Note: a line of the form "$ xxx" is a command to run; any other line is a file or directory to collect (dump).
SUMMARY
FORENSICS - SYSTEM INFO AND LEAK INFO
PROOF OF CONCEPT
- Pac4Mac > https://github.com/sud0man/pac4mac
SYSTEM INFO
General information
$ system_profiler
Owner (name, address, tel, etc.)
/Users/USERNAME/Library/Preferences/com.apple.AddressBook.plist
/Users/USERNAME/Library/Preferences/AddressBookMe.plist
/Library/Preferences/AddressBookMe.plist
/private/var/db/.AppleSetupDone
Kernel Version and state
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
$ sysctl -A
OS version
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/ServerVersion.plist (if server)
$ uname -an
Timezone
/Library/Preferences/.GlobalPreferences.plist
/etc/localtime
AUTHENTICATION DATA
Usernames and password hashes
/Users/USERNAME
[10.6]/var/db/shadow/hash/
[10.7]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
[10.8]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
Administrators
/var/db/dslocal/nodes/Default/groups/admin.plist
Autologin password (XOR)
/private/etc/kcpassword
Last connected user
/Library/Preferences/com.apple.loginwindow.plist
Last Login Info + Hint master password + autologin user
/Library/Preferences/com.apple.loginwindow.plist
Deleted Users
/Library/Preferences/com.apple.preferences.accounts.plist
User Keychain (contains a lot of passwords :))
/Users/USERNAME/Library/Keychains/login.keychain
System Keychain
/Library/Keychains/FileVaultMaster.keychain => contains the FileVault Recovery Key to use master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
/var/db/SystemKey => contains the key to decrypt System.keychain
ALL LOGS
/var/log/system.log*
/var/log/windowserver.log*
/var/log/secure.log*
/var/log/kernel.log*
/private/var/log/install.log*
/private/var/log/appfirewall.log*
/var/audit/
/.fseventsd/* => FSEventsParser (tool to parse)
Logs of 3rd-party apps
/Users/USERNAME/Library/Logs/
PERSISTENCE
XPC Services
$ find /Applications/ -name XPCServices -exec ls -lsct {} \;
Launched XPC System
/System/Library/XPCServices/
Launched Agents System
/System/Library/LaunchAgents/
Launched Agents Library
/Library/LaunchAgents/
/Users/USERNAME/Library/LaunchAgents/
Launched Daemons System
/System/Library/LaunchDaemons/
Launched Daemons Library
/Library/LaunchDaemons/
Launched LoginItems > User
/Users/USERNAME/Library/Preferences/com.apple.loginitems.plist
Launched LoginItems > Application
$ find /Applications/ -name LoginItems -exec ls -lsct {} \;
Launched ScriptingAdditions
/System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/
Launchd DB
/private/var/db/launchd.db/
$ find /private/var/db/launchd.db/ -name 'com.apple.launchd.peruser.*' -exec ls -lsct {} \;
Loaded_Drivers
$ kextstat
All Extensions
/System/Library/Extensions/
Extra Extensions
/Extra/Extensions/
Crontab
$ crontab -u root -l ; crontab -u USERNAME -l
Kernel Cache installed Extensions
/System/Library/Extensions/Extensions.kexstat/
/System/Library/Extensions/Extensions.mkext
Rc.common
/etc/rc.common
Login hook
/Users/USERNAME/Library/Preferences/com.apple.loginwindow.plist
Startup Items
/System/Library/StartupItems/
/Library/StartupItems/
Launchd.conf
/etc/launchd.conf
Re-Open Application (when shutdown)
/Users/USERNAME/Library/Preferences/ByHost/com.apple.loginwindow..plist
Spotlight Importation
/Library/Spotlight/
Plugins
/Library/Security/SecurityAgentPlugins/
/Library/Internet\ Plug-Ins/
/Users/USERNAME/Library/Safari/Extensions/Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/External Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/Default/Extensions/
/Users/USERNAME/Library/Application Support/Mozilla/Extensions/
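The launchd folders listed under PERSISTENCE hold one property list per job, and the question for each is the same: what does it run, does it start by itself, and does it look like it belongs where it is. The script below is an added example (not code from this page, Pac4Mac or CheckOut4Mac) that parses LaunchAgent/LaunchDaemon plists with plistlib and flags the usual warning signs: an interpreter fed an inline command, a program outside the standard install locations, a hidden path component, or an Apple-style label in a user or /Library folder. The two embedded plists are constructed samples, and the trusted-root and interpreter lists are assumptions of this example, to be tuned per environment; triage_directory() runs the same check over a real folder such as /Library/LaunchAgents/.

```python
import os
import plistlib

# Two constructed LaunchAgent property lists (sample data, not from a real system).
BENIGN_AGENT = (
    "/Library/LaunchAgents/com.example.updater.plist",
    b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/ExampleUpdater</string>
        <string>--check</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
""",
)

SUSPICIOUS_AGENT = (
    "/Users/jdoe/Library/LaunchAgents/com.apple.softwareupdate.agent.plist",
    b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.softwareupdate.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/jdoe/Library/.cache-data/agent --daemon</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
""",
)

# Heuristic lists are assumptions of this example, not Apple or Pac4Mac rules.
TRUSTED_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                 "/Library/Apple/", "/Library/Application Support/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript"}


def triage_launch_plist(path: str, data: bytes) -> dict:
    """Parse one launchd job plist and return what it runs plus a list of finding codes."""
    plist = plistlib.loads(data)
    label = plist.get("Label")
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = plist.get("Program") or (args[0] if args else None)
    findings = []

    def note(code):
        if code not in findings:
            findings.append(code)

    if not label:
        note("missing-label")
    elif label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        note("apple-label-outside-system")   # Apple-looking label in a user/Library folder
    if program is None:
        note("no-program")
    elif os.path.basename(program) in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        note("interpreter-inline-command")   # interpreter fed an inline command string
    # Check every absolute path mentioned by the job, not only argv[0].
    paths = [t for a in args for t in a.split() if t.startswith("/")]
    if program and program not in paths:
        paths.insert(0, program)
    for p in paths:
        if not p.startswith(TRUSTED_ROOTS):
            note("program-outside-standard-paths")
        if any(seg.startswith(".") for seg in p.split("/") if seg):
            note("hidden-path-component")
    return {
        "file": path,
        "label": label,
        "program": program,
        "autostart": bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive")),
        "findings": findings,
    }


def triage_directory(directory: str) -> list:
    """Run the triage over every .plist in one of the launchd folders listed above."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            full = os.path.join(directory, name)
            with open(full, "rb") as fh:
                results.append(triage_launch_plist(full, fh.read()))
    return results


if __name__ == "__main__":
    for sample in (BENIGN_AGENT, SUSPICIOUS_AGENT):
        print(triage_launch_plist(*sample))
```

Findings are codes rather than verdicts: a legitimate job can trip one of them, so the output is a review list, to be read alongside the file's birth and modification dates collected in the persistence section.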
APPLICATIONS
Installation History
/Library/Receipts/InstallHistory.plist
Uninstallation History
$ sudo egrep --colour=auto -Ri 'uninstalld|removing Application' /var/log/*
sample output:
/var/log/commerce.log:Nov 26 15:42:35 amalard-3.mrc.cossi.internet storeassetd[413]: SoftwareMapSpotlightSource: removing Application : (com.tastycocoabytes.CocoaPacketAnalyzer.mas, 1.31, 418357707:660823895 VPP:NO source:Spotlight /Applications/CocoaPacketAnalyzer.app)
/var/log/system.log:Nov 26 15:42:30 amalard-3.mrc.cossi.internet uninstalld[2105]: Could not get Info.plist for /Applications/CocoaPacketAnalyzer.app
Updates History
/Library/Preferences/com.apple.SoftwareUpdate.plist
Metadata of all installed pkg (.bom and .plist)
/var/db/receipts/
Last launched applications
$ ls -lshtr /Library/Caches
$ ls -lshtr /Users/USERNAME/Library/Caches
All installed applications and file associations
# All .app bundles, mounted volumes (containing .app) and file associations, as recorded by Launch Services
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 5 "^volume"
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 40 --before-context 1 "^bundle"
Sandboxed Applications
/Users/USERNAME/Library/Containers/
Application crash reports and logs
/Users/USERNAME/Library/Application Support/CrashReporter/
/Users/USERNAME/Library/Logs/
/var/log/install.log
Environment Variables
/Users/USERNAME/.MacOSX/environment.plist
/etc/launchd.conf
/Users/USERNAME/Library/LaunchAgents/
Execution artefacts : com.apple.sharedfilelist : ApplicationRecentDocuments
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/BUNDLEID.sfl
Execution artefacts : com.apple.sharedfilelist : RecentApplications
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl
USER ARTEFACTS
Recent searches, Trash setting, view settings, recent folders
/Users/USERNAME/Library/Preferences/com.apple.finder.plist
Applications in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Folders and network shares in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Desktop picture
/Users/USERNAME/Library/Preferences/com.apple.desktop.plist
Recent documents, applications, and network connections
/Users/USERNAME/Library/Preferences/com.apple.recentitems.plist
Preview files cache plist
/Users/USERNAME/Library/Preferences/com.apple.Preview.LSSharedFileList
Preview files cache sqlite
/private/var/folders/xx/wxyxyxyxyxy/X/com.apple.QuickLook.thumbnailcache/index.sqlite
Recent files : com.apple.sharedfilelist : RecentDocument
/Users/USERNAME/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl
USER SYSTEM HISTORY
Console search history
/Users/USERNAME/Library/Preferences/com.apple.Console.plist
SQLite History
/Users/USERNAME/.sqlite_history
BASH History
/Users/USERNAME/.bash_history
/Users/USERNAME/.bash_sessions/*
SH History
/Users/USERNAME/.sh_history
Last logged users
$ last
Connected media history
/Users/USERNAME/Library/Preferences/com.apple.sidebarlists.plist
TOOL EVERYDAY INFO
Address Book
/Users/USERNAME/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
Calendar (through Spotlight)
/Users/USERNAME/Library/Calendars/Calendar\ Cache
User emails, only text (through Spotlight)
/Users/USERNAME/Library/Mail/V2/MailData/Envelope\ Index
User emails, full (through mBox files)
/Users/USERNAME/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Office documents restored by the AutoRecovery service
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
Recent printed documents
/var/spool/cups/
> http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html
Text notes taken with Stickies Widget (Widget available natively)
/Users/USERNAME/Library/Preferences/widget-com.apple.widget.stickies.plist
/Users/USERNAME/Library/StickiesDatabase
/Users/USERNAME/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata-wal
Evernotes text notes
/Users/USERNAME/Library/Application Support/Evernote/accounts/Evernote/xxxxxxxx/content/
CHAT
Skype messages history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Skype/xxxxxxxx/main.db
Message history or new iChat (stores conversations)
/Users/USERNAME/Library/Messages/
iChat history (stores conversations)
/Users/USERNAME/Documents/iChats/
Adium history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/
iDEVICES
iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28
iDevice Calendar (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
iDevice Call history (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442
WEB BROWSING
Safari Browsing
[HISTORY]/Users/USERNAME/Library/Safari/History.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.binarycookies
[DOWNLOADS]/Users/USERNAME/Library/Safari/Downloads.plist
Safari Webpage Preview (stored Screenshot of your navigation):
/Users/USERNAME/Library/Caches/com.apple.Safari/Webpage Previews/
Firefox Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite
Chrome Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
Opera Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY]/Users/USERNAME/Library/Opera/global_history.dat
[COOKIES]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES]/Users/USERNAME/Library/Opera/cookies4.dat
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS]/Users/USERNAME/Library/Opera/download.dat
QuarantineEventsV (can contain browser download history and iChat transfers)
/Users/USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*
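The QuarantineEventsV* file is a SQLite database, and the one thing that regularly trips people up when reading it is the timestamp: LSQuarantineTimeStamp counts seconds from 2001-01-01 UTC (the Cocoa epoch), not from 1970. The example below is added here and is not code from the page or its tools; it builds an in-memory copy of the LSQuarantineEvent table with the column set found in the V2 database (assumed to be the same in other versions), fills it with constructed rows, and lists the events for one UTC day with the timestamps converted. open_quarantine_db() is the function to point at a copied file from an evidence image.

```python
import sqlite3
from datetime import date, datetime, timedelta, timezone

# LSQuarantineTimeStamp is seconds since the Cocoa epoch (2001-01-01 UTC), not the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def from_cocoa(ts):
    return COCOA_EPOCH + timedelta(seconds=ts)


def to_cocoa(dt):
    return (dt - COCOA_EPOCH).total_seconds()


# Column set of LSQuarantineEvent as found in QuarantineEventsV2 (assumed identical elsewhere).
QUARANTINE_SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginTitle TEXT,
    LSQuarantineOriginURLString TEXT,
    LSQuarantineOriginAlias BLOB
)
"""

# Constructed sample rows (identifiers, URLs and addresses are made up for this example).
SAMPLE_ROWS = [
    ("A1B2C3D4-0000-0000-0000-000000000001", datetime(2016, 10, 23, 18, 45, tzinfo=timezone.utc),
     "com.google.Chrome", "Google Chrome", "https://cdn.example.test/tool.zip", None, None, 0,
     "Downloads", "https://www.example.test/tools", None),
    ("A1B2C3D4-0000-0000-0000-000000000002", datetime(2016, 10, 24, 9, 30, tzinfo=timezone.utc),
     "com.apple.Safari", "Safari", "https://downloads.example.test/installer.dmg", None, None, 0,
     "Example Installer", "https://www.example.test/download", None),
    ("A1B2C3D4-0000-0000-0000-000000000003", datetime(2016, 10, 24, 14, 5, tzinfo=timezone.utc),
     "com.apple.mail", "Mail", "file:///Users/jdoe/Library/Mail Downloads/invoice.pdf",
     "Accounting", "billing@example.test", 0, None, None, None),
]


def build_sample_db():
    """In-memory stand-in for a copied QuarantineEventsV* file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(QUARANTINE_SCHEMA)
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                     [(r[0], to_cocoa(r[1])) + r[2:] for r in SAMPLE_ROWS])
    conn.commit()
    return conn


def quarantine_events(conn, day=None):
    """Download/attachment events oldest first; day is an optional 'YYYY-MM-DD' UTC filter."""
    sql = ("SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString, "
           "LSQuarantineOriginURLString, LSQuarantineSenderAddress FROM LSQuarantineEvent")
    params = ()
    if day is not None:
        d = date.fromisoformat(day)
        start = datetime(d.year, d.month, d.day, tzinfo=timezone.utc)
        params = (to_cocoa(start), to_cocoa(start + timedelta(days=1)))
        sql += " WHERE LSQuarantineTimeStamp >= ? AND LSQuarantineTimeStamp < ?"
    sql += " ORDER BY LSQuarantineTimeStamp"
    return [{"time": from_cocoa(ts).isoformat(), "agent": agent, "url": url,
             "origin": origin, "sender": sender}
            for ts, agent, url, origin, sender in conn.execute(sql, params)]


def open_quarantine_db(path):
    """Open a copied QuarantineEventsV* file read-only; never query the live file in place."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for event in quarantine_events(build_sample_db(), day="2016-10-24"):
        print(event)
```

The Mail row shows why LSQuarantineSenderAddress is worth pulling: for attachments the "URL" is a local file path and the sender field is what links the file to a message.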
DELETED/RECOVERED DATA
Trashes
/Users/USERNAME/.Trash
/.Trashes
Recovery Office Files
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
NETWORK HISTORY
Bluetooth History
/Library/Preferences/com.apple.Bluetooth.plist
Network History
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
WiFI AP History
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences|sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3
Remote Desktop History
/Library/Preferences/com.apple.RemoteDesktop.plist
NETWORK CONFIGURATION
Firewall
/Library/Preferences/com.apple.alf.plist
Wireless
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
NAT
/Library/Preferences/SystemConfiguration/com.apple.nat.plist
SMB Server
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
Interfaces (10.8)
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Interfaces
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist
/Library/Preferences/SystemConfiguration/preferences.plist
MEMORY
Hibernate file
/private/var/vm/sleepimage
Swap file
/private/var/vm/swapfile0
...
FORENSICS - EVENTS
PROOF OF CONCEPT
- CheckOut4Mac > https://github.com/sud0man/checkout4mac // http://sud0man.blogspot.fr/2016/10/new-version-of-checkout4mac-02.html
[]STARTUP ACTIVITIES ...
[][]BOOT dates/hours
zegrep 'BOOT_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep bootlog|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]SHUTDOWN dates/hours
zegrep 'SHUTDOWN_TIME' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep shutdown|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]REBOOT dates/hours ('reboot by' => with the button, 'rebooted by' => from the terminal)
zegrep 'reboot by|rebooted by' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3,$6}'|sort -u|cut -d : -f 2-
syslog -T UTC -f /var/log/asl/BB.* |grep reboot|awk '{print$1" "$2" "$6" "$4}'| sed 's/Z//g'
[][]Hibernation dates/hours
zegrep 'hibernate_setup(0) took|PMScheduleWakeEventChooseBest|sleep images' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Hibernation/'|sort -u
[][]Out of hibernation dates/hours
zegrep 'full wake promotion|Previous sleep|Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'|sort -u
zegrep 'Wake reason' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-| sed 's/$/ : Out of hibernation/'
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'Message Wake'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'
[]SESSION ACTIVITIES ...
[][]Attempting to unlock session next to a boot
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'Login Window login proceeding' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
zegrep 'Login Window login proceeding' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Attempting to unlock session after the boot/'
[][]Attempting to unlock session without success
Failed authentications through the su or sudo commands are also logged here ...
zegrep -B 9 'The authtok is incorrect.' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -v '_securityagent' | grep -i 'failure' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]Unlocked session with success
Authentications through the su or sudo commands are also logged here ...
zegrep -A 1 'Establishing credentials' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
praudit -l /var/audit/current|egrep 'user authentication'|grep -i 'success' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]Locked session dates/hours
zegrep 'Application App:"loginwindow"' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3}' |cut -d : -f 2-|sort -u| sed 's/$/ : Locked Session/'
[][]Attempting to unlock session (Yes: two occurrences with the same time, No: just one occurrence)
WARNING 1: there are several occurrences when a user account is created
WARNING 2: there is always one occurrence for each user account just after the boot
zegrep 'AuthenticationAllowed' /var/log/accountpolicy.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[]PHYSICAL CONNECTION ACTIVITIES ...
[][]USB plugged devices
zegrep 'USBMSC' /var/log/system.log*|grep -i 'Oct 24 09:'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$9", "$10"(vendor), "$11"(Device) - To identify the plugged device : external_bin/usb.ids or http://www.linux-usb.org/usb.ids"}'|cut -d : -f 2-
[][]File system events(USB, mounting, etc.)
zegrep 'fsevents' /var/log/system.log*|grep -i 'Oct 24 09:'|grep Volumes|cut -d : -f 2-
[][]Firewire connections with another machine or storage media (activation of 'fw' interface)
zegrep 'fw' /var/log/system.log*|grep -i 'Oct 24 09:'| grep 'network changed'|cut -d : -f 2-
[]ESCALATION PRIVILEGES ACTIVITIES ...
[][]Opened/Closed TTY terminals
zegrep 'ttys' /var/log/system.log*|grep -i 'Oct 24 09:'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'|cut -d : -f 2-
[][]ROOT commands executed with success
zegrep 'sudo\[' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
syslog -T UTC -F raw -f /var/log/asl/2016.10.24.*|grep 'USER=root'|grep -i 'Oct 24 09:'|cut -d ] -f 2|sed -e 's/\ \[Time//g'
[][]Attempting to execute commands with SUDO without success
zegrep 'incorrect password attempts' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[][]User, password modification and creation
praudit -l /var/audit/current|egrep 'create user|modify password|delete user' |grep -i 'Oct 24 09:' | awk -F, '{print $6"; ACTION: "$4"; FROM:"$10"; INFO:"$19"; RES:"$21}' | cut -d " " -f 2-
[][]System privilege requests (authd)
zegrep -A 1 'authenticated as user' /var/log/authd.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
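The one-liners under STARTUP, PHYSICAL CONNECTION and ESCALATION PRIVILEGES all do the same thing: pull lines from system.log, keep the ones in a time window, and label them. The following is an added example (not code from the page or from CheckOut4Mac) that folds those greps into one pass over the log and produces a single timeline: boot/shutdown/reboot markers, TTY open/close, successful root commands, failed sudo attempts and USB mass-storage plugs, with the same fields the page's awk expressions pick out. The log lines are constructed samples in the usual system.log layout; the hostname, user, serial and timestamps are made up, and the window prefix defaults to the page's own 'Oct 24 09:' filter.

```python
import re
from collections import Counter

# Constructed system.log lines ("Mon DD HH:MM:SS host process[pid]: message"); all values are made up.
SAMPLE_SYSTEM_LOG = """\
Oct 24 09:01:12 demo-mac bootlog[0]: BOOT_TIME 1477299672 0
Oct 24 09:02:40 demo-mac login[350]: USER_PROCESS: 350 ttys000
Oct 24 09:03:05 demo-mac sudo[412]:     jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/bin/crontab -l
Oct 24 09:05:51 demo-mac sudo[430]:     jdoe : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/ls /var/db
Oct 24 09:10:22 demo-mac kernel[0]: USBMSC Identifier (non-unique): 4C530001234567890123 0x781 0x5583 0x100, 2
Oct 24 09:15:00 demo-mac login[350]: DEAD_PROCESS: 350 ttys000
Oct 24 09:20:31 demo-mac reboot[600]: rebooted by jdoe
Oct 24 11:00:00 demo-mac sudo[900]:     jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/ls
Oct 24 11:05:00 demo-mac shutdown[950]: SHUTDOWN_TIME: 1477307100 0
"""

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")

# First matching rule wins, so the sudo failure pattern must come before the generic root-command one.
RULES = [
    ("boot", re.compile(r"\bBOOT_TIME\b")),
    ("shutdown", re.compile(r"\bSHUTDOWN_TIME\b")),
    ("reboot", re.compile(r"\breboot(?:ed)? by\b")),
    ("sudo_failure", re.compile(r"incorrect password attempts")),
    ("sudo_root_command", re.compile(r"USER=root ; COMMAND=")),
    ("tty_opened", re.compile(r"\bUSER_PROCESS\b")),
    ("tty_closed", re.compile(r"\bDEAD_PROCESS\b")),
    ("usb_mass_storage", re.compile(r"\bUSBMSC\b")),
]


def _detail(kind, msg):
    """Extract the same fields the page's awk one-liners print for each event type."""
    if kind in ("sudo_root_command", "sudo_failure"):
        user = re.match(r"\s*(\S+) :", msg)
        cmd = re.search(r"COMMAND=(.*)$", msg)
        return f"{user.group(1) if user else '?'} -> {cmd.group(1) if cmd else '?'}"
    if kind in ("tty_opened", "tty_closed"):
        m = re.search(r"(ttys\d+)", msg)
        return m.group(1) if m else msg
    if kind == "usb_mass_storage":
        # awk fields $9 (identifier), $10 (vendor id), $11 (product id) from the page's command
        m = re.search(r"USBMSC Identifier \(non-unique\): (\S+) (0x[0-9a-fA-F]+) (0x[0-9a-fA-F]+)", msg)
        return f"serial={m.group(1)} vendor={m.group(2)} product={m.group(3)}" if m else msg
    return msg


def build_timeline(lines, window_prefix="Oct 24 09:"):
    """Classify every line whose timestamp starts with window_prefix; unmatched lines are dropped."""
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m or not m.group("ts").startswith(window_prefix):
            continue
        for kind, pattern in RULES:
            if pattern.search(m.group("msg")):
                events.append({"time": m.group("ts"), "kind": kind, "process": m.group("proc"),
                               "pid": int(m.group("pid")), "detail": _detail(kind, m.group("msg"))})
                break
    return events


def summarize(events):
    """Count events per kind, a quick first view before reading the timeline line by line."""
    return dict(Counter(e["kind"] for e in events))


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_SYSTEM_LOG.splitlines())
    for e in timeline:
        print(f"{e['time']}  {e['kind']:<18} {e['process']}[{e['pid']}]  {e['detail']}")
    print(summarize(timeline))
```

system.log carries no year, which is why the page's stat-based checks add a separate `grep 2016`; when rotated system.log.N.gz files span a year boundary, feed each file through build_timeline() separately and attach the year from the file's own modification time.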
[]APPLICATIONS ACTIVITIES ...
[][]Executed applications
[Recent App - last modif]
WARNING: file dates can be updated during the boot
stat -q -f '%Sm %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Recent App - last access]
WARNING: file dates can be updated during the boot
stat -q -f '%Sa %N' '/Users/amalard/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/'*|grep -i 'Oct 24 09:'|grep 2016| awk -F"/" '{print $1 $NF}'|sed 's/$/ : Executed App/'|sort
[Caches]
stat -q -f '%Sa %N' '/Users/amalard/Library/Caches/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort
[][]Creation of reporter crash plist
stat -q -f '%SB %N' '/Users/amalard/Library/Application Support/CrashReporter/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Executed App/'|sort
[][]App registration in the Launch Services csstore: lsregister
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | egrep -i 'reg date' -B 25 -A 4 | grep -B 25 -A 4 '10/24/2016 09:' |sed 's/$/ : Recorded App/'
[][]3rd-party app logs
stat -q -f '%Sm %N' '/Users/amalard/Library/Logs/'*|grep -i 'Oct 24 09:'|grep 2016|sort
[][]Installed applications
[Installation pkg : Install.log]
zegrep -A 1 'Installation' /var/log/install.log|grep -i 'Oct 24 09:'|sed 's/$/ : Installed pkg/'
[Installation pkg : InstallHistory.plist]
cat /Library/Receipts/InstallHistory.plist | grep -A 7 '2016-10-24T09:'|sed 's/$/ : Installed pkg/'
[Installation (or new) pkg : /var/db/receipts]
stat -q -f '%Sm %N' '/var/db/receipts/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed pkg/'|sort
[Creation of Sandbox directory for App]
stat -q -f '%Sm %N' '/Users/amalard/Library/Containers/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Installed App/'|sort
[]PERSISTENCE ACTIVITIES ...
[][]Added or modified files (e.g. a trojan or other malicious app)
[Modified directories for persistence (birth date)]
stat -q -f '%SB %N' '/System/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Users/amalard/Library/LaunchAgents/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/LaunchDaemons/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/private/var/db/launchd.db/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Extensions/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/System/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/StartupItems/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Spotlight/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
stat -q -f '%SB %N' '/Library/Internet Plug-Ins/'*|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : Directory modification/'
[Files for persistence (modif date)]
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginitems.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/etc/rc.common'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
stat -q -f '%Sm %N' '/Users/amalard/Library/Preferences/com.apple.loginwindow.plist'|grep -i 'Oct 24 09:'|grep 2016|sed 's/$/ : File creation or modification/'
[]NETWORK ACTIVITIES ...
[][]Ethernet/WiFI connections (activation of 'enX' interface)
[Activation of enX]
zegrep 'network changed' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[Link Down and Up]
zegrep 'Link up|Link down' /var/log/system.log*|grep -i 'Oct 24 09:'|cut -d : -f 2-
[][]WiFI access points (last connection dates) / mind the time zone
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'| grep 'LastConnected' -A 9 | grep -A 9 2016-10-24
WIFI
My WiFI Scripts
WiFI tricks
How to display available WiFI networks:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s
FreeWifi_secure 16:10:18:47:f2:4d -83 5 Y -- WPA(802.1x/AES/AES)
Livebox-eaXX 00:1d:6a:45:06:eb -79 6 Y FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
Freebox-4862XX f4:ca:e5:e1:ec:ac -88 8 Y -- WPA(PSK/AES/AES)
FreeWifi 22:48:94:aa:8d:e2 -84 11 Y -- NONE
FreeWifi f4:ca:e5:8b:46:91 -85 11 Y -- NONE
Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85 60,+1 Y FR WPA2(PSK/AES/AES)
Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66 11 Y FR WPA2(PSK/AES/AES)
FreeWifi f4:ca:e5:e1:ec:ad -86 8 Y -- NONE
FreeWifi_secure 00:24:d4:ca:02:5e -85 7 Y -- WPA2(802.1x/AES,TKIP/TKIP)
2 IBSS networks found:
SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
HP01C65B f6:3f:43:f9:3f:92 -85 1 N EU NONE
HP0142F9 02:2d:8d:e6:9f:e0 -65 10 N EU NONE
How to join a WiFI network (or test a pre-shared key):
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888"
=> good pre-shared key (no error message)
$ /usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345"
Failed to join network yellowstay
=> bad pre-shared key (error message)
How to disassociate from a WiFI network:
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
WiFI history (last connection, date, SSID, etc.):
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3
...
MISC
How to take a screenshot every second and store the images (for 30 s in this example):
$ for i in $(seq 1 30); do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png; done > /dev/null 2>&1