ma2tl (mac_apt to timeline)
This is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt.
Requirements
- Python 3.7.0 or later
- pytz
- tzlocal
- xlsxwriter
Installation
% git clone https://github.com/mnrkbys/ma2tl.git
Usage
% python ./ma2tl.py -h
usage: ma2tl.py [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin ...]
Forensic timeline generator using mac_apt analysis results. Supports only SQLite DBs.
positional arguments:
plugin Plugins to run (space separated).
optional arguments:
-h, --help show this help message and exit
-i INPUT, --input INPUT
Path to a folder that contains mac_apt DBs.
-o OUTPUT, --output OUTPUT
Path to a folder to save ma2tl result.
-ot OUTPUT_TYPE, --output_type OUTPUT_TYPE
Specify the output file type: SQLITE, XLSX, TSV (Default: SQLITE)
-s START, --start START
Specify start timestamp. (ex. 2021-11-05 08:30:00)
-e END, --end END Specify end timestamp.
-t TIMEZONE, --timezone TIMEZONE
Specify Timezone: "UTC", "Asia/Tokyo", "US/Eastern", etc (Default: System Local Timezone)
-l LOG_LEVEL, --log_level LOG_LEVEL
Specify log level: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default: INFO)
The following 4 plugins are available:
FILE_DOWNLOAD Extract file download activities.
PERSISTENCE Extract persistence settings.
PROG_EXEC Extract program execution activities.
VOLUME_MOUNT Extract volume mount/unmount activities.
----------------------------------------------------------------------------
ALL Run all plugins
Generated timeline example
Presentation
This tool was published on Japan Security Analyst Conference 2022 (JSAC2022).
Slides are available below:
37 Dec 15, 2022
13 May 24, 2021
2 Oct 11, 2022
259 Dec 28, 2022
26 Nov 30, 2022
8 Jun 28, 2022
23 Nov 21, 2022
5 Nov 04, 2022
22 Dec 07, 2022
206 Dec 31, 2022
0 Sep 13, 2022
4 Nov 30, 2022
3 Feb 09, 2022
2 Feb 16, 2022
2 Jan 09, 2022
32 Nov 23, 2022
2.1k Jan 03, 2023
1 Nov 02, 2021
97 Jan 06, 2023
27 Jun 01, 2022