> For the complete documentation index, see [llms.txt](https://pellaeon.gitbook.io/mobile-forensics/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pellaeon.gitbook.io/mobile-forensics/mac/extract.md).

# Extract Data for Further Analysis

If you have not found anything suspicious on the system but want to investigate further once you no longer have access to the machine, you can collect the interesting forensic artifacts now and analyze them later using [AutoMacTC](https://www.crowdstrike.com/blog/automating-mac-forensic-triage/), CrowdStrike's open-source macOS triage collector.

Important notes:

* This program extracts private information (browser history, recently used files, shell history, and so on). Keep that in mind when running it and when storing or sharing its output.
* This program has not been updated since 2021 and only supports macOS versions up to macOS 11.

## Launching AutoMacTC

You first need to download AutoMacTC from [the GitHub repository](https://github.com/CrowdStrike/automactc/archive/master.zip) and extract the archive.

Then open a terminal, from the menu > `Other` > `Terminal` (or `Applications` > `Utilities` > `Terminal`). To run the program you need to know the path of the extracted AutoMacTC code, then run `sudo python <PATH>/automactc-master/automactc.py -m all`. Root privileges (`sudo`) are needed because many of the collected artifacts, such as other users' home directories and system logs, are not readable by a normal user.

![](/files/9FqkvQ2BAm2HwktDQlF3)

Running this command with the argument `-m all` extracts all the data available. It is also possible to collect only specific data by passing one or more module names to `-m` instead of `all`. Here is the list of modules from the [AutoMacTC documentation](https://www.crowdstrike.com/blog/automating-mac-forensic-triage/):

* `pslist`: current process list at the time of the AutoMacTC run
* `lsof`: current open file handles at the time of the AutoMacTC run
* `netstat`: current network connections at the time of the AutoMacTC run
* `asl`: parsed Apple System Log (`.asl`) files
* `autoruns`: parsing of various persistence locations and plists
* `bash`: parsing `bash/.*_history` files for all users
* `chrome`: parsing Chrome visit history and download history
* `coreanalytics`: parsing program execution evidence produced by Apple diagnostics
* `dirlist`: list of files and directories across the disk
* `firefox`: parsing Firefox visit history and download history
* `installhistory`: parsing program installation history
* `mru`: parsing SFL and MRU plist files
* `quarantines`: parsing the QuarantineEventsV2 database
* `quicklook`: parsing the Quicklook database
* `safari`: parsing Safari visit history and download history
* `spotlight`: parsing user Spotlight top searches
* `ssh`: parsing `known_hosts` and `authorized_keys` files for each user
* `syslog`: parsing `system.log` files
* `systeminfo`: basic system identification, such as current IP address, serial number, hostname
* `users`: listing present and deleted users on the system
* `utmpx`: listing user sessions on terminals

## Data Extracted

All the extracted data is saved in an archive named `automactc-output,<computername>,<ipaddress>,<date>.tar.gz`. It contains one CSV file per executed module with that module's results, so the archive can be copied off the machine and analyzed on another system.
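As an added example (not part of this page and not AutoMacTC's own code), the following Python script loads such an archive offline, groups the rows by module, and searches every field of every module for an indicator such as a file path or an IP address, which is the usual first step once the archive has been copied to an analysis machine. It assumes that each CSV member inside the archive has a name ending in `,<module>.csv`; the sample archive it builds, including its column names, is constructed for the demonstration so that the script runs without a real collection.

```python
"""Offline triage of an AutoMacTC output archive (added example, not AutoMacTC code)."""
import csv
import io
import re
import tarfile
from collections import defaultdict

# ASSUMPTION: each CSV inside the tar.gz is named '...,<module>.csv',
# mirroring the archive's own 'automactc-output,<host>,<ip>,<date>' naming.
MEMBER_RE = re.compile(r",(?P<module>[A-Za-z0-9_]+)\.csv$")


def load_archive(source):
    """Return {module_name: [row dicts]} for every CSV member of the archive.

    `source` is either a path to the .tar.gz or a binary file object.
    """
    results = defaultdict(list)
    kwargs = {"name": source} if isinstance(source, str) else {"fileobj": source}
    with tarfile.open(mode="r:gz", **kwargs) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            match = MEMBER_RE.search(member.name)
            if not match:
                continue  # not a module result file, skip it
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for row in csv.DictReader(io.StringIO(text)):
                results[match.group("module")].append(row)
    return dict(results)


def row_counts(results):
    """Quick sanity check: how many rows each module produced."""
    return {module: len(rows) for module, rows in results.items()}


def grep(results, pattern):
    """Case-insensitive regex search over every field of every module.

    Returns a list of (module, row) tuples so a hit can be traced back
    to the artifact it came from.
    """
    regex = re.compile(pattern, re.IGNORECASE)
    hits = []
    for module, rows in results.items():
        for row in rows:
            if any(regex.search(value or "") for value in row.values()):
                hits.append((module, row))
    return hits


def build_sample_archive():
    """Build a CONSTRUCTED in-memory archive so the demo runs offline.

    The member names follow the naming assumption above; the column names
    and values are made up and are not real AutoMacTC output.
    """
    members = {
        "automactc-output,mac01,192.168.1.20,20210101T000000,pslist.csv":
            "pid,ppid,user,command\n"
            "1,0,root,/sbin/launchd\n"
            "512,1,alice,/Users/alice/Library/Caches/.hidden/updater\n",
        "automactc-output,mac01,192.168.1.20,20210101T000000,autoruns.csv":
            "source,label,program\n"
            "launch_agents,com.apple.sample,/usr/bin/true\n"
            "launch_agents,com.example.updater,/Users/alice/Library/Caches/.hidden/updater\n",
        "automactc-output,mac01,192.168.1.20,20210101T000000,run.log":
            "not a module result, must be ignored\n",
    }
    buf = io.BytesIO()
    with tarfile.open(mode="w:gz", fileobj=buf) as tar:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    archive = build_sample_archive()  # replace with a path to a real archive
    results = load_archive(archive)
    print("rows per module:", row_counts(results))
    # Anything running or persisting out of a user's cache directory deserves a look.
    for module, row in grep(results, r"/Users/[^/]+/Library/Caches/"):
        print(module, row)
```

With a real collection, pass the archive path to `load_archive` instead of the constructed sample; because `grep` matches across all modules, a single suspicious path from `pslist` can immediately be correlated with the `autoruns` entry that keeps it persistent.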


