
Mac Tip: Inspect Suspicious Documents and Apps and Extract Contents | News

Trojans, malware and information stealers have now reached the Mac as well. Apple has always invested heavily in the security of macOS, which is why viruses and worms, i.e. self-replicating attacks, are still quite rare on Macs. But through apps, multimedia files and documents, Apple users can still unexpectedly pick up scripts that spy on personal information, crypto wallets and passwords and send them out automatically. Use the right methods to examine downloads and documents before they come into contact with your personal files. Howard Oakley describes two ways of doing this.

Both methods rely on opening the document in question in a protected environment in order to observe its behavior or extract its content. Setting up a virtual machine (VM) on a Mac with Apple Silicon is comparatively easy. Apple’s APFS file system also makes it easy to clone an existing VM in a space-saving way to obtain a disposable copy. For this purpose, Oakley provides two programs that help create and run VMs: Viable and its sandboxed variant ViableS.

Create VM with Viable
For the most secure analysis, Oakley recommends a multi-stage process for examining downloads and extracting content. The first step is to set up a macOS-based VM. The standard version of Viable is used for this – a PDF included in the download explains the procedure. The resulting VM file is over 20 GB in size. The second step is to duplicate this file in Finder. A property of APFS pays off here: the clone appears just as large as the original, but initially occupies no additional space on the SSD, because the file system shares the unchanged blocks between the two copies and only stores blocks that are later modified separately.

Set up copy
In Viable, click “Start VM…”, select the copy, work through the setup wizard and install any additional software you need for your test environment. Oakley, for example, recommends his PDF reader Podofyllin. In the Settings app inside the VM, under “Users & Groups”, create a new user and leave the “User can manage this Mac” option disabled. Switch to this new account and go through the setup wizard again – skip setting up the Apple account. You can then use shared folders to transfer the files or downloads to be examined from the host system. Then shut down the virtual machine and quit the “Viable” program.

Further into the sandbox
Then start the same VM, but from the “ViableS” app. All connections to the host macOS are blocked and file exchange is not possible. If downloads need to be made here, Oakley recommends starting with the network enabled (e.g. “Wi-Fi”) and using the standard (non-admin) account to download the objects in question (e.g. from a webmail interface or an app download page). Then shut the VM down and start it again without the network. In this state the VM is maximally isolated. You can now open files or launch apps to read content or examine suspicious programs. Once the analysis is complete, delete the second VM file – and, if required, make a fresh copy of the original so that the next analysis again starts from an untouched macOS.

ViableS starts a virtual machine without any connection to the host system, and by default even without a network connection.

Alternative danger zone
If it is only a matter of text documents, such as Word files or PDFs, Oakley mentions a second option that could particularly benefit journalists: the free program Dangerzone reads widely used document formats, automatically renders each page to an image file, runs text recognition on those images and assembles the result into a new PDF. This approach is also based on a VM (a Podman container, to be precise), which is why the program takes up 2.2 GB of storage space – but that is only a tenth of a macOS VM. If you just want to convert documents into a safe PDF, Dangerzone saves you a lot of time and storage space. If you want to be extra cautious, install Dangerzone inside a macOS VM.

Dangerzone is offered by the Freedom of the Press Foundation for macOS, Windows and many open source operating systems.
