Jump to content
Fi8sVrs

OSXAuditor - Free Mac OS X Computer Forensics Tool

Recommended Posts

  • Active Members

DesignAndCapabilities_v0.4.png

 

OS X Auditor is a free Mac OS X computer forensics tool.

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

  • the kernel extensions
  • the system agents and daemons
  • the third party's agents and daemons
  • the old and deprecated system and third party's startup items
  • the users' agents
  • the users' downloaded files
  • the installed applications

It extracts:

  • the users' quarantined files
  • the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
  • the users' Firefox cookies, downloads, formhistory, permissions, places and signons
  • the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:

  • Team Cymru's MHR
  • VirusTotal
  • your own local database

It can aggregate all logs from the following directories into a zipball:

  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user's ~/Library/logs

Finally, the results can be:

  • rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
  • rendered as a HTML log file
  • sent to a Syslog server

 

Author

Jean-Philippe Teissier - @Jipe_ & al.

 

Support

OS X Auditor started as a week-end project and is now barely maintained. It has been forked by the great guys @ Yelp who created osxcollector.

If you are looking for a production / corporate solution I do recommend you to move to osxcollector (https://github.com/Yelp/osxcollector)

 

How to install

Just copy all files from GitHub.

 

Dependencies

If you plan to run OS X Auditor on a Mac, you will get a full plist parsing support with the OS X Foundation through pyobjc:

pip install pyobjc

If you can't install pyobjc or if you plan to run OS X Auditor on another OS than Mac OS X, you may experience some troubles with the plist parsing:

pip install biplist
pip install plist

These dependencies will be removed when a working native plist module will be available in python

 

How to run

  • OS X Auditor runs well with python >= 2.7.2 (2.7.9 is OK). It does not run with a different version of python yet (due to the plist nightmare)
  • OS X Auditor is maintained to work on the lastest OS X version. It will do its best on older OS X versions.
  • You must run it as root (or via sudo) if you want to use is on a running system, otherwise it won't be able to access some system and other users' files
  • If you're using API keys from environment variables (see below), you need to use the sudo -E to use the users environment variables

Type osxauditor.py -h to get all the available options, then run it with the selected options

 

eg.

[sudo -E] python osxauditor.py -a -m -l localhashes.db -H log.html

 

Setting Environment Variables

VirusTotal API:

export VT_API_KEY=aaaabbbbccccddddeeee

Changelog

 

 

Download: OSXAuditor-master.zip

or

git clone https://github.com/jipegit/OSXAuditor.git

 

Source: https://github.com/jipegit/OSXAuditor

  • Like 1
  • Upvote 3
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...