OSXCollector - A forensic evidence collection & analysis toolkit for OS X.

OSXCollector Manual

OSXCollector is a forensic evidence collection & analysis toolkit for OSX.

Forensic Collection

The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases and the local file system.

Forensic Analysis

Armed with the forensic collection, an analyst can answer questions like:
  • Is this machine infected?
  • How'd that malware get there?
  • How can I prevent and detect further infection?
Yelp automates the analysis of most OSXCollector runs converting its output into an easily readable and actionable summary of just the suspicious stuff. Check out OSXCollector Output Filters project to learn how to make the most of the automated OSXCollector output analysis.

Performing Collection

osxcollector.py is a single Python file that runs without any dependencies on a standard OSX machine. This makes it really easy to run collection on any machine - no fussing with brew, pip, config files, or environment variables. Just copy the single file onto the machine and run it:
sudo osxcollector.py is all it takes.
$ sudo osxcollector.py
Wrote 35394 lines.
Output in osxcollect-2014_12_21-08_49_39.tar.gz
If you have just cloned the GitHub repository, osxcollector.py is inside the osxcollector/ directory, so you need to run it as:
$ sudo osxcollector/osxcollector.py
IMPORTANT: please make sure that the python command on your Mac OS X machine uses the default Python interpreter shipped with the system and is not overridden, e.g. by a Python version installed through brew. OSXCollector relies on a couple of native Python bindings for OS X libraries, which might not be available in Python versions other than the one originally installed on your system. Alternatively, you can run osxcollector.py while explicitly specifying the Python interpreter you would like to use:
$ sudo /usr/bin/python2.7 osxcollector/osxcollector.py
The JSON output of the collector, along with some helpful files like system logs, has been bundled into a .tar.gz for hand-off to an analyst.
osxcollector.py also has a lot of useful options to change how collection works:
  • -i INCIDENT_PREFIX/--id=INCIDENT_PREFIX: Sets an identifier which is used as the prefix of the output file. The default value is osxcollect.
    $ sudo osxcollector.py -i IncontinentSealord
    Wrote 35394 lines.
    Output in IncontinentSealord-2014_12_21-08_49_39.tar.gz
    Get creative with incident names, it makes it easier to laugh through the pain.
  • -p ROOTPATH/--path=ROOTPATH: Sets the path to the root of the filesystem to run collection on. The default value is /. This is great for running collection on the image of a disk.
    $ sudo osxcollector.py -p '/mnt/powned'
  • -s SECTION/--section=SECTION: Runs only a portion of the full collection. Can be specified more than once. The full list of sections and subsections is:
    • version
    • system_info
    • kext
    • startup
      • launch_agents
      • scripting_additions
      • startup_items
      • login_items
    • applications
      • applications
      • install_history
    • quarantines
    • downloads
      • downloads
      • email_downloads
      • old_email_downloads
    • chrome
      • history
      • archived_history
      • cookies
      • login_data
      • top_sites
      • web_data
      • databases
      • local_storage
      • preferences
    • firefox
      • cookies
      • downloads
      • formhistory
      • history
      • signons
      • permissions
      • addons
      • extension
      • content_prefs
      • health_report
      • webapps_store
      • json_files
    • safari
      • downloads
      • history
      • extensions
      • databases
      • localstorage
      • extension_files
    • accounts
      • system_admins
      • system_users
      • social_accounts
      • recent_items
    • mail
    • full_hash
    $ sudo osxcollector.py -s 'startup' -s 'downloads'
  • -c/--collect-cookies: Collect cookie values. By default OSXCollector does not dump the value of a cookie, as it may contain sensitive information (e.g. a session id).
  • -l/--collect-local-storage: Collect the values stored in web browsers' local storage. By default OSXCollector does not dump the values as they may contain sensitive information.
  • -d/--debug: Enables verbose output and Python breakpoints. If something is wrong with OSXCollector, try this.
    $ sudo osxcollector.py -d
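Once the .tar.gz is handed off, the analysis side starts by reading the collector's JSON. The script below is an added example, not part of the OSXCollector project: it assumes the output is one JSON object per line, each tagged with osxcollector_section / osxcollector_subsection (and, for startup plists, an osxcollector_plist_path key; those three keys and the sample records are constructed assumptions), counts records per section using the same names as the -s option, and lists startup entries whose executable lives outside the system paths, which is the first place to look when answering "how'd that malware get there?".

```python
import json
from collections import Counter

# Constructed sample of line-delimited collector output (not real data).
# Label / Program / ProgramArguments are standard launchd plist keys;
# the osxcollector_* keys are the record-tagging shape assumed here.
SAMPLE_OUTPUT = """\
{"osxcollector_incident_id": "IncontinentSealord-2014_12_21-08_49_39", "osxcollector_section": "version", "osxcollector_version": "1.0"}
{"osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "osxcollector_plist_path": "/Library/LaunchAgents/com.example.updater.plist", "Label": "com.example.updater", "ProgramArguments": ["/Users/alice/.hidden/updater", "--quiet"]}
{"osxcollector_section": "startup", "osxcollector_subsection": "launch_agents", "osxcollector_plist_path": "/System/Library/LaunchAgents/com.apple.Finder.plist", "Label": "com.apple.Finder", "Program": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}
{"osxcollector_section": "quarantines", "LSQuarantineDataURLString": "http://example.invalid/setup.dmg", "LSQuarantineAgentName": "Safari"}
{"osxcollector_section": "downloads", "osxcollector_subsection": "downloads", "file_path": "/Users/alice/Downloads/setup.dmg"}
"""

# Executable locations an analyst would normally treat as part of the OS
# or of installed applications; everything else deserves a closer look.
TRUSTED_PREFIXES = ('/System/', '/usr/', '/Applications/')


def parse_records(text):
    """Return one dict per non-empty line, skipping lines that are not JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue  # a truncated or non-JSON line should not abort triage
    return records


def section_counts(records):
    """Count records per (section, subsection); keys match the -s option names."""
    return Counter((r.get('osxcollector_section'), r.get('osxcollector_subsection'))
                   for r in records)


def untrusted_launch_items(records):
    """Startup entries whose program is outside TRUSTED_PREFIXES.

    Returns (Label, program path, plist path) tuples for persistence review.
    """
    hits = []
    for r in records:
        if r.get('osxcollector_section') != 'startup':
            continue
        program = r.get('Program') or (r.get('ProgramArguments') or [None])[0]
        if program and not program.startswith(TRUSTED_PREFIXES):
            hits.append((r.get('Label'), program, r.get('osxcollector_plist_path')))
    return hits
```

Point parse_records at the decoded JSON file from the tarball to run it against a real collection; the section names it reports are the same ones you can pass back to -s for a narrower re-collection.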
