
Artifact Only Mode

Yogesh Khatri (@swiftforensics) edited this page Jan 28, 2021 · 5 revisions

Use this tool when you don't have a full disk/volume image, for example when you've only gathered the files and folders for certain artifacts of interest. Say you pulled out just the Spotlight folder or the Notes SQLite database (ideally its whole folder, so you also get the accompanying -wal or -journal files) and want to process only that specific artifact.

Usage

Here is the basic syntax.
mac_apt_artifact_only.exe -i INPUT_PATH -o OUTPUT_PATH PLUGIN_NAME

Running the -h option will show you the optional and required parameters, as well as all available plugins.

Output of the mac_apt_artifact_only -h option:
C:\> mac_apt_artifact_only.exe -h
usage: mac_apt_artifact_only.exe [-h] [-i INPUT_PATH [INPUT_PATH ...]]
                                 [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL]
                                 [--plugin_help]
                                 plugin

mac_apt is a framework to process macOS forensic artifacts
You are running macOS Artifact Parsing Tool - Artifact Only mode version 0.9

Note: The default output is now sqlite, no need to specify it now

positional arguments:
  plugin                Plugin to run

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT_PATH [INPUT_PATH ...], --input_path INPUT_PATH [INPUT_PATH ...]
                        Path to input file(s)
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in excel spreadsheet(s)
  -c, --csv             Save output as CSV files
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  --plugin_help         Plugin usage info

The following 30 plugins are available:
    APPLIST             Reads apps & printers installed and/or available for
                        each user from appList.dat
    ARD                 Reads ARD (Apple Remote Desktop) cached databases about
                        app usage
    CHROME              Read Chrome History, Top Sites, Downloads, Tabs/Sessions
                        and Extension info
    BLUETOOTH           Parses System Bluetooth Artifacts
    COOKIES             Reads .binarycookies, .cookies files and HSTS.plist for
                        each user
    DOCKITEMS           Reads the Dock plist for every user
    DOCUMENTREVISIONS   Reads DocumentRevisions database
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    QUICKLOOK           Parses QuickLook Thumbnail Cache data
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SCREENTIME          Parses application Screen Time data
    SPOTLIGHT           Reads spotlight indexes (user, volume, iOS)
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    SUDOLASTRUN         Gets last time sudo was used and a few other times
                        earlier (if available)
    TERMINALSTATE       Reads Terminal saved state files which includes full
                        text content of terminal windows
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file

Use cases (and parameters explained)

Here is how you run a plugin. The table below walks through a set of example parameters. Note that you can only run a single plugin at a time.

| Parameter | Desired value/type | Command |
| --- | --- | --- |
| Input path | W:\notes\NoteStore.sqlite | -i W:\notes\NoteStore.sqlite |
| Output path (where output goes) | C:\output | -o C:\output |
| Optional: output type(s) | excel | -x |
| Optional: log type | debug | -l DEBUG |
| Plugin to run | notes | NOTES |

It is best to write the parameters out in the same order as shown below.
mac_apt_artifact_only.exe -i W:\notes\NoteStore.sqlite -o C:\output -x -l DEBUG NOTES

Using plugin_help

Most plugins will tell you what kind of file(s) they need and where those files are typically located. This information is obtained with the --plugin_help option. For example, to learn what NOTES expects, run the following command:

mac_apt_artifact_only.exe --plugin_help NOTES

Help for Module NOTES (Notes)

--------------------------------------------------
Provide one or more Notes sqlite databases as input to process. These are
typically located at ~/Library/Containers/com.apple.Notes/Data/Library/Notes/
or ~/Library/Group Containers/group.com.apple.notes/

Example running the SPOTLIGHT plugin

For this plugin, pull out the entire Spotlight folder, then point the script at either store.db or .store.db. You can also get this information from --plugin_help, as shown above.

mac_apt_artifact_only.exe -i W:\spot_test\index.spotlightV2\.store.db -o N:\delme SPOTLIGHT
Output path was : N:\delme
MAIN-INFO-Started macOS Artifact Parsing Tool - Artifact Only mode, version 0.9
MAIN-INFO-Dates and times are in UTC unless the specific artifact being parsed saves it as local time!
MAIN-INFO---------------------------------------------------
MAIN-INFO-Running plugin SPOTLIGHT
MAIN-INFO---------------------------------------------------
MAIN.SPOTLIGHT-INFO-Module Started as standalone
MAIN.SPOTLIGHT-INFO-Now processing file W:\spot_test\index.spotlightV2\.store.db
MAIN.SPOTLIGHT-INFO-Processing W:\spot_test\index.spotlightV2\.store.db

  ... output truncated ...

MAIN.HELPERS.SPOTLIGHT_FILTER-INFO-12 views added for table Spotlight-.store.db
MAIN-INFO---------------------------------------------------
MAIN-INFO-Finished in time = 00:00:00
MAIN-INFO-Review the Log file and report any ERRORs or EXCEPTIONS to the developers
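As an added example (not part of mac_apt or its wiki), the Python helper below gathers the inputs discussed on this page, a SQLite database together with any -wal/-shm/-journal companions beside it, or a Spotlight index folder's store.db / .store.db, and assembles the command line in the recommended parameter order; the sample file tree, the function names and the output folder are constructed here.

```python
"""Prepare inputs for mac_apt_artifact_only (added example, not part of mac_apt)."""
import tempfile
from pathlib import Path

# SQLite companion files that may hold records not yet checkpointed into the main db.
SQLITE_SIDECARS = ("-wal", "-shm", "-journal")
# Index store names the SPOTLIGHT plugin accepts (see --plugin_help above).
SPOTLIGHT_STORES = ("store.db", ".store.db")


def collect_inputs(path):
    """Return the paths to pass to -i: a db plus its sidecars, or a folder's store.db."""
    p = Path(path)
    if p.is_dir():
        found = [str(p / n) for n in SPOTLIGHT_STORES if (p / n).is_file()]
        if not found:
            raise FileNotFoundError(f"no store.db or .store.db under {p}")
        return found
    if not p.is_file():
        raise FileNotFoundError(path)
    inputs = [str(p)]
    for suffix in SQLITE_SIDECARS:
        sidecar = p.with_name(p.name + suffix)
        if sidecar.is_file():
            inputs.append(str(sidecar))
    return inputs


def build_command(inputs, output_path, plugin, xlsx=False, csv=False, log_level=None):
    """Assemble argv in the recommended order: -i ... -o ... [-x] [-c] [-l LEVEL] PLUGIN."""
    argv = ["mac_apt_artifact_only.exe", "-i", *inputs, "-o", output_path]
    if xlsx:
        argv.append("-x")
    if csv:
        argv.append("-c")
    if log_level:
        argv += ["-l", log_level.upper()]
    argv.append(plugin.upper())
    return argv


def demo():
    """Constructed sample tree: a Notes db with a WAL file, and a Spotlight index folder."""
    root = Path(tempfile.mkdtemp())
    notes, spot = root / "notes", root / "index.spotlightV2"
    notes.mkdir()
    spot.mkdir()
    for rel in ("notes/NoteStore.sqlite", "notes/NoteStore.sqlite-wal", "index.spotlightV2/.store.db"):
        (root / rel).write_bytes(b"")
    out = str(root / "output")
    return (build_command(collect_inputs(notes / "NoteStore.sqlite"), out, "notes", xlsx=True, log_level="debug"),
            build_command(collect_inputs(spot), out, "SPOTLIGHT"))
```

Because -i accepts several paths, passing the database and its WAL file together keeps records that were never checkpointed into the main file in scope for the plugin.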
