Gathers incident response data and system logs from macOS endpoints for forensic analysis
This Automox Worklet™ collects comprehensive incident response data from macOS endpoints by executing a bash script that gathers forensic artifacts, system logs, and metadata. The script creates an IR_collection directory, populates it with data from various system sources, and compresses everything into a timestamped zip file stored on the endpoint's Desktop.
The Worklet captures user and daemon information, running processes, network state, bash command history, security keychains, environment variables, persistence mechanisms, and browser artifacts from Safari, Chrome, Brave, and Firefox. It also copies relevant system logs from /var/log/ for comprehensive forensic analysis.
Each collected file includes timestamps to maintain temporal accuracy during investigation. The script is designed to run both as an ad hoc incident response tool and for baselining endpoint states over time.
When security incidents occur on macOS systems, critical forensic evidence is scattered across dozens of system locations: process lists, network states, browser histories, persistence mechanisms, and logs. Manually collecting this data is time-consuming, inconsistent, and risks missing key artifacts or contaminating evidence. Security teams need immediate access to comprehensive forensic snapshots to determine breach scope, identify indicators of compromise, and meet regulatory requirements for incident documentation.
The collected artifacts provide incident responders with visibility into user activity, network connections, running processes, and installed persistence mechanisms. This data helps identify compromise indicators, track attacker behavior, and support regulatory compliance requirements for breach investigations.
By collecting baseline data proactively through this Worklet, you establish a forensic snapshot that aids in detecting deviations from normal system state and accelerates the investigation timeline when incidents occur.
Evaluation phase: Checks whether the IR_collection directory already exists on the endpoint. If it does, the script exits to prevent duplicate collection runs.
Remediation phase: Creates the IR_collection directory and systematically gathers forensic data including user enumeration, running process list, network snapshots (ifconfig, netstat, lsof, arp), bash history, security settings, environment variables, persistence data (launchctl, crontab, kext drivers), hidden files, system logs from /var/log/, and browser history and extensions from Safari, Chrome, Brave, and Firefox. The script compresses all collected data into a timestamped zip file and places it on the Desktop for retrieval via EDR remote shell, remote desktop, or other third-party tools.
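The two phases above, as an added bash example that is not the Worklet's own script: the evaluation exits 0 when IR_collection already exists (treated here as compliant, so remediation is skipped) and 1 otherwise; the remediation writes each command's output to a timestamped file and archives the directory to the Desktop. The function names, the IR_PHASE variable and the exit-code convention are assumptions, and the command list is a subset of what the page describes.

```bash
#!/bin/bash
# Added example (not the Worklet's script). Evaluation: 0 = IR_collection already
# present (skip), 1 = collect. Remediation: timestamped per-command files, then
# a zip on the Desktop. Function names and IR_PHASE are assumed for this example.
ir_evaluate() {                        # $1 = home directory to inspect
    if [ -d "$1/IR_collection" ]; then
        echo "IR_collection already present; skipping duplicate run"
        return 0
    fi
    return 1
}
# Capture one command into <outdir>/<name>.txt with a UTC timestamp header so
# every artifact records when it was taken. Commands missing on this host are
# noted in the file rather than aborting the whole collection.
ir_collect() {                         # $1 = outdir, $2 = name, $3.. = command
    local outdir=$1 name=$2; shift 2
    local out="$outdir/$name.txt"
    printf 'collected_at: %s\ncommand: %s\n\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" > "$out"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$out" 2>&1 || echo "(exit status $?)" >> "$out"
    else
        echo "(command not available on this host)" >> "$out"
    fi
}
ir_remediate() {                       # $1 = home directory
    local ir_dir="$1/IR_collection"
    mkdir -p "$ir_dir/logs" "$ir_dir/browsers"
    ir_collect "$ir_dir" users       w
    ir_collect "$ir_dir" processes   ps aux
    ir_collect "$ir_dir" network     netstat -an
    ir_collect "$ir_dir" open_files  lsof -i
    ir_collect "$ir_dir" persistence launchctl list
    ir_collect "$ir_dir" environment env
    if [ -f "$1/.bash_history" ]; then cp "$1/.bash_history" "$ir_dir/bash_history.txt"; fi
    for f in /var/log/system.log /var/log/install.log; do   # macOS system logs
        if [ -r "$f" ]; then cp "$f" "$ir_dir/logs/"; fi
    done
}
ir_archive() {                         # $1 = home directory; prints the zip path
    local archive="$1/Desktop/IR_$(hostname)_$(date +%Y%m%d_%H%M%S).zip"
    mkdir -p "$1/Desktop"
    (cd "$1" && zip -qr "$archive" IR_collection) && echo "$archive"
}
case "${IR_PHASE:-}" in                # Worklet entry point (assumed convention)
    evaluate)  ir_evaluate "$HOME" ;;
    remediate) ir_evaluate "$HOME" || { ir_remediate "$HOME"; ir_archive "$HOME"; } ;;
esac
```

Run with IR_PHASE=evaluate or IR_PHASE=remediate; on a non-macOS host the macOS-only commands are recorded as unavailable rather than failing the run.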
macOS endpoint (any supported version)
Bash shell environment
Sufficient disk space in user home directory for IR_collection folder and compressed archive
Browser applications (Safari, Chrome, Brave, Firefox) should be closed before execution for accurate history and extension data collection
FixNow compatible for on-demand execution from Automox console
After execution, the endpoint contains a complete forensic snapshot ready for analysis. An IR_collection directory appears in the user's home directory containing organized forensic data in a standardized structure. The directory includes separate subdirectories for system logs and browser information, text files with timestamps documenting collection times, and detailed logs of user sessions, network connections, running processes, bash command history, persistence mechanisms (launch agents, cron jobs, kernel extensions), and security settings. The zip archive on the Desktop typically ranges from 5-50 MB depending on log sizes and browser history volume.
A compressed zip file with the endpoint's computer name and collection date in the filename appears on the Desktop. This archive can be extracted and analyzed by your incident response team, security tools, or forensic analysts to investigate potential compromises and reconstruct the timeline of suspicious activity.
Run this Worklet on a pilot macOS endpoint and review the evaluation output from the incident response capture script.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state with the same check the evaluation script performs: whether the IR_collection directory already exists in the user's home directory (the script exits if it does).
Validate the effects of the remediation's operations (the mkdir that creates IR_collection, the cd into it, the w output recording logged-in users) and confirm the timestamped zip is present on the Desktop, then rerun the evaluation to confirm compliance.