Single Artifact Mode

You do not need a full disk image to parse artifacts. mac_apt can work with individual artifacts (files/folders) as well. This option is when you do not have a full disk image.

Instead of running mac_apt.py, you have to run mac_apt_singleplugin.py. Not all plugins support parsing of individual artifacts (but most do!). To get a list of all supported plugins, run python mac_apt_singleplugin.py -h.

Depending on the plugin, the input options may vary, some require files, others work with folders and there might be more custom options in the future. To learn about plugin specific options, run python mac_apt_singleplugin.py --plugin_help <PLUGIN_NAME>. For example, if you need information on the FSEVENTS plugin, run it as shown below.

$ python mac_apt_singleplugin.py --plugin_help fsevents

Help for Module FSEVENTS (Fsevents)

--------------------------------------------------
Provide the ".fseventsd" folder as input to process. This is located
 at the root of any disk

Getting Started

Introduction
Installation
- Installation-old
Sample Usage
- ios_apt
- Artifact Only Mode
- Mounted System Data Mode
Interpreting Output
Issues & Workarounds
- Plugin Issues

Plugins

AUTOSTART
BASICINFO
BLUETOOTH
DOMAINS
FSEVENTS
IDEVICEBACKUPS
IDEVICEINFO
IMESSAGE
INETACCOUNTS
INSTALLHISTORY
MSOFFICE
NETUSAGE
NETWORKING
NOTES
NOTIFICATIONS
PRINTJOBS
QUARANTINE
RECENTITEMS
SAFARI
SCREENTIME
SPOTLIGHT
SPOTLIGHTSHORTCUTS
TERMINALSTATE
TERMSESSIONS
UNIFIEDLOGS
USERS
WIFI

Development

Write a Plugin
Plugin Helpers

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Single Artifact Mode

Clone this wiki locally