OSX Forensics: a brief selection of useful tools

Today I’d like to share a brief list of useful tools I use for OSX analysis.

I’ve already talked about OSX forensics, in a post focused on acquisition workflow. Today, I share a list of tools useful during the analysis process.


Apple Pattern of Life Lazy Output’er (APOLLO)

APOLLO is a tool that correlates multiple databases containing hundreds of thousands of records into a single timeline, so the analyst can tell what happened on the device.

Disk-Arbitrator

An OSX forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device.

macOS Artifact Parsing Tool

Mac_apt is a tool for extracting forensic artifacts from disk images or live machines.
It is a Python-based framework with plugins that process individual artifacts (such as Safari internet history, network interfaces, recently accessed files and volumes, and more).

Mac Locations Scraper

Dump the contents of the location database files on iOS and macOS.

macMRU-Parser

Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human-friendly format.

OSX Auditor

OSX Auditor is a free Mac OSX computer forensics tool that parses and hashes several artifacts on a running system or on a copy of a system.

APFS FUSE Driver for Linux

APFS-FUSE is a read-only FUSE driver for the Apple File System.

It also supports software encrypted volumes and fusion drives.

Firmlinks are not supported yet.
