automactc v1.2 releases: Automated Mac Forensic Triage Collector
AutoMacTC: Automated Mac Forensic Triage Collector
This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats suitable for analysis. The output can provide valuable insights for incident response in a macOS environment. AutoMacTC can be run against a live system or against a dead disk mounted as a volume.
Current Modules
– pslist (current process list at time of automactc run)
– lsof (current file handles open at time of automactc run)
– netstat (current network connections at time of automactc run)
– asl (parsed Apple System Log (.asl) files)
– autoruns (parsing of various persistence locations and plists)
– bash (parsing bash/.*_history files for all users)
– chrome (parsing chrome visit history and download history)
– coreanalytics (parsing program execution evidence produced by Apple diagnostics)
– dirlist (list of files and directories across the disk)
– firefox (parsing firefox visit history and download history)
– installhistory (parsing program installation history)
– mru (parsing SFL and MRU plist files)
– quarantines (parsing QuarantineEventsV2 database)
– quicklook (parsing the QuickLook database)
– safari (parsing safari visit history and download history)
– spotlight (parsing user spotlight top searches)
– ssh (parsing known_hosts and authorized_keys files for each user)
– syslog (parsing system.log files)
– systeminfo (basic system identification, such as current IP address, serial no, hostname)
– users (listing present and deleted users on the system)
– utmpx (listing user sessions on terminals)
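Several of the modules above (chrome, firefox, safari, quarantines) read SQLite databases, and the value of the tool is that it turns raw rows into something an analyst can timeline. As an added example (not code from this page or from automactc itself), the block below shows that workflow on a QuarantineEventsV2 database: copy the database and its WAL/SHM sidecars out of the way of any live lock, query the copy, and normalise the Cocoa timestamp to ISO 8601. The query_db helper, the constructed sample row and the assumed LSQuarantineEvent column names are this example's own; the WebKit-epoch converter is included because Chrome's History database uses that epoch instead.

```python
# Added example, not automactc's own code. query_db here is an illustrative
# helper, not the one in automactc's common/functions.py. Assumptions: the
# LSQuarantineEvent table of com.apple.LaunchServices.QuarantineEventsV2 stores
# Cocoa time (seconds since 2001-01-01 UTC); Chrome's History stores WebKit
# time (microseconds since 1601-01-01 UTC). Sample rows are constructed.
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def cocoa_to_iso(seconds):
    """Cocoa/CFAbsoluteTime (QuarantineEventsV2, Safari History.db) -> ISO 8601 UTC."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=float(seconds))).strftime(ISO_FMT)


def webkit_to_iso(microseconds):
    """WebKit/Chrome time (urls.last_visit_time, downloads.start_time) -> ISO 8601 UTC."""
    if microseconds is None:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=int(microseconds))).strftime(ISO_FMT)


def query_db(db_path, sql, params=()):
    """Run SQL against a scratch copy of db_path and return rows as dicts.
    Live macOS databases are often locked or in WAL mode, so the main file and
    any -wal/-shm sidecars are copied first; the evidence path is never written."""
    tmpdir = tempfile.mkdtemp(prefix="triage_")
    try:
        copy = os.path.join(tmpdir, os.path.basename(db_path))
        for suffix in ("", "-wal", "-shm"):
            if os.path.exists(db_path + suffix):
                shutil.copy2(db_path + suffix, copy + suffix)
        conn = sqlite3.connect(copy)
        try:
            conn.row_factory = sqlite3.Row
            return [dict(row) for row in conn.execute(sql, params)]
        finally:
            conn.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


QUARANTINE_SQL = """
SELECT LSQuarantineEventIdentifier AS event_id,
       LSQuarantineTimeStamp       AS ts,
       LSQuarantineAgentName       AS agent,
       LSQuarantineDataURLString   AS data_url,
       LSQuarantineOriginURLString AS origin_url
FROM   LSQuarantineEvent
ORDER  BY LSQuarantineTimeStamp
"""


def parse_quarantine_events(db_path):
    """Quarantine events with the Cocoa timestamp rendered as ISO 8601."""
    rows = query_db(db_path, QUARANTINE_SQL)
    for row in rows:
        row["ts"] = cocoa_to_iso(row["ts"])
    return rows


def build_sample_db(path):
    """Constructed QuarantineEventsV2 holding one browser download event."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        " LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,"
        " LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT,"
        " LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,"
        " LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT,"
        " LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT,"
        " LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB)")
    # 599529600.0 Cocoa seconds is 2020-01-01T00:00:00Z (constructed value).
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        ("F1E2D3C4-0000-4000-8000-000000000001", 599529600.0,
         "com.google.Chrome", "Google Chrome",
         "https://example.test/installer.dmg", None, None, 0,
         "Download page", "https://example.test/download", None))
    conn.commit()
    conn.close()


def demo():
    """Build the sample database in a scratch directory and parse it."""
    tmpdir = tempfile.mkdtemp(prefix="sample_")
    try:
        db = os.path.join(tmpdir, "com.apple.LaunchServices.QuarantineEventsV2")
        build_sample_db(db)
        return parse_quarantine_events(db)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Copying the sidecars matters: rows still sitting in an uncheckpointed -wal file are invisible if only the main database file is copied, which is a common cause of "missing" recent history in triage output.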
Changelog v1.2
Added
- --rtr flag to reduce the verbosity of some modules so they display cleanly in the CrowdStrike RTR console.
- -is flag for automactc.py to supply the System volume as input when running in forensic mode against a 10.15+ image (-i remains the primary, Data volume input).
- Dirlist module support for 10.15+ style Data and System volume recursion.
- SystemInfo module support for the 10.15+ locations of its required input files; it reads from the -i and -is inputs as needed.
- UnifiedLogs live module that collects the Unified Logs from a live system into a file in syslog format using the log show command.
- Ability to include files not generated by the data_writer in the output.
- Added data_writer support for buffered output writing.
- Fixed Unicode string issues with Python 2.
- Fixed JSON write bytes issue with Python 3.
- Added .Office and .blacklight file type exclusions to dirlist.
- Added /System/Volumes/Data/private/var/folders/kb/* and /System/Volumes/Data/private/var/folders/zz/* filepath exclusions to dirlist.
Changed
- Behavior of include and exclude dirlist command line flags updated to support 10.15+ split Data and System volume.
- Fixed common/functions.py SQLite query_db function issue where extra chars were appended to input file path string, resulting in incorrect output for various modules.
- Updated browser (chrome,firefox,cookies) modules to use SQLite3 wrappers.
- Updated mac_alias library to fix issue 10 for ARM64 inodes (Apple silicon / M1 Macs).
- Bump Dirlist module to v2
- Added multiprocessing wrapper
- Use buffered output writing
- Update xattr parsing
- Update modules to use docstring comments and bump minor versions
- Fixed syntax and deprecation issues
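The 10.15+ items above (the -is flag, the SystemInfo input lookup and the dirlist include/exclude behaviour) all come down to one problem: on Catalina and later, firmlinked directories such as /Users and /private live on the Data volume while /System lives on the read-only System volume, so an artifact's logical path has to be mapped to the right mounted image, and an exclusion written as /System/Volumes/Data/private/... must match the same location written as /private/.... The following is an added example, not automactc's own code; the firmlink list, the two systeminfo input files and the helper names are assumptions made for illustration.

```python
# Added example, not automactc's own code: map the logical path of an artifact
# on a 10.15+ system to the mounted image that holds it, given the Data volume
# root (the -i input) and the System volume root (the -is input), and apply
# dirlist-style exclusions consistently across both spellings of a Data path.
import fnmatch
import posixpath

# Assumption: directories Catalina firmlinks from the System volume into the
# Data volume (see /usr/share/firmlinks on a 10.15+ host). Anything under
# these lives on Data; everything else on a split image lives on System.
FIRMLINKS = (
    "/Applications", "/Library", "/Users", "/Volumes", "/cores", "/opt",
    "/private", "/usr/local", "/System/Library/Caches",
)
# Mount point of the Data volume on a live system.
DATA_MOUNT = "/System/Volumes/Data"


def strip_data_mount(path):
    """Normalise /System/Volumes/Data/<x> to /<x>; other paths pass through."""
    p = posixpath.normpath(path)
    if p == DATA_MOUNT:
        return "/"
    if p.startswith(DATA_MOUNT + "/"):
        return p[len(DATA_MOUNT):]
    return p


def on_data_volume(logical_path):
    """True if the path is firmlinked (or explicitly mounted) onto the Data volume."""
    p = posixpath.normpath(logical_path)
    if p == DATA_MOUNT or p.startswith(DATA_MOUNT + "/"):
        return True
    return any(p == f or p.startswith(f + "/") for f in FIRMLINKS)


def resolve_artifact(logical_path, data_root, system_root=None):
    """On-disk path of logical_path inside a mounted image.
    Pre-10.15 images are a single volume: pass only data_root and every path
    is looked up under it. With system_root given as well, firmlinked paths
    resolve under data_root and the rest under system_root."""
    relative = strip_data_mount(logical_path).lstrip("/")
    if system_root is None or on_data_volume(logical_path):
        return posixpath.join(data_root, relative)
    return posixpath.join(system_root, relative)


def excluded(logical_path, patterns):
    """dirlist-style exclusion check; /private/... and
    /System/Volumes/Data/private/... are treated as the same location."""
    p = strip_data_mount(logical_path)
    return any(fnmatch.fnmatchcase(p, strip_data_mount(pat)) for pat in patterns)


def systeminfo_inputs(data_root, system_root=None):
    """Assumed systeminfo inputs: OS version from the System volume, hostname
    configuration from the Data volume (illustrative file choice)."""
    return {
        "SystemVersion.plist": resolve_artifact(
            "/System/Library/CoreServices/SystemVersion.plist", data_root, system_root),
        "preferences.plist": resolve_artifact(
            "/Library/Preferences/SystemConfiguration/preferences.plist", data_root, system_root),
    }


if __name__ == "__main__":
    for name, path in systeminfo_inputs("/Volumes/Data", "/Volumes/System").items():
        print(name, "->", path)
```

When only a single-volume (pre-10.15) image is mounted, every lookup falls back to the one root, which is the behaviour a tool needs to keep older images working after adding the System volume input.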
Install && Use
Copyright (c) 2019, CrowdStrike, Inc.