CrowdStrike Services Releases AutoMacTC 1.2.0

The CrowdStrike Services team is excited to announce the release of AutoMacTC 1.2.0 to the community. AutoMacTC was originally released in March 2019 to help incident responders investigate intrusions on macOS systems. Read on for what's new in this update.


What Is AutoMacTC?

AutoMacTC, or Automated macOS Triage Collector (pronounced auto-mac-tick), is a framework of Python scripts designed to parse macOS forensic artifacts and produce output in a format that forensic analysts can easily access and work with. Forensic analysts performing incident response (IR) investigations know the value of well-crafted automation for capturing, parsing and analyzing forensic data across many affected systems. You can read more about AutoMacTC in the original release blog post, and the tool itself is available in our public GitHub repo.

What’s New?

AutoMacTC has been updated to provide full Python 3 support, compatibility with macOS 11 and M1 chipsets, support for deployment via Falcon’s Real Time Response (RTR), and new data collection modules. Here's a detailed look at what's new in version 1.2.0.

New Features

  • RTR Support: AutoMacTC can be deployed remotely using Falcon's Real Time Response feature. A sample bash wrapper script that facilitates deployment of AutoMacTC is available in the public GitHub repo.

New Modules

  • Apple Unified Log: This module parses the Apple Unified Log (AUL) on a live system using native predicate-based filtering, with the predicates that CrowdStrike Services has found most useful for IR investigations. The AUL and the selected predicates are described in detail here.
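The predicate-driven collection described in this bullet, as an added example that is not AutoMacTC's own code: it builds a single `log show --style json` invocation from a list of predicates so the log daemon does the filtering natively, then reduces each JSON record to the fields an analyst triages on. The predicates and the sample output below are constructed for illustration; the page's own predicate set is in the linked write-up, and `collect_live` only works on a live macOS host.

```python
import json
import subprocess
from typing import Any, Dict, List

# Hypothetical predicates for this example; the page does not list the
# set that AutoMacTC's module ships with (see the linked write-up).
EXAMPLE_PREDICATES = [
    'process == "sshd"',
    'eventMessage CONTAINS[c] "authentication"',
]

# Fields of a `log show --style json` record that matter most in triage.
TRIAGE_FIELDS = ("timestamp", "processImagePath", "processID",
                 "subsystem", "category", "eventMessage")


def build_log_show_command(predicates: List[str], last: str = "1d") -> List[str]:
    """Combine predicates with OR so the log daemon filters in one pass."""
    predicate = " OR ".join("({})".format(p) for p in predicates)
    return ["log", "show", "--style", "json", "--last", last,
            "--predicate", predicate]


def normalise_records(raw_json: str) -> List[Dict[str, Any]]:
    """Keep only TRIAGE_FIELDS from each record; absent keys become None."""
    return [{field: rec.get(field) for field in TRIAGE_FIELDS}
            for rec in json.loads(raw_json)]


def collect_live(predicates: List[str], last: str = "1d") -> List[Dict[str, Any]]:
    """Run `log show` on the live macOS host and return normalised records."""
    completed = subprocess.run(build_log_show_command(predicates, last),
                               check=True, capture_output=True, text=True)
    return normalise_records(completed.stdout)


# Constructed sample shaped like `log show --style json` output (not real data).
SAMPLE_OUTPUT = json.dumps([
    {"timestamp": "2021-05-01 10:00:00.000000-0700", "processID": 412,
     "processImagePath": "/usr/sbin/sshd", "subsystem": "com.openssh.sshd",
     "category": "", "eventMessage": "Accepted publickey for analyst",
     "senderImagePath": "/usr/sbin/sshd"},
    {"timestamp": "2021-05-01 10:00:01.000000-0700", "processID": 77,
     "processImagePath": "/usr/libexec/opendirectoryd",
     "eventMessage": "authentication attempt for analyst"},
])

if __name__ == "__main__":
    print(" ".join(build_log_show_command(EXAMPLE_PREDICATES)))
    for rec in normalise_records(SAMPLE_OUTPUT):
        print(rec)
```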

Compatibility Fixes

  • Python 3 Support: AutoMacTC is now compatible up to Python 3.9, with backward compatibility for Python 2.7.
  • macOS 11 Support: AutoMacTC has been tested for compatibility up to macOS 11.3 in both live and forensic modes. Forensic mode now prompts for the path to the “System” and “Data” drives to reflect macOS’s new storage architecture as of macOS 10.15.
  • M1 Processor Support: AutoMacTC has been tested for compatibility on live systems using the M1 chipset.

Performance Improvements

  • New data writer class: The new class allows for buffered output to reduce disk I/O operations and improve overall performance. The greatest performance benefits are realized during execution of the dirlist module.
  • Dirlist: Improved multi-threading support and exclusion of certain bundles from recursion has significantly reduced dirlist runtime and data output size.

Bug Fixes

Thanks to public feedback in conjunction with internal testing, the following bugs were fixed:
  • Firefox: resolved the issue with non-existent tables
  • TerminalState: fixed Cipher.AES import
  • InstallHistory and NetConfig: improved error handling for non-existent keys
  • query_db: fixed issue with appending extra characters to file names
  • Overall Error Handling: error handling has been improved across all modules to increase program stability

What’s Next

AutoMacTC will continue to be updated to maintain compatibility with the latest versions of macOS and to improve performance. New modules will be added as additional macOS forensic artifacts relevant to incident response investigations are identified.