The supposed invulnerability of macOS to cyber threats has turned out to be something of a misconception over the past few years. The emergence of Mac ransomware and the rise of adware targeting this operating system are serious challenges requiring an all-new protection paradigm. Under the circumstances, tools like MacBooster come in handy as they stand sentinel to safeguard Macs against known and uncatalogued malware. Furthermore, said utility ensures smooth Mac performance by freeing up unused disk space and delivering multiple other optimization extras.
It’s no exaggeration to say that reliable security solutions for Mac are rare. There’s a bevy of junk tools whose behavior is actually reminiscent of the malware activity they are supposed to tackle in the first place. As opposed to these pseudo cleaners, the Freshmac application was tailored to bridge the gap between ostensible and genuine security. It detects and easily removes adware and other types of malicious code, also boosting the performance of the Mac computer it’s running on.
Process analysis and network analysis, two important vectors for examining arbitrary code’s activity on Mac OS X, are the subjects Sarah Edwards explicates here. In the context of the former, the expert dwells on DTrace (including execsnoop and newproc.d), fs_usage, procxp and the Activity Monitor. As far as network analysis is concerned, popular tools like CocoaPacketAnalyzer, Wireshark, tcpdump and lsock get scrutinized and demonstrated via real-world examples.
Forensic analyst Sarah Edwards now turns the focus of her presentation to the ins and outs of file analysis on Mac OS X. Within the framework of this nontrivial activity, really verbose tools such as DTrace, fs_usage and fseventer are looked into, with some examples of the returned metadata and other attributes being provided along the way. Generally, this part covers the methods for analyzing arbitrary Mac files and the types of information that can be retrieved as a result of this workflow.
The topics covered by Sarah Edwards in this sub-section of her presentation are related to the various aspects of performing dynamic analysis of Mac applications, including malicious ones. In particular, the following processes are looked into: virtualization - that is, running code in a virtual machine; and application tracing, which is intended to return data on app execution, file system events, etc. Also, the tools applicable for dynamic analysis are listed here and demonstrated in action.
The focus of this part of Sarah Edwards’ presentation is entirely on Mach-O binaries. In particular, the highlighted aspects include properties of these Mac OS X files, characteristics of universal/fat binaries, file signatures and code-signed binaries. Furthermore, binary analysis using commands and tools such as MachOView and Hopper is graphically illustrated to give you a better idea of the capabilities and features provided by these apps.