This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
This slide presents a practical methodology on how to carry out forensic on hackers' tools which is most often a malicious program(s) left on the victim's system during or after the attack.
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
This slide presents a practical methodology on how to carry out forensic on hackers' tools which is most often a malicious program(s) left on the victim's system during or after the attack.
Dojo given at ESEI, Uvigo.
The slides include a set of great slides from a presentation made by Elvin Sindrilaru at CERN.
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Hadoop is a well-known framework used for big data processing now-a-days. It implements MapReduce for processing and utilizes distributed file system known as Hadoop Distributed File System (HDFS) to store data. HDFS provides fault tolerant, distributed and scalable storage for big data so that MapReduce can easily perform jobs on this data. Knowledge and understanding of data storage over HDFS is very important for a researcher working on Hadoop for big data storage and processing optimization. The aim of this presentation is to describe the architecture and process flow of HDFS. This presentation highlights prominent features of this file system implemented by Hadoop to execute MapReduce jobs. Moreover the presentation provides the description of process flow for achieving the design objectives of HDFS. Future research directions to explore and improve HDFS performance are also elaborated on.
Big Data Architecture Workshop - Vahid Amiridatastack
Big Data Architecture Workshop
This slide is about big data tools, thecnologies and layers that can be used in enterprise solutions.
TopHPC Conference
2019
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...Docker, Inc.
Docker leverages capabilities in Linux like namespaces and cgroups to enable containers and then builds tooling on top to enable users to build distributed apps. A common question is "What about Docker support for Windows?" In this session the Windows engineering leads will dive deep into the primitives within Windows to enable an awesome Docker experience on Windows. This session will also include a live demo of Docker and Windows Server.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
5. HFS+ and File System
Analysis
• Hierarchical File System features:
6. Nine Structures
1. Boot block
s
2. Volume heade
r
3. Allocation
fi
l
e
4. Extents over
fl
ow
fi
l
e
5. Catalog
fi
l
e
6. Attributes
fi
l
e
7. Startup
fi
l
e
8. Alternate volume heade
r
9. Reserved blocks
7.
8. Nine Structures
1. Boot block
s
• First 1024 bytes of volum
e
• Typically empty on modern system
s
2. Volume Header and Alternate Volume Heade
r
•Located 1024 bytes from the beginning of
the volum
e
•Information about the volume, including the
location of other structures
11. Mac Timestamps
•All in local tim
e
•HFS+ Volum
e
•Create date, modify date, backup date,
checked dat
e
•Fil
e
•Access, modify, inode change, inode birth
time (
fi
le creation)
15. Catalog File
• Details hierarchy of
fi
les and folders in the syste
m
• Each
fi
le and folder has a unique catalog node ID
(CNID)
16. Attributes File
• Optiona
l
• Used for named fork
s
• Additional metadata assigned to a
fi
l
e
• Like Microsoft's Alternate Data Stream
s
• Stores origin of
fi
les from the Internet, and tags
like "Green" and "Important"
20. Spotlight
• Metadata indexing and searching servic
e
• Indexers examine the content of
fi
les to
fi
nd
keyword
s
• Some index entire content, others only import
metadata
21. Spotlight
• Can be used to search a live syste
m
• Not much use for a static acquisitio
n
• Indexes are deleted when a
fi
le is delete
d
• No tools are available to parse the data stored
by the Spotlight indexer once it's extracted
from a drive image
22. Managed Storage
• New in Mac OS X Lion (10.7
)
• Allows apps to continuously save dat
a
• Uses daemon "revisiond
"
• Saves data on volumes under the "hidden"
directory
• /.DocumentRevisions-V100
23. Capturing db Files
• Copy them to another folde
r
• Originals are in use and won't ope
n
• db.sqlite shows
fi
les used with timestamps
28. File System Layout
• Four domains for data classi
fi
catio
n
• Loca
l
• Syste
m
• Networ
k
• User
29. Local Domain
• Applications and con
fi
gurations that are shared
among all users of a syste
m
• Administrative privileges required to modify
data in this domai
n
• These directories are in the local domain:
30. System Domain
• Data installed by Apple, and a few specialized
low-level utilitie
s
• Most useful domain for intrusion investigations
because it contains the system log
s
• Includes all the traditional Unix structures, all of
which require administrative privileges to
modif
y
• /bin, /usr, /dev, /etc, and so on, also /System
31. Network Domain
• Applications and data stored here is shared
among a network of systems and user
s
• In practice, rarely populated with dat
a
• Located under the /Network directory
32. User Domain
• Primary source of data for most other
investigation
s
• Contains user home directories and a shared
director
y
• All user-created content and con
fi
gurations will
be found under /User
s
• High-privilege and Unix-savvy users may break
this model
33. MacPorts Package Manager
• Lets you add BSD packages to your Ma
c
• Very usefu
l
• Requires command-line developer tool
s
• Link Ch 13b
35. /Applications
• Nearly every installed application is her
e
• Application Bundle
s
• Contain everything an application needs to
run
:
• Executable code, graphics, con
fi
guration
fi
les, libraries, helper applications and scripts
37. Inside the Bundle
• Right-click, Show Package Content
s
• Subdirectorie
s
• MacOS, Resources, Library, Frameworks,
PlugIns, SharedSuppor
t
• Developers can put anything in these
directorie
s
• VMware Fusion's Library folder contains
command-line utilities to manage the VMware
hypervisor
39. Package Contents
• Contains additional metadat
a
• Time and date stamps show when the app was
installe
d
• A good place to hide data
40. /Developer
• Used by XCode, Apple's development
environmen
t
• Until recently, all development tools, SDKs,
documentation, and debugging tools were her
e
• Later versions of XCode moved the tool
s
• This directory may still be present on some
systems
41. /Library
• /System/Librar
y
• App settings for the operating syste
m
• /Librar
y
• Settings shared between user
s
• /Users/username/Librar
y
• User-speci
fi
c settings
42. Application Support
• /Library/Application Suppor
t
• /User/username/Library/Application Suppor
t
• Settings, caches, license information, and
anything else desired by the developer
48. Receipts
• /Library/Receipt
s
• /User/username/Library/Receipts
• Files here are updated when an application is
added to the syste
m
• InstallHistory.plist contains information about
every application installed via the OS's
installer or update framework
51. WebServer
• /Library/WebServe
r
• Apache, installed on every copy of Mac OS X,
is started when a user turns on Web sharin
g
• Removed from Preferences in 10.8, but
Apache is still installe
d
• This folder is Apache's Document Root
52. File Types
• Used by nearly every applicatio
n
• Property lists (.plist
)
• Tools: plutil on Mac, "plist Explorer" on
Window
s
• SQLite database
s
• Tools: Firefox Plugin SQLite Manager,
sqlitebrowser
55. Traditional Unix Paths
• Some investigations are based entirely on data
found here, such as log
fi
le
s
• /System directory is structured similarly to the
/Library director
y
• Locations where applications maintain
persistenc
e
• Requires administrator privileges to create or
modify
fi
les
56. Artifacts
• System logs in /var/lo
g
• Databases in /var/d
b
• Records of printed data in the CUPS lo
g
• System sleep imag
e
• Software imported using MacPorts or Fink, or
compiled in place, may be in /opt
60. User and Service
Con
fi
guration
• Apple uses LDAP for enterprise management
and Directory Services for local user
managemen
t
• Directory Services doesn't use the traditional
Unix
fi
les /etc/passwd and /etc/group
s
• Data in SQLite databases and binary-formatted
property lists
61. The Evidence
• Directory Service data is in
/private/var/db/dsloca
l
• Databases (or nodes) for the local system are in
the subdirectory nodes/Defaul
t
• My password hash is on the next slid
e
• More info at links Ch 13c and 13d
64. Mojave
• Now password hashes are inaccessibl
e
• Even to roo
t
• Hashes can still be captured from Recovery
Mode under some circumstance
s
• Link Ch 13g
66. sqlindex
• In /private/var/db/dsloca
l
• Maintains creation and modi
fi
cation time for the
plist
fi
les in the directory structur
e
• And information on the relationships between
the dat
a
• Automatically backed up to /private/var/db/
dslocal-backup.xar (a gzip tar
fi
le)
67. Analysis of sqlindex
• Shows when a share was create
d
• Whether an account existed, and its privilege
level
69. Sharepoints
• Status of the share for
• AFP (Apple Filing Protocol
)
• SMB (Server Message Block
)
• FTP (File Transfer Protocol
)
• Sharepoint names and share pat
h
• When the share was created
70. Trash and Deleted Files
• Files deleted from USB sticks go into a Trash
folder on the stick, labeled by user ID, lik
e
• /Volumes/USBDRIVE/.Trashes/501
71. System Auditing,
Databases, and Logging
• Open Source Basic Security Module (OpenBSM
)
• Powerful auditing syste
m
• Logs
:
• File acces
s
• Network connection
s
• Execution of applications and their
command-line options
72. OpenBSM
• Default con
fi
guration doesn't save detailed
information and is of limited use for I
R
• Con
fi
guration
fi
les in /etc/securit
y
• Primary
fi
le is audit_control
73. OpenBSM
• This con
fi
guration will log everything for all
users, an
d
• Login/logout, administrative events,
processes, and network activity
74. Helper Services
• Run in backgroun
d
• Track events or common dat
a
• Maintain state with SQLite databases or
property lis
t
• Examples:
75. Airportd
• Runs in an application sandbo
x
• Con
fi
gured in /usr/share/sandbox
90. • BOM contains a complete inventory of
fi
le
s
• Plist contains install date, package identi
fi
er,
and path access control lists
Application Installers