Mobile Forensics

Review Kernel Extensions


Last updated 3 years ago

Kernel extensions (often called kexts) are programs that extend the features of the macOS kernel. As such, they run with the highest privilege, which makes them attractive to malware. KextViewr, a tool developed by Objective-See, lists all loaded kernel extensions.

Launching Kext Viewer

To launch KextViewr, download it first from its official page. Then extract the program from the archive and double-click on it:

Analyzing Results

1. Verify Image Signatures

As with the other tools, KextViewr shows the signature status as an icon next to each extension's name: a green closed lock means the extension is signed by Apple, a black closed lock means it is signed by another company, and an orange open lock means it is not signed.

To view only third-party kernel extensions, uncheck the Show OS Kexts checkbox at the bottom of the KextViewr window.

2. Check Program Names and Paths

As in the previous steps, check each kext's name and path. The name should indicate what the kext is for; a typo or a random-looking string here is suspicious.

For the extension paths, OS kexts should load from /System, while non-OS kexts should load from /Library.

3. Check VirusTotal Scan Results

KextViewr also looks up each file's fingerprint on VirusTotal. To the right of each extension you will see two numbers: first the number of antivirus engines that identified the file as malicious, then the total number of engines that scanned it. A question mark is shown when VirusTotal does not know the file.

Investigate further any extension that at least one antivirus engine identified as malicious, or that VirusTotal does not know.
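As an added illustration (not part of the original guide and not KextViewr code), the following Python applies the three checks above to kext records transcribed from the KextViewr window. The record layout, the sample entries and the "random-looking name" heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Kext:
    name: str                      # bundle identifier as shown by KextViewr
    path: str                      # on-disk path of the extension bundle
    signer: str                    # "apple" (green lock), "third-party" (black lock), "unsigned" (orange lock)
    vt_detections: Optional[int]   # None = VirusTotal does not know the file (question mark)
    vt_total: int = 0              # number of engines that scanned the file


def looks_random(name: str) -> bool:
    """Heuristic for the 'random string' warning: a bundle component with
    no vowels, or one that is just a hex blob, is worth a second look."""
    for part in name.split("."):
        if len(part) >= 6 and not re.search(r"[aeiouy]", part, re.I):
            return True
        if re.fullmatch(r"[0-9a-f]{8,}", part, re.I):
            return True
    return False


def triage(k: Kext) -> List[str]:
    """Return the reasons (if any) this kext should be investigated further."""
    findings = []
    # 1. Signature: unsigned is suspicious; Apple-signed kexts belong under /System,
    #    anything else under /Library.
    if k.signer == "unsigned":
        findings.append("unsigned kernel extension")
    if k.signer == "apple" and not k.path.startswith("/System/"):
        findings.append("Apple-signed kext loaded from outside /System")
    if k.signer != "apple" and not k.path.startswith("/Library/"):
        findings.append("third-party kext loaded from outside /Library")
    # 2. Name should describe the kext's purpose.
    if looks_random(k.name):
        findings.append("name looks like a random string")
    # 3. VirusTotal: any detection, or an unknown file, warrants a closer look.
    if k.vt_detections is None:
        findings.append("not known to VirusTotal")
    elif k.vt_detections >= 1:
        findings.append(f"flagged by {k.vt_detections}/{k.vt_total} engines")
    return findings


# Constructed sample records (not real output from any machine).
SAMPLE = [
    Kext("com.apple.driver.AppleHDA", "/System/Library/Extensions/AppleHDA.kext", "apple", 0, 60),
    Kext("com.example.vpn", "/Library/Extensions/ExampleVPN.kext", "third-party", 0, 60),
    Kext("com.xqzptv.kmod", "/Users/Shared/.cache/xqzptv.kext", "unsigned", None),
]


def report(kexts: List[Kext]) -> dict:
    """Map each kext name to its findings, omitting kexts with nothing to report."""
    return {k.name: triage(k) for k in kexts if triage(k)}
```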

Please note: the same considerations and warnings explained in the previous section apply here too. Make sure to read them before proceeding.