[addtool] OSXAuditor

[gwen001]

[tags]forensic,ios[/tags] [short_descr]Free Mac OS X computer forensics tool.[/short_descr] [link] https://github.com/jipegit/OSXAuditor [/link] [long_descr] OS X Auditor is a free Mac OS X computer forensics tool.

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

• the kernel extensions
• the system agents and daemons
• the third party's agents and daemons
• the old and deprecated system and third party's startup items
• the users' agents
• the users' downloaded files
• the installed applications

It extracts:

• the users' quarantined files
• the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
• the users' Firefox cookies, downloads, formhistory, permissions, places and signons
• the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
• the users' social and email accounts
• the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:

• Team Cymru's MHR
• VirusTotal
• your own local database

It can aggregate all logs from the following directories into a zipball:

• /var/log (-> /private/var/log)
• /Library/logs
• the user's ~/Library/logs

Finally, the results can be:

• rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
• rendered as a HTML log file
• sent to a Syslog server [/long_descr] [image] https://raw.githubusercontent.com/gwen001/offsectools_www/main/tmp/9bf16c3c2245560e7e1d073bc664866d.png [/image]

[gwen001]

Issue correctly handled, tool is waiting for human validation.

[gwen001]

Tool has been accepted by the team: https://offsec.tools/tool/osxauditor

Thank you for your contribution!