-
Notifications
You must be signed in to change notification settings - Fork 103
Sample Usage
Yogesh Khatri (@swiftforensics) edited this page Jul 26, 2019
·
15 revisions
There are 2 main launch scripts
| Script | When to use? |
|---|---|
| mac_apt.py | Use with full disk/volume images as input |
| mac_apt_artifact_only.py | Use with individual artifact files as input. This is when you do not have the full image but you have key files like com.apple.airport.preferences.plist to analyze. (Not every plugin supports this!) |
Running the -h option will show you the optional and required parameters.
See output of `-h` option
C:\Users\khatri>python c:\mac_apt\mac_apt.py -h
usage: mac_apt.exe [-h] [-o OUTPUT_PATH] [-x] [-c] [-s] [-l LOG_LEVEL] [-u]
input_type input_path plugin [plugin ...]
mac_apt is a framework to process forensic artifacts on a Mac OSX system
You are running macOS Artifact Parsing Tool version 0.4
positional arguments:
input_type Specify Input type as either E01, DD, VMDK or MOUNTED
input_path Path to OSX image/volume
plugin Plugins to run (space separated). 'ALL' will process every available plugin
optional arguments:
-h, --help show this help message and exit
-o OUTPUT_PATH, --output_path OUTPUT_PATH
Path where output files will be created
-x, --xlsx Save output in excel spreadsheet(s)
-c, --csv Save output as CSV files (Default option if no output type selected)
-s, --sqlite Save output in an sqlite database
-l LOG_LEVEL, --log_level LOG_LEVEL
Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
-u, --use_tsk Use sleuthkit instead of native HFS+ parser (This is slower!)
The following plugins are available:
ALL Processes all plugins
AUTOSTART Retrieves persistent and auto-start programs, daemons,
services
BASHSESSIONS Reads bash (Terminal) sessions & history for every user
BASICINFO Gets basic machine and OS configuration like SN,
timezone, computer name, last logged in user, FS info,
etc..
BLUETOOTH Parses System Bluetooth Artifacts
DOCKITEMS Reads the Dock plist for every user
DOMAINS Get information about ActiveDirectory Domain(s) that
this mac is connected to
FSEVENTS Reads file system event logs (from .fseventsd)
IDEVICEBACKUPS Reads and exports iPhone/iPad backup databases
IDEVICEINFO Reads and exports connected iDevice details
IMESSAGE Parses iMessage conversations, exports messages and
attachments
INETACCOUNTS Reads configured internet account (iCloud, Google,
Linkedin, facebook..) settings used by Mail, Contacts,
Calendar and other apps
INSTALLHISTORY Parses the InstallHistory.plist to get software
installation history
MSOFFICE Reads Word, Excel, Powerpoint and other office
MRU/accessed file paths
NETUSAGE Reads the NetUsage (network usage) database to get
program and other network usage data
NETWORKING Gets network related information - Interfaces, last IP
addresses, MAC address, etc..
NOTES Reads Notes databases
NOTIFICATIONS Reads notification databases
PRINTJOBS Parses CUPS spooled print jobs to get information about
files/commands sent to a printer
QUARANTINE Reads Quarantine V2 databases, and GateKeeper
.LastGKReject file
RECENTITEMS Gets recently accessed Servers, Documents, Hosts,
Volumes & Applications from .plist and .sfl files. Also
gets recent searches and places for each user
SAFARI Gets internet history, downloaded file information,
cookies and more from Safari caches
SPOTLIGHT Reads spotlight indexes on volume
SPOTLIGHTSHORTCUTS Gets user typed data in the spotlight bar, used to
launch applications and documents
UNIFIEDLOGS Reads macOS unified logging logs from .tracev3 files
USERS Gets local and domain user information like name, UID,
UUID, GID, homedir & Darwin paths. Also extracts auto-
login stored passwords and deleted user info
WIFI Gets wifi network information from the
com.apple.airport.preferences.plist file
Here is how you can run one or more plugins. Let us assume a few parameters to understand this.
| Parameter | Desired Value/Type | Command |
|---|---|---|
| Output path (where output goes) | C:\output | -o C:\output |
| Output type(s) | excel & sqlite | -x -s |
| Input type | E01 image | E01 |
| Input image path | C:\sample_images\mojave.E01 | C:\sample_images\mojave.E01 |
| Plugins to run | wifi, fsevents, basicinfo | WIFI FSEVENTS BASICINFO |
It is best to write the commands out in this same order as shown below.
Using code
python.exe mac_apt.py -o C:\output -x -s E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
Using compiled executable
mac_apt.exe -o C:\output -x -s E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
The below examples exercise some of the other available options.
Run all modules over a DD image, with only sqlite output
mac_apt.exe -o C:\output -s DD C:\sample_images\mojave.dd ALL
Now the same with DEBUG logging for more information (good when investigating bugs)
mac_apt.exe -o C:\output -s -l DEBUG DD C:\sample_images\mojave.dd ALL
Getting Started
- Introduction
- Installation
-
Sample Usage
- ios_apt
- Artifact Only Mode
- Mounted System Data Mode
- Interpreting Output
- Issues & Workarounds
Plugins
- AUTOSTART
- BASICINFO
- BLUETOOTH
- DOMAINS
- FSEVENTS
- IDEVICEBACKUPS
- IDEVICEINFO
- IMESSAGE
- INETACCOUNTS
- INSTALLHISTORY
- MSOFFICE
- NETUSAGE
- NETWORKING
- NOTES
- NOTIFICATIONS
- PRINTJOBS
- QUARANTINE
- RECENTITEMS
- SAFARI
- SCREENTIME
- SPOTLIGHT
- SPOTLIGHTSHORTCUTS
- TERMINALSTATE
- TERMSESSIONS
- UNIFIEDLOGS
- USERS
- WIFI
Development
- Write a Plugin
- Plugin Helpers