Software usage artifacts identification process model on macOS operating systems used in information security incidents investigation

Roman V. Gibilinda, Nataliya S. Knyazeva, Ksenia S. Semenova

Abstract
The article presents a process model for detecting software usage artifacts, intended for use in the investigation of information security incidents on macOS operating systems. The emphasis is on examples of identifying artifacts of malicious software execution. The input data of the proposed model are data arrays containing features related to the fact of program activity: the name of (full path to) the file, the launch time, and the data source that reports the activity. The article briefly describes the structure of these data arrays and shows a process for identifying software by indirect features, based on file accesses and file creations. The proposed model can be extended with additional (new) data arrays and can also serve as the basis for information analysis software that speeds up the information security incident response process.
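The following Python example is added here to illustrate the abstract's idea; it is not code from the article or its authors. It treats each input array as records of (program path, time, source), merges direct launch records with indirect evidence from file create/access events, and attributes a file event to a program when the touched file lies inside a directory that program is known to write. The footprint catalog, the source labels, the program names and all timestamps are constructed sample data, and case-folded path comparison assumes the default case-insensitive APFS volume.

```python
"""Merge direct and indirect software-activity records into one per-program view.

Illustration of the model described in the abstract: every input array carries
(program path, time, source); file create/access events become indirect evidence
when the touched file sits in a directory the program is known to write.
All sample data, source labels and the footprint catalog are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LaunchRecord:
    program: str        # full path of the executable or application bundle
    ts: datetime        # launch time, UTC
    source: str         # artifact family the record was parsed from


@dataclass(frozen=True)
class FileEvent:
    path: str           # file that was created or accessed
    ts: datetime
    op: str             # "create" or "access"
    source: str


@dataclass
class ProgramEvidence:
    program: str
    direct: bool = False                     # at least one launch record exists
    first_seen: Optional[datetime] = None
    evidence: List[Tuple[str, str, datetime]] = field(default_factory=list)


def _norm(p: str) -> str:
    # Assumption: default case-insensitive APFS volume, so compare case-folded
    # paths without a trailing slash.
    return p.rstrip("/").casefold()


def identify_programs(launches, file_events, footprints) -> Dict[str, ProgramEvidence]:
    """footprints: program path -> directories that program is known to write.
    Returns {normalized program path: ProgramEvidence}."""
    result: Dict[str, ProgramEvidence] = {}

    def bucket(program: str) -> ProgramEvidence:
        key = _norm(program)
        if key not in result:
            result[key] = ProgramEvidence(program=program)
        return result[key]

    # Direct features: the data array itself records a launch.
    for rec in launches:
        ev = bucket(rec.program)
        ev.direct = True
        ev.evidence.append((rec.source, "launch", rec.ts))

    # Indirect features: attribute a touched file to the program whose footprint
    # directory contains it; the longest matching prefix wins on overlap.
    prefixes = sorted(
        ((_norm(d) + "/", prog) for prog, dirs in footprints.items() for d in dirs),
        key=lambda x: -len(x[0]),
    )
    for fe in file_events:
        fpath = _norm(fe.path)
        for prefix, prog in prefixes:
            if fpath.startswith(prefix):
                bucket(prog).evidence.append((fe.source, f"file_{fe.op}", fe.ts))
                break

    for ev in result.values():
        ev.evidence.sort(key=lambda e: e[2])
        ev.first_seen = ev.evidence[0][2]
    return result


def summarize(evidence_map) -> List[Tuple[str, bool, str, int]]:
    """(program, has direct launch record, first seen ISO time, evidence count)."""
    return sorted(
        (ev.program, ev.direct, ev.first_seen.isoformat(), len(ev.evidence))
        for ev in evidence_map.values()
    )


def indirect_only(evidence_map) -> List[str]:
    """Programs whose activity is supported only by file create/access events."""
    return sorted(ev.program for ev in evidence_map.values() if not ev.direct)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample input (fictional programs, paths and source labels).
SAMPLE_LAUNCHES = [
    LaunchRecord("/Applications/ExampleNotes.app", _t("2024-05-01T09:00:00"), "exec-log-A"),
    LaunchRecord("/Applications/ExampleNotes.app", _t("2024-05-01T12:30:00"), "exec-log-B"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent("/Users/alice/Library/Application Support/ExampleNotes/notes.db",
              _t("2024-05-01T09:00:05"), "access", "fs-metadata"),
    FileEvent("/Users/alice/Library/Application Support/ExampleUpdater/state.plist",
              _t("2024-05-01T10:15:00"), "create", "fs-metadata"),
    FileEvent("/Users/alice/Library/Application Support/ExampleUpdater/run.log",
              _t("2024-05-01T10:15:01"), "access", "usage-db"),
    FileEvent("/tmp/unrelated.txt", _t("2024-05-01T11:00:00"), "create", "fs-metadata"),
]
SAMPLE_FOOTPRINTS = {
    "/Applications/ExampleNotes.app": ["/Users/alice/Library/Application Support/ExampleNotes"],
    "/Users/alice/Library/ExampleUpdater/updater": ["/Users/alice/Library/Application Support/ExampleUpdater"],
}

if __name__ == "__main__":
    evmap = identify_programs(SAMPLE_LAUNCHES, SAMPLE_FILE_EVENTS, SAMPLE_FOOTPRINTS)
    for row in summarize(evmap):
        print(row)
    print("indirect only:", indirect_only(evmap))
```

In the sample, the updater has no launch record in any array and surfaces only because two file events fall inside its footprint directory; that is the kind of program an analyst would want to review first, and adding a new data array means nothing more than producing further `LaunchRecord` or `FileEvent` items.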

Full Text:

PDF (Russian)


ISSN: 2307-8162