macOS Lockdown Mode: A DFIR Odyssey (PDF, 63 pages)
macOS Lockdown Mode: A DFIR Odyssey
Bhargav Rathod
Security Analyst, Salesforce
24 July 2025

$whoami
Bhargav Rathod (he/-)
- Security Analyst, CSIRT
- Organizing Committee Member, DFRWS (APAC & USA)
- GIAC Advisory Board Member
- GIAC iOS and macOS Examiner (GIME)
- GIAC Reverse Engineering Malware Certification (GREM)
- Public Speaker: SANS DFIR Summit & Training 2025 & 2023; NullCon Goa 2025; BSides Ahmedabad 2024
- Alumni, Rashtriya Raksha University (RRU), Gujarat, India; MS Digital Forensics (Gold Medallist)
- Interest areas: DFIR & Malware Analysis (macOS)

Agenda
1. Lockdown Mode 101
2. Why LDM?
3. What happens when LDM is enabled on macOS?
4. How to detect if LDM is enabled?
5. LDM Artefacts
6. Caveats of LDM
7. Acknowledgements
8. References

Introduction

Lockdown Mode 101

What?
Lockdown Mode is an optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.

When Lockdown Mode is enabled, your device won't function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all.

When? Introduced in 2022, for iOS 16 and macOS Ventura (13)
Why? Mercenary spyware on iOS
Where? iOS, iPadOS, watchOS, macOS
Who? SEAR, which has developed it across different OS versions. Apple's Security Engineering & Architecture (SEAR) provides operating system security foundations across all of Apple's innovative products, including Mac, iPhone, iPad, Apple Watch, Apple TV, and Vision Pro.

Why LDM?

LDM exploration
The feature was introduced in 2022, but no one is talking about it from a DFIR perspective or has researched it. All