Ma2Tl is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt.
% git clone https://github.com/mnrkbys/ma2tl.git
% python ./ma2tl.py -h
usage: ma2tl.py [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin …]
Forensic timeline generator using mac_apt analysis results. Supports only SQLite DBs.
positional arguments:
plugin Plugins to run (space separated).
optional arguments:
-h, –help show this help message and exit
-i INPUT, –input INPUT
Path to a folder that contains mac_apt DBs.
-o OUTPUT, –output OUTPUT
Path to a folder to save ma2tl result.
-ot OUTPUT_TYPE, –output_type OUTPUT_TYPE
Specify the output file type: SQLITE, XLSX, TSV (Default: SQLITE)
-s START, –start START
Specify start timestamp. (ex. 2021-11-05 08:30:00)
-e END, –end END Specify end timestamp.
-t TIMEZONE, –timezone TIMEZONE
Specify Timezone: “UTC”, “Asia/Tokyo”, “US/Eastern”, etc (Default: System Local Timezone)
-l LOG_LEVEL, –log_level LOG_LEVEL
Specify log level: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default: INFO)
The following 4 plugins are available:
FILE_DOWNLOAD Extract file download activities.
PERSISTENCE Extract persistence settings.
PROG_EXEC Extract program execution activities.
VOLUME_MOUNT Extract volume mount/unmount activities.
—————————————————————————-
ALL Run all plugins
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…