mac_apt v1.5.8-dev releases: macOS Artifact Parsing Tool
mac_apt
macOS Artifact Parsing Tool
mac_apt is a DFIR tool to process Mac computer full disk images and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..)
Features:
- Cross-platform (no dependency on pyobjc)
- Works on E01, DD, split-DD, DMG (no compression) & mounted images (good for nix, limited support on windows)
- XLSX, CSV, Sqlite outputs
- Analyzed files/artifacts are exported for later review
- zlib, lzvn, lzfse compressed files are supported!
- APFS is now supported, you can process HighSierra images now!
| Available Plugins (artifacts parsed) | Description |
|---|---|
| WIFI | Gets wifi network information |
| BASICINFO | Basic machine & OS configuration like SN, timezone, computer name, last logged in user, HFS info |
| BASHSESSIONS | Reads bash (Terminal) sessions & history for every user |
| DOMAINS | Active Directory Domain(s) that the mac is connected to |
| FSEVENTS | Reads file system event logs (from .fseventsd) |
| IMESSAGE | Read iMessage chats |
| INETACCOUNTS | Retrieve configured internet accounts (iCloud, Google, Linkedin, facebook..) |
| INSTALLHISTORY | Software Installation History |
| NETUSAGE | Read network usage data statistics per application |
| NETWORKING | Interfaces, last IP address, MAC address, DHCP .. |
| NOTES | Reads notes databases |
| NOTIFICATIONS | Reads mac notification data for each user |
| PRINTJOBS | Parses CUPS spooled print jobs to get information about files/commands sent to a printer |
| QUARANTINE | Reads the quarantine database and .LastGKReject file |
| RECENTITEMS | Recently accessed Servers, Documents, Hosts, Volumes & Applications from .plist and .sfl files. Also gets recent searches and places for each user |
| SAFARI | Internet history, downloaded file information, cookies and more from Safari caches |
| SPOTLIGHT | Reads the spotlight index databases |
| SPOTLIGHTSHORTCUTS | User typed data in the spotlight bar & targeted document/app |
| USERS | Local & Domain user information – name, UID, UUID, GID, account creation & password set dates, pass hints, homedir & Darwin paths |
Changelog v1.5.8
- More locations added to fetch serial number
- Ventura (macOS 13) support including reading RSR
- Docker support added
- Support for SNSS v3 for chromium browsers
- Extended CHROME to CHROMIUM covering more CHROMIUM based browsers
- Added plugin FIREFOX
- Better profile detection for CHROMIUM browsers
- Update AUTOSTART for macOS 13
- Update spotlight database paths for new ones on macOS 12+
- Support for parsing very old Spotlight v1 store.db files
- Python 3.10 support and binaries compiled with 3.10
Bug fixes
- Many minor bugs fixed
- Better handling of broken XML issues in certain plists
- Better fsevents reading, some data was skipped at times
- LZVN bug fixed
- Reading of the correct boot container (if multiple) and parsing the OS one
Download && Tutorial
Copyright (c) 2017 Yogesh Khatri
