[OS X Auditor] free Mac OS X computer forensics tool

ID KITPLOIT:7272177765507328338
Type kitploit
Reporter KitPloit
Modified 2013-09-17T02:06:36


OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

  • the kernel extensions
  • the system agents and daemons
  • the third party's agents and daemons
  • the old and deprecated system and third party's startup items
  • the users' agents
  • the users' downloaded files
  • the installed applications

It extracts:

  • the users' quarantined files
  • the users' Safari history, downloads, topsites, HTML5 databases and localstore
  • the users' Firefox cookies, downloads, formhistory, permissions, places and signons
  • the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:

  • Team Cymru's MHR
  • VirusTotal
  • Malware.lu
  • your own local database

It can aggregate all logs from the following directories into a zipball:

  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user's ~/Library/logs

Finally, the results can be:

  • rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
  • rendered as a HTML log file
  • sent to a Syslog server

Download OS X Auditor