OSX Forensics: a brief selection of useful tools

Today I’d like to share a brief list of useful tools I use for OSX analysis.

I’ve already talked about OSX forensics in a post focused on the acquisition workflow. Today I share a list of tools that are useful during the analysis process.


Apple Pattern of Life Lazy Output’er (APOLLO)

APOLLO correlates the many SQLite databases found on iOS and macOS devices (hundreds of thousands of records in total) into a single timeline, so that the analyst can reconstruct what happened on the device and when. Each artifact is described by a module that says which database to query and how to interpret its timestamp column, which matters because Apple databases mix several time formats.
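The correlation step described above, as an added example that is not APOLLO's own code: three constructed in-memory SQLite databases stand in for artifact files, each with a timestamp in a different Apple convention (Mac absolute time in seconds, the same epoch in nanoseconds, and Unix time), and a small module table converts every record to UTC before merging. The database names, table layouts and module format are assumptions for the example and do not match real files such as knowledgeC.db.

```python
"""Merge records from several macOS/iOS SQLite databases into one timeline.

Added example, not APOLLO's code. The point is the normalisation step any
such correlation needs: Mac absolute time counts seconds since
2001-01-01 00:00:00 UTC (some databases store it in nanoseconds), Unix time
counts seconds since 1970-01-01 00:00:00 UTC, and both must be converted
to one scale before events from different databases can be sorted together.
Database names, tables and columns below are constructed for the example.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_datetime(value):
    """Mac absolute time (seconds since 2001-01-01 UTC) to an aware datetime.

    Values above 1e12 cannot be plausible second counts, so they are treated
    as the nanosecond variant (threshold chosen for this example)."""
    if value is None:
        return None
    value = float(value)
    if abs(value) > 1e12:
        value /= 1e9
    return MAC_EPOCH + timedelta(seconds=value)


def unix_to_datetime(value):
    """Unix time (seconds since 1970-01-01 UTC) to an aware datetime."""
    if value is None:
        return None
    return UNIX_EPOCH + timedelta(seconds=float(value))


# One "module" per artifact: the database it lives in, the query, the
# converter for the first (timestamp) column and a formatter for the rest.
MODULES = [
    {
        "source": "app_usage.db",
        "query": "SELECT start_time, bundle_id, event FROM usage",
        "convert": mac_absolute_to_datetime,
        "describe": lambda bundle, event: f"{event} {bundle}",
    },
    {
        "source": "net_connections.db",
        "query": "SELECT ts, interface, ssid FROM wifi",
        "convert": unix_to_datetime,
        "describe": lambda iface, ssid: f"joined {ssid} on {iface}",
    },
    {
        "source": "locations.db",
        "query": "SELECT ts_ns, lat, lon FROM visits",
        "convert": mac_absolute_to_datetime,
        "describe": lambda lat, lon: f"visit at {lat:.4f},{lon:.4f}",
    },
]


def build_sample_databases():
    """Constructed in-memory databases standing in for artifact files."""
    dbs = {}
    usage = sqlite3.connect(":memory:")
    usage.execute("CREATE TABLE usage(start_time REAL, bundle_id TEXT, event TEXT)")
    usage.execute("INSERT INTO usage VALUES (600000000, 'com.apple.Safari', 'foreground')")
    dbs["app_usage.db"] = usage

    net = sqlite3.connect(":memory:")
    net.execute("CREATE TABLE wifi(ts INTEGER, interface TEXT, ssid TEXT)")
    net.execute("INSERT INTO wifi VALUES (1578306000, 'en0', 'OfficeNet')")
    dbs["net_connections.db"] = net

    loc = sqlite3.connect(":memory:")
    loc.execute("CREATE TABLE visits(ts_ns INTEGER, lat REAL, lon REAL)")
    loc.execute("INSERT INTO visits VALUES (600000300000000000, 45.4642, 9.1900)")
    dbs["locations.db"] = loc
    return dbs


def build_timeline(dbs, modules=MODULES):
    """Run every module against its database; return (time, source, text) sorted."""
    events = []
    for mod in modules:
        conn = dbs.get(mod["source"])
        if conn is None:
            continue  # artifact absent from this image: skip, do not abort
        for row in conn.execute(mod["query"]):
            when = mod["convert"](row[0])
            if when is None:
                continue  # NULL timestamp cannot be placed on the timeline
            events.append((when, mod["source"], mod["describe"](*row[1:])))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for when, source, text in build_timeline(build_sample_databases()):
        print(when.isoformat(), source, text)
```

Mac absolute time 600000000 and Unix time 1578307200 denote the same instant (the epochs differ by 978307200 seconds), which is the kind of coincidence that goes unnoticed if each database is read with its own clock and the records are never put side by side.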

Disk-Arbitrator

An OSX forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device. It intercepts the system's disk arbitration, either blocking the automatic mount of a newly attached disk or forcing it to be mounted read-only, so that a suspect device is not written to the moment it is plugged in. It is a software control rather than a hardware write blocker, so still hash the source device before and after acquisition and compare the two values with the hash of the image.

macOS Artifact Parsing Tool

mac_apt extracts forensic artifacts from disk images or live machines.
It is a Python-based framework with plugins that process individual artifacts (Safari internet history, network interfaces, recently accessed files and volumes, and so on).

Mac Locations Scraper

Dumps the contents of the location database files on iOS and macOS.

macMRU-Parser

A Python script that parses the Most Recently Used (MRU) plist files on macOS into a more human-friendly format.

OSX Auditor

OSX Auditor is a free Mac OSX computer forensics tool that parses and hashes several artifacts on a running system or on a copy of a system. Running it on the live machine is convenient for triage, but it alters the system it examines; for evidentiary work prefer running it against a copy.
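What "parses and hashes several artifacts" looks like for one artifact class, as an added example that is not OSX Auditor's code: the standard launchd persistence directories are walked under a root you choose (so it works on a mounted image as well as a live system), each plist is parsed, the executable is resolved from Program or ProgramArguments, and its SHA-256 is recorded. The sample LaunchAgent and its binary are constructed in a temporary directory; the directory list is the usual launchd set and is an assumption about what an auditor would sweep.

```python
"""Parse launchd property lists and hash the programs they start.

Added example, not OSX Auditor's code. The same sweep can be pointed at "/"
on a live system or at the mount point of an image. The plist and the
binary it references are constructed in a temporary directory below.
"""
import hashlib
import os
import plistlib
import tempfile

# launchd locations that hold persistence entries (relative to the root)
PERSISTENCE_DIRS = [
    "Library/LaunchAgents",
    "Library/LaunchDaemons",
    "System/Library/LaunchAgents",
    "System/Library/LaunchDaemons",
]


def sha256_file(path):
    """SHA-256 of a file, or None if it cannot be read (missing, no permission)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def program_of(job):
    """launchd takes the executable from Program or from ProgramArguments[0]."""
    prog = job.get("Program")
    if prog:
        return prog
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def parse_launchd_plist(path, root="/"):
    """Return the interesting keys of one job plus the hash of its executable."""
    with open(path, "rb") as f:
        try:
            job = plistlib.load(f)
        except Exception as exc:  # malformed plist: record it, keep sweeping
            return {"plist": path, "error": str(exc)}
    prog = program_of(job)
    # Resolve the absolute path recorded in the plist under the chosen root
    exe_path = os.path.join(root, prog.lstrip("/")) if prog else None
    return {
        "plist": path,
        "label": job.get("Label"),
        "program": prog,
        "arguments": job.get("ProgramArguments"),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": job.get("KeepAlive", False),
        "sha256": sha256_file(exe_path) if exe_path else None,
    }


def audit_persistence(root="/"):
    """Parse every .plist in the launchd directories that exist under root."""
    results = []
    for rel in PERSISTENCE_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                results.append(parse_launchd_plist(os.path.join(d, name), root))
    return results


def build_sample_root():
    """Constructed image root: one LaunchAgent pointing at one fake binary.

    Returns (root, path of the binary) so callers can hash it independently."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Library/LaunchAgents"))
    os.makedirs(os.path.join(root, "usr/local/bin"))
    exe = os.path.join(root, "usr/local/bin/updater")
    with open(exe, "wb") as f:
        f.write(b"#!/bin/sh\necho updating\n")
    job = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/local/bin/updater", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    plist = os.path.join(root, "Library/LaunchAgents/com.example.updater.plist")
    with open(plist, "wb") as f:
        plistlib.dump(job, f)
    return root, exe


if __name__ == "__main__":
    sample_root, _ = build_sample_root()
    for entry in audit_persistence(sample_root):
        print(entry)
```

A None in the sha256 field is itself a finding worth keeping: a job whose executable is missing from the image is either stale or points somewhere outside the paths you copied.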

APFS FUSE Driver for Linux

APFS-FUSE is a read-only FUSE driver for the Apple File System, which lets a Linux analysis host mount an APFS image without writing to it.

It also supports software-encrypted volumes (FileVault) and Fusion drives.

Firmlinks, the mechanism macOS 10.15 and later use to join the System and Data volumes into one visible tree, are not supported yet, so on an image from Catalina or later the two volumes have to be mounted and examined separately.
