malware_mac_fs_forensic

Check what malware has done to your mac

Primary language: Python. License: MIT.

Opensnoop scraper

These tools are primarily for forensic analysis of malware behaviour on Macs. I use them on a macOS VM to find out which files have been altered by malware.

Methodology

Have a VM with macOS and a snapshot.

Collect malware behaviour

First you need to start snoop.sh, which will ask for your root password so it can snoop all open syscalls. This script will block your terminal. Once it is running, transfer your malware onto the mac VM and execute it. Play around with it: some malware needs to be poked for a while before it starts its payload. When you have had enough, kill the snoop.sh script with Ctrl+c. It will write its log and save all opened files. Copy the generated log and the after directory to your host.

Collect previous state

After you have run the malware and seen which files it touched, you might be interested in the files' previous state. To get it, reset the VM to its previous snapshot and copy the log file to the VM. Run the carve.sh script and let it collect all the files that the log mentions. Copy those files to your main computer as well.

Compare

Having both the before and the after state, you can use tools such as meld to compare the two directories and see the differences. That way you can see exactly what changes the malware made to your file system.
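As an added illustration of the carve step (example code, not the repository's own snoop.sh or carve.sh): it parses an opensnoop-style log, drops failed opens and duplicates, optionally keeps only one process name, and mirrors the surviving files below a destination directory that meld can then diff against the after directory. The column layout, the meaning of a negative FD and the sample log are assumptions.

```python
import os
import shutil
from collections import namedtuple
OpenRecord = namedtuple("OpenRecord", "uid pid comm fd path")
# Constructed sample in the default opensnoop column layout (UID PID COMM FD PATH);
# a negative FD marks a failed open. Both are assumptions about snoop.sh's log format.
SAMPLE_LOG = """\
  UID    PID COMM          FD PATH
  501   4242 malware        3 /Users/victim/.zshrc
  501   4242 malware       -1 /Users/victim/.ssh/config
  501   4242 malware        4 /Users/victim/Library/LaunchAgents/com.example.plist
    0    123 launchd        5 /etc/hosts
  501   4242 malware        3 /Users/victim/.zshrc
"""

def parse_opensnoop(text):
    """Yield one OpenRecord per data line; skip the header and malformed lines."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == "UID":
            continue
        try:
            uid, pid, fd = int(parts[0]), int(parts[1]), int(parts[3])
        except ValueError:
            continue
        yield OpenRecord(uid, pid, parts[2], fd, parts[4].strip())

def touched_paths(text, comm=None, include_failed=False):
    """Unique paths in first-seen order, optionally limited to one process name."""
    seen = []
    for rec in parse_opensnoop(text):
        if (comm is not None and rec.comm != comm) or (rec.fd < 0 and not include_failed):
            continue
        if rec.path not in seen:
            seen.append(rec.path)
    return seen

def dest_path(dest_root, path):
    return os.path.join(dest_root, path.lstrip("/"))  # /etc/hosts -> <dest_root>/etc/hosts

def carve(text, dest_root, comm=None):
    """Copy each file the log names into dest_root, mirroring its path; absent files are skipped."""
    copied = []
    for path in touched_paths(text, comm):
        if os.path.isfile(path):
            target = dest_path(dest_root, path)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(path, target)  # copy2 keeps mtime, handy for the diff
            copied.append(path)
    return copied
```

Run carve() on the reset VM with the log copied over and a fresh before directory; the returned list tells you which touched files actually existed before infection.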

Alternatives

It is also possible to just make a snapshot before and after and then compare both snapshots. This results in more data handling and might not be suitable for your case.