AutoMacTC: Automated Mac Forensic Triage Collector

This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. AutoMacTC can be run against a live system or against a dead disk (as a mounted volume).
analysis systems, for triage against a mounted disk image

Basic usage
At its simplest, you can run automactc with the following invocation. Note: automactc requires sudo privileges to run, and should be invoked specifically with /usr/bin/python2.7 to ensure full functionality.

sudo /usr/bin/python2.7 automactc.py -m all

This will run all modules (-m) with default settings, i.e.:

- default input directory will be /, or the root of the current volume
- default output directory will be ./, or the working directory from which automactc is run (NOT the location of the script)
- default prefix for output filenames will be automactc-output
- default behavior is to populate a runtime.log for debugging and information
- default format for individual artifact output files is CSV
- default CPU priority is set to low
- default behavior on completion is to compress all output files to tar.gz

In order to list all available modules and do nothing else, simply run:

sudo /usr/bin/python2.7 automactc.py -l

The inputdir and outputdir can be specified with the -i and -o flags, respectively:

sudo /usr/bin/python2.7 automactc.py -i / -o /automactc_output -m all

Modules can be specified for inclusion or exclusion on a per-module basis. In other words, you can INCLUDE specific modules, such as pslist, bash, and systeminfo:

sudo /usr/bin/python2.7 automactc.py -m pslist bash systeminfo

Or, you can EXCLUDE specific modules, to run all EXCEPT those specified, such as dirlist and autoruns:

sudo /usr/bin/python2.7 automactc.py -x dirlist autoruns

Output Control
For each module, automactc will generate an output file and populate it with data. The output file format defaults to CSV, but can be toggled to JSON with the -fmt flag. It is not currently possible to specify the output format on a per-module basis:

sudo /usr/bin/python2.7 automactc.py -m all -fmt json

Upon successfully populating an output file with data, the file is rolled into a .tar archive that is created when automactc completes its first module. Upon completion of the last module, automactc GZIPs the .tar archive to .tar.gz. A run that is interrupted before its last module therefore leaves a bare .tar in the output directory rather than a .tar.gz.
The name of the tar archive uses the same four comma-separated fields as the runtime log:

prefix,hostname,ip,runtime.tar.gz

The first field, prefix, can be specified at runtime with -p. If unspecified, the prefix is set to automactc-output. The other fields are populated from data gathered at runtime. This is useful when running automactc on multiple systems for a single incident:

sudo /usr/bin/python2.7 automactc.py -m all -p granny-smith

While the default behavior is to generate a tarball, the -nt flag prevents the creation of a tar archive and leaves the output files as-is in the output directory:

sudo /usr/bin/python2.7 automactc.py -m all -p granny-smith -nt
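To show how the comma-separated name fields help when many hosts are collected for one incident, here is an added Python 3 helper. It is not part of AutoMacTC; it parses output names of the assumed form prefix,hostname,ip,runtime followed by .tar.gz, .tar or .log (the fields the README gives for the runtime log), groups them per host and run, and flags runs that left a bare .tar rather than a .tar.gz, which under the behaviour described above means the last module never completed. The sample listing is constructed, and the format of the runtime field is an assumption.

```python
from collections import defaultdict

# Constructed sample listing of an output directory after several runs.
# Filenames are assumed; the four fields follow the README's convention.
SAMPLE_LISTING = [
    "granny-smith,mac-alice,10.0.0.12,20190315T101500.tar.gz",
    "granny-smith,mac-alice,10.0.0.12,20190315T101500.log",
    "granny-smith,mac-bob,10.0.0.44,20190315T103000.tar",   # bare .tar: never gzipped
    "granny-smith,mac-bob,10.0.0.44,20190315T103000.log",
    "automactc-output,mac-carol,192.168.1.7,20190316T090000.tar.gz",
    "notes.txt",                                            # unrelated file, ignored
]

# Longest suffix first so ".tar.gz" is not mistaken for ".tar".
SUFFIXES = (".tar.gz", ".tar", ".log")


def parse_output_name(name):
    """Split 'prefix,hostname,ip,runtime<suffix>' into its fields.

    Returns None for names that do not follow the convention. A prefix
    given with -p that itself contains a comma would also be rejected here,
    so keep prefixes comma-free.
    """
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            stem = name[:-len(suffix)]
            break
    else:
        return None
    parts = stem.split(",")
    if len(parts) != 4:
        return None
    prefix, hostname, ip, runtime = parts
    return {"prefix": prefix, "hostname": hostname, "ip": ip,
            "runtime": runtime, "suffix": suffix}


def inventory(names):
    """Group files by (hostname, runtime). A run counts as complete only when
    its .tar.gz exists; a bare .tar means the last module did not finish."""
    runs = defaultdict(lambda: {"archive": None, "log": None,
                                "prefix": None, "ip": None})
    for name in names:
        info = parse_output_name(name)
        if info is None:
            continue
        run = runs[(info["hostname"], info["runtime"])]
        run["prefix"], run["ip"] = info["prefix"], info["ip"]
        if info["suffix"] == ".log":
            run["log"] = name
        else:
            run["archive"] = name
    for run in runs.values():
        archive = run["archive"]
        run["complete"] = archive is not None and archive.endswith(".tar.gz")
    return dict(runs)


def incomplete_runs(names):
    """(hostname, runtime) keys whose collection should be re-run or inspected."""
    return sorted(k for k, v in inventory(names).items() if not v["complete"])


if __name__ == "__main__":
    for (host, runtime), run in sorted(inventory(SAMPLE_LISTING).items()):
        status = "complete" if run["complete"] else "INCOMPLETE (check the .log)"
        print("%s %s ip=%s prefix=%s: %s" % (host, runtime, run["ip"],
                                            run["prefix"], status))
```

Point the script at an `os.listdir()` of the collection drop directory to get the same per-host inventory; the runtime log of an incomplete run is the first place to look for which module stalled.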

Current Modules

- pslist (current process list at time of automactc run)
- lsof (current file handles open at time of automactc run)
- netstat (current network connections at time of automactc run)
- asl (parsed Apple System Log (.asl) files)
- autoruns (parsing of various persistence locations and plists)
- bash (parsing bash/.*_history files for all users)
- chrome (parsing chrome visit history and download history)
- coreanalytics (parsing program execution evidence produced by Apple diagnostics)
- dirlist (list of files and directories across the disk)
- firefox (parsing firefox visit history and download history)
- installhistory (parsing program installation history)
- mru (parsing SFL and MRU plist files)
- quarantines (parsing QuarantineEventsV2 database)
- quicklook (parsing QuickLook database)
- safari (parsing safari visit history and download history)
- spotlight (parsing user spotlight top searches)
- ssh (parsing known_hosts and authorized_keys files for each user)
- syslog (parsing system.log files)
- systeminfo (basic system identification, such as current IP address, serial no, hostname)
- terminalstate (parsing Terminal savedState files)
- users (listing present and deleted users on the system)
- utmpx (listing user sessions on terminals)

Advanced usage
By default, automactc writes verbose debug logging to a file named prefix,hostname,ip,runtime.log. You can disable the generation of this log with -nl:

sudo /usr/bin/python2.7 automactc.py -m all -nl

By default, automactc prints INFO and ERROR log messages to the console. To run automactc in quiet mode and write NO messages to the console, use -q. INFO messages include program startup messages, one message per module start, and completion/cleanup messages:

sudo /usr/bin/python2.7 automactc.py -m all -q

To print DEBUG messages to the console along with INFO and ERROR messages, use the -d flag:

sudo /usr/bin/python2.7 automactc.py -m all -d

Automactc runs with the lowest CPU priority (highest niceness) possible by default. It is possible to disable niceness and run at normal priority with the -r flag. Note that the help output below lists this option as -np, --no_low_priority; check -h on your build to confirm which spelling it accepts:

sudo /usr/bin/python2.7 automactc.py -m all -r

Automactc can also be run against a dead disk, if the disk is mounted as a volume on the analysis system. Once mounted, run automactc with the appropriate inputdir (pointing to the volume mount point) and -f to toggle forensic mode ON.
NOTE: on a live system, if you want dirlist to collect from mounted peripheral devices, use -f together with -i /; otherwise dirlist will not recurse further into volumes mounted under /Volumes.

sudo /usr/bin/python2.7 automactc.py -i /Volumes/mounted_IMAGE/ -o /path/to/output -f -m all

Dirlist Arguments

Directory Inclusion/Exclusion
It is possible to limit dirlist recursion to specific directories with the -K flag. By default, dirlist will attempt to recurse from the root of the inputdir volume unless otherwise specified with this flag. Multiple directories can be specified in a space-separated list:

sudo /usr/bin/python2.7 automactc.py -m dirlist -K /Users/ /Applications/ /tmp

It is also possible to exclude specific directories from dirlist recursion with the -E flag:

sudo /usr/bin/python2.7 automactc.py -m dirlist -E /path/to/KnownDevDirectory

By default, the following directories and files are excluded on live systems:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)
/Users/*/Pictures (to avoid permissions errors)
/Users/*/Library/Application Support/AddressBook (to avoid permissions errors)
/Users/*/Calendar (to avoid permissions errors)
/Users/*/Library/Calendars (to avoid permissions errors)
/Users/*/Library/Preferences/ (to avoid permissions errors)

By default, the following directories are excluded when running forensic mode against a mounted image:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)

Any additional directories to exclude are appended to this default list, unless you provide the -E no-defaults argument first, in which case only your specified directories are excluded:

sudo /usr/bin/python2.7 automactc.py -m dirlist -E no-defaults /path/to/KnownDevDirectory

The hashing arguments below apply to BOTH the dirlist and autoruns modules.
By default, the dirlist module hashes files only with the sha256 algorithm. To use both SHA256 and MD5, use -H sha256 md5. To use only md5, use -H md5. To use neither, use -H none. NOTE: running the dirlist module against a dead disk with hashing enabled currently takes a LONG time:

sudo /usr/bin/python2.7 automactc.py -m dirlist -H sha256 md5

By default, the dirlist module only hashes files smaller than 10MB. To hash files under a different size threshold, change the threshold with the -S flag, given in megabytes. NOTE: raising the size threshold will most likely increase the time the dirlist module takes to run. For example, to hash files up to 15MB:

sudo /usr/bin/python2.7 automactc.py -m dirlist -S 15

Bundles, Signatures, Multithreading
By default, the dirlist module will NOT recurse into bundle directories, including the following:

'.app', '.framework', '.lproj', '.plugin', '.kext', '.osax', '.bundle', '.driver', '.wdgt'

To override this setting, use the -R flag. NOTE: this produces a far higher volume of output and takes significantly more time. These bundle directories will be configurable in a future update.
By default, the dirlist module checks code signatures for all .app, .kext, and .osax files found. To prevent the dirlist module from checking any code signatures, use the -NC flag. This argument applies to BOTH the dirlist and autoruns modules:

sudo /usr/bin/python2.7 automactc.py -m dirlist -NC

By default, the dirlist module is multithreaded to increase processing speed. Multithreading can be disabled with the -NM flag:

sudo /usr/bin/python2.7 automactc.py -m dirlist -NM
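To make the interaction of the dirlist switches concrete, here is an added Python 3 illustration, not AutoMacTC's own code (automactc itself runs under python2.7). It applies the rules documented in the dirlist sections above to a constructed temporary tree: the live and forensic default exclusion lists, the -E no-defaults override, the bundle-directory skip that -R disables, the -H algorithm choice including none, and the -S size cap. Glob matching of the exclusion patterns, the row layout and the sample tree are assumptions; the real module's output columns are not described on this page.

```python
import fnmatch
import hashlib
import os
import tempfile

# Defaults transcribed from the dirlist sections above.
BUNDLE_EXTS = ('.app', '.framework', '.lproj', '.plugin', '.kext', '.osax',
               '.bundle', '.driver', '.wdgt')
DEFAULT_EXCLUDES_LIVE = [
    '/.fseventsd', '/.DocumentRevisions-V100', '/.Spotlight-V100',
    '/Users/*/Pictures', '/Users/*/Library/Application Support/AddressBook',
    '/Users/*/Calendar', '/Users/*/Library/Calendars',
    '/Users/*/Library/Preferences/',
]
DEFAULT_EXCLUDES_FORENSIC = DEFAULT_EXCLUDES_LIVE[:3]


def effective_excludes(user_excludes=(), forensic_mode=False):
    """-E semantics: user entries are appended to the mode's defaults unless
    the first entry is 'no-defaults', in which case only the user's apply."""
    user = list(user_excludes)
    if user and user[0] == 'no-defaults':
        return user[1:]
    base = DEFAULT_EXCLUDES_FORENSIC if forensic_mode else DEFAULT_EXCLUDES_LIVE
    return base + user


def _excluded(rel, patterns):
    # Assumption: shell-style glob on the volume-relative path; a pattern also
    # covers everything beneath the directory it names.
    return any(fnmatch.fnmatchcase(rel, p) or fnmatch.fnmatchcase(rel, p + '/*')
               for p in patterns)


def _hash_file(path, algs):
    hashers = {a: hashlib.new(a) for a in algs}
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def dirlist(volume_root, excludes=(), forensic_mode=False, hash_algs=('sha256',),
            size_limit_mb=10, recurse_bundles=False):
    """Walk volume_root under the documented rules. Returns rows of
    (relative path, size or None for a skipped bundle, {alg: hexdigest} or None)."""
    patterns = [p.rstrip('/') for p in effective_excludes(excludes, forensic_mode)]
    limit = size_limit_mb * 1024 * 1024
    want_hashes = 'none' not in hash_algs
    rows = []
    for dirpath, dirnames, filenames in os.walk(volume_root):
        rel_dir = os.path.relpath(dirpath, volume_root).replace(os.sep, '/')
        rel_dir = '' if rel_dir == '.' else '/' + rel_dir
        keep = []
        for d in sorted(dirnames):
            rel = rel_dir + '/' + d
            if _excluded(rel, patterns):
                continue                         # pruned: os.walk will not descend
            if not recurse_bundles and d.lower().endswith(BUNDLE_EXTS):
                rows.append((rel, None, None))   # bundle listed, not entered (no -R)
                continue
            keep.append(d)
        dirnames[:] = keep
        for f in sorted(filenames):
            rel = rel_dir + '/' + f
            if _excluded(rel, patterns):
                continue
            full = os.path.join(dirpath, f)
            size = os.path.getsize(full)
            hashes = _hash_file(full, hash_algs) if want_hashes and size < limit else None
            rows.append((rel, size, hashes))
    return rows


def build_sample_volume():
    """Constructed throw-away tree standing in for a mounted volume."""
    root = tempfile.mkdtemp(prefix='atc-demo-')
    files = {
        'Users/alice/Documents/a.txt': b'hello',
        'Users/alice/Pictures/p.jpg': b'\xff\xd8 not a real jpeg',
        'Applications/Foo.app/Contents/MacOS/Foo': b'\xcf\xfa\xed\xfe not a real Mach-O',
        '.fseventsd/0000000000000001': b'fsevents noise',
        'tmp/big.bin': b'\x00' * (2 * 1024 * 1024),   # 2 MB, over a 1 MB -S cap
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    root = build_sample_volume()
    print('live defaults, -H sha256, -S 1:')
    for row in dirlist(root, size_limit_mb=1):
        print('  ', row)
    print('forensic mode, -E no-defaults /tmp, -R, -H sha256 md5, -S 1:')
    for row in dirlist(root, ['no-defaults', '/tmp'], True, ('sha256', 'md5'), 1, True):
        print('  ', row)
```

The first run shows what a live-system default collection will silently omit (the user's Pictures, the inside of Foo.app, the contents of big.bin's hash column); the second shows the same tree once the defaults are overridden, which is the combination to reach for when you suspect a persistence mechanism is hiding inside a bundle or under a directory the defaults skip.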

Help Menu

usage: automactc.py [-h] [-m INCLUDE_MODULES [INCLUDE_MODULES ...] | -x
                    [-i INPUTDIR] [-o OUTPUTDIR] [-p PREFIX] [-f] [-nt] [-nl]
                    [-fmt {csv,json}] [-np] [-b] [-q | -d]

AutoMacTC: an Automated macOS forensic triage collection framework.

module filter:
  -m INCLUDE_MODULES [INCLUDE_MODULES ...]
                        module(s) to use, use "all" to run all modules, space
                        separated list only
  -x MODULE [MODULE ...]
                        assumes you want to run all modules EXCEPT those
                        specified here, space separated list only
  -l, --list_modules    if flag is provided, will list available modules and
                        exit.

general arguments:
  -h, --help            show this help message and exit
  -i INPUTDIR, --inputdir INPUTDIR
                        input directory (mount dmg with script and
                        use -f to analyze mounted HFS or APFS Volume)
  -o OUTPUTDIR          output directory
  -p PREFIX, --prefix PREFIX
                        prefix to append to tarball and/or output files
  -f, --forensic_mode   if flag is provided, will analyze mounted volume
                        provided as inputdir
  -nt, --no_tarball     if flag is provided, will NOT package output files
                        into tarball
  -nl, --no_logfile     if flag is provided, will NOT generate logfile on disk
  -fmt {csv,json}, --output_format {csv,json}
                        toggle between csv and json output, defaults to csv
  -np, --no_low_priority
                        if flag is provided, will NOT run automactc with
                        highest niceness (lowest CPU priority). high niceness
                        is default
  -b, --multiprocessing
                        if flag is provided, WILL multiprocess modules
                        [WARNING: Experimental!]

console logging verbosity:
  -q, --quiet           if flag is provided, will NOT output to console at all
  -d, --debug           enable debug logging to console

specific module arguments:
  -K DIR [DIR ...]      directory inclusion filter for dirlist module,
                        defaults to volume root, space separated list only
  -E DIR [DIR ...]      directory and file exclusion filter for dirlist
                        module. defaults are specified in README. space
                        separated list only. put 'no-defaults' as first item
                        to overwrite default exclusions and then provide your
                        own exclusions
  -H DIR_HASH_ALG [DIR_HASH_ALG ...], --dir_hash_alg DIR_HASH_ALG [DIR_HASH_ALG ...]
                        either sha256 or md5 or both or none, at least one is
                        recommended, defaults to sha256. also applies to
                        autoruns module
  -S MEGABYTES          file size filter for which files to hash, in
                        megabytes, defaults to 10MB. also applies to autoruns
  -R, --dir_recurse_bundles
                        will fully recurse app bundles if flag is provided.
                        this takes much more time and space
  -NC, --dir_no_code_signatures
                        if flag is provided, will NOT check code signatures
                        for app and kext files. also applies to autoruns
  -NM, --dir_no_multithreading
                        if flag is provided, will NOT multithread the dirlist