At SUMURI, we use various tools to conduct Mac examinations. It is not uncommon for us to use our RECON software, open source, or other low-cost tools to get the job done. In our Mac Forensics courses, we climb onto our tool-agnostic soapbox and preach examining a Mac with another Mac, but we also showcase using low-cost and open-source tools. This leads us to this month’s blog topic, Open-Source Tools.
Open-source tools and scripts have become an essential resource for forensic examiners in Digital Forensics and Incident Response (DFIR), providing a cost-effective and flexible alternative to commercial forensic tools. This post focuses on using open-source tools specifically for Mac Forensics, highlighting a few tools that can target macOS and its artifacts.
One of the most significant advantages of open-source tools (OST) is the community-driven nature of their development. Developers create these tools to extract, process, and analyze specific data, then share them with the DFIR community, whose comments, suggestions, and assistance lead to a more robust tool.
OSTs are cost-effective as they are free to use and distribute, providing an excellent resource for digital forensic investigators who may not have access to expensive proprietary tools. Moreover, open-source tools are often designed to work cross-platform, making them more versatile than their proprietary counterparts.
However, one disadvantage is maintaining open-source tools over time. For the most part, OST developers build their tools on their own time, which can be a considerable undertaking. Updating those tools can be labor-intensive, especially after significant changes to file systems, operating systems, and artifacts. Just look at how much macOS has changed over the last year or two.
Another challenge is that some examiners have no experience with the command line or with compiling software, which is sometimes required. Then there are the various languages used to develop the tools, such as Python and Perl, and one I just ran into for the first time, Rust. Without that CLI or programming experience, OSTs can be challenging, and the learning curve can be steep.
Below are some of my favorite Mac OSTs, as well as a few that I am currently exploring:
mac_apt – Yogesh Khatri’s mac_apt is a find-all evidence tool for Mac Forensics. It allows users to process a Mac forensic image using various plugins that target different artifacts. Digital forensics examiners looking to triage a macOS system quickly can benefit significantly from this powerful tool. However, installation can be tricky, and it has not been updated recently.
https://github.com/ydkhatri/mac_apt
APOLLO – Developed by Sarah Edwards a few years ago, Apple Pattern of Life Lazy Output’er (APOLLO) targets multiple iOS and Mac databases to extract information and build it into a timeline that examiners can quickly review. APOLLO is a fast, standalone tool that extracts a significant amount of data and places it quickly into the hands of examiners. Unfortunately, the tool has not been updated in a while, so it’s crucial to validate the findings to ensure everything is functioning correctly. Hopefully, an update will be available in the future.
https://github.com/mac4n6/APOLLO
macos_fseventsd parser – This tool parses fseventsd logs on either a live Mac or a folder containing extracted log files. The parser extracts the entries from the log files and presents them in CSV and JSON files for review. This is a great standalone tool that works well.
https://github.com/puffyCid/macos-fseventsd
Currently, I am exploring and testing the following tools:
imessage_reader – This tool parses the chat.db file and provides the output in a CSV or SQLite db file. The developer is still working on adding the ability to show attachments. Currently, it only targets the local Mac’s chat.db file, and I have requested the ability to select the location of the db file in order to parse those from a forensic image or another Mac.
https://github.com/niftycode/imessage_reader
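As an added illustration of the feature requested above (this is example code, not imessage_reader’s own), here is a small Python parser that reads a chat.db from any caller-supplied path and writes CSV. It also normalizes message.date, which holds seconds since 2001-01-01 on older macOS but nanoseconds since 10.13; a parser that ignores that difference produces silently wrong timestamps, which is exactly the kind of thing to validate. The schema and rows are constructed for the demo.

```python
import csv
import io
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Apple (Cocoa) epoch used by message.date: 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_date(raw):
    """Normalize message.date: whole seconds on older macOS, nanoseconds since 10.13."""
    if raw is None:
        return ""
    if abs(raw) > 10**11:  # far too large for a second count, so treat as nanoseconds
        raw = raw / 1e9
    return (APPLE_EPOCH + timedelta(seconds=raw)).strftime("%Y-%m-%d %H:%M:%S")

def read_messages(db_path):
    """Read a chat.db from any path (extracted copy or mounted image), read-only.
    Copy chat.db-wal alongside it so uncheckpointed messages are not missed."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT m.ROWID, m.date, h.id, m.is_from_me, m.text "
            "FROM message m LEFT JOIN handle h ON m.handle_id = h.ROWID "
            "ORDER BY m.date, m.ROWID").fetchall()
    finally:
        conn.close()
    return [{"rowid": r[0], "date": apple_date(r[1]), "handle": r[2] or "",
             "from_me": bool(r[3]), "text": r[4] or ""} for r in rows]

def to_csv(messages):
    """Render the parsed rows as CSV text (write it to a file for review)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["rowid", "date", "handle", "from_me", "text"])
    writer.writeheader()
    writer.writerows(messages)
    return buf.getvalue()

def build_sample_db(db_path):
    """Constructed minimal chat.db (only the columns used above), not a real export."""
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
        INSERT INTO message VALUES (1, 1, 'seconds-style date', 600000000, 0);
        INSERT INTO message VALUES (2, 1, 'nanosecond-style date', 600000000000000000, 1);""")
    conn.commit()
    conn.close()

def demo():
    """Build the sample in a temp dir, parse it from that arbitrary path, return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_db(f"{tmp}/chat.db")
        return read_messages(f"{tmp}/chat.db")
```

Both sample rows decode to the same instant (2020-01-06 10:40:00 UTC) despite their raw values differing by a factor of a billion.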
macosac – This tool is useful for collecting macOS artifacts for potential compromise investigations. The tool extracts specific artifacts to a DMG file, which can be analyzed using other tools. There is an .ini file with the configuration for the file search and extraction. If necessary, it appears the .ini file can be modified to fit specific targeting needs.
https://github.com/mnrkbys/macosac
FSEvents Parser-rs – This tool also parses fseventsd logs on either a live Mac or a folder containing extracted log files. The parser extracts the entries from the log files and presents them in CSV, JSON, or SQLite files for review. I think including the SQLite db file is a great benefit. This tool is stable and works quickly to get the examiner the data for review.
https://github.com/Houwenda/FSEventsParser-rs
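The macos_fseventsd parser above and FSEvents Parser-rs both decode the same on-disk format. The following is an added Python example (not the code of either project) showing the DLS1/DLS2 page and record layout and the flag bits an examiner sees in their CSV output; it handles only those two page versions, and a constructed two-record log stands in for a real gzip-compressed file from /.fseventsd/.

```python
import gzip
import struct

# Flag bits as documented by community FSEvents parsers (constructed example, not a tool's code).
FLAGS = {0x1: "FolderEvent", 0x2: "Mount", 0x4: "Unmount", 0x20: "EndOfTransaction",
         0x800: "LastHardLinkRemoved", 0x1000: "HardLink", 0x4000: "SymbolicLink",
         0x8000: "FileEvent", 0x10000: "PermissionChange", 0x20000: "ExtendedAttrModified",
         0x40000: "ExtendedAttrRemoved", 0x100000: "DocumentRevisioning", 0x400000: "ItemCloned",
         0x1000000: "Created", 0x2000000: "Removed", 0x4000000: "InodeMetaMod",
         0x8000000: "Renamed", 0x10000000: "Modified", 0x20000000: "Exchange",
         0x40000000: "FinderInfoMod", 0x80000000: "FolderCreated"}

def decode_flags(flags):
    """Expand the 32-bit flags field into the names of the bits that are set."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def parse_fsevents(data):
    """Yield (path, event_id, flags, node_id) from a gunzipped fseventsd log.
    Page: '1SLD' (DLS1) or '2SLD' (DLS2), 4 unknown bytes, 4-byte LE page length.
    Record: NUL-terminated path, 8-byte event id, 4-byte flags, plus 8-byte node id in DLS2."""
    off = 0
    while off + 12 <= len(data):
        magic = data[off:off + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError(f"unknown page magic {magic!r} at offset {off}")
        page_len = struct.unpack_from("<I", data, off + 8)[0]
        pos, end = off + 12, off + page_len
        while pos < end:
            nul = data.index(b"\x00", pos, end)
            path = data[pos:nul].decode("utf-8", "replace")  # stored relative to volume root
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            pos = nul + 13
            node_id = None
            if magic == b"2SLD":
                node_id = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            yield path, event_id, flags, node_id
        off = end

def records_from_gz(blob):
    """Parse one gzip-compressed log file (as found under /.fseventsd/) into a list."""
    return list(parse_fsevents(gzip.decompress(blob)))

def build_sample_log():
    """Constructed DLS2 page with two records, standing in for a real /.fseventsd/ file."""
    recs = b""
    for path, eid, flags, node in [("Users/bob/Documents/notes.txt", 12345, 0x1008000, 8675309),
                                   ("Users/bob/Documents", 12346, 0x10000001, 8675000)]:
        recs += path.encode() + b"\x00" + struct.pack("<QIQ", eid, flags, node)
    page = b"2SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(recs)) + recs
    return gzip.compress(page)
```

Event IDs are monotonically increasing, so sorting on them orders the activity even though the records themselves carry no timestamp.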
OSTs offer multiple advantages in digital forensics, including cost-effectiveness, versatility, and collaborative development. Still, they also come with their own challenges, such as the lack of official support and, in many instances, longevity, especially for Mac tools. Ultimately, whether or not to use OSTs in digital forensics depends on the examiner’s needs and resources, as well as the specific tool.
In our MFSC-201 course, we showcase some of our favorite OSTs and run students through practical exercises to familiarize them with how the tools work and their potential in our examinations. All of our Mac Forensics training is vendor-neutral and tool-agnostic. SUMURI believes in teaching you how to conduct Mac Forensics using native, free, or low-cost tools. Attend our MFSC-101 and MFSC-201 and take your Mac Fu to the next level.