CrowdStrike and FireEye have released tool(s) to handle terminal savedState files on OSX.
FireEye talked about an OSX IR where they were able to pull these files and reconstruct whole screens from the terminal. Great for pulling back history of commands, even if someone unsets the history file.
Pretty simple: AES-128-CBC; the key is in one file, then you can decrypt the data file.
I'd like to take a stab at this if no one else has done it or is thinking about it. I think it would be a really cool addition to the framework, being able to potentially gather info.
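To show what a decryptor for these files has to do, here is an added example of the decrypt-and-parse step described above. It is not code from the original post and not the CrowdStrike or FireEye tool; it assumes the record layout those tools read from `data.data` (a 4-byte `NSCR` magic, then big-endian 4-byte version `1`, window ID and total record length, followed by AES-128-CBC ciphertext with an all-zero IV and PKCS#7 padding) and that the per-window 16-byte key is the `NSDataKey` value from `windows.plist`; pulling that key out of the plist is left to `plutil -p` or a plist library. Go is used here because its standard library has AES-CBC, so the block runs offline against a constructed sample blob built by `SampleSavedState`; the logic ports directly to the framework's own language.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	recordMagic  = "NSCR"
	headerLength = 16 // magic(4) + version(4) + windowID(4) + total length(4), all big-endian (assumed layout)
)

// Record is one decrypted window-state entry from data.data.
type Record struct {
	WindowID  uint32
	Plaintext []byte
}

// decryptCBC decrypts AES-128-CBC with an all-zero IV (assumption: no IV is stored
// in the record) and strips PKCS#7 padding when it is well formed.
func decryptCBC(key, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key) // 16-byte key => AES-128
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n > 0 && n <= aes.BlockSize && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		pt = pt[:len(pt)-n]
	}
	return pt, nil
}

// ParseSavedState walks the records in a data.data blob and decrypts every payload
// whose window ID has a key. keys maps window ID -> 16-byte NSDataKey from windows.plist.
// Records without a known key are skipped; a malformed record stops the walk but the
// records decrypted so far are still returned, since partial recovery is the point on IR.
func ParseSavedState(data []byte, keys map[uint32][]byte) ([]Record, error) {
	var out []Record
	for off := 0; off < len(data); {
		if len(data)-off < headerLength {
			return out, fmt.Errorf("truncated header at offset %d", off)
		}
		hdr := data[off : off+headerLength]
		if string(hdr[:4]) != recordMagic {
			return out, fmt.Errorf("bad magic %q at offset %d", hdr[:4], off)
		}
		version := binary.BigEndian.Uint32(hdr[4:8])
		winID := binary.BigEndian.Uint32(hdr[8:12])
		length := int(binary.BigEndian.Uint32(hdr[12:16])) // whole record, header included
		if version != 1 {
			return out, fmt.Errorf("unsupported record version %d at offset %d", version, off)
		}
		if length < headerLength || length > len(data)-off {
			return out, fmt.Errorf("bad record length %d at offset %d", length, off)
		}
		ct := data[off+headerLength : off+length]
		off += length
		key, ok := keys[winID]
		if !ok {
			continue // window whose key is absent from windows.plist
		}
		pt, err := decryptCBC(key, ct)
		if err != nil {
			return out, fmt.Errorf("window %d: %w", winID, err)
		}
		out = append(out, Record{WindowID: winID, Plaintext: pt})
	}
	return out, nil
}

// encryptRecord builds one record in the layout the parser expects. It exists only to
// construct offline sample input; a real tool never needs to encrypt.
func encryptRecord(key []byte, winID uint32, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	hdr := make([]byte, headerLength)
	copy(hdr, recordMagic)
	binary.BigEndian.PutUint32(hdr[4:], 1)
	binary.BigEndian.PutUint32(hdr[8:], winID)
	binary.BigEndian.PutUint32(hdr[12:], uint32(headerLength+len(ct)))
	return append(hdr, ct...)
}

// SampleSavedState returns a constructed data.data blob holding two windows (7 and 9)
// and a key map that only knows window 7, so the "missing key" path is exercised too.
func SampleSavedState() ([]byte, map[uint32][]byte) {
	key7 := []byte("0123456789abcdef") // constructed 16-byte NSDataKey, not a real one
	key9 := []byte("fedcba9876543210")
	r7 := encryptRecord(key7, 7, []byte("$ unset HISTFILE\n$ ls -la ~/.ssh\n"))
	r9 := encryptRecord(key9, 9, []byte("$ whoami\n"))
	return append(r7, r9...), map[uint32][]byte{7: key7}
}

func main() {
	data, keys := SampleSavedState()
	recs, err := ParseSavedState(data, keys)
	if err != nil {
		fmt.Println("parse error:", err)
	}
	for _, r := range recs {
		fmt.Printf("window %d:\n%s", r.WindowID, r.Plaintext)
	}
}
```

On a real host, read `~/Library/Saved Application State/com.apple.Terminal.savedState/data.data` into `data` and fill `keys` from the `NSDataKey` entries in `windows.plist`; the decrypted payload is a binary plist with the window contents, which `plutil -p` or a plist parser can then render into the screen text the post refers to.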