UnifiedLogReader

A parser for Unified logging .tracev3 files.

Project Status

alpha (experimental)

This is a work in progress. The first version of the tracev3 format, seen on macOS 10.12.0 (which uses catalog v2), is not supported yet. The parser has been tested on catalog v3 files as used from macOS 10.12.5 up to the current 10.15, and on iOS 12.x.

License

MIT

Requirements & Installation

Python 3.6+ and the following modules

  • lz4
  • biplist
  • ipaddress

UnifiedLogReader (and the dependencies) can be installed using pip install unifiedlog lz4 biplist ipaddress

Install with pip as above; only clone this repository if you want the latest code. For development, if you only need the dependencies, use pip install -r requirements.txt

Usage

The script needs access to files from three folders (the paths are the same on iOS and macOS):

  • /private/var/db/diagnostics
  • /private/var/db/diagnostics/timesync
  • /private/var/db/uuidtext

The tracev3 files are located within the diagnostics folder (timesync is a subfolder of it). If you are working from a disk image, extract the diagnostics and uuidtext folders from the paths shown above and point the script at them.

The script currently supports three output formats: the default output of the log utility, TSV and SQLite.

Output options

  • SQLITE gives you every available field in an SQLite database
  • TSV_ALL gives you every available field in a tab-separated file
  • LOG_DEFAULT gives only those fields shown by the 'log' utility (with no options specified)

G:\>c:\Python37-32\python.exe c:\Github\UnifiedLogReader\UnifiedLogReader.py -h
usage: UnifiedLogReader.py [-h] [-f OUTPUT_FORMAT] [-l LOG_LEVEL]
                           uuidtext_path timesync_path tracev3_path
                           output_path

UnifiedLogReader is a tool to read macOS Unified Logging tracev3 files.
This is version 0.3 tested on macOS 10.12.5 - 10.15 and iOS 12.

Notes:
-----
If you have a .logarchive, then point uuidtext_path to the .logarchive folder,
 the timesync folder is within the logarchive folder

positional arguments:
  uuidtext_path         Path to uuidtext folder (/var/db/uuidtext)
  timesync_path         Path to timesync folder (/var/db/diagnostics/timesync)
  tracev3_path          Path to either tracev3 file or folder to recurse (/var/db/diagnostics)
  output_path           An existing folder where output will be saved

optional arguments:
  -h, --help            show this help message and exit
  -f OUTPUT_FORMAT, --output_format OUTPUT_FORMAT
                        SQLITE, TSV_ALL, LOG_DEFAULT  (Default is LOG_DEFAULT)
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR (Default is INFO)
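The folder layout under Usage and the .logarchive note in the help text above are the two cases an examiner has to get right before running the script. The following added example (not part of the UnifiedLogReader project) resolves the uuidtext_path / timesync_path / tracev3_path triple for either an extracted disk image or a .logarchive bundle, lists the .tracev3 files that will be recursed, validates the output format and output folder the way the script's argument list expects, and builds the argv. The sample trees it constructs are empty stand-ins with no real log data; the Persist and Special subfolder names and the file names in them are assumed for the demo only.

```python
"""Resolve the three input paths UnifiedLogReader.py expects from either an
extracted disk image or a .logarchive bundle, and list the tracev3 files it
will parse.  Added example, not part of the UnifiedLogReader project."""
import sys
import tempfile
from pathlib import Path

# Output formats accepted by the script's -f option (from its help text).
OUTPUT_FORMATS = ("SQLITE", "TSV_ALL", "LOG_DEFAULT")


def resolve_log_sources(root):
    """Return (uuidtext_path, timesync_path, tracev3_path) for `root`.

    root may be a .logarchive bundle, the root of an extracted disk image
    (private/var/db/{diagnostics,uuidtext} underneath), or a folder holding
    the extracted diagnostics/ and uuidtext/ folders side by side.
    """
    root = Path(root)
    if root.suffix == ".logarchive":
        # Per the script's notes: uuidtext_path is the bundle itself and the
        # timesync folder sits directly inside the bundle.
        uuidtext, timesync, tracev3 = root, root / "timesync", root
    else:
        db = root / "private" / "var" / "db"
        if not db.is_dir():
            db = root  # diagnostics/ and uuidtext/ copied out side by side
        uuidtext = db / "uuidtext"
        tracev3 = db / "diagnostics"
        timesync = tracev3 / "timesync"
    missing = [str(p) for p in (uuidtext, timesync, tracev3) if not p.is_dir()]
    if missing:
        raise FileNotFoundError("missing input folder(s): " + ", ".join(missing))
    return uuidtext, timesync, tracev3


def is_valid_source(root):
    """True if all three input folders can be located under `root`."""
    try:
        resolve_log_sources(root)
        return True
    except FileNotFoundError:
        return False


def find_tracev3(tracev3_path):
    """All .tracev3 files under tracev3_path (the script recurses the folder)."""
    return sorted(p for p in Path(tracev3_path).rglob("*.tracev3") if p.is_file())


def build_command(root, output_dir, output_format="LOG_DEFAULT",
                  script="UnifiedLogReader.py"):
    """argv for running the script on `root`, checking the arguments up front."""
    if output_format not in OUTPUT_FORMATS:
        raise ValueError(f"output_format must be one of {OUTPUT_FORMATS}")
    output_dir = Path(output_dir)
    if not output_dir.is_dir():  # the script wants an existing output folder
        raise FileNotFoundError(f"output folder must already exist: {output_dir}")
    uuidtext, timesync, tracev3 = resolve_log_sources(root)
    if not find_tracev3(tracev3):
        raise FileNotFoundError(f"no .tracev3 files under {tracev3}")
    return [sys.executable, script, "-f", output_format,
            str(uuidtext), str(timesync), str(tracev3), str(output_dir)]


def make_sample_tree(base, kind):
    """Construct an empty stand-in layout (no real log data) for the demo.
    Subfolder and file names are assumed for illustration only."""
    base = Path(base)
    if kind == "logarchive":
        top = base / "system_logs.logarchive"
        (top / "timesync").mkdir(parents=True)
        (top / "Persist").mkdir()
        (top / "Persist" / "0000000000000001.tracev3").write_bytes(b"")
    else:
        db = base / "private" / "var" / "db"
        (db / "diagnostics" / "timesync").mkdir(parents=True)
        (db / "diagnostics" / "Persist").mkdir()
        (db / "diagnostics" / "Persist" / "0000000000000001.tracev3").write_bytes(b"")
        (db / "diagnostics" / "Special").mkdir()
        (db / "diagnostics" / "Special" / "0000000000000002.tracev3").write_bytes(b"")
        (db / "uuidtext").mkdir()
        top = base
    return top


def demo():
    """Build both layouts in a temp dir, resolve them and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        out = tmp / "out"
        out.mkdir()
        image = make_sample_tree(tmp / "image", "image")
        archive = make_sample_tree(tmp / "archive", "logarchive")
        img_cmd = build_command(image, out, "SQLITE")
        arc_cmd = build_command(archive, out)
        img_paths = resolve_log_sources(image)
        return {
            "image_tracev3_count": len(find_tracev3(img_paths[2])),
            "image_timesync_under_diagnostics": img_paths[1].parent.name == "diagnostics",
            "archive_uuidtext_is_bundle": Path(arc_cmd[4]).suffix == ".logarchive",
            "archive_timesync_in_bundle": Path(arc_cmd[5]).parent.suffix == ".logarchive",
            "image_format_flag": img_cmd[3],
        }


if __name__ == "__main__":
    print(demo())
```

Run it once against the real extraction to confirm the three folders resolve and that tracev3 files are actually found before committing to a long parse; a missing timesync folder is the usual reason for bad timestamps, and the script needs the output folder to exist already.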