SFL Mac OS



Our digital forensics lab receives Mac computers for examination more and more often. There are some powerful forensic suites for OS X analysis, but there are also many very useful open source tools and scripts. One such script is MacMRU-Parser.


MacMRU-Parser is a Python script written by Sarah Edwards and is available for download from her GitHub. The script can parse both the new SFL-based MRU files and the 'older' format plists used in OS X 10.10 and older.

The script should be run on a directory: either a directory of extracted files or, for example, a user directory from a mounted image.


According to Sarah's blog, the script parses the following files:

  • /Users/<username>/Library/Preferences/<bundle_id>.LSSharedFileList.plist
  • /Users/<username>/Library/Preferences/com.apple.finder.plist
  • [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl
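Before running the parser it helps to know which of these artifacts actually exist in the evidence directory. The following is an added example, not part of macMRU.py or the original post: the labels, the function names and the constructed sample tree are assumptions, and it only reads directory listings.

```python
import fnmatch
import os
import sys
import tempfile

PREFS = "Library/Preferences"
SFL = "Application Support/com.apple.sharedfilelist"
MRU_ARTIFACTS = [  # (label, file-name pattern, parent-directory suffix)
    ("per-app MRU plist", "*.LSSharedFileList.plist", PREFS),
    ("Finder plist", "com.apple.finder.plist", PREFS),
    ("recent items plist (10.10-)", "com.apple.recentitems.plist", PREFS),
    ("per-app SFL (10.11+)", "*.sfl",
     SFL + "/com.apple.LSSharedFileList.ApplicationRecentDocuments"),
] + [(n + ".sfl (10.11+)", n + ".sfl", SFL) for n in (
    "RecentApplications", "RecentDocuments", "RecentServers", "RecentHosts")]

# Constructed sample layout (empty files); the last entry is a decoy.
SAMPLE = [
    PREFS + "/com.apple.finder.plist",
    PREFS + "/com.apple.TextEdit.LSSharedFileList.plist",
    "Library/" + SFL + "/RecentDocuments.sfl",
    "Library/" + MRU_ARTIFACTS[3][2] + "/com.apple.textedit.sfl",
    "Documents/notes.sfl",
]

def inventory_mru(root):
    """Return sorted (label, relative path) pairs for MRU files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = "/" + dirpath.replace(os.sep, "/")
        for name in files:
            for label, pattern, suffix in MRU_ARTIFACTS:
                if parent.endswith("/" + suffix) and fnmatch.fnmatchcase(name, pattern):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.append((label, rel.replace(os.sep, "/")))
                    break
    return sorted(hits)

def demo_inventory():
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return inventory_mru(root)

if __name__ == "__main__":
    hits = inventory_mru(sys.argv[1]) if len(sys.argv) > 1 else demo_inventory()
    for label, rel in hits:
        print("%-32s %s" % (label, rel))
```

Pass the mounted user directory as the only argument; with no argument it runs against the constructed sample tree.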

In this example we are going to use this script in a Windows environment. Don't forget to install Python before trying to use it!

OK, the first problem: how do you make a Windows system mount an HFS+ partition? There is a solution! First, mount the whole drive with, for example, FTK Imager (read-only, of course). Then you can use Paragon HFS+ for Windows to access the partitions. Now you can browse an HFS+ partition like a regular NTFS partition.

The script we are going to use has two dependencies: hexdump.py and ccl_bplist.py. Just download both and put them in the same directory as macMRU.py.

Here is how the contents of this folder should look:

Now start cmd.exe and change to the directory containing the script. Start the script with the directory of your choice as the argument. In our case we have chosen the user's directory:

You can also use the '--blob' argument if you want to include a hex dump of the binary Bookmark BLOB data.

How often do you examine Mac computers? And what tools do you usually use?


Happy forensicating!


Authors:

Igor Mikhaylov & Oleg Skulkin




