macOS Artifact Intelligence Tool
Collaborators: Justin Boncaldo & Ben Estes
mac_int is an interpretive, modular DFIR intelligence and artifact correlation tool designed to automatically identify patterns and connections between parsed artifact data from the SQLite output of Yogesh Khatri’s open source tool, mac_apt.
This college capstone project aims to aid investigators by adding intelligence to an already established portion of investigations involving macOS machines. Automatically identifying connections between multiple evidence points can save valuable time and ensure that all evidence is considered properly and thoroughly, automating the forensic review process with data interpretation.
Our hope is that the logic within this tool is just the beginning of an even bigger discussion concerning macOS forensics.
- Python 3.7.3+
- Tested on Windows 10, macOS 10.14, and Ubuntu 19
- mac_apt SQLite output
  - Tool found at https://github.com/ydkhatri/mac_apt
Users of mac_int will have the ability to utilize pre-researched data interpretation for desired correlations, potentially saving time in a DFIR investigation. Numerous forensic artifacts within macOS can reflect the same event in different ways, so correlating these related data fragments provides a clearer, more fluid story of the events that occurred on the system. Calling on the SQLite output of mac_apt, mac_int combines previously performed research with user interaction to build a clearly defined timeline, all relevant to the needs specified by the user.
- Cross-Platform (runs on any OS with Python 3.7.3 and up)
- Intelligent “connective parsing” from mac_apt SQLite Database output
- Interpreted data can be displayed via HTML format for ease-of-use and readability
To see all available options, run one of the following invocations (depending on how Python 3 is named on your system):

```
python mac_int.py -h
python3 mac_int.py -h
```
Below you will find an example of mac_int usage on Windows 10, utilizing the `-mv` switch to run the Mounted Volumes module with username “justin.boncaldo” and `-o` to output to a specified directory:

```
mac_int.py C:\Users\burnh\Desktop\mac_apt\mac_apt02.db justin.boncaldo -o C:\Users\burnh\Desktop\Capstone -mv
```

Below is an example of mac_int usage on macOS, utilizing the `-a` and `--html` switches to run all mac_int modules together with HTML output:

```
python mac_int.py /Users/zachburnham/Desktop/Capstone/Mac_apt_Output/mac_apt02.db justin.boncaldo -a --html
```
mac_int operates off pre-defined Python 3 scripts that are called upon using command-line arguments. This list is a constant work in progress – any new module based on mac_apt SQLite output can be created and added to the argument parser for command-line accessibility. Below is a working table describing the current modules and their functionality:
| Module | Description |
|---|---|
| MountedVolumes | Parse for information pertaining to mounted volumes that are or were on the system, including names, creation dates, first and last seen dates, and Bash sessions |
| UserInfo | Parse for all related user information on the system, including information such as mounted volumes and installed applications |
| InstalledApps | A full and/or user-based search for updates, downloaded and installed applications with their corresponding network usage |
| InternetSearch | Parse for any internet searches that occurred, including downloads, frequently visited sites, Safari history, and recently closed tabs |
| NetworkInfo | Parse for any network activity that occurred, including info such as WiFi, DHCP, AD, and network usage |
| SystemInfo | Parse for system information pertaining to the host, including hostname, timezone, model, macOS version, last logged-in user, and file system metadata |
mac_int’s modules run as individual Python scripts, each querying the designated mac_apt SQLite database file for its respective information and writing its results to an individual text file. If the user requests HTML format, mac_int creates a temporary JSON file for each module that was run, storing the information for the HTML script to query. These temporary files are deleted automatically upon process completion.
Chain reactions of data alterations often occur from typical events on a system. This means that certain user-initiated events result in multiple “hidden” records being kept. Our tool, mac_int, automatically analyzes these likely-related events from the mac_apt SQLite output and uses them to provide a better interpretation of a system’s timeline.
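The following is an added illustration of the module pattern described above (query a mac_apt SQLite database for one user, correlate two artifact tables into timeline entries, and serialize them as a per-module JSON record); it is example code written for this README, not part of mac_int itself. The table and column names, and every row, are constructed assumptions standing in for mac_apt's real schema, which is not reproduced here.

```python
import json
import sqlite3

# Constructed sample tables standing in for a mac_apt SQLite database. The real
# mac_apt schema is NOT reproduced; this layout is assumed only to show the pattern.
SAMPLE_SCHEMA = {
    "MountedVolumes": "(name TEXT, first_seen TEXT, last_seen TEXT)",
    "BashSessions": "(username TEXT, session_file TEXT, started TEXT)",
}
SAMPLE_ROWS = {
    "MountedVolumes": [
        ("USB_EVIDENCE", "2019-10-01 09:12:00", "2019-10-01 17:40:00"),
        ("TimeMachine", "2019-09-20 08:00:00", "2019-10-02 08:00:00"),
    ],
    "BashSessions": [
        ("justin.boncaldo", "~/.bash_sessions/a.history", "2019-10-01 09:15:00"),
        ("justin.boncaldo", "~/.bash_sessions/b.history", "2019-10-05 11:00:00"),
        ("admin", "~/.bash_sessions/c.history", "2019-10-01 10:00:00"),
    ],
}

def build_sample_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database from the constructed tables above."""
    conn = sqlite3.connect(":memory:")
    for table, columns in SAMPLE_SCHEMA.items():
        conn.execute(f"CREATE TABLE {table} {columns}")
        marks = ",".join("?" * len(SAMPLE_ROWS[table][0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", SAMPLE_ROWS[table])
    return conn

def correlate_sessions_with_volumes(conn: sqlite3.Connection, username: str) -> list:
    """Timeline entries for `username`'s shell sessions that began while a volume was mounted."""
    # Timestamps are zero-padded ISO-style strings, so BETWEEN compares them chronologically.
    query = (
        "SELECT b.started, b.session_file, m.name FROM BashSessions b "
        "JOIN MountedVolumes m ON b.started BETWEEN m.first_seen AND m.last_seen "
        "WHERE b.username = ? ORDER BY b.started, m.name"
    )
    return [{"timestamp": ts, "volume": vol,
             "event": f"shell session {session} started while '{vol}' was mounted"}
            for ts, session, vol in conn.execute(query, (username,))]

def to_module_json(entries: list) -> str:
    """Serialize one module's findings, as a temporary per-module JSON file would hold them."""
    return json.dumps({"module": "MountedVolumes", "entries": entries}, indent=2)

if __name__ == "__main__":
    print(to_module_json(correlate_sessions_with_volumes(build_sample_db(), "justin.boncaldo")))
```

Only the first session for justin.boncaldo overlaps a mount window, so it is reported once per volume that was mounted at that moment; the second session falls outside both windows and is dropped.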