Home - jjarava/mac-osx-forensics GitHub Wiki

Python scripts to check some Mac OS X files.

  • asl.py: Apple System Log parsers (/private/var/log/asl).
  • bsm.py: Basic Security Module (/private/var/audit/).
  • kcpass.py: Decrypts the password stored in "/etc/kcpassword" when autologin session is enabled.
  • utmpx.py: UTMPX session file (/private/var/run/utmpx).
  • cups_ipp.py: CUPS IPP Control files parser.
  • plist_artifacts.py: Parses a group of Plist files that contain timestamp values.
  • plist_user.py: Mac OS X 10.8 and 10.9 users configuration.
  • mac_recent.py: The last opened files, with the partial bookmark parsed.

Important

Please remember that most of these scripts are going to be developed properly in the PLASO project (http://plaso.kiddaland.net/).
They are only a proof of concept!

RHUL M.Sc. Information Security dissertation project. Author: Joaquin Moreno Garijo