Investigate logging disk image mounts #36

Closed
russellhancox opened this issue Feb 29, 2016 · 2 comments

@russellhancox (Contributor)

Knowing which disk image an executable came from can be very useful when tracking down possible malware. Knowing where that DMG was downloaded from is even better.

Possible method for this:

  1. Use DiskArbitration to monitor for new mounts
  2. Run `hdiutil info -plist` each time a mount happens
  3. Retrieve the record matching the new mount, get `image-path`
  4. Get quarantine data (if possible) and hash of image-path
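The four steps above, worked through as an added example that is not code from the Santa project. The DiskArbitration callback itself (step 1) is native macOS API and is left out; the example starts from the mount point that callback would hand over and from the `hdiutil info -plist` output of step 2. The plist keys used (`images`, `system-entities`, `mount-point`, `image-path`) are the ones the comment names; the `flags;hex-time;agent;uuid` layout of the `com.apple.quarantine` xattr and the `LSQuarantineEvent` table and column names used for the download-URL lookup are assumptions, as are the plist, xattr value and database rows, which are all constructed samples.

```python
"""Tie a freshly mounted volume back to its disk image, hash the image and pull
the image's quarantine provenance.  Added illustration of the issue's four
steps, not Santa's code; every input below is a constructed sample."""
import hashlib
import plistlib
import sqlite3
import tempfile
from typing import Optional

# Constructed stand-in for `hdiutil info -plist` with two attached images, so the
# lookup has to pick the right record rather than the first one.
SAMPLE_HDIUTIL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>images</key><array>
    <dict>
      <key>image-path</key><string>/Users/alice/Downloads/Tools.dmg</string>
      <key>system-entities</key><array>
        <dict><key>dev-entry</key><string>/dev/disk3s1</string>
              <key>mount-point</key><string>/Volumes/Tools</string></dict>
      </array>
    </dict>
    <dict>
      <key>image-path</key><string>/Users/alice/Downloads/Installer.dmg</string>
      <key>system-entities</key><array>
        <dict><key>dev-entry</key><string>/dev/disk4</string></dict>
        <dict><key>dev-entry</key><string>/dev/disk4s2</string>
              <key>mount-point</key><string>/Volumes/Installer</string></dict>
      </array>
    </dict>
  </array>
</dict></plist>
"""

# Constructed com.apple.quarantine value.  The "flags;hex-time;agent;uuid" layout
# is an assumption about the xattr format, not something the issue states.
SAMPLE_QUARANTINE_XATTR = b"0083;5e9f1a2b;Safari;7C0A1E2D-6B3F-4E8A-9C1D-2F3A4B5C6D7E"
SAMPLE_DOWNLOAD_URL = "https://example.com/downloads/Installer.dmg"
CONSTRUCTED_IMAGE_BYTES = b"not a real DMG, just constructed bytes to hash\n"


def image_path_for_mount(hdiutil_plist: bytes, mount_point: str) -> Optional[str]:
    """Step 3: return the image-path of the record whose system-entities carry
    this mount point, or None if the volume is not backed by a disk image."""
    info = plistlib.loads(hdiutil_plist)
    for image in info.get("images", []):
        for entity in image.get("system-entities", []):
            if entity.get("mount-point") == mount_point:
                return image.get("image-path")
    return None


def parse_quarantine_xattr(raw: bytes) -> dict:
    """Split the assumed semicolon-separated quarantine value into its fields.
    Only the event UUID is needed to find the download URL later."""
    fields = raw.decode("utf-8", "replace").split(";")
    if len(fields) < 4:
        raise ValueError("unexpected com.apple.quarantine layout: %r" % raw)
    flags, ts_hex, agent, event_uuid = fields[:4]
    return {"flags": int(flags, 16), "timestamp": int(ts_hex, 16),
            "agent": agent, "event_uuid": event_uuid}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Step 4: hash the image file in chunks; DMGs can be gigabytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def download_url_for_event(con: sqlite3.Connection, event_uuid: str) -> Optional[str]:
    """Look the quarantine event up in a LaunchServices-style events table
    (assumed schema) and return the URL the image was fetched from."""
    row = con.execute(
        "SELECT LSQuarantineDataURLString FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?", (event_uuid,)).fetchone()
    return row[0] if row else None


def build_sample_quarantine_db() -> sqlite3.Connection:
    """In-memory stand-in for the quarantine events database (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
                "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)")
    con.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?)",
                ("7C0A1E2D-6B3F-4E8A-9C1D-2F3A4B5C6D7E", SAMPLE_DOWNLOAD_URL,
                 "https://example.com/"))
    con.commit()
    return con


def write_constructed_image() -> str:
    """Write the constructed image bytes to a temp file so sha256_file has a path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dmg") as fh:
        fh.write(CONSTRUCTED_IMAGE_BYTES)
        return fh.name


def describe_mount(mount_point: str, hdiutil_plist: bytes, quarantine_xattr: bytes,
                   con: sqlite3.Connection, hash_fn=sha256_file) -> Optional[dict]:
    """The record a mount-monitor would log: image path, download origin, hash."""
    image_path = image_path_for_mount(hdiutil_plist, mount_point)
    if image_path is None:
        return None
    event = parse_quarantine_xattr(quarantine_xattr)
    return {"mount_point": mount_point, "image_path": image_path,
            "agent": event["agent"],
            "download_url": download_url_for_event(con, event["event_uuid"]),
            "sha256": hash_fn(image_path)}


if __name__ == "__main__":
    sample_image = write_constructed_image()
    # The sample image-path does not exist on this machine, so hash the temp copy.
    print(describe_mount("/Volumes/Installer", SAMPLE_HDIUTIL_PLIST,
                         SAMPLE_QUARANTINE_XATTR, build_sample_quarantine_db(),
                         hash_fn=lambda _path: sha256_file(sample_image)))
```

On a real system the xattr bytes come from `xattr -p com.apple.quarantine <image-path>` and the events table from the user's LaunchServices quarantine database; an image with no quarantine xattr (copied from a USB stick, built locally) has no UUID to look up, so callers should treat a missing xattr as "no provenance", not as an error.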
@russellhancox (Contributor, Author)

This may no longer be necessary, the recent fixes to quarantine data collection mean that binaries run from or copied from a disk image still reference the disk image download URL.

@russellhancox russellhancox self-assigned this May 31, 2016
@russellhancox russellhancox added this to the 0.9.10 milestone May 31, 2016
@russellhancox (Contributor, Author)

Even better, it's possible to get disk image paths from IOKit. This should be included in 0.9.10.
