AutoMacTC – Automated Mac Forensic Triage Collector

AutoMacTC is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats suitable for analysis. The output may provide valuable insights for incident response in a macOS environment. The tool can be run against a live system or a dead disk (as a mounted volume).


The tool supports basic and advanced usage, and the current module list collects the following information:

  • pslist (current process list at time)
  • lsof (current file handles open at time)
  • netstat (current network connections at time)
  • asl (parsed Apple System Log (.asl) files)
  • autoruns (parsing of various persistence locations and plists)
  • bash (parsing bash/.*_history files for all users)
  • chrome (parsing chrome visit history and download history)
  • coreanalytics (parsing program execution evidence produced by Apple diagnostics)
  • dirlist (list of files and directories across the disk)
  • firefox (parsing firefox visit history and download history)
  • installhistory (parsing program installation history)
  • mru (parsing SFL and MRU plist files)
  • quarantines (parsing QuarantineEventsV2 database)
  • quicklook (parsing Quicklooks database)
  • safari (parsing safari visit history and download history)
  • spotlight (parsing user spotlight top searches)
  • ssh (parsing known_hosts and authorized_keys files for each user)
  • syslog (parsing system.log files)
  • systeminfo (basic system identification, such as current IP address, serial no, hostname)
  • terminalstate (parsing Terminal savedState files)
  • users (listing present and deleted users on the system)
  • utmpx (listing user sessions on terminals)
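As an illustration of what one such module does, the following is an added example (not AutoMacTC's own code) of a quarantines-style parser. The table and column names follow the LSQuarantineEvent table found in the macOS QuarantineEventsV2 SQLite database; the sample rows, the `example.test` URLs and the `parse_quarantine_file` helper are constructed for this example. The LSQuarantineTimeStamp column is stored as seconds since the Cocoa epoch (2001-01-01 UTC), which is the conversion the example performs.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# macOS stores LSQuarantineTimeStamp as seconds since the Cocoa epoch (2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds):
    """Convert a Cocoa-epoch float to an ISO-8601 UTC string; a NULL timestamp stays None."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=float(seconds))).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_db():
    """Constructed stand-in for a user's QuarantineEventsV2 database (in memory).

    Only the columns this example reads are created; the rows are made up, not real telemetry.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, "
        "LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT)"
    )
    rows = [  # constructed sample rows
        ("E1", 600000000.0, "Safari", "https://example.test/report.pdf", "https://example.test/docs/"),
        ("E2", 599999000.0, "Mail", "file:///tmp/attachment.zip", None),
        ("E3", None, "curl", "https://example.test/setup.pkg", None),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def parse_quarantine(conn):
    """Return quarantine events as dicts, oldest first; rows without a timestamp sort last."""
    cur = conn.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString FROM LSQuarantineEvent"
    )
    events = []
    for ident, ts, agent, data_url, origin_url in cur:
        events.append({
            "id": ident,
            "timestamp": cocoa_to_iso(ts),
            "agent": agent,
            "data_url": data_url,
            "origin_url": origin_url,
        })
    # Known timestamps first (chronological), unknown ones at the end so they are still visible.
    events.sort(key=lambda e: (e["timestamp"] is None, e["timestamp"] or ""))
    return events


def parse_quarantine_file(path):
    """Hypothetical helper: open a copied database read-only so triage never writes to evidence."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return parse_quarantine(conn)
    finally:
        conn.close()


def to_csv(events):
    """Render parsed events as CSV text, one of the analysis-friendly output formats."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "timestamp", "agent", "data_url", "origin_url"])
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_quarantine(build_sample_db())))
```

Opening the database with `mode=ro` is the habit worth keeping when running any triage collector against a mounted volume: SQLite will otherwise create journal files next to the evidence. A real QuarantineEventsV2 database carries more columns than the example reads, so a production module would select them explicitly rather than with `SELECT *`.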

You can read more and download the tool over here: https://github.com/CrowdStrike/automactc
