OS X Auditor is a python based computer forensics tool. The tool allows analysts to parse and hash artifacts on the running system or a copy of a system to not modify the original evidence. the program will look at:
- the kernel extensions
- the system agents and daemons
- the third party’s agents and daemons
- the old and deprecated system and third party’s startup items
- the users’ agents
- the users’ downloaded files
- the installed applications
It also extracts:
- the users’ quarantined files
- the users’ Safari history, downloads, topsites, HTML5 databases and localstore
- the users’ Firefox cookies, downloads, formhistory, permissions, places and signons
- the users’ Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
- the users’ social and email accounts
- the WiFi access points the audited system has been connected to (and tries to geolocate them)
This beside looking for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on Team Cymru’s MHR,VirusTotal ,Malware.lu or your own local database. You can also aggregate all logs from the following directories /var/log (-> /private/var/log) , /Library/logs , the user’s ~/Library/logs into a zipball.
Finally, the results can be rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep), rendered as a HTML log file or sent to a Syslog server. You can download the tool by following this link.