Kali Linux

Ma2Tl : macOS Forensic Timeline Generator Using The Analysis Result DBs Of Mac_Apt

Ma2Tl is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt.

Requirements

  • Python 3.7.0 or later
  • pytz
  • tzlocal
  • xlsxwriter

Installation

% git clone https://github.com/mnrkbys/ma2tl.git

Usage

% python ./ma2tl.py -h
usage: ma2tl.py [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin …]
Forensic timeline generator using mac_apt analysis results. Supports only SQLite DBs.
positional arguments:
plugin Plugins to run (space separated).
optional arguments:
-h, –help show this help message and exit
-i INPUT, –input INPUT
Path to a folder that contains mac_apt DBs.
-o OUTPUT, –output OUTPUT
Path to a folder to save ma2tl result.
-ot OUTPUT_TYPE, –output_type OUTPUT_TYPE
Specify the output file type: SQLITE, XLSX, TSV (Default: SQLITE)
-s START, –start START
Specify start timestamp. (ex. 2021-11-05 08:30:00)
-e END, –end END Specify end timestamp.
-t TIMEZONE, –timezone TIMEZONE
Specify Timezone: “UTC”, “Asia/Tokyo”, “US/Eastern”, etc (Default: System Local Timezone)
-l LOG_LEVEL, –log_level LOG_LEVEL
Specify log level: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default: INFO)
The following 4 plugins are available:
FILE_DOWNLOAD Extract file download activities.
PERSISTENCE Extract persistence settings.
PROG_EXEC Extract program execution activities.
VOLUME_MOUNT Extract volume mount/unmount activities.
—————————————————————————-
ALL Run all plugins

Generated timeline example

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago