OS X Incident Response: Scripting and Analysis

Jaron Bradley



OS X Incident Response: Scripting and Analysis is written for analysts who are looking to expand their understanding of a lesser-known operating system. By mastering the forensic artifacts of OS X, analysts will set themselves apart by acquiring an up-and-coming skillset.

Digital forensics is a critical art and science. While forensics is commonly thought of as a function of a legal investigation, the same tactics and techniques used for those investigations are also important in a response to an incident. Digital evidence is not only critical in the course of investigating many crimes but businesses are recognizing the importance of having skilled forensic investigators on staff in the case of policy violations.

Perhaps more importantly, though, businesses are seeing enormous impact from malware outbreaks as well as data breaches. The skills of a forensic investigator are critical to determine the source of the attack as well as the impact. While there is a lot of focus on Windows because it is the predominant desktop operating system, there are currently very few resources available for forensic investigators on how to investigate attacks, gather evidence and respond to incidents involving OS X. The number of Macs on enterprise networks is rapidly increasing, especially with the growing prevalence of BYOD, including iPads and iPhones.

Author Jaron Bradley covers a wide variety of topics, including both the collection and analysis of the forensic pieces found on the OS. Instead of using expensive commercial tools that clone the hard drive, you will learn how to write your own Python and bash-based response scripts. These scripts and methodologies can be used to collect and analyze volatile data immediately.

For online source codes, please visit:


  • Focuses exclusively on OS X attacks, incident response, and forensics
  • Provides the technical details of OS X so you can find artifacts that might be missed using automated tools
  • Describes how to write your own Python and bash-based response scripts, which can be used to collect and analyze volatile data immediately
  • Covers OS X incident response in complete technical detail, including file system, system startup and scheduling, password dumping, memory, volatile data, logs, browser history, and exfiltration


《OS X事件回應:腳本和分析》是為了那些希望擴展對一個較不為人知的作業系統的理解的分析師而寫的。通過掌握OS X的法庭證據,分析師將通過獲得一個新興的技能組合使自己與眾不同。


然而,更重要的是,企業也因為惡意軟體爆發和數據洩露而受到巨大的影響。取證調查人員的技能對於確定攻擊來源和影響至關重要。儘管Windows是主要的桌面作業系統,但目前很少有資源可供取證調查人員研究如何調查攻擊、收集證據和應對涉及OS X的事件。企業網絡上的Mac數量正在迅速增加,特別是隨著BYOD的普及,包括iPad和iPhone。

作者Jaron Bradley涵蓋了各種主題,包括收集和分析在OS上找到的取證片段。您將學習如何編寫自己的Python和bash腳本,而不是使用昂貴的商業工具來克隆硬碟。這些腳本和方法可以用於立即收集和分析易失性數據。


- 專注於OS X攻擊、事件回應和取證
- 提供OS X的技術細節,以便您可以找到使用自動化工具可能會被忽略的證據
- 描述如何編寫自己的Python和bash腳本,可用於立即收集和分析易失性數據
- 詳細介紹了OS X事件回應,包括文件系統、系統啟動和排程、密碼轉儲、記憶體、易失性數據、日誌、瀏覽器歷史和外洩。