Many of you may be familiar with Yogesh Khatri’s revolutionary digital forensics tool, mac_apt. His tool does wonders by parsing macOS image files and outputting valuable artifact data. However, it is very easy for your forensic answers to be lost in the vast amount of information mac_apt provides. A small team comprised of Zach Burnham (@zmbf0r3ns1cs), Ben Estes, and me has recently developed a solution by introducing the complementary command line tool mac_int.
What is it?
In simpler terms, mac_int helps automate the forensic review process! It takes the SQL database file that mac_apt outputs, interprets it automatically, and presents it in a friendly format. You will no longer have to look through the various tables and data by hand. Instead, mac_int finds your evidence data for you, interprets what that data means, and gives it back to you as an interactive HTML file or as text file(s).
How to use:
Head over to https://github.com/zmbf0r3ns1cs/mac_int to download this open source tool! mac_int is cross-platform, so it will work on Windows, Linux, and Mac; however, you will need Python version 3.7.3 to be installed.
Step 1 mac_apt: Download and run the mac_apt tool against a macOS forensic image, being sure to set the output to an SQL database.
Step 2 mac_int: Launch mac_int.py in the command line and view the help file with “mac_int.py -h”.
Step 3 command: Input your command
Step 4 output: If you specified an HTML output, launch the HTML file; otherwise your interpreted data will reside in the various text files within your output directory.
Find more specifics on how to run mac_int with different operating systems on our github page!
How does it work?
A large amount of time was dedicated to reviewing both the forensic artifacts that reside on macOS and the SQL output of mac_apt. From that review, numerous interpretation rules were crafted which allow evidence data to be fed in, compared, and interpreted on the fly!
mac_int is comprised of multiple modules, each responsible for various logical operations. These modules can do things like display a user’s downloads, internet search activity, volume history, bash sessions, and so on.
Traveling from left to right in the code architecture diagram above, the user interacts directly with mac_int.py through the command line. An output directory, input database file, requested modules, and username are supplied here. An example command:
mac_int.py /Users/zachburnham/Desktop/Capstone/Mac_apt_Output/mac_apt02.db justin.boncaldo -a --html
Each module will then perform its operations individually. First, each module sends a conditioned query request to the mac_apt SQL database output file (yellow), from which it receives a query response. Then, internal logic is applied to the retrieved values and a text file is written to the output directory. If the --html switch is given on the command line, an HTML file will also be produced within the output directory. From there, you can view the interactive output.
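To make that query-interpret-write flow concrete, here is a minimal module written for this post in the same spirit. It is added example code, not mac_int's or mac_apt's own; the Downloads table, its columns, and the rows are a constructed stand-in and do not reflect mac_apt's real schema. It also shows one caveat a report writer should keep in mind: filenames and URLs pulled from evidence are untrusted, so they are escaped before being placed in the HTML.

```python
import html
import sqlite3

# Constructed sample data in a hypothetical schema (NOT mac_apt's real table layout).
SAMPLE_ROWS = [
    ("justin.boncaldo", "/Users/justin.boncaldo/Downloads/report.pdf",
     "https://intranet.example/report.pdf", "2019-05-01 10:02:11"),
    ("justin.boncaldo", "/Users/justin.boncaldo/Downloads/installer.dmg",
     "http://files.example.net/installer.dmg", "2019-05-02 08:15:40"),
    ("justin.boncaldo", "/Users/justin.boncaldo/Downloads/x<y>.txt",
     "https://share.example/x", "2019-05-03 12:00:00"),
    ("otheruser", "/Users/otheruser/Downloads/notes.txt",
     "https://docs.example/notes.txt", "2019-05-02 09:00:00"),
]

def build_sample_db():
    """Stand-in for the mac_apt SQLite output file, built in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Downloads(User TEXT, Path TEXT, URL TEXT, Date TEXT)")
    conn.executemany("INSERT INTO Downloads VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def downloads_module(conn, username):
    """Query step: a parameterized query scoped to the targeted user."""
    rows = conn.execute(
        "SELECT Path, URL, Date FROM Downloads WHERE User = ? ORDER BY Date",
        (username,),
    ).fetchall()
    # Interpretation step: turn raw columns into what an examiner actually reads.
    findings = []
    for path, url, date in rows:
        scheme, _, rest = url.partition("://")
        findings.append({
            "when": date,
            "file": path.rsplit("/", 1)[-1],
            "source_host": rest.split("/", 1)[0],
            "note": "retrieved over plaintext HTTP" if scheme == "http" else "",
        })
    return findings

def write_text(findings, out_path):
    """Output step: one line per finding in the text report."""
    with open(out_path, "w") as fh:
        for f in findings:
            fh.write(f"{f['when']}  {f['file']}  from {f['source_host']}  {f['note']}".rstrip() + "\n")

def render_html(findings):
    """Optional HTML output; html.escape keeps evidence strings from becoming markup."""
    head = "<tr><th>Date</th><th>File</th><th>Host</th><th>Note</th></tr>"
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(v)}</td>" for v in f.values()) + "</tr>"
        for f in findings
    )
    return f"<table>{head}{body}</table>"
```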
An internet connection is not required to view mac_int's HTML output! Once opened, you will be greeted by a system overview panel on the left-hand side. This displays information about the system such as your targeted username, the model and OS version, the last user to log on to the system, etc. Along the top-center of the screen you will see numerous tabs. Clicking on them reveals the populated data that has been interpreted from mac_apt’s SQL database.
Thank you for reading, and we hope you enjoy the first version of our tool!
Here are some screenshots of html output examples: