warsiop.blogg.se

Mac terminal commands history

In Mac OS X Lion (10.7), Apple introduced a feature called “User Interface (UI) Preservation”, intended to save the state of application windows and restore them upon future launches. Like many features intended to enhance the user experience, UI Preservation can also provide immense forensic value to an investigator. When an adversary takes anti-forensic measures, such as disabling the creation of the standard Terminal history files or deleting them, the scrollback history for Terminal.app can still persist via UI Preservation. This blog discusses the significance of macOS Terminal saved state files and how to reconstruct these files to identify additional adversary activity during interactive sessions.

CrowdStrike AutoMacTC

CrowdStrike has developed a new module for its open-source Mac forensics triage tool, AutoMacTC, which can automatically parse the Terminal saved state files on both live systems and forensic images. You can find the AutoMacTC tool in our public GitHub repo.










