[OS X Auditor] free Mac OS X computer forensics tool

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
  • the kernel extensions
  • the system agents and daemons
  • the third party’s agents and daemons
  • the old and deprecated system and third party’s startup items
  • the users’ agents
  • the users’ downloaded files
  • the installed applications
It extracts:
  • the users’ quarantined files
  • the users’ Safari history, downloads, topsites, HTML5 databases and localstore
  • the users’ Firefox cookies, downloads, formhistory, permissions, places and signons
  • the users’ Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users’ social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on:
  • Team Cymru’s MHR
  • VirusTotal
  • Malware.lu
  • your own local database
It can aggregate all logs from the following directories into a zipball:
  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user’s ~/Library/logs
Finally, the results can be:
  • rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
  • rendered as a HTML log file
  • sent to a Syslog server

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s