Collect evidence from macOS endpoints manually using the Trend Micro Incident Response Toolkit.

Important
Evidence archives use the same folder structures as the SANS Institute and the CyLR tool.

Procedure

  1. Select Agentic SIEM & XDR > Forensics > Packages.
  2. Click Collect Evidence.
  3. Configure the following settings for manual collection. For macOS endpoints, you need the following information:
    Evidence types: The types of evidence to collect.
    Archive location on endpoint: Location of the evidence package on the local endpoint.
    Important
    • The local archive is not encrypted and remains on the endpoint until deleted. This might allow anyone with access to the file system to access sensitive information or reveal the presence of an ongoing investigation.
    • Evidence archives take up hard drive space, which may impact endpoint performance.
  4. Click the download icon to download the Trend Micro Incident Response Toolkit.
  5. Deploy the toolkit on the endpoints from which you want to collect evidence.
  6. Execute the toolkit.
    1. Extract the contents of the .zip archive.
    2. Execute TMIRT.sh as the root user.
  7. If you do not have privileges for executing scripts, execute the following commands.
    1. To extract the toolkit from the .tgz file, execute xattr -c ./TMIRT-macos.tgz and then tar -xf ./TMIRT-macos.tgz.
    2. To begin collecting evidence, execute ./TMIRT-bin evidence --config_file ./config.json.
  8. Upload the evidence packages that the toolkit generates to Forensics. You can upload multiple files at once. Each file must not exceed 4 GB.
Forensics begins processing the uploaded evidence packages.
Important
  • Processing an evidence package can take several minutes.
  • Do not close the browser tab or refresh the screen until the process finishes.