
macOS Lockdown Mode: A DFIR Odyssey (PDF)

Uploaded 2025-12-07 · 63 pages · 7.27 MB

macOS Lockdown Mode: A DFIR Odyssey
Bhargav Rathod, Security Analyst, Salesforce
24 July 2025

$whoami
Bhargav Rathod (he/-)
- Security Analyst, CSIRT
- Organizing Committee Member, DFRWS (APAC & USA)
- GIAC Advisory Board Member
- GIAC iOS and macOS Examiner (GIME)
- GIAC Reverse Engineering Malware Certification (GREM)
- Public Speaker: SANS DFIR Summit & Training 2025 & 2023, NullCon Goa 2025, BSides Ahmedabad 2024
- Alumni, Rashtriya Raksha University (RRU), Gujarat, India; MS Digital Forensics (Gold Medallist)
- Interest areas: DFIR & Malware Analysis (macOS)

Agenda
1. Lockdown Mode 101
2. Why LDM?
3. What happens when LDM is enabled on macOS?
4. How to detect if LDM is enabled?
5. LDM Artefacts
6. Caveats of LDM
7. Acknowledgements
8. References

Introduction: Lockdown Mode 101
What? "Lockdown Mode is an optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature. When Lockdown Mode is enabled, your device won't function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all."
When? Introduced in 2022, for iOS 16 and macOS Ventura (13)
Why? Mercenary spyware on iOS
Where? iOS, iPadOS, watchOS, macOS
Who? SEAR is behind developing this across the different versions. Apple's Security Engineering & Architecture (SEAR) provides operating system security foundations across all of Apple's innovative products, including Mac, iPhone, iPad, Apple Watch, Apple TV, and Vision Pro.

Why LDM? LDM exploration
Feature introduced in 2022, but no one is talking about it from a DFIR perspective or has researched it. All

Key points of "macOS Lockdown Mode: A DFIR Odyssey", as summarised on this page:
1. What Lockdown Mode is: an optional, extreme protection mode in macOS intended for the few individuals who may be personally targeted by sophisticated digital threats.
2. Effect of enabling it: certain apps, websites, and features are restricted to reduce the attack surface.
3. Detecting it: determining whether Lockdown Mode is enabled on a given machine requires knowing where to look, because the system does not surface the state prominently.
4. Evidence: specific entries in system logs, files, and memory show whether Lockdown Mode has been enabled.
5. Limitations: enabling Lockdown Mode can affect data acquisition, USB connections, and certain system functions.
6. Effectiveness: Lockdown Mode is a preventive control that limits what an attacker can do against the device; it is not a detection control and does not find malware that is already present.
7. DFIR impact: Lockdown Mode can complicate forensic investigations, for example through lost data and limits on tooling.
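As an added example, not code from the talk or from Apple, here is a small Python check for one of the file artefacts the summary alludes to. It assumes that macOS writes the key LDMGlobalEnabled = 1 into the user's ~/Library/Preferences/.GlobalPreferences.plist when Lockdown Mode is turned on; that key name and location are assumptions to verify on a Mac in a known state, not something this page states. The sample plists in the block are constructed, so it runs offline on any OS; the missing-key case is reported as "unknown" rather than "disabled" because an examiner should not infer a negative from an absent preference.

```python
"""Added example: read the Lockdown Mode flag from a macOS user's
.GlobalPreferences.plist, the kind of file artefact the talk describes.

Assumptions (not stated on the page): when Lockdown Mode is enabled, macOS
stores LDMGlobalEnabled = 1 in ~/Library/Preferences/.GlobalPreferences.plist.
Confirm the key on a Mac whose state you control before relying on it."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

LDM_KEY = "LDMGlobalEnabled"  # assumed key name, see module docstring
DEFAULT_PLIST = Path.home() / "Library" / "Preferences" / ".GlobalPreferences.plist"


def ldm_state_from_plist_bytes(data: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for the LDM flag in a plist.

    plistlib.loads() detects XML and binary (bplist00) plists itself, so the
    same function works on a live file or on one copied out of a disk image.
    """
    try:
        prefs = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return "unknown"  # truncated or corrupted file: do not guess
    if not isinstance(prefs, dict) or LDM_KEY not in prefs:
        # A missing key means the toggle was never written, not that it is off;
        # report it separately so the finding is not over-stated.
        return "unknown"
    value = prefs[LDM_KEY]
    if isinstance(value, bool):  # test bool first: bool is a subclass of int
        return "enabled" if value else "disabled"
    if isinstance(value, int):
        return "enabled" if value == 1 else "disabled"
    return "unknown"


def ldm_state_from_file(path=DEFAULT_PLIST) -> str:
    """Read the plist at `path` (defaults to the current user's file)."""
    path = Path(path)
    if not path.is_file():
        return "unknown"
    return ldm_state_from_plist_bytes(path.read_bytes())


# Constructed sample plists for offline runs; not captured from a real Mac.
SAMPLE_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppleLanguages</key><array><string>en-US</string></array>
  <key>LDMGlobalEnabled</key><integer>1</integer>
</dict></plist>
"""
SAMPLE_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LDMGlobalEnabled</key><integer>0</integer>
</dict></plist>
"""
SAMPLE_NO_KEY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppleLanguages</key><array><string>en-US</string></array>
</dict></plist>
"""
# Binary form, which is how the file is normally stored on disk.
SAMPLE_BINARY_ENABLED = plistlib.dumps({LDM_KEY: True}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    samples = [
        ("xml enabled", SAMPLE_ENABLED),
        ("xml disabled", SAMPLE_DISABLED),
        ("xml no key", SAMPLE_NO_KEY),
        ("binary enabled", SAMPLE_BINARY_ENABLED),
    ]
    for name, blob in samples:
        print(f"{name:15} -> {ldm_state_from_plist_bytes(blob)}")
    print(f"this user       -> {ldm_state_from_file()}")
```

On a live Mac, run it as the user whose preferences you are examining; on an acquired image, pass the extracted plist path to ldm_state_from_file(). Treat an "enabled" result as one artefact to corroborate against the logs the talk covers, not as proof on its own.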