Sample Usage

Yogesh Khatri (@swiftforensics) edited this page Jan 28, 2021 · 15 revisions

There are 3 main mac_apt launch scripts. For ios_apt usage click here.

| Script | When to use? |
|---|---|
| mac_apt.py | Use with full disk/volume images as input. |
| mac_apt_artifact_only.py | Use with individual artifact files as input. This is for when you do not have the full image but you have key files like com.apple.airport.preferences.plist to analyze. (Not every plugin is supported in this mode!) |
| mac_apt_mounted_sys_data.py | If you need to run mac_apt on a macOS 10.15 (Catalina) mounted image and you have two mount points (one for the SYSTEM volume and another for the DATA volume), use this script. It is the same as the mac_apt MOUNTED mode but lets you specify two separate mounted locations. |

Running with the -h option shows the optional and required parameters.

Output of the `-h` option:
C:\Users\khatri>python c:\mac_apt\mac_apt.py -h
usage: mac_apt.py [-h] [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL] [-p PASSWORD]
                  input_type input_path plugin [plugin ...]

mac_apt is a framework to process forensic artifacts on a Mac OSX system
You are running macOS Artifact Parsing Tool version 0.7.dev

Note: The default output is now sqlite, no need to specify it now

positional arguments:
  input_type            Specify Input type as either E01, DD, DMG, VMDK, AFF4 or MOUNTED
  input_path            Path to OSX image/volume
  plugin                Plugins to run (space separated). FAST will run most plugins

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in Excel spreadsheet
  -c, --csv             Save output as CSV files
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -p PASSWORD, --password PASSWORD
                        Personal Recovery Key(PRK) or Password for any user (for decrypting encrypted volume). PRK must be exactly how it was shown to you

The following plugins are available:
    APPLIST             Reads apps & printers installed and/or available for
                        each user from appList.dat
    ARD                 Reads ARD (Apple Remote Desktop) cached databases about
                        app usage
    AUTOSTART           Retrieves persistent and auto-start programs, daemons,
                        services
    BASICINFO           Gets basic machine and OS configuration like SN,
                        timezone, computer name, last logged in user, FS info,
                        etc..
    BLUETOOTH           Parses System Bluetooth Artifacts
    CHROME              Read Chrome History, Top Sites, Downloads, Tabs/Sessions
                        and Extension info
    COOKIES             Reads .binarycookies, .cookies files and HSTS.plist for
                        each user
    DOCKITEMS           Reads the Dock plist for every user
    DOCUMENTREVISIONS   Reads DocumentRevisions database
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    QUICKLOOK           Parses QuickLook Thumbnail Cache data
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SAVEDSTATE          Gets window titles from Saved Application State info
    SCREENTIME          Parses application Screen Time data
    SPOTLIGHT           Reads spotlight indexes (user, volume, iOS)
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    SUDOLASTRUN         Gets last time sudo was used and a few other times
                        earlier (if available)
    TERMINALSTATE       Reads Terminal saved state files which includes full
                        text content of terminal windows
    TERMSESSIONS        Reads Terminal (bash & zsh) sessions & history for every
                        user
    UNIFIEDLOGS         Reads macOS unified logging logs from .tracev3 files
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file
    ----------------------------------------------------------------------------
    FAST                Runs all plugins except IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
    ALL                 Runs all plugins

Most common use case

python mac_apt.py -o C:\output_folder AFF4 C:\evidence\mac.aff4 FAST
The above example runs almost all plugins on the AFF4 evidence file located at C:\evidence\mac.aff4, with output going to C:\output_folder. You get sqlite output by default, and can request additional output types such as Excel or CSV if needed (see below).

More use cases (and parameters explained)

Here is how you run one or more plugins. Let us assume the following parameter values to walk through it.

| Parameter | Desired Value/Type | Command |
|---|---|---|
| Output path (where output goes) | C:\output | -o C:\output |
| Optional output type(s) | excel | -x |
| Input type | E01 image | E01 |
| Input image path | C:\sample_images\mojave.E01 | C:\sample_images\mojave.E01 |
| Plugins to run | wifi, fsevents, basicinfo | WIFI FSEVENTS BASICINFO |

It is best to write the command out in this same order (options first, then input type, input path and plugins), as shown below.

Using code

python.exe mac_apt.py -o C:\output -x E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO

Using compiled executable

mac_apt.exe -o C:\output -x E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
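The command lines above all follow the same shape: options, then input type, input path, and one or more plugin names in upper case. The helper below is an added example (not part of mac_apt itself) that assembles that argument list in the recommended order and rejects unknown input types, plugin names or log levels before a long image run is started. The function name `build_mac_apt_argv` is hypothetical; the allowed input types, plugin names and log levels are copied from the `-h` output shown on this page (version 0.7.dev).

```python
"""Compose a mac_apt command line in the parameter order the wiki recommends.

Added example, not mac_apt's own code. INPUT_TYPES, PLUGINS and LOG_LEVELS
mirror the `mac_apt.py -h` output on this page; build_mac_apt_argv is a
hypothetical helper name.
"""
import shlex

INPUT_TYPES = {"E01", "DD", "DMG", "VMDK", "AFF4", "MOUNTED"}

# Plugin names as printed by `mac_apt.py -h` (0.7.dev), plus FAST and ALL.
PLUGINS = {
    "APPLIST", "ARD", "AUTOSTART", "BASICINFO", "BLUETOOTH", "CHROME",
    "COOKIES", "DOCKITEMS", "DOCUMENTREVISIONS", "DOMAINS", "FSEVENTS",
    "IDEVICEBACKUPS", "IDEVICEINFO", "IMESSAGE", "INETACCOUNTS",
    "INSTALLHISTORY", "MSOFFICE", "NETUSAGE", "NETWORKING", "NOTES",
    "NOTIFICATIONS", "PRINTJOBS", "QUARANTINE", "QUICKLOOK", "RECENTITEMS",
    "SAFARI", "SAVEDSTATE", "SCREENTIME", "SPOTLIGHT", "SPOTLIGHTSHORTCUTS",
    "SUDOLASTRUN", "TERMINALSTATE", "TERMSESSIONS", "UNIFIEDLOGS", "USERS",
    "WIFI", "FAST", "ALL",
}

LOG_LEVELS = {"INFO", "DEBUG", "WARNING", "ERROR", "CRITICAL"}


def build_mac_apt_argv(input_type, input_path, plugins, output_path,
                       xlsx=False, csv=False, log_level=None, password=None,
                       script="mac_apt.py"):
    """Return [script, options..., input_type, input_path, plugins...].

    Plugin names are accepted in any case and emitted upper case, matching
    the "wifi, fsevents, basicinfo" -> "WIFI FSEVENTS BASICINFO" mapping in
    the parameter table. Raises ValueError on anything mac_apt would not
    recognise, so a typo fails fast instead of after a long image scan.
    """
    itype = input_type.upper()
    if itype not in INPUT_TYPES:
        raise ValueError(f"unknown input type {input_type!r}")

    names = [p.upper() for p in plugins]
    if not names:
        raise ValueError("at least one plugin is required")
    unknown = [p for p in names if p not in PLUGINS]
    if unknown:
        raise ValueError(f"unknown plugin(s): {', '.join(unknown)}")

    # Options first: -o is effectively always wanted, -x/-c add Excel/CSV
    # on top of the default sqlite output.
    argv = [script, "-o", str(output_path)]
    if xlsx:
        argv.append("-x")
    if csv:
        argv.append("-c")
    if log_level is not None:
        level = log_level.upper()
        if level not in LOG_LEVELS:
            raise ValueError(f"unknown log level {log_level!r}")
        argv += ["-l", level]
    if password is not None:
        # PRK or user password for an encrypted volume; passed verbatim,
        # as the help text says the PRK must be exactly as it was shown.
        argv += ["-p", password]

    # Then the positionals, in the order argparse expects them.
    argv += [itype, str(input_path)]
    argv += names
    return argv


def as_shell_line(argv):
    """Quote the argv list for pasting into a POSIX shell (e.g. MOUNTED mode on a Mac)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # The page's "most common use case", reproduced from the table values.
    print(as_shell_line(build_mac_apt_argv(
        "AFF4", "C:\\evidence\\mac.aff4", ["fast"], "C:\\output_folder")))
    # The E01 example with Excel output and DEBUG logging.
    print(as_shell_line(build_mac_apt_argv(
        "E01", "C:\\sample_images\\mojave.E01",
        ["wifi", "fsevents", "basicinfo"], "C:\\output",
        xlsx=True, log_level="debug")))
```

Feeding the returned list to `subprocess.run` (rather than joining it into one string) keeps image paths with spaces intact and avoids any shell interpretation of a recovery key passed with `-p`.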

The examples below exercise some of the other available options.

Run most plugins over a DD image, with only sqlite output

mac_apt.exe -o C:\output DD C:\sample_images\mojave.dd FAST

Now the same with DEBUG logging for more information (useful when investigating bugs)

mac_apt.exe -o C:\output -l DEBUG DD C:\sample_images\mojave.dd FAST

Using MOUNTED option

Run mac_apt LIVE (no image) on a Mac to get artifacts from the local machine; the input path is the root of the local file system:

python mac_apt.py -o ~/output -x MOUNTED / FAST

Run mac_apt on another disk mounted on the local machine:

python mac_apt.py -o ~/output -x MOUNTED ~/mounted/root/ FAST

Here ~/mounted/root/ is the root of the mounted evidence disk.
