Hey everyone, Trey Amick from Magnet Forensics here. Today we’re talking about Mac USB investigations, and what happens when we’ve been alerted that a USB has been inserted into an end point.

Different organisations handle USB policies differently. Some have alerting mechanisms in place for when USBs are detected, while others may encrypt the drive when it’s inserted into the end point. Other organisations may block the external drive from being mounted altogether, or may only allow specific external drives to be used by employees. Lastly, we have some organisations that tell staff it’s against policy to use USBs, but don’t take any additional steps to further protect the end point. The different evidence, but depending on the organisation you may be faced with identifying a USB that’s been inserted into a Mac in question for a possible data exfil.

This investigation hinges on possible insider threats, where the associate may have attempted to copy files to a USB. Here we have a MacBook Air image already processed in AXIOM. We’re going to go ahead and check the OS information. We can identify that for our report by going to the Artifacts view; we’ll navigate on down to Operating System, and we will look for ‘Operating System Information.’ We can confirm that it’s 10.14.4 – I’m going to go ahead and add this as a tag.