ydkhatri / Mac_apt

Licence: mit
macOS Artifact Parsing Tool

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives to or similar to Mac_apt

uac
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
Stars: ✭ 260 (-20.97%)
Mutual labels:  forensics, dfir
PSTrace
Trace ScriptBlock execution for powershell v2
Stars: ✭ 38 (-88.45%)
Mutual labels:  forensics, dfir
iTunes Backup Reader
Python 3 Script to parse out iTunes backups
Stars: ✭ 108 (-67.17%)
Mutual labels:  forensics, dfir
Recuperabit
A tool for forensic file system reconstruction.
Stars: ✭ 280 (-14.89%)
Mutual labels:  dfir, forensics
LevelDBDumper
Dumps all of the Key/Value pairs from a LevelDB database
Stars: ✭ 23 (-93.01%)
Mutual labels:  forensics, dfir
MindMaps
#ThreatHunting #DFIR #Malware #Detection Mind Maps
Stars: ✭ 224 (-31.91%)
Mutual labels:  forensics, dfir
DFIR-O365RC
PowerShell module for Office 365 and Azure log collection
Stars: ✭ 158 (-51.98%)
Mutual labels:  forensics, dfir
MEAT
This toolkit aims to help forensicators perform different kinds of acquisitions on iOS devices
Stars: ✭ 101 (-69.3%)
Mutual labels:  forensics, dfir
smram parse
System Management RAM analysis tool
Stars: ✭ 50 (-84.8%)
Mutual labels:  forensics, dfir
WELA
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)
Stars: ✭ 442 (+34.35%)
Mutual labels:  forensics, dfir
dnslog
Minimalistic DNS logging tool
Stars: ✭ 40 (-87.84%)
Mutual labels:  forensics, dfir
truehunter
Truehunter
Stars: ✭ 30 (-90.88%)
Mutual labels:  forensics, dfir
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Stars: ✭ 32 (-90.27%)
Mutual labels:  forensics, dfir
CDIR
CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library
Stars: ✭ 122 (-62.92%)
Mutual labels:  forensics, dfir
hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Stars: ✭ 908 (+175.99%)
Mutual labels:  forensics, dfir
ad-privileged-audit
Provides various Windows Server Active Directory (AD) security-focused reports.
Stars: ✭ 42 (-87.23%)
Mutual labels:  forensics, dfir
RdpCacheStitcher
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
Stars: ✭ 176 (-46.5%)
Mutual labels:  forensics, dfir
GetConsoleHistoryAndOutput
An Incident Response tool to extract console command history and screen output buffer
Stars: ✭ 41 (-87.54%)
Mutual labels:  forensics, dfir
EventTranscriptParser
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)
Stars: ✭ 22 (-93.31%)
Mutual labels:  forensics, dfir
ir scripts
incident response scripts
Stars: ✭ 17 (-94.83%)
Mutual labels:  forensics, dfir

mac_apt - macOS (and iOS) Artifact Parsing Tool

mac_apt is a DFIR (Digital Forensics and Incident Response) tool that processes Mac computer full disk images (or live machines) and extracts data and metadata useful for forensic investigation. It is a Python-based framework with plugins that process individual artifacts (such as Safari internet history, network interfaces, recently accessed files and volumes, etc.).

mac_apt now also includes ios_apt, for processing iOS images.

Requirements: Python 3.7 or above (32/64 bit)

Features

  • Cross platform (no dependency on pyobjc)
  • Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression), SPARSEIMAGE & mounted images
  • XLSX, CSV, Sqlite outputs
  • Analyzed files/artifacts are exported for later review
  • zlib, lzvn, lzfse compressed files are supported!
  • Native HFS & APFS parser
  • Reads the Spotlight database and Unified Logging (tracev3) files

Latest

✔️ Can read RECON created .sparseimage files
✔️ Support for macOS Big Sur Sealed volumes (11.0)
✔️ Introducing ios_apt for processing iOS/ipadOS images
✔️ FAST mode ⏳
✔️ Encrypted 🔒 APFS images can now be processed using password/recovery-key 🔑
✔️ macOS Catalina (10.15) separately mounted SYSTEM & DATA volumes now supported
✔️ AFF4 images (including macquisition created) are supported

Available Plugins (artifacts parsed)   Description

APPLIST              Reads apps & printers installed and/or available for each user from appList.dat
ARD                  Reads ARD (Apple Remote Desktop) cached databases about app usage
AUTOSTART            Retrieves programs, daemons, services set to start at boot/login
BASICINFO            Basic machine & OS configuration like SN, timezone, computer name, last logged in user, HFS info
BLUETOOTH            Gets Bluetooth artifacts
CHROME               Reads Chrome History, Top Sites, Downloads and Extension info
COOKIES              Reads .binarycookies, .cookies files and HSTS.plist for each user
DOCKITEMS            Reads the Dock plist for every user
DOCUMENTREVISIONS    Reads DocumentRevisions database
DOMAINS              Active Directory Domain(s) that the mac is connected to
FSEVENTS             Reads file system event logs (from .fseventsd)
IDEVICEBACKUPS       Reads and exports iPhone/iPad backup databases
IDEVICEINFO          Reads and exports connected iDevice details
IMESSAGE             Reads iMessage chats
INETACCOUNTS         Retrieves configured internet accounts (iCloud, Google, LinkedIn, Facebook, ..)
INSTALLHISTORY       Software installation history
MSOFFICE             Reads Word, Excel, PowerPoint and other Office MRU/accessed file paths
NETUSAGE             Reads network usage data statistics per application
NETWORKING           Interfaces, last IP address, MAC address, DHCP, ..
NOTES                Reads Notes databases
NOTIFICATIONS        Reads mac notification data for each user
PRINTJOBS            Parses CUPS spooled print jobs to get information about files/commands sent to a printer
QUARANTINE           Reads the quarantine database and .LastGKReject file
QUICKLOOK            Reads the QuickLook index.sqlite and carves thumbnails from thumbnails.data
RECENTITEMS          Recently accessed Servers, Documents, Hosts, Volumes & Applications from .plist and .sfl files. Also gets recent searches and places for each user
SAFARI               Internet history, downloaded file information, cookies and more from Safari caches
SAVEDSTATE           Gets window titles from Saved Application State info
SCREENTIME           Reads ScreenTime database for program and app usage
SPOTLIGHT            Reads the Spotlight index databases
SPOTLIGHTSHORTCUTS   User typed data in the Spotlight bar & targeted document/app
SUDOLASTRUN          Gets last time sudo was used and a few other times earlier (if available)
TERMINALSTATE        Reads Terminal saved state files, which include the full text content of terminal windows
TERMSESSIONS         Reads Terminal (bash & zsh) history & sessions for every user
UNIFIEDLOGS          Reads macOS unified logging logs from .tracev3 files
USERS                Local & Domain user information - name, UID, UUID, GID, account creation & password set dates, password hints, homedir & Darwin paths
WIFI                 Gets Wi-Fi network information

Coming soon...

  • More plugins
  • More documentation

For installation (to run from source) see https://github.com/ydkhatri/mac_apt/wiki/Installation-for-Python3
Please read the documentation here: https://github.com/ydkhatri/mac_apt/wiki

To download a release, go to https://github.com/ydkhatri/mac_apt/releases

Bugs

Feel free to send comments and feedback to [email protected], or open an issue.