macOS forensic capability

In the last 20 years, Apple’s Mac desktops and laptops have seen a significant resurgence across the enterprise network, thanks in part to the halo effect of the iPod and maintained by the ongoing dominance of the iPhone. As Mac computers have grown in popularity, those cyber adversaries responsible for creating ransomware and malware are increasingly likely to consider developing macOS variants.

According to a survey conducted by Spiceworks in 2021, macOS had a market share of around 8% in the enterprise market, while Windows had around 90%. Looking at these numbers only tells part of the story, though. macOS has a far smaller market share than Windows and is, therefore, a less attractive target for attackers. But there are other key factors to consider.

One factor that amplifies the importance of Mac DFIR capability beyond pure market share metrics is that many companies, regions and sectors, like finance and entertainment, still rely heavily on Mac machines. This means that the picture is skewed. If more affluent sectors and regions use Macs, then you’d better believe they’re a target. 

There’s actually a lot of malware in the wild that specifically targets Mac machines. Besides these, many types of cyber threats and attacks do not depend on any specific operating system. Phishing, ransomware and internal threats, such as industrial espionage and data leak incidents, can occur on all operating systems.

Why are there so few macOS DFIR tools on the market?

Macs have historically been strongly marketed with a focus on being more secure than other computer types. The legacy of these extremely popular campaigns has led many users and even system administrators to be far less diligent about securing their Mac systems. However, without the right sort of security protections in place, Macs are just as susceptible to breaches as any other type of device. 

Given macOS’s limited footprint in the enterprise and Windows’ dominance, it’s fair to say that many security vendors have historically provided minimal macOS support. Those that do offer macOS-specific solutions again lack feature and functionality parity with their PC counterparts. But there are also some architectural differences that affect the ability to perform comprehensive digital forensics on a macOS system:

Limited tools: macOS has an aggressive development cycle, typically bringing out a new OS version each year, so the cost of developing and testing for macOS is far higher. Coupled with the smaller installed base, this means many vendors haven’t seen the commercial benefit of developing exhaustive forensic tools for macOS. This lack of options can make it more difficult to effectively analyze and extract evidence from a macOS system.

Encryption: macOS systems use FileVault encryption by default, which can make it more difficult to access the data on the system. Forensic tools may not be able to decrypt the data without the appropriate keys.

APFS file system: macOS uses the APFS (Apple File System) by default, which can be more challenging to analyze compared to traditional file systems such as NTFS, HFS+ or legacy systems like FAT.

Third-party applications: macOS systems often have a wide variety of third-party applications installed, which can make it more difficult to identify relevant evidence and determine the context in which it was created or used.

Limited documentation: There is often less documentation available for macOS forensics compared to other operating systems, which can make it more difficult for forensic analysts to understand how the system works and how to effectively extract evidence from it.

Apple’s resistance to security software: Apple has historically been resistant to supporting third-party security software on its macOS operating system. This is because Apple has always emphasized the built-in security features of its operating system, such as its sandboxing and code signing technologies, as being sufficient to protect users from malware.

Additionally, Apple has a closed ecosystem: it keeps very tight control over the apps available on its platform, and every app has to go through a review process before it is approved into the Mac App Store. This makes it difficult for third-party security software vendors to develop and distribute their software on macOS.

However, in recent years, Apple has begun to open up its ecosystem in the face of several high-profile malware incidents making the news.

Companies need macOS-aware DFIR solutions

Even though macOS security features are generally strong, that does not mean security incidents never happen on macOS devices. Internal threats can involve data theft and data leakage incidents, and attackers and malware can also use zero-day vulnerabilities, or known vulnerabilities on unpatched devices, to compromise macOS systems.

On these occasions, enterprise companies need to conduct incident response and digital forensics activities on those machines. They need to install, configure and manage DFIR solutions to respond to incidents.

Although we have generally been focusing on incidents that have already happened, modern security and DFIR teams are trying to change their approach from being targets to being hunters.

Threat hunting and compromise assessment programs are trending, and it looks like they will become more widespread in the struggle with emerging threats. Enterprise companies that don’t want to miss out on these new approaches also need to install, configure and manage new solutions to run threat hunting and compromise assessment programs.

Binalyze AIR macOS features and benefits

Our goal with Binalyze AIR is to offer a multi-tenanted DFIR solution for enterprises and MSSPs that enables most digital forensics investigations to be concluded in less than 4 hours. To achieve this vision we have focused on providing the broadest possible footprint of compatibility.

In addition to macOS, we also support Windows, Linux, ESXi and ChromeOS. We also cover assets that are on-premises, off-network and in the cloud (Azure/AWS), helping security and DFIR teams respond to incidents and hunt emerging threats with one tool.

With Binalyze AIR, investigators and analysts can perform digital forensics and incident response activities quickly, easily and remotely. They do not need any other macOS-aware DFIR tools, so they avoid the purchase, maintenance and operating expenses of additional tooling.

Investigators and analysts can perform the following macOS-related activities.

  • Collect forensically sound data from on-premises as well as off-network macOS devices

    • Acquire 30+ kinds of forensically sound data

    • Store the collected data on the local macOS device’s storage, on network shares or network services, or on cloud storage services

  • Triage-scan systems with YARA rules

    • Built-in YARA editor

  • Compare two different states of a system to identify suspicious changes, additions and deletions

  • Reboot or shut down remotely

  • Conduct live forensics and remediation activities with a permission-based remote shell built exclusively for DFIR

    • List, filter and kill services and processes

    • List, create, modify and inspect the contents of files and folders

    • Capture full disk images

    • Run all native shell commands

    • Run osquery

  • Perform e-discovery activities
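The state comparison listed above (spotting changes, additions and deletions between two collections of the same system) as an added POSIX shell example; this is illustrative code, not Binalyze’s, and the LaunchAgents directory and plist file names are assumptions built in a temporary directory so the script runs offline on macOS or Linux.

```shell
#!/bin/sh
# Added example: snapshot a directory tree into a path/SHA-256 manifest, then
# diff two manifests into ADDED / DELETED / MODIFIED entries. The persistence
# directory and file names used in demo() are assumptions for illustration.

# Hash one file; macOS ships shasum, most Linux boxes ship sha256sum.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# snapshot ROOT OUTFILE: one "<path relative to ROOT><TAB><sha256>" line per regular file.
snapshot() {
  root=$1 out=$2
  : > "$out"
  find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\t%s\n' "${f#"$root"/}" "$(hash_file "$f")" >> "$out"
  done
}

# compare_states BEFORE_TSV AFTER_TSV: one line per change, sorted for stable output.
compare_states() {
  awk -F'\t' '
    FILENAME == ARGV[1] { before[$1] = $2; next }   # load the earlier state
    !($1 in before)     { print "ADDED    " $1; next }
    before[$1] != $2    { print "MODIFIED " $1 }
                        { delete before[$1] }        # present in both: drop it
    END { for (p in before) print "DELETED  " p }    # left over: only in BEFORE
  ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed before/after trees standing in for two collections of
# ~/Library/LaunchAgents; expect ADDED persist, DELETED legacy, MODIFIED updater.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/before/LaunchAgents" "$tmp/after/LaunchAgents"
  for s in before after; do printf 'same' > "$tmp/$s/LaunchAgents/com.example.keep.plist"; done
  printf 'v1' > "$tmp/before/LaunchAgents/com.example.updater.plist"
  printf 'v2' > "$tmp/after/LaunchAgents/com.example.updater.plist"
  printf 'old' > "$tmp/before/LaunchAgents/com.example.legacy.plist"
  printf 'new' > "$tmp/after/LaunchAgents/com.example.persist.plist"
  snapshot "$tmp/before" "$tmp/before.tsv"
  snapshot "$tmp/after"  "$tmp/after.tsv"
  compare_states "$tmp/before.tsv" "$tmp/after.tsv"
  rm -rf "$tmp"
}

demo
```

Unchanged files (same hash in both manifests) produce no output, so on a real system the report is only the delta between the two collections.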

Our future on Mac

As we move forward in 2023, we’re excited to bring our smart, automated built-in threat analyzer (DRONE) to macOS for assisted compromise assessment that dramatically speeds up the investigation. We’re also going to be offering:

  • Expanded collection of forensically sound data in number and type

  • Third-party application artifacts

  • Application usage statistics

  • Connected device details

  • Docker artifacts

  • Flexible CPU limit

  • Network capture and NetFlow data

To find out more about AIR and how it can help improve your macOS-based DFIR case management, why not sign up for a free 14-day trial? Simply click the link below to start your trial today.