
Mac Evaluation Utility for macOS DFIR and Malware Analysis

  • malwr4n6
  • Mar 16

Updated: Mar 17


Mac Evaluation Utility [MEU]

Background:


During the beta testing phase of macOS Sequoia with AppleSeed for IT, I discovered this intriguing application called "Mac Evaluation Utility". This app, which I had never encountered before, was not only functional but also offered features that seemed to be very useful for DFIR and Malware Analysis.



Overview of Mac Evaluation Utility


According to Apple's official documentation on MEU:


  • Mac Evaluation Utility evaluates your organization’s ability to deploy Mac computers. The app checks the network to help verify that critical hosts and services are reachable for essential services like Automated Device Enrollment and software updates. It also examines the device’s management configuration to help make sure you're aligned with best practices. The results can be shared with colleagues to help you build a plan to succeed at deploying Mac computers at scale.



Fig 1. MEU Opening Page

Once the test is run, you will see output like that shown in Fig 2 and Fig 3 below. There are 2 tabs: Overview and Results.


The Overview tab shows the results in a good user interface with broad categories.

Fig 2. MEU Output Overview Tab

The Results tab shows a more detailed view of the specific outcome of each test, as shown in Fig 3 and Fig 4.

Fig 3. MEU Results Tab

Fig 4. Detailed Results Tab


How can MEU aid in DFIR and Malware Analysis?


  • It provides a quick snapshot of the macOS environment

  • Although originally designed for macOS Admins, it offers many features useful for DFIR and Malware Analysis purposes


  • DFIR Use cases:

    • The report can be extremely helpful in a Forensic & Incident Response setting to get a snapshot of the macOS system, as it provides crucial information like:

      • Applications

      • Persistence

      • System Settings and Preferences

      • Network Information

      • Bonjour Services

      • MDM related details

      • Management information, to get an idea of which features were turned on in macOS, like:

        • Apple Intelligence

        • Security

          • Gatekeeper

          • iPhone Mirroring

          • FileVault status

          • Guest User Config

          • Gatekeeper Status

          • SIP status


  • Malware Analysis Use Cases:

    • Capture/export reports and compare them to identify how the suspicious software made changes to macOS. (Think of this like RegShot for Registry analysis on Windows)

      • Before execution of malware

      • After a dynamic execution of malware

    • Shows status of

      • Applications:

        • Notarized Applications

        • Unsigned Applications

        • Non-universal Binaries

      • Persistence:

        • Launch Agents

        • Launch Daemons

        • Login Items

        • Kernel Extensions

          • Third-Party KEXTs

        • System Extensions

      • Network Information

        • Public IP

        • Public DNS Domain

        • Private IP

        • Host File Status






MEU Pros:


  • Provided by Apple

  • It is super fast and free!

    • Results in under a minute :)

  • Great and easy to use UI

    • Provides a better UI compared to System Information.app

  • Clicking a result category gives a good description of what it is about and which command you can run in the macOS Terminal to fetch the same details

    • I absolutely love this!

  • Data is exported in a comprehensive manner and in different formats like:

    • MEU

      • Can only be imported and opened in the Mac Evaluation Utility (MEU) application

    • JSON

    • CSV

    • PDF


MEU Cons:


  • Only available to beta testers! :(

  • There is no Find/Search functionality

  • Lacks essential details available in System Information.app like:

    • Installed Applications and when they were installed

    • Firewall status

    • Extensions

    • Logs!

    • Printer

    • Profiles

  • No integration with Apple Intelligence yet :(

    • This would have been a very cool feature if enabled

  • Report Comparison not available

    • This would have been extremely useful in macOS Malware Analysis.

    • What changes were seen after a suspicious file/binary was executed on the machine? This could be easily answered
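
Until MEU can compare reports itself, the before/after comparison described in the Malware Analysis use cases can be done on the JSON exports. The script below is an added example, not part of MEU or Apple's tooling. It is schema-agnostic, and the key names in the constructed sample data are hypothetical, since the real export layout is not shown here.

```python
import json
import sys

# Constructed sample exports. The key names are hypothetical, not MEU's real schema.
BEFORE = {
    "Persistence": {"Launch Agents": ["com.example.updater.plist"], "Login Items": []},
    "Security": {"Gatekeeper": "Enabled", "SIP": "Enabled"},
    "Network": {"Hosts File": "Unmodified"},
}
AFTER = {
    "Persistence": {"Launch Agents": ["com.sample.agent.plist", "com.example.updater.plist"],
                    "Login Items": []},
    "Security": {"Gatekeeper": "Disabled", "SIP": "Enabled"},
    "Network": {"Hosts File": "Modified"},
}

def flatten(node, path=""):
    """Yield (path, json_value) pairs for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from flatten(val, f"{path}/{key}")
    elif isinstance(node, list):
        # List items are keyed by content, not index, so reordering is not a change.
        for item in node:
            yield f"{path}[]", json.dumps(item, sort_keys=True)
    else:
        yield path, json.dumps(node)

def diff_reports(before, after):
    """Return entries added, removed and changed between two exports."""
    old, new = set(flatten(before)), set(flatten(after))
    gone, fresh = old - new, new - old
    old_scalars = {p: v for p, v in gone if not p.endswith("[]")}
    new_scalars = {p: v for p, v in fresh if not p.endswith("[]")}
    changed = {p: (old_scalars[p], new_scalars[p])
               for p in old_scalars.keys() & new_scalars.keys()}
    return {
        "added": sorted(e for e in fresh if e[0] not in changed),
        "removed": sorted(e for e in gone if e[0] not in changed),
        "changed": changed,
    }

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py before.json after.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            BEFORE, AFTER = json.load(f1), json.load(f2)
    print(json.dumps(diff_reports(BEFORE, AFTER), indent=2, sort_keys=True))
```

Run it with two exported JSON files as arguments. With no arguments it diffs the constructed samples.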



Conclusion:


Mac Evaluation Utility is a treasure trove of data for macOS DFIR and Malware Analysis but should be used alongside System Information.app output.


However, I still don't understand why this app has been kept hidden from the general public and is only available to a select group of beta testers.


It raises questions about the decision-making process behind its limited accessibility. Is there a concern regarding its stability or performance that the developers are still addressing? Or perhaps they are looking to gather more feedback from a controlled group of users before launching it to a broader audience?


The secrecy surrounding this application is puzzling, especially considering the potential benefits it could bring to everyday users who are eager for innovative tools. The anticipation builds as I wonder when, or if, this app will finally be unveiled to the wider macOS community, allowing more users to experience its unique functionalities and advantages.





©2025 by malwr4n6.
