The Mac Triage Tool is a forensic collection script designed for digital forensics and security investigations.
Inspired by how KAPE works, it efficiently extracts critical macOS system artifacts while preserving the original file system structure, making forensic analysis and parsing seamless.
This tool collects FSEvents, Spotlight, Unified Logs, user artifacts, system logs and many more, ensuring comprehensive data acquisition for forensic investigators and security professionals.
✔️ Forensic Data Collection – Extracts key macOS artifacts, including:
- FSEvents, Unified Logs, Spotlight, KnowledgeC and .DS_Store
- User artifacts (.bash_history, .zsh_history, SSH keys, documents, desktops)
- System logs and preferences
- Library artifacts (Application Support, LaunchDaemons, Preferences)
✔️ Maintains macOS File Structure – Collects essential artifacts while preserving the macOS file system structure, so paths in the output match paths on the source machine. 📂
✔️ Full File System Listing – Generates a comprehensive inventory of all files on the system.
✔️ Efficient & Modular Design – Easily customizable for new forensic targets
✔️ Automated Compression & Cleanup – Packs collected artifacts into a .zip file. Removes temporary files after data collection 🧹
✔️ Compatible with Most macOS Versions – Designed to function reliably across different macOS versions, despite variations in artifact locations.
Clone the repository and run the script:

```bash
git clone https://github.com/a1l4m/Mac-Triage.git
cd Mac-Triage
chmod +x Mac-Triage.sh
sudo bash Mac-Triage.sh
```
🔹 Root permissions are required for full forensic collection.
🔹 The script will collect system artifacts, store them in a structured directory, and compress everything into a .zip archive.
After execution, the output structure looks like this:

```
📁 [Hostname_YMD_HMS].zip/
└── 📁 [Hostname-Triage]/
    ├── 📁 Private/
    │   ├── 📁 etc/
    │   └── 📁 var/
    │       ├── 📁 db/
    │       ├── 📁 log/
    │       ├── 📁 root/
    │       └── 📁 tmp/
    ├── 📁 Users/
    │   ├── 📁 User1/
    │   │   ├── 📄 .bash_history
    │   │   ├── 📄 .zsh_history
    │   │   ├── 📁 .ssh/
    │   │   ├── 📄 .sh_history
    │   │   ├── 📄 .DS_Store
    │   │   ├── 📁 .zsh_sessions/
    │   │   ├── 📁 .bash_sessions/
    │   │   ├── 📁 Documents/
    │   │   ├── 📁 Desktop/
    │   │   └── 📁 Library/
    │   └── 📁 User2/
    ├── 📁 UnifiedLogs/
    ├── 📁 Spotlight/
    ├── 📁 FSEvents/
    ├── 📁 Library/
    │   ├── 📁 Application Support/
    │   ├── 📁 LaunchDaemons/
    │   ├── 📁 Logs/
    │   └── 📁 Preferences/
    ├── 📁 System/
    │   └── 📁 Library/
    │       └── 📁 CoreServices/
    │           └── 📄 SystemVersion.plist
    ├── 📄 Full_File_Listing.txt
    ├── 📄 [Hostname_YMD_HMS]_Processing_Details.txt
    └── 📄 [Hostname_YMD_HMS]_File_Hashes.txt
```
All actions and errors are logged in `Processing_Details.txt`.
- Khaled Allam - aka a1l4m
- Ahmed Mahmoud - aka M4shl3
Contributions are welcome!
- Fork the repository
- Create a new branch (`git checkout -b feature-new-feature`)
- Commit your changes (`git commit -m "Add new feature"`)
- Push to the branch (`git push origin feature-new-feature`)
- Open a Pull Request 🚀
As we don't like to reinvent the wheel, some parts of our code and structure were taken from the open-source project by Brimor Labs named Live Response Collection. We would like to give them credit for their contribution to the forensic community.
This project is open-source and available under the GPL License.