AutoMacTC : Automated Mac Forensic Triage Collector

AutoMacTC is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis.

The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or dead disk (as a mounted volume.)

Requirements

  • Python 2.7 (Mac systems ship natively with Python 2.7. Python 3 support will be included in a future update)
  • MacOS target systems, for live collection (successfully tested on macOS major releases 10.11 through 10.14)
  • MacOS analysis systems, for triage against a mounted disk image

Also Read – RBuster : Yet Another Dirbuster

Basic Usage

At its simplest, you can run automactc with the following invocation. Note: automactc requires sudo privileges to run, and should be called specifically from /usr/bin/python2.7 to ensure full functionality.

sudo /usr/bin/python2.7 automactc.py -m all

This will run all modules (-m) with default settings, i.e. – default input directory will be /, or the root of the current volume – default output directory will be ./, or the working directory from which automactc is run (NOT the location of the script) – default prefix for output filenames will be automactc-output – default behavior is to populate a runtime.log for debugging and info – default format for individual artifacts output files is CSV – default CPU priority is set to low – default behavior on completion is to compress all output files to tar.gz

In order to list all available modules and do nothing else, simply run:

automactc.py -l

The inputdir and outputdir can be specified with the -i and -o flags, respectively.

automactc.py -i / -o /automactc_output -m all

Modules can be specified for inclusion or exclusion on a per-module basis. In other words, you can INCLUDE specific modules, such as pslist, bash, and profiler:

automactc.py -m pslist bash profiler

Or, you can exclude specific modules, to run all EXCEPT those specified, such as dirlist and autoruns:

automactc.py -x dirlist autoruns

Output Control

For every module, automactc will generate an output file and populate it with data. The output file format defaults to CSV, but can be toggled to JSON with the -fmt flag. It is not currently possible to specify output format on a per-module basis.

automactc.py -m all -fmt json

Upon successfully populating the output file with data, the file is rolled into a .tar archive that is generated when automactc completes its first module. Upon completion of the last module, automactc will GZIP the .tar archive to .tar.gz.

The name of the tar archive follows the following naming convention:

prefix,hostname,ip,automactc_runtime.tar

The first field, prefix, can be specified at runtime with -p. If unspecified, the prefix is set to automactc-output. The other fields are populated from data gathered at runtime. This is useful when running automactc on several systems for a single incident.

automactc.py -m all -p granny-smith

While the default behavior is to generate a tarball, use of the -nt flag will prevent the creation of a tar archive and will leave the output files as-is in the output directory.

automactc.py -m all -p granny-smith -nt

Current Modules

– pslist (current process list at time of automactc run)
– lsof (current file handles open at time of automactc run)
– netstat (current network connections at time of automactc run)
– asl (parsed Apple System Log (.asl) files)
– autoruns (parsing of various persistence locations and plists)
– bash (parsing bash/.*_history files for all users)
– chrome (parsing chrome visit history and download history)
– coreanalytics (parsing program execution evidence produced by Apple diagnostics)
– dirlist (list hof files and directories across the disk)
– firefox (parsing firefox visit history and download history)
– installhistory (parsing program installation history)
– mru (parsing SFL and MRU plist files)
– quarantines (parsing QuarantineEventsV2 database)
– quicklook (parsing Quicklooks database)
– safari (parsing safari visit history and download history)
– spotlight (parsing user spotlight top searches)
– ssh (parsing known_hosts and authorized_keys files for each user)
syslog (parsing system.log files)
– systeminfo (basic system identification, such as current IP address, serial no, hostname)
– terminalstate (parsing Terminal savedState files)
– users (listing present and deleted users on the system)
– utmpx (listing user sessions on terminals)

Advanced usage

By default, automactc populates verbose debug logging into a file named prefix,hostname,ip,runtime.log. You can disable the generation of this log with:

automactc.py -m all -nl

By default, automactc will print the INFO and ERROR log messages to the console. To run automactc in quiet mode and write NO messages to the console, use -q. INFO messages include program startup messages, one message per module start, and completion/cleanup messages.

automactc.py -m all -q

To print DEBUG messages to the console along with INFO and ERROR messages, use the -d flag.

automactc.py -m all -d

Automactc runs with the lowest CPU priority (niceness) possible by default. It is possible to disable niceness and run at a normal priority with the -r flag.

automactc.py -m all -r

Automactc can also be run against a dead disk, if the disk is mounted as a volume on the analysis system. Once mounted, run automactc with the appropriate inputdir (pointing to the Volume mount point) and -f to toggle forensic mode ON.

NOTE: for a live system, if you wish to collect dirlist on mounted peripheral devices, you can use -f with -i /, else dirlist will not recurse further into mounted /Volumes.

automactc.py -i /Volumes/mounted_IMAGE/ -o /path/to/output -f -m all

Dirlist Arguments

Directory Inclusion/Exclusion

It is possible to limit dirlist recursion to specific directories with the -K flag. By default, dirlist will attempt to recurse from the root of the inputdir volume unless otherwise specified with this flag. Multiple directories can be specified in a space separated list.

automactc.py -m dirlist -K /Users/ /Applications/ /tmp

It is also possible to exclude specific directories from dirlist recursion with the -E flag.

automactc.py -m dirlist -E /path/to/KnownDevDirectory

By default, the following directories and file are excluded on live systems:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)
/Users/*/Pictures (to avoid permissions errors)
/Users/*/Library/Application Support/AddressBook (to avoid permissions errors)
/Users/*/Calendar (to avoid permissions errors)
/Users/*/Library/Calendars (to avoid permissions errors) /Users/*/Library/Preferences/com.apple.AddressBook.plist (to avoid permissions errors)

By default, the following directories are excluded when running forensic mode against a mounted image:

/.fseventsd (to reduce output verbosity)
/.DocumentRevisions-V100 (to reduce output verbosity)
/.Spotlight-V100 (to reduce output verbosity)

Any additional directories to exclude will be appended to this default list, unless you provide the -E no-defaults argument first, in which case only your specified directories will be excluded.

automactc.py -m dirlist -E no-defaults /path/to/KnownDevDirectory

Hashing

The hashing arguments below can be used for BOTH dirlist and the autoruns modules.

