Skip to content

zmbf0r3ns1cs/mac_int

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Screenshot

macOS Artifact Intelligence Tool

mac_int is an interpretive, modular DFIR intelligence and artifact correlation tool designed to automatically identify patterns and connections between parsed artifact data from the SQLite output of Yogesh Khatri’s open source tool, mac_apt.

Requirements: Python 3.7.3+ 32/64 bit

Background

Users of mac_int will have the ability to utilize pre-researched data interpretation for desired correlations, potentially saving time in a DFIR investigation. Numerous forensic artifacts within macOS can reflect the same event in different ways, allowing the correlation of these related data fragments to be used to provide a better, more fluid story of events that occurred on the system. Calling on the SQLite output of mac_apt, this tool combines previously performed research with user interaction to build a clearly defined timeline - all relevant to the needs specified by the user.

Features

  • Cross-Platform (runs on any OS with Python 3.7.3 and up)
    • Tested on Windows 10, macOS 10.14, & Ubuntu 19
  • Intelligent "connective parsing" from mac_apt SQLite Database output
  • Interpreted data can be displayed via HTML format for ease-of-use and readability

Getting Started

To see all available options, run the following invocation:

Windows

mac_int.py -h 

macOS

python mac_int.py -h

Linux

python3 mac_int.py -h

Example Usage

Below you will find an example of mac_int usage on Windows 10, utilizing the -mv switch to run the Mounted Volumes module with username "justin.boncaldo" and -o to output to a specified directory:

mac_int.py C:\Users\burnh\Desktop\mac_apt\mac_apt02.db justin.boncaldo -o C:\Users\burnh\Desktop\Capstone -mv

Below is an example of mac_int usage on macOS, utilizing the -a and --html switches to run all mac_int modules together with HTML output:

python mac_int.py /Users/zachburnham/Desktop/Capstone/Mac_apt_Output/mac_apt02.db justin.boncaldo -a --html

Current Modules

mac_int operates off pre-defined Python3 scripts that are called upon using command arguments. This list is a constant work in progress; any new module based on mac_apt SQLite output can be created and added to the argument parser for command line accessibility. Below is a working table describing the current modules and their functionality:

Module Description mac_apt Connections (Tables)
MountedVolumes Parse for information pertaining to mounted volumes that are or were on the system, including Names, Creation Dates, First and Last Seen Dates, and Bash Sessions RecentItems, Spotlight-1-store, BashSessions
UserInfo Parse for all related user information on the system, including information such as mounted volumes and installed applications InstallHistory, NetUsage, RecentItems, Safari, Dock Items
InstalledApps A Full and/or User-Based search for updates, downloaded and installed applications with their corresponding network usage InstallHistory, Dock Items, RecentItems, Safari, NetUsage, BashSessions, Quarantine, Spotlight-1-store
InternetSearch Parse for any internet searches that occured, including downloads, frequently visited sites, Safari history, and recently closed tabs Safari, Quarantine
NetworkInfo Parse for any network activity that occured, including info such as WiFi, DHCP, AD, and network usage Domain_ActiveDirectory, WiFi, Network_DHCP, Network_Interfaces, Network_Details
SystemInfo Parse for system information pertaining to the host, including hostname, timezone, model, macOS version, last logged in user, and file system metadata Basic_Info

Code Architecture

mac_int's modules are designed to work by running as individual Python scripts, each querying a designated mac_apt SQLite database file for their respective information and writing the results to individual text files. If the user requests HTML format, mac_int will create temporary JSON files for each module ran and store the results for the HTML script to query. These files will auto-delete from the system upon process completion.

Screenshot

Releases

No releases published

Packages

No packages published

Languages