"mac_apt" is a DFIR (Digital Forensics and Incident Response) tool used to process disk images (or live machines) of Mac systems and extract useful data/metadata for digital forensics. It is a Python-based framework with plugins for analyzing user activity (such as Safari browsing history, network interfaces, and recently accessed files and devices).
To install it, first clone the repository, change into the project directory, install the required Python packages using "pip", and finally run the application:
mac_apt% git clone https://github.com/ydkhatri/mac_apt.git
mac_apt% cd mac_apt
mac_apt% pip3 install -r requirements.txt
mac_apt% python3 mac_apt.py
When the tool is run for the first time, it is normal to see an error like the following:
This isn't really an error; it's a message indicating that more input needs to be provided to the application. First, let's create a directory where we will collect the results, and then tell “mac_apt” to store the output in that directory, using the current system as input:
mkdir forensic_out
python3 mac_apt.py -o forensic_out -x MOUNTED / FAST
Once the process is complete, the output directory will look like this:
Inside the "Export" directory under this path, you will find subdirectories containing artifacts collected from the system:
The files located in the Firefox directory are as shown in the following image:
In just a few minutes, "mac_apt" analyzed the entire system and prepared, ready for analysis, data that would otherwise have taken hours to collect by hand.
Let's take a closer look at the capabilities of the "mac_apt" tool. First, it's worth noting that "mac_apt" is a plugin-based application. At the time this course was prepared, the existing plugins for the "mac_apt" tool were those shown in the table below:
If you need more details about macOS forensics, you can check this LetsDefend course:
Furthermore, "mac_apt" can operate not only on live systems but also on any disk image you obtain. This means you can run "mac_apt" on a system other than the one under investigation and point it at a disk image of the system you are examining. We previously covered how to obtain these disk images.
It's also worth noting that the other image formats supported by "mac_apt" include E01, VMDK, and AFF4.
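As an added example (not code from the mac_apt project or from this course), here is a small POSIX shell wrapper around the invocation shown earlier on this page: it accepts either the live system (MOUNTED) or one of the image types just named, refuses to run when the input type is unknown or the path does not exist, and keeps every run in its own timestamped output directory. It assumes the clone lives in MAC_APT_DIR (default "~/mac_apt") and that the installed version accepts the positional "input_type input_path plugin" syntax used in the command above.

```shell
#!/bin/sh
# Added example, not part of mac_apt. Wraps the page's invocation:
#   python3 mac_apt.py -o <outdir> -x <input_type> <input_path> <plugin...>
# Assumption: MAC_APT_DIR points at the cloned repository.
MAC_APT_DIR="${MAC_APT_DIR:-$HOME/mac_apt}"

# is_supported_type TYPE -> 0 if TYPE is one of the input types this page names
is_supported_type() {
    case "$1" in
        MOUNTED|E01|VMDK|AFF4) return 0 ;;
        *) return 1 ;;
    esac
}

# build_mac_apt_cmd OUTDIR TYPE PATH [PLUGIN...]
# Validates the arguments and prints the command line (plugins default to
# FAST, as on this page). Returns 2 on a bad type and 3 on a missing path.
build_mac_apt_cmd() {
    outdir="$1"; itype="$2"; ipath="$3"; shift 3
    is_supported_type "$itype" || { echo "unsupported input type: $itype" >&2; return 2; }
    if [ "$itype" = MOUNTED ]; then
        # a mounted volume (the live system is "/") must be a directory
        [ -d "$ipath" ] || { echo "mount point not found: $ipath" >&2; return 3; }
    else
        # E01/VMDK/AFF4 inputs are files on disk
        [ -f "$ipath" ] || { echo "image file not found: $ipath" >&2; return 3; }
    fi
    [ $# -gt 0 ] || set -- FAST
    printf "python3 '%s/mac_apt.py' -o '%s' -x %s '%s' %s\n" \
        "$MAC_APT_DIR" "$outdir" "$itype" "$ipath" "$*"
}

# run_mac_apt TYPE PATH [PLUGIN...]
# Creates forensic_out/<UTC timestamp>_<TYPE> so that runs never overwrite
# each other, then executes the validated command.
run_mac_apt() {
    outdir="forensic_out/$(date -u +%Y%m%dT%H%M%SZ)_$1"
    cmd=$(build_mac_apt_cmd "$outdir" "$@") || return $?
    mkdir -p "$outdir"
    echo "running: $cmd"
    eval "$cmd"
}

# Examples (uncomment to run):
#   run_mac_apt MOUNTED /                # the live system, as on this page
#   run_mac_apt E01 /evidence/mac.E01    # a disk image on another system
```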