Reads the QuickLook index.sqlite and carves thumbnails from thumbnails.data Parses CUPS spooled print jobs to get information about files/commands sent to a printer Reads mac notification data for each user Interfaces, last IP address, MAC address, DHCP. Read network usage data statistics per application Reads Word, Excel, Powerpoint and other office MRU/accessed file paths Retrieve configured internet accounts (iCloud, Google, Linkedin, facebook.) Reads and exports connected iDevice details Reads and exports iPhone/iPad backup databases cookies files and ist for each userĪctive Directory Domain(s) that the mac is connected to Read Chrome History, Top Sites, Downloads and Extension info Retrieves programs, daemons, services set to start at boot/loginīasic machine & OS configuration like SN, timezone, computer name, last logged in user, HFS info
Reads ARD (Apple Remote Desktop) cached databases about app usage Reads apps & printers installed and/or available for each user from appList.dat ✔️ AFF4 images (including macquisition created) are supported Available Plugins (artifacts parsed) ✔️ macOS Catalina (10.15+) separately mounted SYSTEM & DATA volumes now supported ✔️ Encrypted 🔒 APFS images can now be processed using password/recovery-key 🔑 ✔️ Introducing ios_apt for processing iOS/ipadOS images ✔️ Support for macOS Big Sur Sealed volumes (11.0) ✔️ ios_apt can read GrayKey extracted file system ✔️ Can read Axiom created targeted collection zip files Reads the Spotlight database and Unified Logging (tracev3) files.zlib, lzvn, lzfse compressed files are supported!.Analyzed files/artifacts are exported for later review.Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression), SPARSEIMAGE & mounted images.Cross platform (no dependency on pyobjc).Requirements: Python 3.7 or above (32/64 bit) Features
Mac_apt now also includes ios_apt, for processing ios images. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes. Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images ( or live machines) and extract data/metadata useful for forensic investigation. Mac_apt - macOS (and iOS) Artifact Parsing Tool
0 kommentar(er)
