OSXCollector

#Incident Management #Digital Forensics


OSXCollector: A Forensic Evidence Collection and Analysis Toolkit for OSX

OSXCollector is a toolkit designed for the collection and analysis of forensic evidence specifically for OSX systems.

The Collection Script Operates on Potentially Infected Machines

The collection script operates on a potentially infected machine and generates a JSON file that details the target machine. OSXCollector collects data from plists, SQLite databases, and the local file system. With the forensic collection in hand, an analyst can address questions such as: Is this machine infected? How did that malware arrive? What steps can I take to prevent and detect future infections?

Yelp automates the analysis of most OSXCollector runs, transforming its output into a clear and actionable summary that highlights only the suspicious elements. To maximize the benefits of automated OSXCollector output analysis, check out the OSXCollector Output Filters project.

The osxcollector.py is a single Python file that operates without any dependencies on a standard OSX machine, making it incredibly simple to execute the collection on any machine: there is no need to deal with brew, pip, configuration files, or environment variables. Just copy the single file onto the machine and run it; executing 'sudo osxcollector.py' is all it takes. For example:

$ sudo osxcollector.py
Wrote 35394 lines.
Output in osx.