BlueMacTriage is a comprehensive Mac forensics triage bash script designed for Intel-based Macs. This script collects a variety of forensic data from a suspect system to assist in initial forensic investigations.
- Collects detailed system information
- Gathers user and group information
- Captures running processes and network connections
- Lists installed applications
- Collects system logs
- Retrieves browser history (Safari, Chrome, Firefox)
- Identifies persistence mechanisms (LaunchDaemons, LaunchAgents, cron jobs)
- Captures detailed network configurations
- Gathers disk and file system information
- Checks security settings (SIP, FileVault, Gatekeeper)
- Captures clipboard data
- Hashes important binaries and system files
- Zips the collected data and cleans up the temporary directory
Ensure you have root privileges to run the script:
sudo ./macTriage.sh
- Clone the repository:
git clone https://github.com/fulco/BlueMacTriage.git
- Navigate to the repository directory:
cd BlueMacTriage
- Make the script executable:
chmod +x macTriage.sh
Run the script with root privileges:
sudo ./macTriage.sh
The script will create a directory in /tmp with the collected forensic data. The directory name includes the date and time the script was run, in the form /tmp/mac_forensics_$(date +%Y%m%d_%H%M%S) (that is, YYYYMMDD_HHMMSS).
Once the data is collected, the script will zip the directory and save it as /tmp/mac_forensics_$(date +%Y%m%d_%H%M%S).zip. The temporary directory will then be cleaned up.
The script collects and stores data in the following files within the output directory:
- system_info.txt: Detailed system information
- users.txt: List of users
- groups.txt: List of groups
- user_details.txt: Detailed information for each user
- processes.txt: List of running processes
- open_files.txt: List of open files
- network_connections.txt: Network connections
- installed_apps.txt: List of installed applications
- system.log: System log
- kernel.log: Kernel log
- install.log: Install log
- appfirewall.log: Application firewall log
- secure.log: Secure log
- Safari_History: Safari history files
- Chrome_History: Chrome history files
- Firefox_History: Firefox history files
- launchdaemons.txt: List of LaunchDaemons
- launchagents.txt: List of LaunchAgents
- crontab.txt: User's crontab
- cronjobs.txt: List of cron jobs
- network_config.txt: Network configuration
- dns_config.txt: DNS configuration
- proxy_config.txt: Proxy configuration
- disk_usage.txt: Disk usage
- disk_list.txt: List of disks
- disk_info.txt: Detailed disk information
- sip_status.txt: System Integrity Protection status
- filevault_status.txt: FileVault status
- gatekeeper_status.txt: Gatekeeper status
- clipboard.txt: Clipboard data
- bin_hashes.txt: Hashes of important binaries
Contributions are welcome! Please fork the repository and submit a pull request for any improvements or additional features.
This project is licensed under the MIT License. See the LICENSE file for details.
For any questions or feedback, please reach out to Fulco at security@fulco.net.