By default, the dirlist module will hash files only with the sha256 algorithm. If you wish to use both the SHA256 and MD5 algorithms, use -H sha256 md5. If you wish to use only md5, use -H md5. If you wish to use neither, use -H none. NOTE: If you run the dirlist module against a dead disk with hashing enabled, this currently takes a LONG time to run.

automactc.py -m dirlist -H sha256 md5

By default, the dirlist module will only hash files with sizes under 10mb. To override this setting and hash files under a different size threshold, the threshold can be changed with the -S flag in number of megabytes. NOTE: increasing the size threshold will likely increase the amount of time it takes to run the dirlist module. For example, to hash files up to 15MB:

automactc.py -m dirlist -S 15

Bundles, Signatures, Multithreading

By default, the dirlist module will NOT recurse into bundle directories, including the following:

‘.app’, ‘.framework’,’.lproj’,’.plugin’,’.kext’,’.osax’,’.bundle’,’.driver’,’.wdgt’

To override this setting, use the -R flag. NOTE: this produces a far higher volume of output and takes significantly more time. These bundle directories will be configurable in a future update.

By default, the dirlist module will check codesignatures for all .app, .kext, and .osax files found. To prevent the dirlist module from checking any code signatures, use the -NC flag. This argument can be used for BOTH dirlist and the autoruns modules.

automactc.py -m dirlist -NC

By default, the dirlist module has been multithreaded to increase processing speed. Multithreading can be disabled with the -NM flag.

automactc.py -m dirlist -NM

Help Menu

usage: automactc.py [-m INCLUDE_MODULES [INCLUDE_MODULES …] | -x
EXCLUDE_MODULES [EXCLUDE_MODULES …] | -l] [-h]
[-i INPUTDIR] [-o OUTPUTDIR] [-p PREFIX] [-f] [-nt] [-nl]
[-fmt {csv,json}] [-np] [-b] [-q | -d]
[-K DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS …]]
[-E DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS …]]
[-H DIR_HASH_ALG [DIR_HASH_ALG …]]
[-S DIR_HASH_SIZE_LIMIT] [-R] [-NC] [-NM]
AutoMacTC: an Automated macOS forensic triage collection framework.
module filter:
-m INCLUDE_MODULES [INCLUDE_MODULES …], –include_modules INCLUDE_MODULES [INCLUDE_MODULES …]
module(s) to use, use “all” to run all modules, space
separated list only
-x EXCLUDE_MODULES [EXCLUDE_MODULES …], –exclude_modules EXCLUDE_MODULES [EXCLUDE_MODULES …]
assumes you want to run all modules EXCEPT those
specified here, space separated list only
-l, –list_modules if flag is provided, will list available modules and
exit.
general arguments:
-h, –help show this help message and exit
-i INPUTDIR, –inputdir INPUTDIR
input directory (mount dmg with mountdmg.sh script and
use -f to analyze mounted HFS or APFS Volume)
-o OUTPUTDIR, –outputdir OUTPUTDIR
output directory
-p PREFIX, –prefix PREFIX
prefix to append to tarball and/or output files
-f, –forensic_mode if flag is provided, will analyze mounted volume
provided as inputdir
-nt, –no_tarball if flag is provided, will NOT package output files
into tarball
-nl, –no_logfile if flag is provided, will NOT generate logfile on disk
-fmt {csv,json}, –output_format {csv,json}
toggle between csv and json output, defaults to csv
-np, –no_low_priority
if flag is provided, will NOT run automactc with
highest niceness (lowest CPU priority). high niceness
is default
-b, –multiprocessing
if flag is provided, WILL multiprocess modules
[WARNING: Experimental!]
console logging verbosity:
-q, –quiet if flag is provided, will NOT output to console at all
-d, –debug enable debug logging to console
specific module arguments:
-K DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS …], –dir_include_dirs DIR_INCLUDE_DIRS [DIR_INCLUDE_DIRS …]
directory inclusion filter for dirlist module,
defaults to volume root, space separated list only
-E DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS …], –dir_exclude_dirs DIR_EXCLUDE_DIRS [DIR_EXCLUDE_DIRS …]
directory and file exclusion filter for dirlist
module. defaults are specified in README. space
separated list only. put ‘no-defaults’ as first item
to overwrite default exclusions and then provide your
own exclusions
-H DIR_HASH_ALG [DIR_HASH_ALG …], –dir_hash_alg DIR_HASH_ALG [DIR_HASH_ALG …]
either sha256 or md5 or both or none, at least one is
recommended, defaults to sha256. also applies to
autoruns module
-S DIR_HASH_SIZE_LIMIT, –dir_hash_size_limit DIR_HASH_SIZE_LIMIT
file size filter for which files to hash, in
megabytes, defaults to 10MB. also applies to autoruns
module
-R, –dir_recurse_bundles
will fully recurse app bundles if flag is provided.
this takes much more time and space
-NC, –dir_no_code_signatures
if flag is provided, will NOT check code signatures
for app and kext files. also applies to autoruns
module
-NM, –dir_no_multithreading
if flag is provided, will NOT multithread the dirlist
module

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago