Home
mac_apt is a tool to process full disk images of Mac computers and extract data/metadata useful for forensic investigation. It is designed to be cross-platform and uses python libraries that work across mac, linux and windows.
mac_apt is a python based framework with plugins that process individual artifacts (such as Safari internet history, network interfaces, recently used files, Spotlight typed searches, etc.). The framework does the heavy lifting of parsing the disk/volume image and offers a unified output interface, which currently supports writing out data as CSV, Sqlite and Excel. There is an API which plugins can use to access files and folders within the disk image. Currently DD and E01 images are supported; DMG files without compression work too. You can also use a mounted image (with limited support for this on windows). We even put in a native HFS & APFS parser with support for lzvn/lzfse compressed files.
New in mac_apt - Plugins for spotlight, fsevents, autostart, bluetooth, dockitems, msoffice and unifiedlogs. Support for running directly on VMDK images.
- Cross platform (no dependency on pyobjc)
- Works on E01, DD, split-DD, VMDK, DMG (no compression) & mounted images
- XLSX, CSV, Sqlite outputs
- Analyzed files/artifacts are exported for later review
- zlib, lzvn, lzfse compressed files are supported!
- APFS volumes are supported!
So far, we've tested this on OSX 10.9 (Mavericks) through 10.14 (Mojave).
There are 2 main launch scripts:

| Script | When to use? |
|---|---|
| mac_apt.py | Use with full disk/volume images as input |
| mac_apt_artifact_only.py | Use with individual artifact files as input. This is when you do not have the full image but you have key files like com.apple.airport.preferences.plist to analyze. (Not every plugin supports this!) |
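To show what "artifact only" processing means in practice, here is an added example (not mac_apt's own code, and not its WIFI plugin) that parses a single com.apple.airport.preferences.plist and lists the known Wi-Fi networks. The plist layout it assumes (a top-level `KnownNetworks` dict whose entries carry `SSIDString`, `SecurityType`, `Captive` and `LastConnected`) is modelled on the 10.9-10.14 era file but is an assumption here, and the sample plist is constructed so the script runs offline.

```python
"""List known Wi-Fi networks from a com.apple.airport.preferences.plist.

Added example, not part of mac_apt. The KnownNetworks/SSIDString/SecurityType/
Captive/LastConnected layout is assumed (hypothetical, modelled on the
10.9-10.14 file); adjust the key names if your file differs.
"""
import csv
import io
import plistlib
from datetime import datetime, timezone

# Constructed sample file, embedded so the example runs without an image.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KnownNetworks</key>
  <dict>
    <key>wifi.network.ssid.HomeNet</key>
    <dict>
      <key>SSIDString</key><string>HomeNet</string>
      <key>SecurityType</key><string>WPA2 Personal</string>
      <key>Captive</key><false/>
      <key>LastConnected</key><date>2019-03-02T18:45:10Z</date>
    </dict>
    <key>wifi.network.ssid.CoffeeShop</key>
    <dict>
      <key>SSIDString</key><string>CoffeeShop</string>
      <key>SecurityType</key><string>Open</string>
      <key>Captive</key><true/>
      <key>LastConnected</key><date>2019-03-05T09:12:44Z</date>
    </dict>
    <key>wifi.network.ssid.Legacy</key>
    <dict>
      <key>SSIDString</key><string>Legacy</string>
      <key>SecurityType</key><string>WEP</string>
    </dict>
  </dict>
</dict>
</plist>
"""

_EPOCH_MIN = datetime.min.replace(tzinfo=timezone.utc)


def parse_known_networks(plist_bytes):
    """Return a list of dicts, most recently connected network first.

    Entries that never connected (no LastConnected key) sort last rather
    than being dropped, because the profile still proves the SSID was known.
    """
    data = plistlib.loads(plist_bytes)
    networks = []
    for key, entry in data.get("KnownNetworks", {}).items():
        last = entry.get("LastConnected")
        networks.append({
            "ssid": entry.get("SSIDString", key),
            "security": entry.get("SecurityType", "unknown"),
            "captive": bool(entry.get("Captive", False)),
            # plistlib yields naive datetimes for <date>; they are UTC.
            "last_connected": last.replace(tzinfo=timezone.utc) if last else None,
        })
    networks.sort(key=lambda n: n["last_connected"] or _EPOCH_MIN, reverse=True)
    return networks


def flag_weak(networks):
    """SSIDs joined with no or broken encryption; usually the first ones to review."""
    return [n["ssid"] for n in networks if n["security"] in ("Open", "WEP", "None")]


def to_csv(networks):
    """Serialise the parsed networks as CSV text (the default mac_apt output type)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ssid", "security", "captive", "last_connected"])
    writer.writeheader()
    for n in networks:
        row = dict(n)
        row["last_connected"] = n["last_connected"].isoformat() if n["last_connected"] else ""
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real com.apple.airport.preferences.plist as argv[1]; else use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    nets = parse_known_networks(raw)
    print(to_csv(nets))
    print("weak security:", ", ".join(flag_weak(nets)) or "none")
```

Run it against a copy of the plist pulled from `/Library/Preferences/SystemConfiguration/` on the evidence volume; the order of the rows is what an examiner normally wants first (last joined network at the top), and the captive flag separates hotspot-style networks from home or corporate ones.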
Running the -h option will show you the optional and required parameters.
```
C:\Users\khatri>python c:\mac_apt\mac_apt.py -h
usage: mac_apt.exe [-h] [-o OUTPUT_PATH] [-x] [-c] [-s] [-l LOG_LEVEL] [-u]
                   input_type input_path plugin [plugin ...]

mac_apt is a framework to process forensic artifacts on a Mac OSX system
You are running macOS Artifact Parsing Tool version 0.4

positional arguments:
  input_type            Specify Input type as either E01, DD, VMDK or MOUNTED
  input_path            Path to OSX image/volume
  plugin                Plugins to run (space separated). 'ALL' will process every available plugin

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in excel spreadsheet(s)
  -c, --csv             Save output as CSV files (Default option if no output type selected)
  -s, --sqlite          Save output in an sqlite database
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -u, --use_tsk         Use sleuthkit instead of native HFS+ parser (This is slower!)

The following plugins are available:
    ALL                 Processes all plugins
    AUTOSTART           Retrieves persistent and auto-start programs, daemons,
                        services
    BASHSESSIONS        Reads bash (Terminal) sessions & history for every user
    BASICINFO           Gets basic machine and OS configuration like SN,
                        timezone, computer name, last logged in user, FS info,
                        etc..
    BLUETOOTH           Parses System Bluetooth Artifacts
    DOCKITEMS           Reads the Dock plist for every user
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SPOTLIGHT           Reads spotlight indexes on volume
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    UNIFIEDLOGS         Reads macOS unified logging logs from .tracev3 files
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file
```
Here is how you can run one or more plugins. Let us assume a few parameters to understand this.

| Parameter | Desired Value/Type | Command |
|---|---|---|
| Output path (where output goes) | C:\output | -o C:\output |
| Output type(s) | excel & sqlite | -x -s |
| Input type | E01 image | E01 |
| Input image path | C:\sample_images\mojave.E01 | C:\sample_images\mojave.E01 |
| Plugins to run | wifi, fsevents, basicinfo | WIFI FSEVENTS BASICINFO |

It is best to write the command out in this same order: the options (-o, -x, -s, -l) first, then the positional arguments input type, image path and plugin names, as shown below.
Using code

```
C:\mac_apt> python.exe mac_apt.py -o C:\output -x -s E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
```

Using compiled executable

```
C:\mac_apt> mac_apt.exe -o C:\output -x -s E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
```

The below examples exercise some of the other available options.

Run all modules over a DD image, with only sqlite output:

```
C:\mac_apt> mac_apt.exe -o C:\output -s DD C:\sample_images\mojave.dd ALL
```

Now the same with DEBUG logging for more information (good when investigating bugs):

```
C:\mac_apt> mac_apt.exe -o C:\output -s -l DEBUG DD C:\sample_images\mojave.dd ALL
```