A collection of PowerShell scripts for analyzing macOS Forensic Artifacts
- FSEvent Logs → FSEvents-Analyzer
- LSQuarantine database file(s) → Quarantine-Analyzer
- TCC database file(s) → TCC-Analyzer
- XProtect Behavioral Service database file(s) → XProtect-Analyzer
Note
MacOS-Analyzer-Suite includes all external tools by default.
- Windows PowerShell 5.1 or newer.
- Download the latest version of the MacOS-Analyzer-Suite from the Releases section.
- Install the ImportExcel PowerShell module, which lets the scripts import/export Excel spreadsheets without Excel being installed:
  Install-Module -Name ImportExcel
- Install Python 3 and add it to your PATH environment variable.
- Run the specific script in PowerShell (e.g. TCC-Analyzer.ps1).
- Optional: Edit Config.json to choose your own Excel color scheme.
Open PowerShell, change to the directory containing the script you want to use (e.g. TCC-Analyzer.ps1) and run it with the following command:
.\TCC-Analyzer.ps1

Fig 1: Select your TCC Database file
You can skip the file selection dialog and pass the path to your input file directly with the following command:
.\TCC-Analyzer.ps1 -Path "$env:USERPROFILE\Desktop\tcc_<USERNAME>"
You can specify the output directory with the following command:
.\TCC-Analyzer.ps1 -Path "H:\macos-collector\tcc_<USERNAME>" -OutputDir "H:\MacOS-Analyzer-Suite"
Note
The default output directory is $env:USERPROFILE\Desktop\TCC-Analyzer.
The subdirectory 'TCC-Analyzer' is created automatically inside whichever output directory is used.
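The following wrapper is an added example and is not part of MacOS-Analyzer-Suite. It ties the setup steps and the usage section above together: it checks that ImportExcel and Python 3 are available, hashes every TCC database copied by macos-collector before the analyzer reads it, and then runs TCC-Analyzer.ps1 with -Path and -OutputDir once per input. The drive letters, folder names, the tcc_<USERNAME> file naming and the evidence-hashes.csv manifest are assumptions made for this example.

```powershell
# Added example, not part of MacOS-Analyzer-Suite: verify the prerequisites from the
# setup steps, then run TCC-Analyzer.ps1 over every TCC database copied by
# macos-collector and record a SHA-256 of each input next to the reports.
# All paths and the tcc_<USERNAME> file naming are assumptions for this example.
#Requires -Version 5.1

$SuiteDir   = 'H:\MacOS-Analyzer-Suite'          # assumed: unpacked release
$CollectDir = 'H:\macos-collector'               # assumed: macos-collector output
$OutRoot    = 'H:\MacOS-Analyzer-Suite\Cases'    # assumed: one subfolder per input

# 1. ImportExcel must be installed; the analyzers write .xlsx through it.
if (-not (Get-Module -ListAvailable -Name ImportExcel)) {
    throw 'ImportExcel module is missing. Run: Install-Module -Name ImportExcel'
}

# 2. Python 3 must be resolvable from PATH.
$py = Get-Command python -ErrorAction SilentlyContinue
if (-not $py) { throw 'python not found in PATH' }
$pyVersion = (& $py.Source --version 2>&1) -join ''
if ($pyVersion -notmatch '^Python 3\.') { throw "Expected Python 3, found: $pyVersion" }

# 3. The analyzer script itself must be where we expect it.
$Script = Join-Path $SuiteDir 'TCC-Analyzer.ps1'
if (-not (Test-Path -LiteralPath $Script)) { throw "TCC-Analyzer.ps1 not found in $SuiteDir" }

# 4. Collect the inputs. The collector output is assumed to hold one
#    tcc_<USERNAME> file per user, matching the -Path examples in the README.
$inputs = @(Get-ChildItem -LiteralPath $CollectDir -Filter 'tcc_*' -File)
if ($inputs.Count -eq 0) { throw "No tcc_<USERNAME> files found under $CollectDir" }

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null
$manifest = Join-Path $OutRoot 'evidence-hashes.csv'   # assumed manifest name

foreach ($in in $inputs) {
    # Hash the evidence before the analyzer touches it, so each report can be
    # tied to exactly this copy of the database.
    $hash = Get-FileHash -LiteralPath $in.FullName -Algorithm SHA256
    [pscustomobject]@{
        File   = $in.FullName
        SHA256 = $hash.Hash
        Bytes  = $in.Length
        HashedUtc = (Get-Date).ToUniversalTime().ToString('o')
    } | Export-Csv -LiteralPath $manifest -Append -NoTypeInformation

    # One output folder per input. The analyzer creates its own 'TCC-Analyzer'
    # subdirectory beneath -OutputDir, so do not add it here.
    $caseOut = Join-Path $OutRoot $in.BaseName
    Write-Host "Analyzing $($in.Name) -> $caseOut"
    try {
        & $Script -Path $in.FullName -OutputDir $caseOut
    } catch {
        Write-Warning "TCC-Analyzer.ps1 failed for $($in.Name): $_"
    }
}
```

If the downloaded release is blocked by the execution policy, run `Unblock-File` on the suite's scripts (or start PowerShell with `-ExecutionPolicy Bypass`) before using the wrapper. The hash is taken before the analyzer runs so that the manifest reflects the untouched evidence; if you re-run the analysis later, compare the new hash against the recorded one before trusting the results.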

Fig 6: XProtect Behavior Service

Fig 7: Bastion-Rules.xlsx (Stats)
This project is licensed under the MIT License - see the LICENSE file for details.
Aftermath by Jamf Threat Labs
macos-collector by LETHAL-FORENSICS