OS X Auditor is a free Mac OS X computer forensics tool. It parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
- the kernel extensions
- the system agents and daemons
- the third party’s agents and daemons
- the old and deprecated system and third party’s startup items
- the users’ agents
- the users’ downloaded files
- the installed applications
It is capable of extracting the following:
- the users’ quarantined files
- the users’ Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
- the users’ Firefox cookies, downloads, form history, permissions, places, and signons
- the users’ Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
- the users’ social and email accounts
- the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist themselves.
OS X Auditor can also verify the reputation of each file on:
- Team Cymru’s MHR
- VirusTotal
- your own local database
It can aggregate all logs from the following directories into a zipball:
- /var/log (-> /private/var/log)
- /Library/logs
- the user’s ~/Library/logs
And, the results can be rendered as a simple txt log file, or as an HTML log file, or sent to a Syslog server.
Note: It requires Python 2.7.2 (2.7.9 is OK).
