osxcollector: A forensic evidence collection & analysis toolkit for OS X
OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases, and the local file system.
Armed with the forensic collection, an analyst can answer questions like:
- Is this machine infected?
- How’d that malware get there?
- How can I prevent and detect further infection?
Yelp automates the analysis of most OSXCollector runs, converting its output into an easily readable and actionable summary of just the suspicious stuff. Check out the OSXCollector Output Filters project to learn how to make the most of the automated OSXCollector output analysis.
Details of Collection
The collector outputs a .tar.gz containing all the collected artifacts. The archive contains a JSON file with the majority of the information. Additionally, a set of useful logs from the target system is included.
Each line of the JSON file records 1 piece of information. There are some common keys that appear in every JSON record:
osxcollector_incident_id: A unique ID shared by every record.
osxcollector_section: The section or type of data this record holds.
osxcollector_subsection: The subsection or more detailed descriptor of the type of data this record holds.
For records representing files there are a bunch of useful keys:
atime: The file accessed time.
ctime: The file creation time.
mtime: The file modified time.
file_path: The absolute path to the file.
md5: MD5 hash of the file contents.
sha1: SHA1 hash of the file contents.
sha2: SHA2 hash of the file contents.
For records representing downloaded files:
xattr-wherefrom: A list containing the source and referrer URLs for the downloaded file.
xattr-quarantines: A string describing which application downloaded the file.
For records representing a row of an SQLite database:
osxcollector_table_name: The table name the row comes from.
osxcollector_db_path: The absolute path to the SQLite file.
For records that represent data associated with a specific user:
osxcollector_username: The name of the user
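An added example (not part of OSXCollector or its Output Filters project) showing how an analyst could read the one-record-per-line JSON described above and trace a file with a known-bad hash back to its download source. Only the key names come from the lists above; the sample records, hash, URLs, paths and section values are constructed.

```python
import json

COMMON_KEYS = ("osxcollector_incident_id", "osxcollector_section", "osxcollector_subsection")

def load_records(lines):
    """Parse one JSON record per line; return (records, rejected line numbers)."""
    records, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None  # malformed line, e.g. an interrupted collection
        # Every record is documented to carry the three common keys.
        if isinstance(rec, dict) and all(k in rec for k in COMMON_KEYS):
            records.append(rec)
        else:
            rejected.append(lineno)
    return records, rejected

def download_origins(records, known_bad_sha2):
    """For file records whose sha2 is in known_bad_sha2, report where they came from."""
    hits = []
    for rec in records:
        if str(rec.get("sha2") or "").lower() in known_bad_sha2:
            hits.append({"file_path": rec.get("file_path"), "user": rec.get("osxcollector_username"),
                         "wherefrom": rec.get("xattr-wherefrom", []), "quarantine": rec.get("xattr-quarantines")})
    return hits

# Constructed sample data: hash, paths, URLs and section names are made up.
BAD = "ab" * 32
SAMPLE = [
    json.dumps({"osxcollector_incident_id": "constructed-1", "osxcollector_section": "downloads",
                "osxcollector_subsection": "downloads", "osxcollector_username": "alice",
                "file_path": "/Users/alice/Downloads/update.dmg", "sha2": BAD,
                "xattr-wherefrom": ["http://files.example/update.dmg", "http://ads.example/landing"]}),
    json.dumps({"osxcollector_incident_id": "constructed-1", "osxcollector_section": "downloads",
                "osxcollector_subsection": "downloads", "osxcollector_username": "alice",
                "file_path": "/Users/alice/Downloads/notes.txt", "sha2": "cd" * 32}),
    '{"truncated": ',
]

if __name__ == "__main__":
    records, rejected = load_records(SAMPLE)
    for hit in download_origins(records, {BAD}):
        print(hit)
    print("rejected lines:", rejected)
```

Rejected line numbers are returned rather than silently dropped, so a truncated or tampered collection is visible to the analyst.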
OSXCollector attempts to convert timestamps to human-readable date/time strings in the format
YYYY-mm-dd hh:MM:ss. It uses heuristics to automatically identify various timestamps:
- seconds since epoch
- milliseconds since epoch
- seconds since 2001-01-01
- seconds since 1601-01-01
The current version of OSXCollector.
Collects basic information about the system:
- system name
- node name
Collects the Kernel extensions from:
More information about the Mac OS X startup can be found here: http://www.malicious-streams.com/article/Mac_OSX_Startup.pdf
Hashes installed applications and gathers install history from:
Quarantines are basically the info necessary to show the ‘Are you sure you wanna run this?’ when a user is trying to open a file downloaded from the Internet. For some more details, check out the Apple Support explanation of Quarantines: http://support.apple.com/kb/HT3662
This section also collects information from the XProtect hash-based malware check for quarantined files. The plist is at:
XProtect also adds minimum versions for Internet Plugins. That plist is at:
Hashes all users’ downloaded files from:
Collects the following information from the Google Chrome web browser:
- Archived History
- Login Data
- Top Sites
- Web Data
This data is extracted from
Collects information from the different SQLite databases in a Firefox profile:
- Form History
- Content Preferences
- Health Report
- Webapps Store
This information is extracted from
For more details about the Firefox profile folder, see http://kb.mozillazine.org/Profile_folder_-_Firefox
Collects information from the different plists and SQLite databases in a Safari profile:
- Local Storage
Collects information about users’ accounts:
- system admins:
- system users:
- social accounts:
- users’ recent items:
Hashes files in the mail app directories:
Hashes all the files on disk. All of ’em. This does not run by default. It must be triggered with:
$ sudo osxcollector.py -s full_hash
git clone https://github.com/Yelp/osxcollector.git
Copyright (C) 2014 Yelp