mac_apt - Mac OS Artifact Parsing Tool
- Description:
mac_apt is a DFIR (Digital Forensics and Incident Response) tool that processes full disk images of Mac computers (or live machines) and extracts
data/metadata useful for forensic investigation. It is a Python-based framework with plugins that process individual artifacts (such as Safari
internet history, network interfaces, recently accessed files & volumes, etc.).
mac_apt now also includes ios_apt, for processing iOS images.
Requirements: Python 3.7 or above (32/64 bit)
Features
* Cross platform (no dependency on pyobjc)
* Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression), SPARSEIMAGE & mounted images
* XLSX, CSV, TSV, SQLite outputs
* Analyzed files/artifacts are exported for later review
* zlib, lzvn, lzfse compressed files are supported!
* Native HFS & APFS parser
* Reads the Spotlight database and Unified Logging (tracev3) files
Latest
* Can read Axiom-created targeted collection zip files
* ios_apt can read GrayKey extracted file system
* Can read RECON-created .sparseimage files
* Support for macOS Big Sur Sealed volumes (11.0)
* Introducing ios_apt for processing iOS/iPadOS images
* FAST mode
* Encrypted APFS images can now be processed using password/recovery-key
* macOS Catalina (10.15+) separately mounted SYSTEM & DATA volumes now supported
* AFF4 images (including MacQuisition-created) are supported
Packages