Extract Data for Further Analysis

PreviousReview XProtect Logs NextChecking Smartphones

Last updated 1 year ago

Extract Data for Further Analysis

If you have not found anything suspicious on the system but want to investigate further without the system, it is possible to collect interesting forensic data in order to analyze them later using .

Important note:

This program can extract some private information (such as browser history), keep that in mind while using it.
This program has not been updated since 2021, only supports up to macOS 11.

Launching AutoMacTC

You first need to download AutoMacTC from and extract it.

Then you have to launch a terminal, from the menu > Other > Terminal. To run the program you need to know the path of the extracted AutoMacTC code and run sudo python <PATH>/automactc-master/automactc.py -m all.

pslist : current process list at time of AutoMacTC run
lsof : current file handles open at time of AutoMacTC run
netstat : current network connections at time of AutoMacTC run
asl : parsed Apple System Log (.asl) files
autoruns : parsing of various persistence locations and plists
bash : parsing bash/.*_history files for all users
chrome : parsing chrome visit history and download history
coreanalytics : parsing program execution evidence produced by Apple diagnostics
dirlist : list of files and directories across the disk
firefox : parsing firefox visit history and download history
installhistory : parsing program installation history
mru : parsing SFL and MRU plist files
quarantines : parsing QuarantineEventsV2 database
quicklook : parsing Quicklooks database
safari : parsing safari visit history and download history
spotlight : parsing user spotlight top searches
ssh : parsing known_hosts and authorized_keys files for each user
syslog : parsing system.log files
systeminfo : basic system identification, such as current IP address, serial no, hostname
users : listing present and deleted users on the system
utmpx : listing user sessions on terminals

Data Extracted

All the data extracted are saved in an archive name automactc-output,<computername>,<ipaddress>,<date>.tar.gz. It contains csv files with results for all modules executed.

PreviousReview XProtect Logs NextChecking Smartphones

Last updated 1 year ago

If you have not found anything suspicious on the system but want to investigate further without the system, it is possible to collect interesting forensic data in order to analyze them later using .

Important note:

This program can extract some private information (such as browser history), keep that in mind while using it.
This program has not been updated since 2021, only supports up to macOS 11.

Launching AutoMacTC

You first need to download AutoMacTC from and extract it.

Running this command with the argument -m all will extract all the data available. It is also possible to extract more specific data by passing the name of a specific module. Here is the list of modules from :

pslist : current process list at time of AutoMacTC run
lsof : current file handles open at time of AutoMacTC run
netstat : current network connections at time of AutoMacTC run
asl : parsed Apple System Log (.asl) files
autoruns : parsing of various persistence locations and plists
bash : parsing bash/.*_history files for all users
chrome : parsing chrome visit history and download history
coreanalytics : parsing program execution evidence produced by Apple diagnostics
dirlist : list of files and directories across the disk
firefox : parsing firefox visit history and download history
installhistory : parsing program installation history
mru : parsing SFL and MRU plist files
quarantines : parsing QuarantineEventsV2 database
quicklook : parsing Quicklooks database
safari : parsing safari visit history and download history
spotlight : parsing user spotlight top searches
ssh : parsing known_hosts and authorized_keys files for each user
syslog : parsing system.log files
systeminfo : basic system identification, such as current IP address, serial no, hostname
users : listing present and deleted users on the system
utmpx : listing user sessions on terminals

Data Extracted

All the data extracted are saved in an archive name automactc-output,<computername>,<ipaddress>,<date>.tar.gz. It contains csv files with results for all modules executed.