Yogesh Khatri (@swiftforensics) edited this page Apr 28, 2020 · 48 revisions

mac_apt - macOS Artifact Parsing Tool

mac_apt is a tool that processes full disk images of Mac computers (or live machines) and extracts data and metadata useful for a forensic investigation. It is designed to be cross-platform and uses Python libraries that work on macOS, Linux and Windows.

mac_apt is a Python based framework with plugins that each process an individual artifact (Safari internet history, network interfaces, recently used files, Spotlight typed searches, and so on). The framework does the heavy lifting: it parses the disk/volume image, gives plugins an API to access files and folders within the image, and offers a unified output interface that currently writes CSV, Sqlite and Excel formats. mac_apt can work with DD, VMDK and E01 images and with DMG files that are not compressed. A mounted image can be used as input too (with limited support for this on Windows). It also includes a native HFS & APFS parser with support for lzvn/lzfse compressed files.

New in mac_apt 0.4

  • Plugins for spotlight, fsevents, autostart, bluetooth, dockitems, msoffice and unifiedlogs
  • Support for running directly on VMDK images

New in mac_apt 0.5

  • Plugins for screentime, quicklook, terminalstate, applist, cookies
  • Support for macOS 10.15 (Catalina)'s separated System and Data volumes

Notable features:

  • Cross platform (no dependency on pyobjc)
  • Works on E01, DD, split-DD, VMDK, DMG (no compression) & mounted images
  • XLSX, CSV, Sqlite outputs
  • Analyzed files/artifacts are exported for later review
  • zlib, lzvn, lzfse compressed files are supported!
  • Native HFS & APFS parser
  • Reads the Spotlight database and Unified Logging (tracev3) files

So far, we've tested this on macOS 10.9 (Mavericks) through 10.15 (Catalina).

Running mac_apt

There are three main launch scripts:

mac_apt.py
    Use with full disk/volume images (or mounted or live systems) as input.

mac_apt_artifact_only.py
    Use with individual artifact files as input, when you do not have the full image but do have key files such as com.apple.airport.preferences.plist to analyze. (Not every plugin supports this!)

mac_apt_mounted_sys_data.py
    Use this if you have a macOS 10.15 or higher image mounted. From 10.15 onwards there are two separate volumes, SYSTEM and DATA; this script accepts the two mounted paths for the SYSTEM and DATA volumes.

Running the -h option will show you the optional and required parameters.

C:\Users\khatri>python c:\mac_apt\mac_apt.py -h
usage: mac_apt.exe [-h] [-o OUTPUT_PATH] [-x] [-c] [-s] [-l LOG_LEVEL] [-u]
                   input_type input_path plugin [plugin ...]

mac_apt is a framework to process forensic artifacts on a Mac OSX system
You are running macOS Artifact Parsing Tool version 0.4

positional arguments:
  input_type            Specify Input type as either E01, DD, VMDK or MOUNTED
  input_path            Path to OSX image/volume
  plugin                Plugins to run (space separated). 'ALL' will process every available plugin

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in excel spreadsheet(s)
  -c, --csv             Save output as CSV files (Default option if no output type selected)
  -s, --sqlite          Save output in an sqlite database
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -u, --use_tsk         Use sleuthkit instead of native HFS+ parser (This is slower!)

The following plugins are available:
    ALL                 Processes all plugins
    AUTOSTART           Retrieves persistent and auto-start programs, daemons,
                        services
    BASHSESSIONS        Reads bash (Terminal) sessions & history for every user
    BASICINFO           Gets basic machine and OS configuration like SN,
                        timezone, computer name, last logged in user, FS info,
                        etc..
    BLUETOOTH           Parses System Bluetooth Artifacts
    DOCKITEMS           Reads the Dock plist for every user
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SPOTLIGHT           Reads spotlight indexes on volume
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    UNIFIEDLOGS         Reads macOS unified logging logs from .tracev3 files
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file
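The following wrapper script is an added example and is not part of mac_apt; it only composes the command line that the help output above documents (-o, -s, -c, -l, then input_type, input_path and the plugin list) and records a hash of the evidence file before and after the run so the image can be shown unchanged. The checkout location /opt/mac_apt (overridable with MAC_APT_HOME), the use of the interpreter name "python", and the availability of sha256sum are assumptions, not anything stated on this page.

```shell
#!/bin/sh
# Added example, not mac_apt's own code. Assumptions (not from the page):
# the repo is checked out at $MAC_APT_HOME, "python" is the interpreter,
# and sha256sum is available.
set -eu

MAC_APT_HOME="${MAC_APT_HOME:-/opt/mac_apt}"

# Input types exactly as listed by "mac_apt.py -h" for version 0.4.
validate_input_type() {
    case "$1" in
        E01|DD|VMDK|MOUNTED) return 0 ;;
        *) printf 'unsupported input_type: %s (use E01, DD, VMDK or MOUNTED)\n' "$1" >&2
           return 1 ;;
    esac
}

# Build the documented command line: -o output directory, -s and -c so the
# same data lands in both Sqlite and CSV, -l log level, then input_type,
# input_path and the plugins. Printed (not executed) so it can be reviewed
# and written to the case log first.
mac_apt_cmd() {
    in_type="$1"; in_path="$2"; out_dir="$3"; shift 3
    validate_input_type "$in_type"
    printf 'python %s/mac_apt.py -o %s -s -c -l INFO %s %s' \
        "$MAC_APT_HOME" "$out_dir" "$in_type" "$in_path"
    for plugin in "$@"; do
        printf ' %s' "$plugin"
    done
    printf '\n'
}

# Hash the evidence file so it can be shown unchanged after processing.
# A MOUNTED input is a directory, which is reported instead of hashed.
hash_evidence() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        printf 'n/a (%s is not a regular file)\n' "$1"
    fi
}

# Full run: create the case directory, log the hash and the exact command,
# then execute mac_apt.py unless MAC_APT_DRY_RUN is set.
run_case() {
    in_type="$1"; in_path="$2"; out_dir="$3"; shift 3
    mkdir -p "$out_dir"
    cmd=$(mac_apt_cmd "$in_type" "$in_path" "$out_dir" "$@")
    {
        printf 'started: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'evidence sha256 (before): %s\n' "$(hash_evidence "$in_path")"
        printf 'command: %s\n' "$cmd"
    } >> "$out_dir/run.log"
    if [ -z "${MAC_APT_DRY_RUN:-}" ]; then
        # Same arguments as mac_apt_cmd, passed directly so paths with
        # spaces are handled correctly.
        python "$MAC_APT_HOME/mac_apt.py" -o "$out_dir" -s -c -l INFO \
            "$in_type" "$in_path" "$@"
        printf 'evidence sha256 (after): %s\n' "$(hash_evidence "$in_path")" >> "$out_dir/run.log"
    fi
}

# Typical use (constructed paths):
#   run_case E01 /evidence/mac.E01 /cases/001 BASICINFO USERS SAFARI
#   MAC_APT_DRY_RUN=1 run_case MOUNTED /Volumes/Macintosh\ HD /cases/002 ALL
```

Keeping the exact command line in run.log next to the before/after hashes is what lets a second examiner reproduce the run against the same evidence; the plugin names are passed through unchanged, so anything not in the help's plugin list simply fails in mac_apt.py itself.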

For usage and examples, see here
