Jordan Mussman 👋

An Unlikely Hacker

Mac Forensics in 2026

Forensicating a MacBook in 2026 requires understanding an operating system built on decades of Unix heritage, proprietary security layers, and an ever-evolving threat landscape. This guide cuts through the complexity to focus on modern endpoint security as reference material through the practical lens of digital forensics. macOS Protections Most MacBook compromises follow predictable patterns. This post examines three common attack vectors to illustrate how attackers exploit security gaps and how forensic analysts uncover them. ...

February 9, 2026 · 10 min · 2060 words · Jordan Mussman

Less is More

I found /usr/bin/lesspipe.sh and ~/.lessfilter. ls -al /usr/bin/lesspipe.sh -rwxr-xr-x. 1 root root 3622 Sep 1 14:25 /usr/bin/lesspipe.sh ⚠️ This post is in no way detailing a vulnerability or exploit. I am sharing a novel persistence mechanism that I was not aware of until recently. I am writing this post because I do not believe many defenders — SOC, DFIR and system administrators alike — know about this. Neither MITRE ATT&CK nor GTFOBins.com includes this level of detail in their respective repositories, either. ...

September 12, 2025 · 9 min · 1720 words · Jordan Mussman

EBPF for All

eBPF (Extended Berkeley Packet Filtering) emerged a few times in my career dealings over the last couple of years, and I only now sat down to start taking it seriously. Whether on DFIR engagements or protecting some of the systems I use at my current employer, eBPF always plays a role in helping a user do some elegant things with the assistance of the kernel. But it's not just my employer (and their operating system) teams that are exploring ways to make the Linux kernel work for them. So too are Facebook and Netflix and Apple and Splunk and DataDog and 5G Telco Networks, even Cloudflare! ...

March 20, 2025 · 9 min · 1734 words · Jordan Mussman