Directories
| Path | Synopsis |
|---|---|
| | This module collects App Store installation history and receipt information. |
| | This module collects and parses logs from Apple System Logs (ASL). |
| | This module collects and parses audit logs using the praudit command over the files in the /private/var/audit directory. |
| | This module enumerates autostart locations for plist configuration files, parses them, and checks code signatures on programs that run on login/startup. |
| | This module collects and parses browser cookies from Chrome and Firefox. |
| | This module reads and parses the Chrome history database for each user on disk. |
| | This module collects information about installed Claude MCP servers. |
| | This module collects and parses CoreAnalytics artifacts. |
| | This module collects Cursor extensions installed for each user on disk. |
| | This module collects and parses Firefox browser history, downloads, and extensions. |
| | This module recursively traverses the file system and captures metadata for files and folders on disk, including MD5 and SHA256 hashes; MACB timestamps (Modified, Accessed, Created, Birth); and extended attributes (quarantine, wherefrom, downloaddate). |
| | This module is useful to investigate open files, network connections, and processes that opened them. |
| | This module collects information about network configurations from plist files. |
| | This module is useful to investigate the list of current network connections and their details. |
| | This module is useful to investigate the amount of data transferred by processes and network interfaces. |
| | This module intends to collect and parse notifications from NotificationCenter. |
| | The module is useful to investigate the list of running processes and their details. |
| | This module collects and parses the QuarantineEventsV2 database. |
| | This module parses the QuickLook database for each user. |
| | This module collects and parses Safari history, downloads, and extensions. |
| | This module collects and parses Spotlight shortcuts data. |
| | This module reads and parses SSH known_hosts files and SSH authorized_keys files for each user on disk. Relevant fields: src_name (name of the source file, known_hosts or authorized_keys); user (username from the path); bits (number of bits in the key); fingerprint (SSH key fingerprint); host (hostname or IP address); keytype (type of SSH key). |
| | This module collects and parses system.log files. |
| | This module collects basic system information to identify the host. |
| | Description: This module collects and parses Terminal.app saved state files and terminal histories. |
| | This module is useful to investigate the list of logs from the unified logging system. |
| | This module collects USB device history from various macOS sources. |
| | This module enumerates current and deleted user profiles, and identifies admin users and the last logged-in user. |
| | This module collects and parses utmpx login records. |
| | This module collects VSCode extensions installed for each user on disk. |