Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows malware...so why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get a introductory idea of how to start analyzing Mac malware.
SANS Author & Instructor of FOR518, SANS Institute Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counterāintelligence, counter-narcotic, and counterāterrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences; Shmoocon, CEIC, Bsides*, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the new SANS Mac Forensic Analysis Course - FOR518.