While Apple have made some efforts recently to lock these down, many are still scrapable by processes running with the user’s privileges, but not necessarily their knowledge. Third, a lot of confidential and personal user data is stored away in hidden or obscure databases on macOS. Who has accounts on the device, when have they been accessed, and do those access times correlate with the pattern of behaviour we would expect to see from the authorized users? These are all questions that we would want to be able to answer. Second, ‘user behavior’ isn’t necessarily restricted to the authorized or designated user (or users), but also covers unauthorized users including remote and local attackers. What has the user been using the device for, what have they accessed and who have they communicated with? First, there’s the possibility of either unintentional or malicious insider threats. There’s a few reasons why we might be interested in user behavior. Today, in the second post we’re going to take a look at retrieving data on user activity and behavior. In the previous post in this intro series on macOS Incident Response, we looked at collecting device, file and system data.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |