-
Notifications
You must be signed in to change notification settings - Fork 103
Sample Usage
There are 3 main launch scripts
Script | When to use? |
---|---|
mac_apt.py | Use with full disk/volume images as input |
mac_apt_artifact_only.py | Use with individual artifact files as input. This is when you do not have the full image but you have key files like com.apple.airport.preferences.plist to analyze. (Not every plugin is supported in this mode!) |
mac_apt_mounted_sys_data.py | If you need to run mac_apt on a macOS 10.15 (Catalina) mounted image and you have two mount points (one for SYSTEM volume and other for DATA volume), then use this script. It is the same as mac_apt MOUNTED mode but allows you to specify two separate mounted locations. |
Running the -h option will show you the optional and required parameters.
See output of `-h` option
C:\Users\khatri>python c:\mac_apt\mac_apt.py -h
usage: mac_apt.py [-h] [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL] [-p PASSWORD]
input_type input_path plugin [plugin ...]
mac_apt is a framework to process forensic artifacts on a Mac OSX system
You are running macOS Artifact Parsing Tool version 0.7.dev
Note: The default output is now sqlite, no need to specify it now
positional arguments:
input_type Specify Input type as either E01, DD, DMG, VMDK, AFF4 or MOUNTED
input_path Path to OSX image/volume
plugin Plugins to run (space separated). FAST will run most plugins
optional arguments:
-h, --help show this help message and exit
-o OUTPUT_PATH, --output_path OUTPUT_PATH
Path where output files will be created
-x, --xlsx Save output in Excel spreadsheet
-c, --csv Save output as CSV files
-l LOG_LEVEL, --log_level LOG_LEVEL
Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
-p PASSWORD, --password PASSWORD
Personal Recovery Key(PRK) or Password for any user (for decrypting encrypted volume). PRK must be exactly how it was shown to you
The following plugins are available:
APPLIST Reads apps & printers installed and/or available for
each user from appList.dat
ARD Reads ARD (Apple Remote Desktop) cached databases about
app usage
AUTOSTART Retrieves persistent and auto-start programs, daemons,
services
BASICINFO Gets basic machine and OS configuration like SN,
timezone, computer name, last logged in user, FS info,
etc..
BLUETOOTH Parses System Bluetooth Artifacts
CHROME Read Chrome History, Top Sites, Downloads, Tabs/Sessions
and Extension info
COOKIES Reads .binarycookies, .cookies files and HSTS.plist for
each user
DOCKITEMS Reads the Dock plist for every user
DOCUMENTREVISIONS Reads DocumentRevisions database
DOMAINS Get information about ActiveDirectory Domain(s) that
this mac is connected to
FSEVENTS Reads file system event logs (from .fseventsd)
IDEVICEBACKUPS Reads and exports iPhone/iPad backup databases
IDEVICEINFO Reads and exports connected iDevice details
IMESSAGE Parses iMessage conversations, exports messages and
attachments
INETACCOUNTS Reads configured internet account (iCloud, Google,
Linkedin, facebook..) settings used by Mail, Contacts,
Calendar and other apps
INSTALLHISTORY Parses the InstallHistory.plist to get software
installation history
MSOFFICE Reads Word, Excel, Powerpoint and other office
MRU/accessed file paths
NETUSAGE Reads the NetUsage (network usage) database to get
program and other network usage data
NETWORKING Gets network related information - Interfaces, last IP
addresses, MAC address, etc..
NOTES Reads Notes databases
NOTIFICATIONS Reads notification databases
PRINTJOBS Parses CUPS spooled print jobs to get information about
files/commands sent to a printer
QUARANTINE Reads Quarantine V2 databases, and GateKeeper
.LastGKReject file
QUICKLOOK Parses QuickLook Thumbnail Cache data
RECENTITEMS Gets recently accessed Servers, Documents, Hosts,
Volumes & Applications from .plist and .sfl files. Also
gets recent searches and places for each user
SAFARI Gets internet history, downloaded file information,
cookies and more from Safari caches
SAVEDSTATE Gets window titles from Saved Application State info
SCREENTIME Parses application Screen Time data
SPOTLIGHT Reads spotlight indexes (user, volume, iOS)
SPOTLIGHTSHORTCUTS Gets user typed data in the spotlight bar, used to
launch applications and documents
SUDOLASTRUN Gets last time sudo was used and a few other times
earlier (if available)
TERMINALSTATE Reads Terminal saved state files which includes full
text content of terminal windows
TERMSESSIONS Reads Terminal (bash & zsh) sessions & history for every
user
UNIFIEDLOGS Reads macOS unified logging logs from .tracev3 files
USERS Gets local and domain user information like name, UID,
UUID, GID, homedir & Darwin paths. Also extracts auto-
login stored passwords and deleted user info
WIFI Gets wifi network information from the
com.apple.airport.preferences.plist file
----------------------------------------------------------------------------
FAST Runs all plugins except IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
ALL Runs all plugins
python mac_apt.py -o C:\output_folder AFF4 C:\evidence\mac.aff4 FAST
The above example will run almost all plugins on the evidence file of type AFF4 located at C:\evidence\mac.aff4 with output going to C:\output_folder. You get sqlite output by default, and can specify additional output types like excel or csv if needed (see below).
Here is how you can run one or more plugins. Let us assume a few parameters to understand this.
Parameter | Desired Value/Type | Command |
---|---|---|
Output path (where output goes) | C:\output | -o C:\output |
Optional Output type(s) | excel | -x |
Input type | E01 image | E01 |
Input image path | C:\sample_images\mojave.E01 | C:\sample_images\mojave.E01 |
Plugins to run | wifi, fsevents, basicinfo | WIFI FSEVENTS BASICINFO |
It is best to write the commands out in this same order as shown below.
python.exe mac_apt.py -o C:\output -x E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
mac_apt.exe -o C:\output -x E01 C:\sample_images\mojave.E01 WIFI FSEVENTS BASICINFO
The below examples exercise some of the other available options.
mac_apt.exe -o C:\output DD C:\sample_images\mojave.dd FAST
Now the same with DEBUG logging for more information (good when investigating bugs)
mac_apt.exe -o C:\output -l DEBUG DD C:\sample_images\mojave.dd FAST
python mac_apt.py -o ~\output -x MOUNTED \ FAST
python mac_apt.py -o ~\output -x MOUNTED ~\mounted\root\ FAST
Here ~\mounted\root\
is the root of the mounted evidence disk.
Getting Started
- Introduction
- Installation
-
Sample Usage
- ios_apt
- Artifact Only Mode
- Mounted System Data Mode
- Interpreting Output
- Issues & Workarounds
Plugins
- AUTOSTART
- BASICINFO
- BLUETOOTH
- DOMAINS
- FSEVENTS
- IDEVICEBACKUPS
- IDEVICEINFO
- IMESSAGE
- INETACCOUNTS
- INSTALLHISTORY
- MSOFFICE
- NETUSAGE
- NETWORKING
- NOTES
- NOTIFICATIONS
- PRINTJOBS
- QUARANTINE
- RECENTITEMS
- SAFARI
- SCREENTIME
- SPOTLIGHT
- SPOTLIGHTSHORTCUTS
- TERMINALSTATE
- TERMSESSIONS
- UNIFIEDLOGS
- USERS
- WIFI
Development
- Write a Plugin
- Plugin Helpers