OS X Auditor - Mac Forensics Tool

OS X Auditor Forensic Tool

OS X Auditor is a free Mac OS X computer forensics tool. It parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
  • the kernel extensions
  • the system agents and daemons
  • the third party's agents and daemons
  • the old and deprecated system and third party's startup items
  • the users' agents
  • the users' downloaded files
  • the installed applications

It is capable of extracting the following:
  • the users' quarantined files
  • the users' Safari history, downloads, topsites, LastSession, HTML5 databases and localstore
  • the users' Firefox cookies, downloads, form history, permissions, places, and signons
  • the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

OS X Auditor can also verify the reputation of each file on:
  • Team Cymru's MHR
  • VirusTotal
  • your own local database

It can aggregate all logs from the following directories into a zipball:
  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user's ~/Library/logs



from Effect Hacking full article here