-
Sarah Edwards (@iamevltwin)
-
Unified Log
-
Persistence
-
Endpoint Security Framework (ESF)
-
Kinga Kieczkowska (@kieczkowska)
- Notification Center Forensics
- Air Drop Forensics
-
Tooling
-
Books
Last active
November 27, 2024 02:37
-
-
Save 0xmachos/6e8b813cffc2035914606bd4cda491d2 to your computer and use it in GitHub Desktop.
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
DSStoreParser (Fixed a bug)
https://github.com/mnrkbys/DSStoreParser/tree/fix_bug_non-ascii
If the Mac computer that you are going to investigate is not shutdown yet, you should collect live information.
TrueTree
https://themittenmac.com/the-truetree-concept/
It can get "true" process tree.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some blogs for mac forensic artifacts
https://www.swiftforensics.com/search?q=macos
More tools
https://github.com/mnrkbys/macosac
Specific artifact parsers
APFS 010 Template for research
https://github.com/ydkhatri/APFS_010
UnifiedLog format
https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Spotlight%20store%20database%20file%20format.asciidoc