osxcollector
osxcollector copied to clipboard
Yelp
A forensic evidence collection & analysis toolkit for OS X
So Apple has once again moved the goal posts... Since Mojave 10.14, "/private/var/db/dslocal/nodes/Default/" cannot be accessed.. sh-3.2# id uid=0(root) gid=0(wheel) sh-3.2# cat /private/var/db/dslocal/nodes/Default/groups/admin.plist cat: /private/var/db/dslocal/nodes/Default/groups/admin.plist: Operation not permitted sh-3.2# ls...
After running script, the end line says output in osxcollect-(Date/Time).targ.gz What directory is this being saved? I assumed it would save to the same directory where I ran the script...
> [ERROR] Unable to read plist: [The file “Info.plist” couldn’t be opened because there is no such file.]. plist_path[/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/DeviceTypes/iPhone Xʀ.simdevicetype/Contents/Info.plist] - {'osxcollector_incident_id': 'osxcollect-2019_04_09-10_47_54', 'osxcollector_subsection': 'applications', 'osxcollector_section': 'applications'} Info.plist exists at...
I just now see that you forked off of OSXAuditor. They had a feature to compare file reputations against Team Cymru's MHR, VirusTotal, or your own local database. Is this...
Something as good as: ``` shell $ security dump-trust-settings $ security dump-trust-settings -s $ security dump-trust-settings -d ``` would be real nice.
Hello, Almost all of the output shows: [ERROR] failed _log_sqlite_db file is encrypted or is not a database [('osxcollector/osxcollector.py', 1352, '_log_sqlite_db', 'self._raw_log_sqlite_db(sqlite_db_path, ignore)'), ('osxcollector/osxcollector.py', 1328, '_raw_log_sqlite_db', 'cursor.execute(\'SELECT * from sqlite_master...
Issue: As it stands, the system_info collection does not collect or provide the OSX version (e.g., "10.12.4") nor the build version (e.g. "16E195"). Suggestion Solution: Collect hostname and arch from...
OSX Version: 10.12.4 Firefox Version: 52.0.2 (64-bit) Running OSXCollector seems to miss (omit) extraction of the last_visit_date timestamps from Mozilla's places.sqlite database. Example: { "last_visit_date": "", "favicon_id": "", "osxcollector_table_name": "moz_places",...