๐Ÿ“š Logical Acquisition

Created: 30.05.2023

This type of acquisition can only happen on a live system. It’s quicker and easier than imaging the drive, but you will miss some data. It’s sometimes the only way to collect data from a mobile device.


  • Attach a write blocker or run a software-based one. On the forensic MacBook, you can turn off disk arbitration or use write blockers. To turn off this feature, refer to this page. It’s needed so the forensic machine won’t change the data on the suspect MacBook. For Mac acquisition - follow these steps.
  • List all drives to get the id of the target.
  • Connect external HDD or SSD
  • Launch some forensic distribution (for example, Paladin). Make an image of the local HDD (โ—๏ธ Won’t work for M1 Apple devices).

๐Ÿงช What files are changed when something is connected to a Mac (USB or using Thunderbolt)? Is turning off the disk arbitration feature really preventing changes to the target drive?

Order of Volatility

  • Cache, registers (CPU). ๐Ÿ›  Debuggers (OllyDbg, gdb, x64dbg etc)
  • ARoTa MeKSaPTa. ARP cache, routing table, memory, kernel statistics, process table. Mnemonics: ARoTa MeKSaPTa
    • Routing tables. Contain the following info: destination IP addresses or networks; the gateway IP address, or interface name if a directly connected resource; the metric, or cost, associated with the route โ€“ this enables the most efficient route to be selected; the outgoing interface the machine will use when forwarding a packet.
      • Windows route print
      • UNIX netstat -rn
    • ARP cache: arp -a
    • Process table. The list of processes currently running + metadata.
      • UNIX ps
      • Windows. Task Manager (GUI) or tasklist (-> csv).
    • Kernel stats. ๐Ÿ›  RAMMap, part of the Sysinternals suite for Windows, and memmap in the Linux world. Tracks the page usage (physical RAM chunks), mappings of those pages.
  • Temporary files. Malware likes these folders because it’s often already full of garbage.
    • Linux /tmp.
    • swap (UNIX)
    • pagefile (Windows)
  • Disk.
  • Logs. Monitoring data and remote logging pertaining to the computer in question. SIEMs and other log storages.
  • Physical configurations, network topology.
  • Archival media. CDs, backups, USBs.


Using ๐Ÿ› ๏ธ Kansa, one can collect a wealth of artefacts from a Windows machine.

Set-NetConnectionProfile -InterfaceIndex X -NetworkCategory private # requires admin

.\kansa.ps1 -Pushbin -Target localhost -Credential username -Authentication Negotiate

โ—๏ธ On macOS Parallels 18 with Windows 11 running as a VM, you’d need to change the password for the user first to provide them in the prompt.

Select-String "something" *.csv # search for something keyword in all csv files in the current directory

If the -Analysis option is provided when collecting data, it will generate analysis files following the collection from remote hosts. This script can be used to pull the frequency of autoruns based on ImagePath, LaunchString and MD5 tuple (given that the publisher is not verified): Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 https://github.com/davehull/Kansa/blob/master/Analysis/asep/Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1. Here is the most crucial part of the script, its heart โค๏ธ:

		COUNT(ImagePath, LaunchString, MD5) as ct,
		Publisher not like '(Verified)%' and (ImagePath not like 'File not found%')
		ImagePath, LaunchString, MD5, Publisher
		ct ASC

This script accomplishes frequency analysis using Get-Command logparser.exe with the above SQL statement.

Select columns ImagePath, LaunchString, MD5, and Publisher from all CSV files with the names that end with autorunsc.csv. Then use (ImagePath, LaunchString, MD5) as a unique identifier, discard all that have been Verified in the Publisher column and File not found in the ImagePath column. Count unique values, put in the ct column, group by ImagePath, LaunchString, MD5, Publisher and sort in ascending order.

Another tool is ๐Ÿ› ๏ธ Autoruns (comes with Sysinternals), but its focus is various autorun locations.

autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner

a - all artefacts (boot, appinit dlls, explorer addons, sidebar gadgets, image hijacks, IE addons, known dlls, logon startups, WMI, office addons, printerr mon dll, LSA sec providers, autostart services and non-disabled drivres, winlogon entries, scheduled tasks, winlock protocol and net providers). c - codec h - hashes s - verify digital signature '*' - all user profiles

Something similar to Kansa is KAPE, but looks like it is no longer maintained. It provides the ability to extract artefacts from the mounted drives (be it an image, over network or a loval drive). Here are the files/folders pulled: https://ericzimmerman.github.io/KapeDocs/#!Pages%5C2.1-Targets.md.

๐Ÿ“ Some commercial tools like Cyber Triage allow analysing the evidence on a live system without imaging drives or dumping memory. The digital footprint is claimed to be minimal. It can be used remotely.


๐Ÿ› ๏ธ AutoLLR. This script was designed for Linux. However, it can be adjusted for macOS. For example, adding system_profiler, sw_vers. Substitute prinenv for env.

๐Ÿ’ก My plan is to review and try running all these commands. This will help understand the type of evidence in the system and make necessary macOS-specific substitutions.

๐Ÿ’ก Write a macOS triage tool similar to Kansa but bash-based, specifically targeting macOS. Do the same for iOS, Android, Linux, AWS etc. Check Sarah’s GitHub to ensure there is nothing of that sort yet. Use https://github.com/mac4n6/APOLLO to collect DBS, https://github.com/mac4n6/macMRU-Parser to collect plists, https://github.com/mac4n6/Mac-Locations-Scraper location DBS, https://github.com/mac4n6/iOS-Frequent-Locations-Dumper frequent locations.


Expand… Something here