mac_apt – macOS Artifact Parsing Tool

0
0

mac_apt is a tool to process Mac computer full disk images and extract data/metadata useful for forensic investigation. It is designed to be cross-platform and uses python libraries that work across mac, linux and windows.

mac_apt is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently used files, Spotlight typed searches..) The framework does the heavy lifting, parsing of disk/volume image and offers a unified output interface, which currently supports writing out data as CSV, Sqlite and Excel formats.

There is an API which plugins can use to access files and folders within the disk image. Currently DD and E01 images are supported. DMG files without compression work too. You can use a mounted image too (with limited support on windows for this feature). We even put in a native HFS parser adding support for lzvn/lzfse compressed files.

mac_apt - macOS Artifact Parsing Tool

mac_apt – macOS Artifact Parsing Tool

Latest version include the following changes:

  • New plugins -iMessage, iNetAccounts, Quarantine, NetUsage
  • Add support for High Sierra’s notifications (db2)
  • Added FrequentlyVisitedSitesCache, NSNavLastRootDirectory & RecentlyClosedTabls.plist parsing to SAFARI plugin
  • Added GotoFieldHistory, RecentMoveCopyDestinations, BulkRename settings to RECENTITEMS plugin
  • Added detection of encrypted volumes and user friendly message
  • Native HFS parser made default, processing is much faster!
  • Fixed Bash sessions exception on some binary UTF8 strings
  • Fixed bugs with MOUNTED option, added more support for mounted disk parsing
  • Fixed Notes bugs – ‘table missing’ bug for High Sierra, long notes related bug
  • Excel sheet with > 1 million records is now handled correctly
  • Several minor fixes

You can read more and download this tool over here: https://github.com/ydkhatri/

Share