Tool of the Day: OS X Auditor a Mac OS X Forensic Tool

Home » Tool of the Day: OS X Auditor a Mac OS X Forensic Tool

Tool of the Day: OS X Auditor a Mac OS X Forensic Tool

OS X Auditor - Forensic Tool

The following artifacts on the running system or a copy of a system you want to analyze which are parses and hashes by OSX Auditor:
The kernel extensions
The system agents and daemons
The third party’s agents and daemons
The old and deprecated system and third party’s startup items
The users’ agents
The users’ downloaded files
The installed applications

It extracts:
The users’ quarantined files
The users’ Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
The users’ Firefox cookies, downloads, formhistory, permissions, places and signons
The users’ Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
The users’ social and email accounts
The WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on:
Team Cymru’s MHR
your own local database

It can aggregate all logs from the following directories into a zipball:
/var/log (-> /private/var/log)
the user’s ~/Library/logs

Finally, the results can be:
rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
rendered as a HTML log file
sent to a Syslog server

How to install
Just copy all files from GitHub.
If you plan to run OS X Auditor on a Mac, you will get a full plist parsing support with the OS X Foundation through pyobjc:
pip install pyobjc

If you can’t install pyobjc or if you plan to run OS X Auditor on another OS than Mac OS X, you may experience some troubles with the plist parsing:
pip install biplist
pip install plist

These dependencies will be removed when a working native plist module will be available in python
How to run
OS X Auditor runs well with python >= 2.7.2 (2.7.9 is OK). It does not run with a different version of python yet (due to the plist nightmare).
OS X Auditor is maintained to work on the lastest OS X version. It will do its best on older OS X versions.
You must run it as root (or via sudo) if you want to use is on a running system, otherwise it won’t be able to access some system and other users’ files.
If you’re using API keys from environment variables (see below), you need to use the sudo -E to use the users environment variables.

Type -h to get all the available options, then run it with the selected options

eg. [sudo -E] python -a -m -l localhashes.db -H log.html

Author of the Tool
Jean-Philippe Teissier – @Jipe_ & al.

Download OS X Auditor

Tool of the Day: OS X Auditor a Mac OS X Forensic Tool Click To Tweet

READ  What is Kodi? and What you need to know about it
Email This Post Email This Post
By | 2017-11-14T12:10:30+00:00 October 26th, 2017|Blog Posts|Comments Off on Tool of the Day: OS X Auditor a Mac OS X Forensic Tool

About the Author: