Rapid Incident Response on macOS: Actionable
Insights in Under an Hour
Author: Doug Hitchen, dhitchen@[Link]
Advisor: Lenny Zeltser
Accepted: September 26, 2024
Abstract
The increasing use of macOS in enterprises requires fast, effective incident response (IR)
methodologies specific to those systems to augment conventional forensic methods, such
as full-disk imaging and log analysis. Due to architectural differences, techniques for
Windows cannot be applied to macOS. This research explores Aftermath for rapid IR on
macOS. The approach produces relevant artifacts in under an hour for more efficient,
better-informed incident response practices.
Rapid Incident Response Triage on macOS: 2
Enhancing Cybersecurity Outcomes
1. Introduction
Much research, training, and tool development has focused on Windows due to its
market share and enterprise use. The number of commercial and open-source tools,
security conference presentations, and training courses available for Windows forensics and
incident response testifies to this. The same level of coverage is not available for the Mac
ecosystem. StatCounter reports that macOS usage increased from 8.5 to almost 15
percent in the last decade. Windows held just over 89 percent of the corporate market in
July 2014, but that share declined to 72 percent by July 2024 (StatCounter, 2024;
StatCounter, 2014). Annual security reports and articles from Crowdstrike, SentinelOne,
RedCanary, and others show increasing attacks against Mac users. This increased usage
by businesses and targeted attacks by cybercriminals highlight the need for fast, practical
incident response tools and methods.
1.1. The Need for Rapid IR Triage Methods on macOS
Conventional approaches involve collecting and transferring full disk images,
large memory dumps, and log files. Processing time varies with target performance,
network bandwidth, and other factors but often takes several hours or more. Interpreting
the results may also require specialized skills. Most existing rapid IR triage processes,
training materials, and tools are primarily designed for Windows systems, which creates
inefficiencies and delays when applied to macOS due to the differences in operating
system architecture and security models. Techniques developed for Windows do not
often port directly to the Mac platform and do not capture macOS-specific artifacts.
Extensive resources exist for this kind of rapid response in Windows
environments. For example, Velociraptor and the Kroll Artifact Parser And Extractor
(KAPE) are used for efficient data collection and analysis (Cake, 2023). The same cannot
be said for macOS. The SANS FOR518: Mac and iOS Forensic Analysis and Incident
Response course and Bradley's "macOS Incident Response: Scripting and Analysis"
provide insights into the security architecture, challenges, and artifacts available but
reveal a significant gap compared to the knowledge and tooling available for Windows
(SANS Institute, n.d.; Bradley, 2020).
Doug Hitchen, dhitchen@[Link]
macOS updates can also break existing security tools and scripts, highlighting the
need for adaptable IR processes resilient to system changes (Apple, 2024).
The process focuses on quickly collecting critical forensic artifacts, normalizing
timestamps, and creating searchable formats to enhance detection accuracy and speed up
incident analysis.
This research addresses whether a rapid IR triage process for macOS can quickly
provide high-quality artifacts that help investigate events in under an hour.
2. Research Method
This section describes the methodology, including the test environment, data
collection and analysis, testing procedures, and expected results.
2.1. Methodological Approach
The research evaluates the speed and accuracy of a rapid IR triage process for
macOS. The primary focus is to develop a method that quickly and accurately identifies
forensic artifacts on macOS devices.
Detection rate, artifact collection time, and overall incident response time are
measured and presented. The detection rate is calculated as a simple true/false value
showing whether evidence was found by the expected keyword searches. Data is collected
through simulated attack scenarios on macOS virtual machines (VMs) designed to reflect
realistic user environments. The performance of the rapid IR triage method is evaluated
based on its ability to quickly and accurately find evidence and respond to these
simulated threats.
This study does not try to deliver a comprehensive digital forensics and incident
response strategy. It presents an IR process that quickly provides actionable information
by prioritizing practicality and speed over exhaustive forensic soundness.
2.2. Testing Environment
Virtual machines (VMs) running the latest macOS version (as of September
2024) are used for testing. The configuration uses default security settings and commonly
used web browsers. VMs provide a quick and easy testing environment, but the study
recognizes that real-world attackers can detect virtualization and change their tactics
accordingly.
Red Canary's Atomic Red Team framework simulates attacker behavior. The
framework automates running MITRE ATT&CK techniques, ensuring the simulations
are realistic and relevant for evaluating the IR triage methods.
The open-source Aftermath was selected to collect and analyze forensic artifacts,
producing readily accessible text and CSV files. This helps quickly identify indicators of
compromise (IoCs). Aftermath requires installation but does not have any dependencies.
Installation and removal can easily be scripted or pushed using Mobile Device
Management (MDM) tools.
2.3. Data Collection and Analysis
This section describes the VM setup, simulation preparation, and artifact
collection. Although this process focuses on macOS, the same approach applies to all
platforms.
2.3.1. Data Collection
After simulating attacks on macOS virtual machines (VMs), Aftermath was used
to collect forensic artifacts.
A VM snapshot helped ensure a clean and consistent environment for each
simulation. The VM was restored to this snapshot before each test to prevent cross-
contamination. Aftermath requires access to protected folders. To avoid prompts for
access to these folders, grant Terminal “full disk access” before running the collection.
The following section shows the steps to configure the initial base VM image. All
commands are run from the Terminal unless otherwise specified.
Installed the Xcode Command Line Tools as a prerequisite for Homebrew.
xcode-select --install
Used Homebrew to install web browsers and tools needed for testing.
/bin/bash -c "$(curl -fsSL [Link])"
Chrome and Firefox were installed on the macOS VM due to their market share,
with Chrome holding between 65% and 70% and Firefox between 5% and 10% as of
2024 (BrowserStack, 2024). Including these browsers and Safari ensures that the testing
reflects realistic conditions.
brew install --cask firefox
brew install --cask google-chrome
brew install --cask visual-studio-code
brew install wget
PowerShell was installed as a prerequisite for the Atomic Red Team Execution
Framework.
cd ~/Downloads
wget -q [Link]
sudo xattr -rd [Link] ~/Downloads/powershell-7.4.5-osx-[Link]
sudo installer -pkg ~/Downloads/[Link] -target /
PowerShell was then used to install the Atomic Red Team Execution Framework
and Atomics Folder using the Invoke-AtomicRedTeam execution framework.
pwsh
IEX (IWR '[Link]atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force
Installed Aftermath to collect forensic artifacts without requiring Python or other
dependencies on the target system.
baseurl=[Link]
release=v2.2.1
package=[Link]
wget -q "$baseurl/$release/$package"
sudo installer -pkg [Link] -target /
Ran Aftermath after each test to collect artifacts from the target with the --deep
parameter to gather as much evidence as possible.
sudo aftermath -o /tmp --deep
Simulated various attack scenarios using the Atomic Red Team framework,
aligning with the MITRE ATT&CK framework. These tests were chosen to represent
common macOS threats reported by CrowdStrike, Red Canary, and SentinelOne.
• T1566 - Phishing: Simulated by creating a test website to capture user credentials
(Stokes, 2024; CrowdStrike, 2024).
• T1204 - User Execution: Simulated by creating a test website with instructions
for users to download, extract, and run a benign test script (Stokes, 2024;
CrowdStrike, 2024).
• T1547 - Boot or Logon Autostart Execution: Used Launch Agents and Launch
Daemons to simulate malware persistence on startup (Red Canary, 2024;
CrowdStrike, 2024).
• T1082 - System Information Discovery: Built-in information-gathering
commands for reconnaissance were used (Stokes, 2024; CrowdStrike, 2024).
• T1070 - Indicator Removal on Host: Simulated erasing forensic evidence from
the host (CrowdStrike, 2024).
• T1059.002 - AppleScript Abuse: Simulated malicious tasks using AppleScript
(Stokes, 2024; CrowdStrike, 2024).
• T1056.001 - Keylogging - Input Capture: Used keylogging techniques to
capture user inputs and sensitive information (Red Canary, 2024; Stokes, 2024).
• T1078.001 - Valid Accounts: Activated guest account to simulate using stolen
credentials to gain unauthorized access (Red Canary, 2024; Stokes, 2024).
Aftermath was selected as the primary tool for collecting browser history, logs,
system configurations, network activity, user actions, and other forensic artifacts.
Aftermath simplifies the data collection and minimizes the impact on the target. The
collected data was transferred from each subject VM to another machine for analysis and
keyword searches.
Speed and accuracy make Aftermath ideal for incident response in macOS
environments. Figure 1 below shows how to download, install, and run Aftermath. Its
modules collect data from various system logs, configurations, and user activities.
Figure 1: Download, install, and run Aftermath
Figure 2 shows the path to the Aftermath archive file that gets copied to another
workstation for analysis. Some key findings Aftermath provides include a timeline of
files with the file creation and last accessed and last modified dates (if available), a
storyline with file metadata, database changes, and browser information (Vigo, 2022).
Figure 2: Aftermath finished; note path to Aftermath archive
Copy the Aftermath archive offline for analysis. Then, shut down the test VM or
restore from a snapshot in preparation for the next test. In real-world applications, decide
whether to leave Aftermath installed for future use or uninstall to keep the system clean.
Figure 3 shows how to remove Aftermath using the uninstaller package.
Figure 3: Download and run the Aftermath uninstaller
2.3.2. Data Analysis
The rapid IR process is evaluated on detection accuracy, artifact identification,
and triage speed.
• Detection Accuracy: The percent of simulated attacks successfully detected
measures accuracy. A high detection rate shows Aftermath’s ability to detect
potential threats accurately.
• Artifacts Identified: Each detected technique lists the specific artifacts
identifying the attack. These artifacts may include browser history, logs, system
configurations, network activity, or other indicators. Artifact quality and
relevance help to determine their value in confirming malicious activity and
speeding incident response.
• Triage Speed: The triage speed evaluates how quickly Aftermath collects and
analyzes relevant artifacts for searching. Faster triage speeds minimize the time
from detection to response.
The time required for traditional forensic methods is not measured for the study,
but a high-level comparison provides context for the benefits of the rapid IR triage
process.
Conventional forensics and IR methods that capture and transfer large full-disk
images, memory dumps, and log files can take a few hours to days. These processes are
thorough but not well suited for speed or quick decision-making. Contrast this with rapid
IR triage, focusing on fast, accurate detection and actionable insights. This is not unique
to macOS. The same applies to all operating system platforms: macOS, Windows, and
Linux.
Aftermath’s ability to quickly and accurately identify high-quality, relevant
artifacts is assessed for how easily they can be interpreted to confirm a security incident
and how quickly they allow responders to understand the incident scope or blast radius.
2.4. Testing Procedures
The following sections describe the testing process of restoring the macOS virtual
machines, running attack simulations, and analyzing the collected data.
2.4.1. Procedure
Restore the macOS test VM from the snapshot to start each test in a known state
and prevent cross-contamination. Then, run the selected Atomic Red Team test or
simulation technique by following the documentation in the Atomics repository.
After conducting attack simulations, run Aftermath to collect forensic artifacts.
The collection process targets critical logs, system configurations, network activity,
browser history, and user actions essential for identifying indicators of compromise.
Copy the Aftermath artifact collection zip from the VM to the host machine for
analysis. Run Aftermath on the host to extract and analyze the artifacts.
This creates a searchable dataset for analysis, and normalization ensures
consistency across tests and enables accurate detection of potentially malicious activity.
Aftermath’s analysis includes a file timeline showing birth, accessed, and modified
timestamps, as shown in Figure 4.
Figure 4: Aftermath's file_timeline.csv
A storyline of user activity showing browser history, installation history, database
changes, and more is seen in Figure 5.
Figure 5: Additional Actions Included in Aftermath's [Link]
Once Aftermath analyzes the artifacts, the data is ready for searching and
pivoting. Perform recursive searches for expected keywords against the Aftermath and
Aftermath_Analysis folders. Keywords for searching were chosen from known test
patterns, such as osascript, eicar_test, etc. In real-world applications, this could be known
indicators of compromise or suspicious messages reported by users.
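The keyword search step, as an added example that is not the paper's search_aftermath_analysis.sh or any other code from the author's repository: it greps an Aftermath collection recursively for each expected keyword, drops lines matching an ignore pattern (the way a recurring benign sudo entry in true_tree_output.txt can be excluded), and reports the paper's true/false detection verdict per keyword. The directory layout, file contents, and patterns are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the paper or its GitHub repository.
# Keyword triage over an Aftermath collection with an ignore pattern for
# known-benign hits. Directory names and file contents are constructed.
set -u

# Build a small constructed stand-in for the Aftermath output folders.
make_sample_collection() {
  root="$1"
  mkdir -p "$root/Aftermath_Analysis" "$root/Aftermath/process"
  # Constructed file_timeline.csv rows; real Aftermath columns may differ.
  cat > "$root/Aftermath_Analysis/file_timeline.csv" <<'EOF'
2024-09-20T14:02:11Z,birth,/tmp/eicar_test.txt
2024-09-20T14:01:50Z,modified,/Users/test/Downloads/eicar_test.zip
2024-09-20T09:15:00Z,accessed,/Applications/Safari.app
EOF
  # Constructed storyline rows with one osascript execution entry.
  cat > "$root/Aftermath_Analysis/storyline.csv" <<'EOF'
2024-09-20T14:00:05Z,shell_history,osascript -e 'do shell script "curl ..."'
2024-09-20T13:59:00Z,shell_history,ls -la
EOF
  # Constructed process tree: the recurring benign sudo line (Aftermath's own
  # collection run) plus one genuine test hit.
  cat > "$root/Aftermath/process/true_tree_output.txt" <<'EOF'
root 101 /usr/bin/sudo aftermath -o /tmp --deep
test 202 /usr/bin/sudo log erase --all
EOF
}

# search_hits DIR KEYWORD [IGNORE_REGEX]
# Prints matching lines as "file:line:text", case-insensitively, dropping any
# line that matches the ignore regex (used to silence known-benign hits).
search_hits() {
  dir="$1"; kw="$2"; ignore="${3:-}"
  if [ -n "$ignore" ]; then
    grep -r -i -n -- "$kw" "$dir" 2>/dev/null | grep -v -E -- "$ignore"
  else
    grep -r -i -n -- "$kw" "$dir" 2>/dev/null
  fi
}

# count_hits DIR KEYWORD [IGNORE_REGEX] -> number of surviving hit lines
count_hits() {
  search_hits "$@" | wc -l | tr -d ' '
}

# detected DIR KEYWORD [IGNORE_REGEX] -> "true" or "false"
# This is the paper's simple detection-rate metric: evidence found or not.
detected() {
  if [ "$(count_hits "$@")" -gt 0 ]; then echo true; else echo false; fi
}

# triage_report DIR IGNORE_REGEX KEYWORD... -> one "keyword,hits,detected" row
# per keyword, ready to paste into a results table.
triage_report() {
  dir="$1"; ignore="$2"; shift 2
  echo "keyword,hits,detected"
  for kw in "$@"; do
    n=$(count_hits "$dir" "$kw" "$ignore")
    echo "$kw,$n,$(detected "$dir" "$kw" "$ignore")"
  done
}

# Stand-alone run over the constructed collection (skipped when sourced).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_collection "$tmp"
  triage_report "$tmp" 'sudo aftermath' osascript eicar_test sudo swift
  rm -rf "$tmp"
fi
```

Run with `--demo` to print the report; the ignore regex 'sudo aftermath' removes the collector's own sudo entry so that only the simulated log erase counts as a sudo hit.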
2.4.2. MITRE ATT&CK Techniques
The selected MITRE ATT&CK techniques represent macOS attacks reported in
the wild by security vendors. Focusing on these techniques helps to ensure that the results
are relevant and directly applicable to enhancing macOS incident response.
Each test provides a realistic evaluation of the rapid IR process. The tests include
credential phishing, malware download, AppleScript abuse, and more.
Red Canary’s Atomic Red Team framework simulates the MITRE ATT&CK
techniques in a controlled environment, providing a standard, repeatable method for
executing attack simulations. By leveraging this framework, the study can accurately
reproduce the behaviors associated with each attack technique.
2.5. Expected Results
Aftermath is expected to produce fast, accurate forensic artifacts. The process
should be fast and accurate enough to add value to real-world investigations. It is
designed to help responders quickly find indicators of compromise, making it easier to
assess the situation and respond appropriately.
2.5.1. Response Times
Aftermath’s speed is expected to reduce response times by efficiently collecting
and analyzing relevant artifacts. Minimizing the time spent on manual data collection and
focusing on key indicators of compromise enables quicker, better-informed decisions and
mitigations. Faster response times help minimize potential damage by limiting the threat
exposure window.
2.5.2. Detection Accuracy
The accuracy should be high enough to allow defenders to detect indicators of
compromise, some of which may be missed using broader or Windows-focused methods.
2.5.3. Enhanced Artifact Identification
Aftermath is expected to collect comprehensive and relevant artifacts. It should
quickly gather and normalize forensic artifacts, providing clear and actionable insights
about security incidents.
2.5.4. Potential Limitations and Challenges
Virtual machines may not fully represent real-world settings and can be detected
by attackers. Testing against only a subset of MITRE ATT&CK techniques may not
cover all the scenarios responders face.
3. Findings and Discussion
This study evaluated the speed and accuracy of a rapid IR triage process on
macOS systems. The following subsections discuss the findings.
3.1. Simulation Results
This section presents the findings from the simulations conducted during the
study. The results are analyzed for speed and detection accuracy.
3.1.1. Summary of Results
The rapid IR triage process produced reasonably accurate results in under thirty
minutes across multiple attack vectors.
3.1.2. Detection Accuracy
Aftermath found indicators of compromise (IoCs) in ten of the twelve tests. The
[Link] artifact revealed evidence of the macOS Swift Keylogger, accurately pinpointing
timestamps that matched the attack start and end times. The tests for keylogging,
scripting, and command execution all showed similar accuracy, as shown in Figures 6, 7,
and 12.
A false positive related to sudo was detected in the processes reported in the
true_tree_output.txt file and excluded from future accuracy calculations. This
artifact appeared in multiple tests but did not correlate with the simulation. Figure 8
shows an example of this false positive.
3.1.3. Detailed Test Results
T1056.001 – Input Capture: Keylogging was tested using Atomic Test #8 –
MacOS Swift Keylogger. Keyword searches for “swift” found evidence of the attack in
the [Link] artifact extracted by Aftermath. TCC stands for Transparency, Consent, and
Control, a framework developed by Apple that lets users manage application
access to sensitive data. The test user followed all instructions to enable input monitoring
for the terminal, which was written into the TCC database and subsequently detected by
the process. The Atomic Test execution log shows the test start and end times, correlating
with the artifacts discovered.
Figure 6: Evidence of Technique T1056.001, Input Capture: Keylogging
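The correlation step described above, as an added example that is not the paper's or the repository's code: it filters Aftermath's timeline and storyline rows to the start and end times recorded in the Atomic Red Team execution log and merges them into one chronological view. It assumes, as a constructed layout, that both CSV files carry an ISO-8601 UTC timestamp in the first column; check the real Aftermath column order before relying on it.

```shell
#!/bin/bash
# Added example, not code from the paper or its GitHub repository.
# Correlates Aftermath analysis rows with an Atomic Red Team test window.
# ASSUMPTION: file_timeline.csv and storyline.csv have an ISO-8601 UTC
# timestamp in column 1 (constructed layout; verify against real output).
set -u

# Write a small constructed stand-in for an Aftermath_Analysis folder.
make_sample_analysis() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/file_timeline.csv" <<'EOF'
timestamp,event,path
2024-09-20T14:02:11Z,birth,/tmp/eicar_test.txt
2024-09-20T14:01:50Z,modified,/Users/test/Downloads/eicar_test.zip
2024-09-20T09:15:00Z,accessed,/Applications/Safari.app
EOF
  cat > "$dir/storyline.csv" <<'EOF'
timestamp,source,detail
2024-09-20T14:00:05Z,shell_history,osascript -e 'do shell script ...'
2024-09-20T13:59:00Z,shell_history,ls -la
EOF
}

# window_rows CSV START END
# Prints data rows whose column-1 timestamp lies in [START, END]. Because the
# timestamps are normalized to one ISO-8601 UTC form, a plain string
# comparison orders them correctly; the header row is skipped by pattern.
window_rows() {
  awk -F, -v s="$2" -v e="$3" \
    '$1 ~ /^[0-9][0-9][0-9][0-9]-/ && $1 >= s && $1 <= e' "$1"
}

# window_view DIR START END
# Merges timeline and storyline rows inside the window into one chronological
# view, each line prefixed with the artifact it came from, for pivoting.
window_view() {
  dir="$1"; s="$2"; e="$3"
  for f in "$dir/file_timeline.csv" "$dir/storyline.csv"; do
    [ -f "$f" ] || continue
    window_rows "$f" "$s" "$e" | sed "s|^|$(basename "$f"),|"
  done | sort -t, -k2
}

# count_in_window DIR START END -> number of merged rows inside the window
count_in_window() {
  window_view "$@" | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed data (skipped when sourced by tests).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_analysis "$tmp"
  # Constructed test window, as it would be read from the Atomic execution log.
  window_view "$tmp" 2024-09-20T14:00:00Z 2024-09-20T14:05:00Z
  rm -rf "$tmp"
fi
```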
T1059.002 – Command and Scripting Interpreter: AppleScript was tested
using a slight variation on Atomic Test #1 – AppleScript. The original test required
Python, which is no longer installed by default. The test was modified to use a NetCat
(nc) listener in one Terminal window and osascript and curl in a second window.
Terminal 1:
sudo nc -l 80
Terminal 2:
osascript -e 'do shell script "
if [[ $(ps aux | grep \"Little Snitch\" | grep -v grep) ]]; then
  exit 0
fi
curl -A \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\" -b \"session=t3VhVOs/DyCcDTFzIKanRxkvk3I=\" [Link]
"'
Figure 7 shows evidence of the attack found in the [Link] artifact based on a
keyword search for “osascript,” which is expected due to its use in the test script run from
the second terminal.
Figure 7: Evidence of Technique T1059.002 - Command and Scripting
Interpreter: AppleScript
T1070.002 – Indicator Removal on Host was tested using Atomic Test #3 –
Delete log files using built-in log utility. This test used sudo log erase with various
parameters to erase log files on a host. Evidence of the attack was found in the file
timeline, storyline, diagnostic logs, and metadata by searching for “sudo.” This test also
uncovered a likely false positive for sudo in the process true_tree_output file, circled in
Figure 8. A similar artifact was found in all other tests, and this false positive was
removed from future calculations.
Figure 8: Evidence of T1070.002 - Indicator Removal on Host
T1078.001 – Valid Accounts: Default Accounts were tested using Atomic Test
#3 – Enable Guest Account on macOS. This test enabled the guest account on the target
system. Keyword searches for “guest” found evidence of this attack in the file timeline,
storyline, and metadata.
T1082 – System Information Discovery was tested using Atomic Test #2 –
System Information Discovery. This test used system_profiler to discover
information about the system. Evidence of the attack was found in the [Link] artifact by
searching the analysis and artifacts for “system_profiler,” which is expected for this
attack.
T1547.007 – Boot or Logon Autostart Execution: Re-opened Applications
were tested using Atomic Test #1 – Copy in [Link] for Re-Opened
Applications. Keyword searches for “[Link]” found evidence of this attack in
the file timeline, storyline, and metadata.
No Atomic Tests were available for T1566 – Phishing and T1204 – User
Execution at the time of this writing. Both scenarios were tested using Python scripts to
serve web pages simulating credential phishing and downloading and executing malware.
These Python-based web servers were run in a separate Kali Linux VM and then visited
from a web browser in the test VM. Each test was performed against three commonly
used web browsers: Safari, Chrome, and Firefox. Safari is the built-in default browser.
Enterprises commonly use Chrome and Firefox. All scripts developed for this research
project are listed in Appendix A and available on GitHub. For clarity, they may be named
slightly differently in the repository.
T1566 – Phishing was tested using a Python-based web server in a separate Kali
Linux VM to create a simulated credential-stealing page. Figure 9 shows the output in the
Kali Linux VM from the test user connecting to the phishing page.
Figure 9: Phishing Post - Credential Stealing Page on Kali Linux
Keyword searches for “[Link]” found evidence of this test in the storyline and
browser history, but only for Firefox, as seen below in Figure 10. No evidence was found
for Chrome or Safari using the same keyword search.
Figure 10: Evidence of T1566 – Phishing Only Found for Firefox
T1204 – User Execution was tested using a Python-based web server in a
separate Kali Linux VM to serve up a simulated malicious download with a “helpful”
message explaining how to extract and run the program. The Kali Linux VM screenshot
below shows the web server running and the test user downloading the EICAR script
archive.
Figure 11: Phishing Download - Malware Download Page on Kali Linux
The test user dutifully extracted and ran the benign script, outputting the EICAR
test pattern to /tmp/eicar_test.txt. Keyword searches for “/downloads/” and “eicar_test”
uncovered evidence of this attack in the file timeline, storyline, and metadata for all three
browsers, as seen for Safari in Figure 12 below.
Figure 12: Evidence of Malware Download and Execution for Safari
The keyword searches also found evidence in the Firefox history and downloads
artifacts, as seen below in Figure 13. It is unknown whether the lack of similar findings in
the browser artifacts for Chrome and Safari was due to issues with Aftermath or with the
testing procedure.
Figure 13: Evidence of Malware Download and Execution Includes Browser
Artifacts for Firefox
Table 1 below summarizes the results, provides time measurements for each collection
and analysis, and indicates whether evidence was found. Collection and analysis combined took less
than a half hour per scenario, quickly providing a searchable file timeline, storyline, and
archive of relevant artifacts.
Table 1: Test Results Summary and Statistics
3.2. Implications of Findings
Implications for macOS incident response and recommendations for future
research are presented in this section.
3.2.1. Implications for macOS Incident Response
This process provides fast, accurate results that help detect and respond to macOS
threats. It does not require specialized training or skills and can be implemented by
security teams of any size.
3.2.2. Recommendations for Future Research
Future research should test more attacks to ensure comprehensive coverage and
accurate detection. It should also validate test findings in diverse, real-world macOS
environments. Further testing will be needed to find the root cause of issues with Chrome
and Safari browser artifacts. Research should also explore integrating this rapid IR triage
process with Endpoint Detection and Response (EDR), Antivirus (AV), and Security
Information and Event Management (SIEM) systems.
3.3. Study Limitations
While useful for controlled testing, virtual machines may only partially replicate
real-world macOS environments. Testing only a subset of techniques may limit the
findings' applicability.
3.4. Study Insights
The detection accuracy, artifact quality, and triage efficiency are presented next.
Each subsection describes how the process enhances incident response.
3.4.1. Impact on Detection Accuracy
Aftermath accurately detected clear indicators of compromise in 83 percent of the
simulated attacks. This is accurate enough for many scenarios and adds value where no
such rapid IR process exists today. It also shows opportunities for future research and
improvement.
3.4.2. Artifact Quality and Relevance
Artifacts uncovered by the rapid IR triage process proved accurate and relevant
for confirming incidents. Collecting comprehensive data ensures that a wide range of
potentially malicious activities are captured for analysis, helping quickly determine the
scope and impact.
3.4.3. Efficiency in Triage and Analysis
The rapid IR triage process completed collection and analysis in under thirty
minutes per test. This allows responders to prioritize high-risk incidents and make
quicker, more informed decisions.
3.5. Discussion
This section explores how speed and accuracy translate into practical advantages
for security operations. The discussion focuses on efficiency gains in the triage and
analysis phases and the implications for macOS-specific incident response strategies.
3.5.1. Efficiency in Triage and Analysis
Aftermath’s speed offers advantages over traditional forensics and IR methods,
which could take hours or days. Data collection and analysis were completed in under
thirty minutes using Aftermath in each test. This efficient triage process enables more
immediate response by reducing the time required for artifact collection and analysis.
3.5.2. Implications for macOS Incident Response Strategies
The process enables responders to quickly and accurately detect a wide range of
attacks. Allowing fast, well-informed responses can reduce the exposure window during
an attack.
The simplicity makes this process scalable across different company sizes and
structures, from small security teams with limited resources to large enterprises. It works
well for one-off and minor investigations, but the true power and benefit lie in scaling
this to dozens, hundreds, or more machines.
4. Recommendations and Implications for Future
Research
This section provides recommendations for implementing the processes on
macOS systems and suggests future research directions to further validate and enhance
these methods.
4.1. Recommendations for Practice
This study's findings describe the benefits of the rapid IR process. The following
recommendations offer guidance for security teams to maximize these benefits.
4.1.1. Regular Updates and Testing
Practitioners should update IR triage tools and scripts regularly to ensure
compatibility with the latest macOS and web browser versions. Updates can introduce
new security features and deprecate older ones.
Test and validate the updated tools in a controlled environment to ensure they
function correctly with new macOS and browser updates.
4.1.2. Automation and Integration
Integrate the rapid IR triage process with existing security tools and workflows to
add value. For example, combine with a Security Information and Event Management
(SIEM) system to enrich data and alerts sent by an Endpoint Detection and Response
(EDR) or Antivirus (AV) system. The deployment of Aftermath can be automated using
MDM tools.
4.1.3. Training and Skill Development
Train security teams on the latest macOS threats, triage techniques, and tool
functionalities. Training should cover technical tool use and the analytical skills
necessary for practical data interpretation.
Focus on developing skills for understanding and responding to macOS-specific
threats, including macOS internals, command-line tools, and relevant scripting languages.
4.2. Implications for Future Research
Future research should explore more advanced attacks and ways to improve
Aftermath and other incident response tools for macOS.
4.2.1. Enhancing Tool Compatibility
Develop tools that can withstand frequent macOS updates. Focus on compatibility
testing to ensure tools work as expected after updates. Machine learning techniques could
be explored to help predict compatibility issues based on change logs and past issues.
4.2.2. Exploring Advanced Attack Vectors
If a company's threat profile includes advanced threats, its security team should
evaluate the rapid IR process against realistic threat examples. Or, they should perform
tabletop exercises with advanced attack simulations for insight into the strengths and
weaknesses against such threats. The process should be refined accordingly.
4.2.3. Real-World Case Studies
Compare the rapid IR triage process against conventional forensics and incident
response methods in real-world scenarios. This will provide more data on the process's
speed and accuracy, inform best practices, and highlight areas for improvement.
5. Conclusion
Results showed that Aftermath's rapid IR process gathers and analyzes data in less
than thirty minutes. It provides fast, accurate insights into macOS security incidents.
Future research should focus on ensuring tools continue working with macOS and
web browser updates and extending the process to address more sophisticated threats.
Validate the effectiveness against specific threats using real-world case studies and
tabletop exercises.
For companies that support Macs, consider adopting this rapid IR triage process
to strengthen incident response capabilities.
References
Apple Inc. (2021). Apple Platform Security Guide. Retrieved from
[Link]
Apple Inc. (2024). How to Update the Software on Your Mac. Retrieved from
[Link]
Bradley, J. (2020). macOS Incident Response: Scripting and Analysis. Syngress.
BrowserStack. (2024). Understanding browser market share. Retrieved from
[Link]
Cake, P. (2023). Rapid Windows Endpoint Investigations. Retrieved from GitHub
Repository and Black Hills Information Security. Webcast available on YouTube.
CrowdStrike. (2024). 2024 Global Threat Report. Retrieved from
[Link]
Jamf. (2022). Aftermath. Retrieved from [Link]
Jamf. (n.d.). Aftermath Incident Response for macOS. Retrieved from
[Link]
Jamf. (n.d.). Complete Rapid Incident Response on macOS with Aftermath. Retrieved from [Link]business/page/Complete_Rapid_Incident_Response_on_macOS_with_Aftermath.html
MITRE. (2024). ATT&CK Framework. Retrieved from [Link]
Red Canary. (2024). Atomic Red Team. Retrieved from
[Link]
Red Canary. (2024). 2024 Threat Detection Report Reveals Top Cybersecurity Threats.
Retrieved from [Link]
SANS Institute. (n.d.). FOR518: Mac and iOS Forensic Analysis and Incident Response.
Retrieved from SANS Institute.
SentinelOne. (2024). 20 Common Tools & Techniques Used by macOS Threat Actors &
Malware. Retrieved from [Link]2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/
StatCounter. (2014). Desktop Operating System Market Share Worldwide. Retrieved
from [Link]
StatCounter. (2024). Desktop Operating System Market Share Worldwide. Retrieved
from [Link]
Stokes, P. (2024). Protecting macOS | 7 Strategies for Enterprise Security in 2024.
Retrieved from [Link]for-enterprise-security-in-2024/
Vigo, J. (2022). Get to know Aftermath: Jamf’s open-source incident response tool.
Retrieved from [Link]response-tool/
Appendix A: Scripts and Configuration Files
All scripts developed during this project are available here, on GitHub.
[Link]
Name                          Purpose
search_aftermath_analysis.sh  Search an individual Aftermath collection and analysis folder using configured search and ignore patterns
[Link]                        Configuration file for search_aftermath_analysis.sh
phishing_post.py              Python-based web server to simulate T1566 – Phishing
phishing_post.html            HTML page for the T1566 – Phishing simulation
phishing_download.py          Python-based web server to simulate T1204 – User Execution
phishing_download.html        HTML page for the T1204 – User Execution simulation