OSXCollector – Forensic Evidence Collection Toolkit

OSXCollector is a forensic evidence collection and analysis toolkit for OSX. The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases and the local file system to answer the following questions:

  • Is this machine infected?
  • How did that malware get there?
  • How can I prevent and detect further infection?

The information collected by the tool includes file records, SQLite records and timestamps, and covers the following sections:

  • startup section (collects information about the LaunchAgents, LaunchDaemons, ScriptingAdditions, StartupItems and other login items)
  • system info section (system name, node name, release, version, machine)
  • applications section (hashes installed applications and gathers install history)
  • quarantine section (quarantine records are the information macOS needs to show the ‘Are you sure you want to open this?’ prompt when a user tries to open a file downloaded from the Internet)
  • downloads section (hashes all users’ downloaded files)
  • browsers section for Chrome, Firefox and Safari (History, Archived History, Cookies, Extensions, Login Data, Top Sites, Web Data)
  • accounts section (collects information about users’ accounts)
  • mail section (hashes files in the Mail app directories)
  • full hash section (hashes all the files on disk)
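To make the collection model concrete, here is a small added example (not OSXCollector's own code) that does, in miniature, what the downloads and browsers sections above describe: it walks a directory, hashes every file with MD5/SHA-1/SHA-256, records its timestamps, pulls rows out of a Chrome-style History SQLite database, and emits one JSON record per artifact. The `osxcollector_section`/`osxcollector_subsection` keys and the section names `downloads` and `chrome` are modelled on the tool's output format as an assumption; the sample Downloads folder and History database are constructed in a temporary directory so the script runs offline.

```python
"""Miniature artifact collector in the style described on the page.
Added example; not OSXCollector's own code. The record key names
(osxcollector_section, file_path, md5/sha1/sha2) are assumptions
modelled on the tool's JSON-lines output."""
import hashlib
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def digest_stream(chunks):
    """Hash an iterable of byte chunks with all three digests in one pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        for h in (md5, sha1, sha256):
            h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha2": sha256.hexdigest()}


def hash_bytes(data):
    return digest_stream([data])


def hash_file(path, chunk_size=65536):
    """Stream the file so large artifacts do not need to fit in memory."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk_size), b""))


def iso_utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def webkit_to_iso(microseconds):
    """Chrome stores times as microseconds since 1601-01-01 UTC (WebKit epoch)."""
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).isoformat()


def file_record(path, section):
    """One record per file: path, mtime/ctime/atime, and its hashes."""
    st = os.stat(path)
    rec = {"osxcollector_section": section, "file_path": path, "size": st.st_size,
           "mtime": iso_utc(st.st_mtime), "ctime": iso_utc(st.st_ctime),
           "atime": iso_utc(st.st_atime)}
    rec.update(hash_file(path))
    return rec


def collect_directory(root, section):
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            records.append(file_record(os.path.join(dirpath, name), section))
    return records


def collect_sqlite(db_path, query, section, subsection):
    """Read rows from a browser database read-only so the artifact is not modified."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    try:
        rows = [dict(r) for r in conn.execute(query)]
    finally:
        conn.close()
    for r in rows:
        r["osxcollector_section"] = section
        r["osxcollector_subsection"] = subsection
        if "last_visit_time" in r:
            r["last_visit"] = webkit_to_iso(r["last_visit_time"])
    return rows


def build_sample_machine():
    """Constructed sample data: a Downloads folder with two files and a
    Chrome-style History database with a minimal 'urls' table."""
    root = tempfile.mkdtemp(prefix="collector_demo_")
    downloads = os.path.join(root, "Downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 sample")
    with open(os.path.join(downloads, "installer.dmg"), "wb") as fh:
        fh.write(b"not really a dmg")
    conn = sqlite3.connect(os.path.join(root, "History"))
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, last_visit_time INTEGER)")
    conn.executemany("INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)",
                     [("https://example.com/", "Example", 13300000000000000),
                      ("https://example.net/download", "Download", 13300000001000000)])
    conn.commit()
    conn.close()
    return root


def run_collection(root):
    records = collect_directory(os.path.join(root, "Downloads"), "downloads")
    records += collect_sqlite(os.path.join(root, "History"),
                              "SELECT url, title, last_visit_time FROM urls ORDER BY id",
                              "chrome", "history")
    return records


def to_json_lines(records):
    """One JSON object per line, the shape an analysis step can grep or stream."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_json_lines(run_collection(build_sample_machine())))
```

The records are emitted as JSON lines so a later analysis pass can filter on `osxcollector_section` or join hashes against a known-bad list without loading the whole file; opening the browser database with `mode=ro` keeps the collector from altering the evidence it reads.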

You can read more and download this tool over here: https://github.com/Yelp/
