Performing macOS Forensics with FREE Tools
Many DFIR professionals struggle with macOS analysis because most of the tooling is commercial, but guess what? Below are some FREE tools that let you do this work at no cost, shared for the benefit of the cybersecurity community.
mac_apt
↪️ Yogesh Khatri’s mac_apt is a find-all-evidence tool for Mac forensics. It processes a Mac forensic image using a set of plugins, each targeting different artifacts. Digital forensics examiners who need to triage a macOS system quickly can benefit significantly from this powerful tool. However, installation can be tricky, and it has not been updated recently.
github[.]com/ydkhatri/mac_apt
APOLLO
↪️ Developed by Sarah Edwards a few years ago, Apple Pattern of Life Lazy Output’er (APOLLO) targets multiple iOS and Mac databases, extracts information from them, and builds it into a timeline that examiners can review quickly. APOLLO is a fast, standalone tool that pulls a significant amount of data and puts it into examiners’ hands quickly. Unfortunately, the tool has not been updated in a while, so it is crucial to validate its findings and confirm that each parser is still functioning correctly. Hopefully, an update will be available in the future.
github[.]com/mac4n6/APOLLO
macos_fseventsd parser
↪️ This tool parses fseventsd logs from either a live Mac or a folder containing extracted log files. The parser pulls the entries out of the log files and writes them to CSV and JSON files for review. It is a great standalone tool that works well.
github[.]com/puffyCid/macos-fseventsd
imessage_reader
↪️ This tool parses the chat.db file and writes the output to a CSV file or a SQLite db file. The developer is still working on adding the ability to show attachments. Currently, it only targets the local Mac’s chat.db file, and I have requested the ability to select the location of the db file so that copies from a forensic image or another Mac can be parsed.
github[.]com/niftycode/imessage_reader
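For examiners who need to parse a chat.db copied out of an image rather than the live Mac’s own database, here is an added example of what that looks like. It is not part of this post and not code from the imessage_reader project. It assumes only a small subset of the real chat.db schema (the message and handle tables with ROWID, text, handle_id, date and is_from_me columns) and uses the magnitude of the date value to decide whether it is stored as seconds or nanoseconds since the Cocoa epoch (2001-01-01 UTC), which is how older and newer macOS releases differ. The sample database it builds is constructed for the demo; the evidence file is opened read-only so the script never writes to it.

```python
"""Export an iMessage chat.db (from any path) to CSV with UTC timestamps."""
import csv
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

APPLE_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC (Cocoa epoch)
NANOSECOND_THRESHOLD = 10**11    # assumption: anything larger is a nanosecond value


def apple_time_to_iso(value):
    """Convert a chat.db 'date' value to an ISO 8601 UTC string.

    Older macOS builds stored seconds since the Cocoa epoch; newer ones store
    nanoseconds. The magnitude of the value tells the two apart.
    """
    if not value:
        return ""
    if value > NANOSECOND_THRESHOLD:
        value = value // 10**9
    return datetime.fromtimestamp(value + APPLE_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def export_messages(db_path):
    """Read messages from the chat.db at db_path (opened read-only) as dict rows."""
    uri = f"file:{Path(db_path).resolve()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        cur = con.execute(
            "SELECT m.ROWID, m.date, m.is_from_me, h.id, m.text "
            "FROM message m LEFT JOIN handle h ON m.handle_id = h.ROWID "
            "ORDER BY m.date"
        )
        return [
            {"rowid": rowid,
             "timestamp_utc": apple_time_to_iso(date),
             "direction": "sent" if is_from_me else "received",
             "handle": handle or "",
             "text": text or ""}
            for rowid, date, is_from_me, handle, text in cur
        ]
    finally:
        con.close()


def write_csv(rows, out_path):
    """Write the exported rows to a CSV file; returns the number of rows written."""
    fields = ["rowid", "timestamp_utc", "direction", "handle", "text"]
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def build_sample_db(path):
    """Constructed stand-in for chat.db containing only the columns read above."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
                              date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15550100');
        -- seconds-era value: 2020-01-06T10:40:00Z
        INSERT INTO message VALUES (1, 'old style timestamp', 1, 600000000, 0);
        -- nanosecond value: 2024-01-15T12:00:00Z
        INSERT INTO message VALUES (2, 'new style timestamp', 1, 727012800000000000, 1);
    """)
    con.commit()
    con.close()
    return path


def demo():
    """Build the constructed database, export it, write the CSV and return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(Path(tmp) / "chat.db")
        rows = export_messages(db)
        write_csv(rows, Path(tmp) / "messages.csv")
        return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point export_messages at a copy of ~/Library/Messages/chat.db pulled from an image; the read-only URI keeps the evidence copy untouched, and the CSV carries UTC timestamps so rows line up with other timeline sources.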
macosac
↪️ This tool is useful for collecting macOS artifacts in potential compromise investigations. It extracts specific artifacts into a DMG file, which can then be analyzed with other tools. An .ini file holds the configuration for the file search and extraction, and it appears that this .ini file can be modified to fit specific targeting needs if necessary.
github[.]com/mnrkbys/macosac
FSEventsParser-rs
↪️ This tool also parses fseventsd logs from either a live Mac or a folder containing extracted log files. The parser pulls the entries out of the log files and presents them as CSV, JSON, or SQLite files for review. I think including the SQLite db output is a great benefit. The tool is stable and works quickly to get the data into the examiner’s hands for review.
github[.]com/Houwenda/FSEventsParser-rs