macOS Forensics with sysdiagnose

Background

sysdiagnose is a powerful Apple utility that collects a plethora of system-wide diagnostic information. While it is primarily used by Apple to troubleshoot errors, it can be equally valuable in an incident response or digital forensics scenario, as it provides a wide range of low-level information about the host, covering areas such as network information, launch items present, and even log dumps. However, the sheer amount of information collected by a sysdiagnose can be quite intimidating.

Running a sysdiagnose

To run a sysdiagnose, you need elevated permissions.

sudo sysdiagnose -f <output_dir>

You should see a brief warning pop up and a prompt to press Enter to continue.

If you want to script this and deploy it more conveniently, you can use echo | sysdiagnose -f <output_dir> -u (still run with elevated permissions) to make it non-interactive.

Format

The information collected by sysdiagnose ranges from unified log dumps to text files containing the output of various commands. Different categories of data are also sorted into folders, such as the WiFi folder for network-related logs. As a result, working with this data in a terminal or an IDE, where you can grep for strings and easily navigate between different file types, will make the process a little more streamlined.

Note: Some plists are not in a human-readable format because they are stored as binary plists. If you are having trouble viewing a .plist file, run plutil -convert xml1 <path/to/plist> to convert it to XML. This rewrites the file in place, so on evidence you want to preserve, work on a copy or use -o <output_file> to write the converted version elsewhere.

Helpful Artifacts

Below are key artifacts you can analyze within a sysdiagnose dump:

Unified Logs - system_logs.logarchive

If the source of the compromise, or the artifact you are looking for, is not yet clear, a helpful place to start is system_logs.logarchive, which contains a comprehensive dump of recent unified logs (how far back it reaches depends on the size of the logs). If there is a specific application or process of interest, finding it within the unified log dump is also a good way to build an understanding of the incident. The one downside of these logs is that the archive can only be opened on a macOS device. There are two ways to interact with the unified logs: through the terminal using the log command with predicates, or by opening the file in the Console app, which offers a more intuitive interface.

I have a blog in the works about understanding unified log and helpful predicates ;)

Persistence Mechanisms - launchctl-*.txt

These text files list all launch agents and launch daemons present on the device at the time of the sysdiagnose. Supplemental information about each plist, such as associated environment variables and the paths to the applications or executables, can be found in launchctl-dumpstate.txt. This information is extremely helpful for determining whether any malware has persisted on the device. launchctl-list-0.txt contains the launch items loaded by the root user (UID 0), and the remaining launchctl-list-*.txt files pertain to the other users on the system.
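As an added example that is not from the original post, here is a small Python triage script for the launchctl-list-*.txt files: it parses the tab-separated output of launchctl list and reports the non-Apple launch items, which are the ones to review first. The sample input is constructed, and the non-Apple label names in it are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of `launchctl list` as captured in
# launchctl-list-0.txt (tab-separated PID, last exit Status, Label).
# The non-Apple labels are made up for illustration.
SAMPLE_LAUNCHCTL_LIST = (
    "PID\tStatus\tLabel\n"
    "-\t0\tcom.apple.mdmclient.daemon\n"
    "512\t0\tcom.apple.airportd\n"
    "-\t78\tcom.example.updater\n"
    "1337\t0\tcom.xyz.helper\n"
)


@dataclass
class LaunchEntry:
    pid: Optional[int]  # None when the job is loaded but not currently running
    status: int         # last exit status; non-zero means it exited with an error
    label: str


def parse_launchctl_list(text: str) -> List[LaunchEntry]:
    """Parse the three tab-separated columns of `launchctl list`, skipping the header."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("PID\t"):
            continue
        pid, status, label = line.split("\t", 2)
        entries.append(LaunchEntry(None if pid == "-" else int(pid), int(status), label))
    return entries


def triage(entries: List[LaunchEntry],
           trusted_prefixes=("com.apple.",)) -> List[LaunchEntry]:
    """Return launch items whose label does not carry a trusted prefix.

    Apple's own agents and daemons are labelled com.apple.*; everything else is
    third-party and is where a persistence review should start. Add your
    organisation's known tooling to trusted_prefixes to shrink the list.
    """
    return [e for e in entries if not e.label.startswith(trusted_prefixes)]


if __name__ == "__main__":
    for e in triage(parse_launchctl_list(SAMPLE_LAUNCHCTL_LIST)):
        state = (f"running as pid {e.pid}" if e.pid is not None
                 else f"not running, last exit status {e.status}")
        print(f"{e.label}: {state}")
```

A label is chosen by whoever wrote the plist, so a com.apple.* prefix on its own proves nothing; confirm the program path of anything you keep against launchctl-dumpstate.txt.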

Network Events - /WiFi

This folder contains a large number of network-related logs, including netstat output, network configuration, recently connected networks, and even logs about paired Bluetooth devices.

Connected Wi-Fi networks - /WiFi/com.apple.wifi.recent_networks.plist

This plist contains a list of Wi-Fi networks the device has connected to, along with timestamps for when each network was last connected to and last discovered. It also contains more information about each network, such as its SSID and when it was first added to the device.

Netstat output - /WiFi/netstat-*.txt

These text files contain netstat output captured with various flags at the time of the sysdiagnose, which can help identify suspicious connections.

Bluetooth - /WiFi/bluetooth_status.txt

This text file lists all paired Bluetooth devices, along with whether or not each was connected at the time of the sysdiagnose.

Logs Dump - /logs

In addition to the unified logs mentioned earlier, a sysdiagnose also pulls a set of system logs from the machine, including USB device logs, CUPS (printing) logs, and installation logs. Some of this information overlaps with the unified log dump in system_logs.logarchive, but these logs cover events going back much further than the unified log archive and are in a more accessible format.

Installation logs - /logs/install.log

This file contains a comprehensive log of recent application installs on the system, including all processes involved in the installation, which can reveal details such as the installation path, any users created, the installation package, etc.

Installation history - /logs/InstallHistory.plist

This plist contains a record of all applications installed on the system, along with the process that performed each install (softwareupdated for macOS software updates, appstored for the Mac App Store, installer for installer packages), the timestamp of the install, and package information.
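An added example, not part of the original post, that also covers the plist note in the Format section: parsing InstallHistory.plist with Python's plistlib, which reads both the XML and binary plist formats, and pulling out the installs performed by installer. The sample plist is constructed with made-up entries, and the same approach applies to the other plists in the dump, such as com.apple.wifi.recent_networks.plist.

```python
import plistlib
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed sample mirroring the layout of /logs/InstallHistory.plist: an array
# of dicts keyed date, displayName, displayVersion, packageIdentifiers and
# processName. The entries themselves are made up.
SAMPLE_INSTALL_HISTORY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
  <key>date</key><date>2024-03-01T09:15:00Z</date>
  <key>displayName</key><string>macOS 14.3.1</string>
  <key>displayVersion</key><string>14.3.1</string>
  <key>packageIdentifiers</key><array><string>com.apple.pkg.macOSUpdate</string></array>
  <key>processName</key><string>softwareupdated</string>
</dict>
<dict>
  <key>date</key><date>2024-03-02T22:41:10Z</date>
  <key>displayName</key><string>Example Helper</string>
  <key>displayVersion</key><string>1.0</string>
  <key>packageIdentifiers</key><array><string>com.example.helper.pkg</string></array>
  <key>processName</key><string>installer</string>
</dict>
</array></plist>
"""

# The copy inside a sysdiagnose may be a binary plist. plistlib reads both
# formats, so the sample is round-tripped to binary to show that plutil is
# not required when parsing in Python.
SAMPLE_INSTALL_HISTORY_BIN = plistlib.dumps(
    plistlib.loads(SAMPLE_INSTALL_HISTORY_XML), fmt=plistlib.FMT_BINARY)


def load_install_history(data: bytes) -> List[Dict[str, Any]]:
    """Parse InstallHistory.plist (XML or binary) and order installs by time."""
    return sorted(plistlib.loads(data), key=lambda e: e["date"])


def third_party_installs(entries: List[Dict[str, Any]],
                         since: Optional[datetime] = None):
    """Installs performed by 'installer', i.e. .pkg files run outside software
    update and the App Store, optionally limited to a window of interest."""
    out = []
    for e in entries:
        if e.get("processName") != "installer":
            continue
        if since is not None and e["date"] < since:
            continue
        out.append((e["date"], e.get("displayName"),
                    ", ".join(e.get("packageIdentifiers", []))))
    return out
```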

USB logs - /logs/USB/usbdiagnose.txt

This text file lists all USB devices connected to the machine, with information about whether each is attached to the device itself or to a hub, the device's capabilities, the device and manufacturer names, connection status, etc.

Running applications - /logs/lsappinfo.txt

This text file contains the output of the lsappinfo command at the time of the sysdiagnose, including the name and file path of each application, whether or not the application is signed (and by whom), whether or not the running application was hidden, and the associated process IDs and parent processes.

Authorization logs - /Accessibility/com.apple.universalaccessAuthWarning.plist

This plist keeps a record of all applications that have requested Universal Access on the device. Universal Access is a macOS component that gives users better accessibility controls over their device. While this allows further customization, it also grants these applications a high degree of control over the system. As a result, it is common for malware to seek out applications with these entitlements and inject into their processes (see HealthInspector and SwiftBelt), or to obtain these permissions itself by socially engineering the user into granting them.

iCloud logs - /brctl

This folder contains a collection of text files that track various iCloud-related events, such as cached files from iCloud uploads in defaults-com.apple.bird.txt or iCloud errors in diagnose-errors.log.

System extensions - systemextensionsctl_diagnose.txt

System extensions were introduced to move third-party applications away from needing the level of access that kernel extensions grant. This text file lists all system extensions installed on the system, along with information such as their identifier, whether each is activated and enabled, the developer name, the associated app bundle and application, etc. In an enterprise environment, it is common for security tools to have system extensions.

Resources

This blog would not be possible without the work laid out in the following resources:

  • mac4n6
  • WithSecure

Finally, a supplement to this blog is coming soon where I will go over using sysdiagnose to find evidence of a device being booted into recovery mode.