Captures macOS forensic artifacts, logs, and browser history into one archive for incident response triage
This Automox Worklet™ runs a bash collection script on the target macOS endpoint and assembles a forensic snapshot inside an IR_collection directory under the console user home at /Users/<console_user>/IR_collection/. The console user is resolved from stat -f '%Su' /dev/console so the capture follows the active session rather than the agent context. Each artifact class lands in its own text file, system logs and browser stores land in dedicated subdirectories, and the whole tree is packaged with ditto into a zlib-compressed zip archive.
The Worklet captures the artifacts a responder reaches for first. User and session state come from w, dscl . ls /Users, and last. Process state comes from ps aux narrowed to the user, PID, %CPU, and command columns. Network state comes from ifconfig, netstat -an, lsof -i, and arp -a written to network_snapshot.txt. Security posture is captured from security list-keychains and security dump-trust-settings -d. Environment dumps target the PATH and DYLD_INSERT_LIBRARIES variables; the latter is the macOS dylib-injection vector equivalent to LD_PRELOAD on Linux.
Persistence collection writes launchctl list, crontab -l, atq if any at jobs exist, and non-Apple kext drivers (kextstat filtered against com.apple) into persistence.txt, plus a hidden-files listing of the user home. System logs are gathered by copying every system.log* file out of /var/log/ into all_the_system_logs/. Browser collection runs against Safari, Google Chrome, Brave, and Firefox: Safari history and downloads, Chrome history (after killing the Chrome process), Brave history with extension inventory and Databases, and Firefox places.sqlite from each profile.
When an alert fires on a macOS endpoint, volatile evidence has a short shelf life. Running processes terminate, network sockets close, /var/log/ rotates, and a user shutting the laptop lid flushes information that would have answered the first triage question. A responder logging into each endpoint by hand collects different artifacts in different orders, and the resulting evidence is hard to compare across hosts or hand off to a forensic analyst.
Manual collection also leaves an investigator footprint on the endpoint, which is the opposite of what evidence handling under SOC 2, PCI-DSS section 12.10, and HIPAA §164.308(a)(6) calls for. Triggering this Worklet through FixNow lets a SOC analyst capture a consistent evidence set from one endpoint or a thousand in a single action. The snapshot is collected before the analyst issues containment commands, which preserves volatile state for review. Because the collection logic lives in the Worklet rather than in an ad hoc script, the same artifacts are returned every run.
Evaluation phase: The script tests for an IR_collection directory in the Automox agent working directory with [[ -d "IR_collection" ]]. If the directory is present, the script prints a notice and exits 0, marking the endpoint compliant. If the directory is absent, the script exits 1 and remediation is scheduled. The check is intentionally cheap so the Worklet can be fanned out across the fleet through FixNow without re-running the full collection on hosts that already produced an archive in the same agent cycle.
Remediation phase: The script resolves the console user with stat -f '%Su' /dev/console, sets BASE_DIR to /Users/<console_user>/, creates IR_collection there, and cd's in. It then writes logged_in_users.txt (w), daemons_all_users.txt (dscl . ls /Users), login_frequency.txt (last), running_processes.txt (ps aux awk-filtered), network_snapshot.txt (ifconfig, netstat -an, lsof -i, arp -a), IR_bash_history.txt, keychains.txt (security list-keychains), security_dump.txt (security dump-trust-settings -d), env_var.txt (PATH and DYLD_INSERT_LIBRARIES from printenv), and persistence.txt (launchctl list, crontab -l, atq, non-Apple kextstat, hidden files). Logs are copied into all_the_system_logs/ via find /var/log/ -name 'system.log*'. Browser data goes into browser_information/ with one subdirectory per detected browser; Chrome and Brave processes are killed after a 10-second warning before their History databases are copied. The tree is then packaged with ditto -k --zlibCompressionLevel 5 -c into <ComputerName>_<YYYY-MM-DD>.zip (ComputerName comes from scutil --get ComputerName) and copied to /Users/<console_user>/Desktop/.
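The evaluation gate, the staging tree, the archive naming rule, and the non-Apple kext filter from the two phases above, written as an added example rather than the Worklet's own script. The functions take the base directory and the kextstat text as arguments so they can be exercised against a scratch directory and a constructed kextstat sample on any host; the replacement of spaces in the ComputerName with underscores is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not the Automox Worklet's own code. Paths and inputs are
# parameters so the logic runs outside the agent context.
set -u

# Evaluation phase: 0 (compliant, skip remediation) when IR_collection already
# exists under $1, 1 (remediate) otherwise.
ir_evaluate() {
  if [ -d "$1/IR_collection" ]; then
    echo "IR_collection already present under $1; nothing to do"
    return 0
  fi
  echo "IR_collection missing under $1; collection required"
  return 1
}

# Remediation staging: the tree the collector writes into.
ir_stage() {
  mkdir -p "$1/IR_collection/all_the_system_logs" \
           "$1/IR_collection/browser_information" || return 1
  printf '%s\n' "$1/IR_collection"
}

# Archive name <ComputerName>_<YYYY-MM-DD>.zip. Assumption of this example:
# spaces in the name (scutil --get ComputerName can return "Jane's MacBook
# Pro") become underscores so the name is safe for unzip -l and shasum later.
ir_archive_name() {
  printf '%s_%s.zip\n' "$(printf '%s' "$1" | tr ' ' '_')" "$2"
}

# Persistence step: third-party kexts only. Reads kextstat output on stdin,
# skips the header line, prints the bundle identifier (6th column) of every
# entry whose identifier is not under com.apple.
ir_non_apple_kexts() {
  awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Constructed kextstat sample for a stand-alone run (not captured from a host).
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   87 0xffffff7f80b1f000 0x9000     0x9000     com.apple.kpi.bsd (19.6.0) 8D2F0000-0000-0000-0000-000000000001
  150    0 0xffffff7f838f7000 0x1c000    0x1c000    com.example.endpointagent (4.0.0) 1A2B0000-0000-0000-0000-000000000002 <5 4 3 2 1>
  151    0 0xffffff7f83913000 0x3000     0x3000     com.apple.driver.AppleUSBMultitouch (262) 9C0D0000-0000-0000-0000-000000000003'

# Stand-alone demonstration against a scratch directory.
ir_demo() {
  d="$(mktemp -d)"
  ir_evaluate "$d" || ir_stage "$d" >/dev/null
  ir_evaluate "$d"
  ir_archive_name "Jane's MacBook Pro" "$(date +%Y-%m-%d)"
  printf '%s\n' "$SAMPLE_KEXTSTAT" | ir_non_apple_kexts
  rm -rf "$d"
}
```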
macOS endpoint with the Automox agent installed and reporting; the Worklet targets the active console user resolved from /dev/console, so the endpoint should have a logged-in user at run time
Root execution context, which the Automox agent provides by default; needed to read /var/log/, run security dump-trust-settings -d, and copy per-user browser stores under /Users/<console_user>/Library/
Full Disk Access granted to the Automox agent under System Settings → Privacy and Security → Full Disk Access; required on Mojave and later to read Safari History.db and the protected /Library/ paths the persistence and browser steps touch
Awareness that the script will kill Chrome and Brave with kill <pid> after a 10-second on-screen warning so their History SQLite files can be copied without a lock; Safari and Firefox are not killed and may produce locked-database copy warnings if open
Free disk space in the console user home for the staging directory plus the final zip; the archive typically lands between 5 MB and 50 MB depending on /var/log/system.log* volume and browser history size
FixNow compatible; trigger the Worklet on demand from the Automox console when an alert fires rather than waiting for the next policy cycle
On a successful run /Users/<console_user>/IR_collection/ contains the artifact text files logged_in_users.txt, daemons_all_users.txt, login_frequency.txt, running_processes.txt, network_snapshot.txt, IR_bash_history.txt, keychains.txt, security_dump.txt, env_var.txt, and persistence.txt. The all_the_system_logs/ subdirectory holds copies of every system.log* file pulled from /var/log/. The browser_information/ subdirectory holds Safari_dump/ (History.db, Downloads.plist), Chrome_dump/ (History), Brave_dump/ (History, Databases, Brave_extensions.txt), and Firefox_dump/ (places.sqlite) for whichever of those browsers were installed.
On the console user Desktop, the final archive <ComputerName>_<YYYY-MM-DD>.zip is ready for retrieval through an EDR remote shell, an MDM file transfer, or a third-party remote desktop tool. Validate the capture by listing the archive contents with unzip -l <ComputerName>_<date>.zip and confirming the expected tree is present. For chain-of-custody, hash the archive immediately after retrieval with shasum -a 256 <archive> and store the digest alongside the policy run identifier from the Automox activity log. Subsequent runs against the same endpoint exit at the evaluation phase until the IR_collection directory is removed from the agent working directory, which prevents accidental re-collection on top of an evidence set that has not yet been pulled off the endpoint.