Mobile Forensics

Review Running Processes


Last updated 1 year ago

A computer infected with spyware should have some malicious processes running at all times, monitoring the system and collecting data to be transmitted to the Command & Control server of the attackers. Therefore, another required step in triaging a suspected macOS computer is to extract the list of running processes and check whether any of them display suspicious characteristics.

The best tool to do so is TaskExplorer, developed by Objective-See. You first need to download the program from its official page, unzip the archive containing the program (double-clicking on it should work in most cases) and double-click on the TaskExplorer program to launch it. On startup, it will ask for your password in order to get administrator privileges to list all the running processes.

Before proceeding with this check, it is advisable to close all visible running applications, in order to reduce the output of the tools you will run to the bare minimum.

1. Verify Image Signature

Similarly to KnockKnock, TaskExplorer verifies the signature of the running applications. This information is shown with a lock icon near the application name: a green closed lock means that the application belongs to Apple, a black closed lock means that it is a non-Apple signed application and an open orange lock means that the application is not signed.

You can filter tasks to see only unsigned applications by typing #unsigned in the filtering bar and hitting enter:

Keep in mind that a valid third-party signature only tells you who signed the binary, not that it is benign: note the signer name and check it against what you expect for that application. Conversely, an unsigned binary is not automatically malicious, but an unsigned binary running from an unusual location should be at the top of your list.

2. Check for Suspicious Application Name and Path

As in the startup section, it is interesting to check for any application that has a suspicious name or path. The name of the application can be faked, but in some cases malware uses either a spoofed name with typos (such as Crhome) or a random string.

The path of the application indicates where it is running from. Any application running from a location other than the standard system and application directories (such as /Applications, /Library, /System or /usr) should be investigated further; user-writable locations such as /tmp or a user's Library folder deserve particular attention.

To avoid checking legitimate applications signed by Apple, you can filter the tasks with the hashtag #nonapple in the filtering bar:

3. Looking up Programs on VirusTotal

Similarly to the Autoruns section, TaskExplorer also checks file fingerprints on VirusTotal. On the right of each running task, you will see two numbers representing first the number of antivirus engines that identified this file as malicious and then the total number of engines that scanned it. A question mark will appear if the program is not known by VirusTotal.

You should investigate further any task identified by at least one antivirus engine as malicious or not known by VirusTotal.

Please note: the same considerations and warnings explained in the previous section apply here too. Make sure to read them before proceeding.
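The same three checks (signature, path, fingerprint lookup) can be done from a terminal when the GUI is not an option, for instance over SSH or when you want a text record for the case file. The bash script below is an added example written for this guide; it is not part of the original page nor of Objective-See's TaskExplorer. It lists running processes with `ps`, maps the output of `codesign -dv --verbose=4` to the same apple / nonapple / unsigned classes TaskExplorer shows as lock icons, flags executables running outside standard directories, and prints a SHA-256 that you can search on VirusTotal by hash without uploading the file. The directory whitelist and the use of the `Authority=Software Signing` line to recognise Apple's own binaries are this example's assumptions; it makes no attempt at the name-typo heuristic, which remains a manual check.

```bash
#!/bin/bash
# Shell triage of running processes on macOS (added example, not the guide's code).
# Mirrors TaskExplorer's #nonapple view: signer class, location and SHA-256
# for every running executable that is not signed by Apple.

# Directories from which legitimately installed software normally runs.
# Assumption of this example; anything outside them (e.g. /tmp, ~/Library)
# is worth a closer look.
classify_path() {
  case "$1" in
    /System/*|/usr/*|/bin/*|/sbin/*|/Library/*|/Applications/*) echo standard ;;
    *) echo suspicious ;;
  esac
}

# Read `codesign -dv --verbose=4` output (it is written to stderr, so callers
# must redirect with 2>&1) on stdin and print apple, nonapple or unsigned.
# Apple's own OS binaries carry "Authority=Software Signing"; third-party
# code carries a Developer ID or App Store authority chain instead.
signer_class() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'not signed at all'; then
    echo unsigned
  elif printf '%s\n' "$out" | grep -q '^Authority=Software Signing$'; then
    echo apple
  elif printf '%s\n' "$out" | grep -q '^Authority='; then
    echo nonapple
  else
    echo unknown
  fi
}

# Walk the process list and print one line per non-Apple executable.
# `ps -axo comm=` returns the full executable path on macOS; the trailing
# `=` suppresses the column header.
triage_running_processes() {
  printf '%-7s %-9s %-11s %-64s %s\n' PID SIGNER LOCATION SHA256 EXECUTABLE
  ps -axo pid=,comm= | while read -r pid exe; do
    case "$exe" in /*) ;; *) continue ;; esac   # skip entries with no path
    [ -f "$exe" ] || continue
    signer=$(codesign -dv --verbose=4 "$exe" 2>&1 | signer_class)
    if [ "$signer" = apple ]; then
      continue                                   # same idea as the #nonapple filter
    fi
    location=$(classify_path "$exe")
    digest=$(shasum -a 256 "$exe" | awk '{print $1}')
    printf '%-7s %-9s %-11s %s %s\n' "$pid" "$signer" "$location" "$digest" "$exe"
  done
}

# Only run the full triage where codesign exists, i.e. on macOS.
if command -v codesign >/dev/null 2>&1; then
  triage_running_processes
fi
```

Sort the output by the SIGNER and LOCATION columns: anything unsigned or suspicious comes first, then Developer ID signers you do not recognise. Search the SHA-256 on the VirusTotal web site rather than uploading the binary, for the reasons given in the previous section.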
