Automated forensics & analysis for Mac OS X with OSXCollector

Details
Our speaker for this meetup is Kuba from Yelp. Please see below for details.
Bio:
Kuba Sendor (@jsendor) works on the Yelp security team, where he fights malware and, together with other Yelp engineers, makes sure that the company's internal network, as well as the Yelp website and mobile applications, stay secure. Previously he worked at SAP in the Security and Trust research group, where he participated in initiatives related to access control and privacy in the digital world.
He holds a double MSc degree in Computer Science from AGH University of Science and Technology in Krakow, Poland and Telecom ParisTech/Institut Eurecom in Sophia Antipolis, France.
Details:
OSXCollector (https://github.com/Yelp/osxcollector) is an open source forensic evidence collection and analysis toolkit for Mac OS X. It automates the steps that Yelp's team of responders previously performed manually.
We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific malware alerts. Host-based detectors like antivirus software tell us about known malware infestations or weird new system startup items. Network-based detectors see potential CnC callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “Hey, I think I have like Stuxnet or Conficker or something on my laptop.”
When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root-causing OS X alerts is OSXCollector. It was developed in-house at Yelp to automate digital forensics and incident response, based on our past experience dealing with malware infections and other threats haunting Yelp's corporate network.
We will also stream this event via Hangouts On Air: https://plus.google.com/events/cnpadd1bhdl1r3arkj53oheoqro