So it’s good information to know which user - an admin user or a regular user – doing some stuff.Īnother one. We also see the root user doing some stuff here with TextEdit. Down here you can see 501, a normal user. This one actually opens and shows you the process IDs, the User ID that opened the process or started the process. Some of the tools will actually be able to filter out a lot of this.Īnother one – files opened – gives you a slightly different view on things. So, in a normal working system you will see overpopulation from mdworker and Spotlight stuff. Also, there’s, obviously, configuration the ‘mdworker’, ‘mds’ – that’s all related to the metadata service for SpotlightServer. In this example you can see I touched a document called ‘test.txt’. You see the application name we got ‘Finder’, ‘Dock’, ‘touch’ and the path. And again, this is very similar to what we saw before.
You really want to look at what kind of files this thing is opening, creating, touching and working with.
We are going over some Dtrace, fs_usage, and fseventer.ĭtrace script, ‘filebyproc’, opens up files opened by process. Methods and tools for Mac file analysis, including Dtrace, fs_usage and fseventer, are extensively analyzed by Sarah Edwards in this part of the presentation.Ī little bit about file analysis.
Read previous part: Reverse Engineering Mac Malware 3 - Dynamic Analysis
0 kommentar(er)
