Running a Mac-only or mixed-OS environment? Don’t wait until disaster strikes. Network Defense Solutions, Inc. specializes in Apple-focused Incident Response. From custom SOPs and tools to expert guidance and rapid event support, we provide everything your team needs to stay secure and operational. With our Incident Response Retainer, you're never alone when incidents occur — we’re ready to respond and protect your business when it matters most. Time is critical in a breach — let us help you prepare before it happens.
We specialize in incident response across Windows systems from 9X to 11, including modern server platforms. With over 20 years of experience, we've developed effective practices, tools, and utilities to support fast, efficient investigations.
Our services help maintain forensic integrity and provide clear, actionable reports to aid in threat hunting and identifying affected systems. Whether you're responding to an active incident or preparing for potential threats, our expertise ensures meaningful support every step of the way. Click the link below to learn more about how we can assist your company with its cybersecurity needs.
MacOS poses specific challenges in how Apple governs its operating systems and in the "protections" it introduces with each version of MacOS: from shell limitations to full-on annoyances with permissions and monthly permission re-checks. Understanding MacOS is crucial for environments that use it, and is critical for understanding how MacOS can be circumvented; other issues involve tools specific to MacOS that many incident responders coming from a purely Linux background may not know!
Artifact Collection
Our artifact collection encompasses many key points of the operating system, including tools that Apple utilizes itself. The standard tools are incorporated but also enhanced with tools that make a difference to the investigatory process for MacOS. Below is a short sample of the information our tools, scripts and process collect, all while supporting the forensics process should your organization need to follow up with law enforcement.
Artifact Collection Information
- Network Artifact Collection: Your system will be polled for network connections, running programs, and which programs are using which ports and PIDs. This helps you identify any malicious communications or applications running on the system.
- File System Collection: Your file system will be searched for malicious hashes; this includes the Desktop, Downloads and Documents folder(s). Temp files and other locations will also be searched to help incident responders pull together important information about a system that needs to be cross-referenced.
- User Collection: User information (for local accounts) will be polled on the local box: all users under the /Users/ path (or your default disk path) and, if running as root, all files within each user folder, which are checked for malicious hashes, etc. The scripts will also pull information from your browsers to determine whether the user has visited any malicious web locations or downloaded any malicious files.
- Running Processes: All running processes will be dumped with detailed information to help an incident responder cross-reference other details collected from the system. This can be accessed within the directories created, alongside the network output and the details from the other dumps.
- Full Collection: The purpose of these options is to enable the responder to find all the details discussed above, and also to attempt to isolate files created within the last 30 days. In addition, these tools will attempt to pull information from the system logs so responders can focus their threat hunting efforts on specific areas.
If you are interested in licensing our custom tooling, please let us know by filling out the Licensing & Tooling form.
If you feel that your system has been affected by malware, a threat actor or another impact, or you simply need assistance with Incident Response for your Mac or Mac environment, please feel free to fill out the Incident Response request form below: