OSX Forensics: a brief selection of useful tools
Today I’d like to share a brief list of useful tools I use for OSX analysis.
I’ve already talked about OSX forensics in a post focused on the acquisition workflow. Today, I share a list of tools useful during the analysis process.
APOLLO is a tool that correlates multiple databases with hundreds of thousands of records into a single timeline, so the analyst can tell what has happened on the device.
An OSX forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device.
Mac_apt is a tool useful to extract forensic artifacts from disk images or live machines.
It is a Python-based framework with plugins that process individual artifacts (such as Safari internet history, network interfaces, and recently accessed files and volumes).
Dump the contents of the location database files on iOS and macOS.
Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human-friendly format.
OSX Auditor is a free Mac OSX computer forensics tool that parses and hashes several artifacts on a running system or a copy of a system.
APFS-FUSE is a read-only FUSE driver for the Apple File System.
It also supports software-encrypted volumes and fusion drives.
Firmlinks are not supported yet.