOOT dates/hours
zegrep 'BOOT_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep bootlog|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]SHUTDOWN dates/hours
zegrep 'SHUTDOWN_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep shutdown|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]REBOOT dates/hours (reboot => with the button, rebooted => from a terminal)
zegrep 'reboot by|rebooted by' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|sort -u|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep reboot|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]Hibernation dates/hours
zegrep 'hibernate_setup(0) took|PMScheduleWakeEventChooseBest|sleep images' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Hibernation/'|sort -u
[][]Out of hibernation dates/hours
zegrep 'full wake promotion|Previous sleep|Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'|sort -u
zegrep 'Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'Message Wake'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'
[]SESSION ACTIVITIES ...
[][]Attempting to unlock the session right after a boot
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'Login Window login proceeding' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
zegrep 'Login Window login proceeding' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Attempting to unlock session after the boot/'
[][]Failed attempts to unlock the session
Failed authentications through the su or sudo commands also show up here ...
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -v '_securityagent' | grep -i 'failure' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]Session unlocked successfully
Successful authentications through the su or sudo commands also show up here ...
zegrep -A 1 'Establishing credentials' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -i 'success' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]Locked session dates/hours
zegrep 'Application App:"loginwindow"' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Locked Session/'
[][]Attempting to unlock the session (yes: two occurrences with the same timestamp; no: a single occurrence)
WARNING 1 : several occurrences appear when a user account is created
WARNING 2 : one occurrence always appears for each user account just after the boot
zegrep 'AuthenticationAllowed' /var/log/accountpolicy.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[]PHYSICAL CONNECTION ACTIVITIES ...
[][]USB plugged devices
zegrep 'USBMSC' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$9", "$10"(vendor), "$11"(Device) - To identify the plugged device : external_bin/usb.ids or http://www.linux-usb.org/usb.ids"}'|cut -d : -f 2-
[][]File system events(USB, mounting, etc.)
zegrep 'fsevents' /var/log/system.log*|grep -i 'Oct 24 09:'|grep Volumes|cut -d : -f 2-
[][]Firewire connections with another machine or storage media (activation of 'fw' interface)
zegrep 'fw' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'network changed'|cut -d : -f 2-
[]PRIVILEGE ESCALATION ACTIVITIES ...
[][]Opened/Closed TTY terminals
zegrep 'ttys' /var/log/system.log*|grep -i 'Oct 24 09:'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'|cut -d : -f 2-
[][]ROOT commands executed with success
zegrep 'sudo\[' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'USER=root'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'
[][]Attempting to execute commands with SUDO without success
zegrep 'incorrect password attempts' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[][]User, password modification and creation
praudit -l /var/audit/current|egrep 'create user|modify password|delete user' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]System privilege requests (authorization prompts)
zegrep -A 1 'authenticated as user' /var/log/authd.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[]APPLICATIONS ACTIVITIES ...
[][]Executed applications
[Recent App - last modification]
WARNING : file dates can be updated during boot
stat -q -f '%Sm %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Recent App - last access]
WARNING : file dates can be updated during boot
stat -q -f '%Sa %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Caches]
stat -q -f '%Sa %N' '/Users/amalard/Library/Caches/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort
[][]Creation of reporter crash plist
stat -q -f '%SB %N' '/Users/amalard/Library/Application Support/CrashReporter/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort
[][]Application registration in the LaunchServices csstore : lsregister
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | egrep -i 'reg date' -B 25 -A 4 | grep -B 25 -A 4 '10/24/2016 09:' |sed 's/$/ : Recorded App/'
[][]Logging app 3rd party
stat -q -f '%Sm %N' '/Users/amalard/Library/Logs/'*|grep -i 'Oct 24 09:'|grep 2016|sort
[][]Installed applications
[Installation pkg : Install.log]
zegrep -A 1 'Installation' /var/log/install.log|grep -i 'Oct 24 09:'|sed 's/$/ : Installed pkg/'
[Installation pkg : InstallHistory.plist]
cat /Library/Receipts/InstallHistory.plist | grep -A 7 '2016-10-24T09:'|sed 's/$/ : Installed pkg/'
[Installation (or new) pkg : /var/db/receipts]
stat -q -f '%Sm %N' '/var/db/receipts/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed pkg/'|sort
[Creation of Sandbox directory for App]
stat -q -f '%Sm %N' '/Users/amalard/Library/Containers/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed App/'|sort
[]PERSISTENCE ACTIVITIES ...
[][]Added or modified files (e.g. a trojan or malware app)
[Modified directories for persistence (birth date)]
stat -q -f '%SB %N' '/System/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Users/amalard/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/private/var/db/launchd.db/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Spotlight/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Internet Plug-Ins/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
[Files for persistence (modif date)]
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginitems.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/etc/rc.common'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginwindow.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
[]NETWORK ACTIVITIES ...
[][]Ethernet/WiFI connections (activation of 'enX' interface)
[Activation of enX]
zegrep 'network changed' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[Link Down and Up]
zegrep 'Link up|Link down' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[][]WiFi access points (last connection dates) / beware of the time zone
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | grep -A 9 'LastConnected' | grep -A 9 2016-10-24
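Added example for the FORENSICS - EVENTS section above (startup, session, USB and sudo activity); it is not the page's or CheckOut4Mac's code. A small parser turns plain system.log lines into a typed timeline and applies the same 'Oct 24 09:' window filter as the one-liners, so the separate grep/awk pipelines become one pass over the file. The message formats are reproduced from memory and the sample lines are constructed; the USBMSC field positions match the awk columns used above ($9 serial, $10 vendor, $11 product).

```python
"""Build a timeline from macOS system.log lines (boot/shutdown, sudo use and failures,
USB mass-storage plugs, wakes, loginwindow authentication).
Added example; the sample log lines are constructed to mimic the real formats."""
import re

# Classic syslog prefix: "Oct 24 09:02:11 host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sudo's own format: "user : [N incorrect password attempts ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<fails>\d+) incorrect password attempts ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Kernel line the page greps for: "USBMSC Identifier (non-unique): <serial> <vendor> <product> <rev>, ..."
USBMSC_RE = re.compile(
    r"^USBMSC Identifier \(non-unique\): (?P<serial>\S+) (?P<vid>0x[0-9a-fA-F]+) (?P<pid>0x[0-9a-fA-F]+)")


def classify(proc: str, msg: str):
    """Map one (process, message) pair to an (event type, detail) tuple, or None."""
    if proc == "bootlog" and msg.startswith("BOOT_TIME"):
        return ("BOOT", msg)
    if "SHUTDOWN_TIME" in msg:
        return ("SHUTDOWN", msg)
    if proc == "sudo":
        m = SUDO_RE.match(msg)
        if not m:
            return ("SUDO_OTHER", msg.strip())
        if m["fails"]:
            return ("SUDO_FAIL", f"{m['user']} ({m['fails']} bad passwords) on {m['tty']}: {m['cmd']}")
        return ("SUDO_OK", f"{m['user']} as {m['target']} on {m['tty']}: {m['cmd']}")
    if proc == "kernel":
        m = USBMSC_RE.match(msg)
        if m:
            return ("USB_PLUG", f"serial={m['serial']} vendor={m['vid']} product={m['pid']} (look up in usb.ids)")
        if "Wake reason" in msg:
            return ("WAKE", msg)
    if "Login Window login proceeding" in msg:
        return ("LOGINWINDOW_AUTH", msg)
    return None


def build_timeline(lines, window: str = ""):
    """Return [(timestamp, type, detail)] for recognised lines; `window` is a
    timestamp prefix such as 'Oct 24 09:' (the same idea as the page's grep filter)."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m or (window and not m["ts"].startswith(window)):
            continue
        ev = classify(m["proc"], m["msg"])
        if ev:
            events.append((m["ts"], ev[0], ev[1]))
    return events


# Constructed sample: formats mimic system.log, hostnames and identifiers are made up.
SAMPLE_LOG = [
    "Oct 23 18:40:02 mac-01 shutdown[901]: SHUTDOWN_TIME 1477247999 0",
    "Oct 24 09:02:11 mac-01 bootlog[0]: BOOT_TIME 1477299731 0",
    "Oct 24 09:05:40 mac-01 loginwindow[85]: Login Window login proceeding",
    "Oct 24 09:10:33 mac-01 sudo[1234]:     alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls /var/audit",
    "Oct 24 09:11:02 mac-01 sudo[1240]:     alice : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Oct 24 09:20:45 mac-01 kernel[0]: USBMSC Identifier (non-unique): 07BC1D0D6C3F1234 0x781 0x5571 0x100, 2",
    "Oct 24 09:31:07 mac-01 kernel[0]: Wake reason: EC.LidOpen (User)",
    "Oct 24 09:31:08 mac-01 --- last message repeated 1 time ---",
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ts, kind, detail in build_timeline(lines, window="Oct 24 09:"):
        print(f"{ts}  {kind:<16} {detail}")
```

Feed it an uncompressed system.log; the rotated .gz/.bz2 files must be decompressed first (that is what the page's zegrep does for you). syslog timestamps carry no year and are in local time, so keep the machine's year and time zone in mind when merging these events with praudit output or Cocoa-timestamped artefacts.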
WIFI
My WiFI Scripts
WiFI tricks
How to display available WiFI networks:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s
SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
FreeWifi_secure 16:10:18:47:f2:4d -83 5 Y -- WPA(802.1x/AES/AES)
Livebox-eaXX 00:1d:6a:45:06:eb -79 6 Y FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
Freebox-4862XX f4:ca:e5:e1:ec:ac -88 8 Y -- WPA(PSK/AES/AES)
FreeWifi 22:48:94:aa:8d:e2 -84 11 Y -- NONE
FreeWifi f4:ca:e5:8b:46:91 -85 11 Y -- NONE
Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85 60,+1 Y FR WPA2(PSK/AES/AES)
Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66 11 Y FR WPA2(PSK/AES/AES)
FreeWifi f4:ca:e5:e1:ec:ad -86 8 Y -- NONE
FreeWifi_secure 00:24:d4:ca:02:5e -85 7 Y -- WPA2(802.1x/AES,TKIP/TKIP)
2 IBSS networks found:
SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
HP01C65B f6:3f:43:f9:3f:92 -85 1 N EU NONE
HP0142F9 02:2d:8d:e6:9f:e0 -65 10 N EU NONE
How to join WiFI networks (or test pre-shared key) :
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888" => correct pre-shared key (no error message)
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345"
Failed to join network yellowstay => wrong pre-shared key (error message)
How to disassociate from a WiFi network:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
WiFi history (last connection, date, SSID, etc.):
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | grep -A 3 'LastConnected'
...
MISC
How to take a screenshot every second and store images (during 30s in this example):
$ for i in $(seq 1 30); do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png; done > /dev/null 2>&1