mac_int

macOS Artifact Intelligence Tool

Collaborators: Justin Boncaldo & Ben Estes

Available on GitHub

Background

mac_int is an interpretive, modular DFIR intelligence and artifact correlation tool designed to automatically identify patterns and connections between parsed artifact data from the SQLite output of Yogesh Khatri’s open source tool, mac_apt.

This college capstone project aims to aid investigators by adding intelligence to an already established portion of investigations involving macOS machines. Automatically identifying connections between multiple evidence points can save valuable time and ensure all evidence is considered properly and thoroughly, automating the forensic review process with data interpretation.

Our hope is that the logic within this tool is just the beginning of an even bigger discussion concerning macOS forensics.

Requirements:

Features

Users of mac_int will have the ability to utilize pre-researched data interpretation for desired correlations, potentially saving time in a DFIR investigation. Numerous forensic artifacts within macOS can reflect the same event in different ways, so correlating these related data fragments provides a better, more fluid story of the events that occurred on the system. Calling on the SQLite output of mac_apt, mac_int will combine previously performed research and user interaction to build a clearly defined timeline, all relevant to the needs specified by the user.

  • Cross-Platform (runs on any OS with Python 3.7.3 and up)
  • Intelligent “connective parsing” from mac_apt SQLite Database output
  • Interpreted data can be displayed via HTML format for ease-of-use and readability

Getting Started

To see all available options, run the following invocation:

Windows

mac_int.py -h

macOS

python mac_int.py -h

Linux

python3 mac_int.py -h

Example Usage

Below you will find an example of mac_int usage on Windows 10, utilizing the -mv switch to run the Mounted Volumes module with username “justin.boncaldo” and -o to output to a specified directory:

mac_int.py C:\Users\burnh\Desktop\mac_apt\mac_apt02.db justin.boncaldo -o C:\Users\burnh\Desktop\Capstone -mv

Below is an example of mac_int usage on macOS, utilizing the -a and --html switches to run all mac_int modules together with HTML output:

python mac_int.py /Users/zachburnham/Desktop/Capstone/Mac_apt_Output/mac_apt02.db justin.boncaldo -a --html

Current Modules

mac_int operates off pre-defined Python 3 scripts that are called upon using command-line arguments. This list is a constant work in progress – any new module based on mac_apt SQLite output can be created and added to the argument parser for command line accessibility. Below is a working table describing the current modules and their functionality:

Module           Description
MountedVolumes   Parse for information pertaining to mounted volumes that are or were on the system, including Names, Creation Dates, First and Last Seen Dates, and Bash Sessions
UserInfo         Parse for all related user information on the system, including information such as mounted volumes and installed applications
InstalledApps    A Full and/or User-Based search for updated, downloaded, and installed applications with their corresponding network usage
InternetSearch   Parse for any internet searches that occurred, including downloads, frequently visited sites, Safari history, and recently closed tabs
NetworkInfo      Parse for any network activity that occurred, including info such as WiFi, DHCP, AD, and network usage
SystemInfo       Parse for system information pertaining to the host, including hostname, timezone, model, macOS version, last logged in user, and file system metadata

Code Architecture

mac_int’s modules are designed to work by running as individual Python scripts, each querying a designated mac_apt SQLite database file for their respective information and writing the results to individual text files. If the user requests HTML format, mac_int will create temporary JSON files for each module that was run to store information for the HTML script to query. These files will auto-delete from the system upon process completion.
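The per-module flow described above (query the mac_apt SQLite file for one user, write a text file, optionally stage a temporary JSON file for the HTML step and delete it afterwards), as an added example that is not mac_int's own code. It assumes a MountedVolumes table with Name, FirstSeen, LastSeen and User columns, which it constructs itself, since mac_apt's real schema is not described on this page.

```python
import json
import os
import sqlite3
import tempfile
# Constructed sample rows; the table and column names are assumptions, not mac_apt's real schema.
SAMPLE_VOLUMES = [
    ("Backup HD", "2021-03-01 09:12:00", "2021-04-10 18:30:00", "justin.boncaldo"),
    ("USB_STICK", "2021-04-02 14:05:00", "2021-04-02 14:40:00", "justin.boncaldo"),
    ("TimeMachine", "2020-12-20 08:00:00", "2021-04-11 07:15:00", "ben.estes"),
]

def build_sample_db(db_path):
    """Create a small SQLite file in the assumed mac_apt-like layout."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE MountedVolumes (Name TEXT, FirstSeen TEXT, LastSeen TEXT, User TEXT)")
    con.executemany("INSERT INTO MountedVolumes VALUES (?, ?, ?, ?)", SAMPLE_VOLUMES)
    con.commit()
    con.close()

def mounted_volumes(db_path, username):
    """Module logic: one user's volumes from the database, most recently seen first."""
    con = sqlite3.connect(db_path)
    con.row_factory = sqlite3.Row
    sql = "SELECT Name, FirstSeen, LastSeen FROM MountedVolumes WHERE User = ? ORDER BY LastSeen DESC"
    rows = [dict(r) for r in con.execute(sql, (username,))]
    con.close()
    return rows

def write_report(results, out_dir, html=False, module="MountedVolumes"):
    """Write the module's text file; with html=True stage a temporary JSON file and remove it."""
    txt_path = os.path.join(out_dir, module + ".txt")
    with open(txt_path, "w") as f:
        for r in results:
            f.write("{Name}: first seen {FirstSeen}, last seen {LastSeen}\n".format(**r))
    if not html:
        return txt_path, False
    fd, json_path = tempfile.mkstemp(prefix=module + "_", suffix=".json", dir=out_dir)
    with os.fdopen(fd, "w") as f:
        json.dump(results, f)  # the HTML step would read this staged file
    os.remove(json_path)  # temporary file is deleted on completion
    return txt_path, not os.path.exists(json_path)

def run_demo(username="justin.boncaldo", html=True):
    """Stand-alone run in a scratch directory; returns (results, text_exists, json_deleted)."""
    work = tempfile.mkdtemp()
    db_path = os.path.join(work, "mac_apt_sample.db")
    build_sample_db(db_path)
    results = mounted_volumes(db_path, username)
    txt_path, json_deleted = write_report(results, work, html=html)
    return results, os.path.exists(txt_path), json_deleted
```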

TL;DR

Typical events on a system often set off chain reactions of data alterations, meaning that a single user-driven event results in multiple “hidden” records being kept. Our tool, mac_int, will automatically analyze these likely-related events from mac_apt SQLite output and use them to provide a better interpretation of a system’s timeline.

Our tool and its code can be found for free on GitHub here.