This blog post focuses on the Day 2 of JSAC2022, following the previous report on the Day 1.
An Introduction to macOS Forensics with Open Source Software
Speaker: Minoru Kobayashi (Internet Initiative Japan Inc.)
Minoru provided the basic knowledge of macOS forensics, and its analysis methods using mac_apt, followed by hands-on training on macOS forensics.
He mentioned that when it comes to forensics, information is acquired and analysed at the same priority as macOS and other operating systems. He introduced the basic computer forensics procedures as follows:
- Obtain and analyse highly volatile information
- Obtain an artefact file
- Obtain a disk image
- Analyse the artifact file
- Analyse the disk image
In the hands-on session, the participants used the result of the mac_apt analysis, KnockKnock and the dynamic analysis to create timelines and investigate malware behaviour and causes of infection. Using the following files created by mac_apt analysis, it was possible to check the execution history of files, the creation date and time of files, the communication history on Safari, etc.
- mac_apt.db
- UnifiedLogs.db
- APFS_Volumes_<GUID>.db
KnockKnock allows users to verify the signature of the program being launched and to check the VirusTotal detection results. The result of mac_apt analysis combined with such information was used to confirm the file creation date and time and execution results.
The speaker also explained the dynamic analysis of malware on macOS. ProcessMonitor and FileMonitor in a macOS virtual environment can be used to investigate whether malware causes other processes to run or to create persistence files.
Hands-on data is available on the JSAC2020 website below.
https://jsac.jpcert.or.jp/archive/2022/data/JSAC2022_macos_forensic_workshop_without_malware.7z
Following is the URLs for the tools used in this workshop.
mac_apt
https://github.com/ydkhatri/mac_apt
KnockKnock
https://objective-see.com/products/knockknock.html
ProcessMonitor, FileMonitor
https://objective-see.com/products/utilities.html
YARA Pretty Darby: Hunt the Spider like a Champ
Speakers: Shota Nakajima (Cyber Defense Institute Inc.), Hiriaki Hara, Kohei Kawabata (Trend Micro Inc.)
In this workshop, the speakers introduced an overview of Yara rules and know-how on how to create them and then provided a hands-on exercise where the participants created Yara rules.
They explained what a good Yara rule is. It is important that they follow the format, and the detection target should be mentioned in the comments.
They also raised the following 4 points to note when creating Yara rules from malware analysis.
- Find characteristic strings
- Find APIs that causes a characteristic behaviour
- Find malware-specific algorithms and codes that are difficult to be modified
- Use wildcards for addresses and constants that attackers may change
Ghidra's Strings window is useful for finding distinctive strings, and Symbol Tree can be used to find APIs that causes a characteristic behaviour. In addition, they showed how to use the YaraGhidraGUIScript to create a Yara rule for a part selected in Ghidra's Listing View. YaraGhidraGUIScript makes it possible to create Yara rules with algorithms and codes that are difficult to change as well as wildcards.
In the hands-on session, participants created Yara rules using Ghidra, based on the analysis results of SpiderPig Loader and SpiderPig RAT, the malware described in Hiroaki Hara's presentation “Ambiguously Black: The Current State of Earth Hundun's Arsenal” at JSAC2022 Day 1. Using the created Yara rules, the participants checked whether they could detect only SpiderPig Loader and SpiderPig RAT from about 10,000 files registered in the web service for Yara search.
Finally, the presenter introduced the Yara rules they created. The contents of those Yara rules are different when computational load is considered and depending on the priority between the number of false positives and undetected cases.
Following is the URL for the tool used in this workshop.
https://ghidra-sre.org/
On 18 February, JPCERT/CC held “After JSAC2022” to honour the best speaker. Based on the feedback from participants, the CFP review board members selected Minoru Kobayashi (Internet Initiative Japan Inc.). His workshop “An Introduction to macOS Forensics with Open Source Software” was highly valued by the audience for its practicability with an informative content and a high quality material using open source software that can be applied for forensics of macOS in business.
We would like to take this opportunity to thank everyone who joined JSAC2022 and who read this series of reports.
Kengo Teramoto
(Translated by Takumi Nakano and Masa Toyama)
Article Link: JSAC 2022 -Day 2- - JPCERT/CC Eyes | JPCERT Coordination Center official Blog