Advanced Admin-Level Scan for macOS: Magnet OUTRIDER
Triaging Mac workstations has never been easier with Magnet OUTRIDER for Mac. From importing NCMEC data to using keywords and searching browser history, OUTRIDER can uncover actionable evidence quickly.
Sometimes, though, you may want to take extra time for a deeper look at the device and all user accounts present on it while it’s on hand. For these cases, OUTRIDER offers advanced search and scan options for macOS through administrative access with the appropriate credentials.
The standard OUTRIDER scan will be all you need in most instances, but when scanning a device that has multiple users, the standard scan covers data associated with the user currently logged in, and any attached media and network locations they have access to. An admin-level scan can retrieve data for all user accounts present on the device.
Advanced Search Options
To do an advanced, thorough scan of the target computer, two steps are necessary:
- OUTRIDER will need “Full Disk Access”. To enable it, go to “Security & Privacy”, then “Full Disk Access”, and add “Outrider.app”.
- OUTRIDER needs to run as “admin”. To enable this, double-click the “admin.outrider” file in the macOS folder.
Getting Started
After launching OUTRIDER for Mac on the target machine, the Scan Template can be created and altered for the needs of a particular case.
The keyword list can be modified, and regular expressions can be added to a list. To scan Safari history, ensure “Search priority paths” is selected. Browser history can be searched for URLs and keywords, if selected under “Artifacts”. When “Search running processes” and “Obtain IP address” are enabled, OUTRIDER will identify those details for investigator review.
After configuring the Scan Template, select the drive(s) to include in the scan.
After starting the scan, OUTRIDER begins to display the artifacts that meet the criteria for the Scan Template. The results can be viewed by clicking in the Search Results navigation pane.
An HTML report is generated during the initial scan and saved to a Reports folder in the location where OUTRIDER was launched. Depending on the investigative needs, the OUTRIDER report may be the only artifact needed, or it may document that a further review or examination is needed.
Advanced admin-level scans for macOS are available as of version 3.1 of Magnet OUTRIDER.
If you have any questions, please don’t hesitate to reach out directly via kim.bradley@magnetforensics.com.