
Isn’t Windows DFIR enough?
If you work in Digital Forensics and Incident Response (DFIR) or even just read about it on the side, you know Windows DOMINATES the field. Windows is still king when it comes to organizational/business use. Therefore, more Windows systems are being targeted and hacked by these pesky adversaries. So, don’t get it twisted, Windows DFIR is essential to understand if you plan on working in the field.
I do want to make a case for understanding DFIR outside of Windows. Will a majority of the work you do today be centered around Windows? ABSOLUTELY! However, Linux isn’t too far behind when it comes to forensics. Enterprise servers, appliances, web-facing systems and even Internet of Things (IoT) are often Linux based. I can tell you from personal experience, you WILL come across DFIR investigations involving Linux systems. Then we have macOS, it’s growing fast in the business world, and I do think it will become more prevalent in enterprise information technology (IT).

The Achilles Mainframe
If you know the story of Achilles, you know he was a seemingly invincible warrior. In the end, he still had one incapacitating weakness: his heel. Let’s get this out of the way now. macOS devices are not invincible, and they are capable of being hacked. Are they more secure by default? In my opinion, yes. Is macOS less targeted by adversaries than Windows? I would argue, yes. Will macOS be a larger target in the future? I think so.
Adversaries are going to target what is being used. Even if something is more “secure”, if someone has the resources and time, they will find a way in. Vulnerabilities continue to exist and are being discovered quickly, and macOS is no stranger to this. I will give Apple credit: they do a pretty great job patching vulnerabilities quickly and with limited disruption to device usage.
If everyone happens to be using macOS more than Windows, then that is what the adversaries will go after. Keep in mind, not everything has to be a wicked technical hack. Often, a simple phishing email or social engineering attempt will get the job done.
Don’t forget DFIR is not just for businesses and organizations. I have a feeling that law enforcement probably deals with macOS a lot more than us private-sector folks. macOS is becoming more popular for personal devices, especially in the United States. The problem is that personal devices are not often investigated by private-sector organizations, so there are not many chances for work experience. However, I can imagine several public-sector organizations and legal cases are running into more and more macOS.
Advertising is also a contributing factor. If you ask most people familiar with technology, I’m sure many will tell you that macOS is just more secure than Windows. While they are not necessarily wrong, that level of confidence can lead to a lack of additional protections. Someone security-minded will probably take extra steps to “harden” their Windows computers. However, they may not do the same hardening for macOS, thinking “it’s already super secure”.

Getting evidence from macOS sucks!
I’m not going to lie, it really does. Getting evidence from macOS is difficult, and it’s only getting harder as Apple continues to innovate. Fear not though, it’s not impossible; it is just very tedious and particular. I know some people hate macOS in general for its User Interface (UI), lack of customization, and cult-like following. After working with these systems, I can say macOS is incredibly frustrating, but not for any of those reasons. I get frustrated with it because it is such a pain to get good forensic data efficiently. Even when you manage to get solid evidence from macOS, interpreting the data is like putting together a jigsaw puzzle in the dark only to find out you are missing half the pieces. In addition, as soon as you finally solve the puzzle Apple releases an update that changes everything AGAIN and supplies NO DOCUMENTATION!
So, do I hate macOS? No, I do not. In fact, from an engineering perspective it is absolutely incredible how much thought and efficiency are built into the product. It is clear Apple has put thoughtful security and privacy into their design philosophies. It is fantastic for consumers, but frustrating for people who want to look under the hood.

Light at the end of the tunnel
Several researchers put in a tremendous amount of time and effort to understand how it all works under the hood. A major salute to those folks:
- Patrick Wardle – https://objective-see.org/blog.html
- Sarah Edwards – https://www.mac4n6.com/
- Howard Oakley – https://eclecticlight.co/
- Kinga Kieczkowska – https://kieczkowska.wordpress.com/
- Yogesh Khatri – https://www.swiftforensics.com/
I know I am missing other great contributors out there. These folks are the only reason DFIR is possible on these systems. I urge you to look through their blogs because they will help clear up numerous complexities of macOS.
I’ve given you my ramblings and quick thoughts, but I’m not done! Over the next few posts, I’ll talk about some details when it comes to DFIR on macOS. It’s going to be a headache to wrap your head around. It still is for me, but I can promise you will learn something and be better for it.
Terryn Valikodath
Twitter: @CyberCoat
Mastodon: @ChocolateCoat@infosec.exchange
LinkedIn: terrynvalikodath
In addition, as soon as you finally solve the puzzle Apple releases an update that changes everything AGAIN and supplies NO DOCUMENTATION!
How is this different from Windows?