# :apple: ARDvark

Repository: https://github.com/mandiant/ARDvark (owner: mandiant; language: Python; license: Apache-2.0; archived; created 2019-10-09, last pushed 2023-06-01).

ARDvark parses the Apple Remote Desktop (ARD) database file and its associated cache files to pull out application usage, user activity, and filesystem listings.\
The ARD database contains information about all systems within an ARD deployment in an enterprise.

## ARD Artifacts to Parse
The ARD database file collects user login activity and detailed application usage from all reporting ARD client systems.
This information has been confirmed for macOS 10.14 (Mojave).

The ARD database file ("RMDB") is located at the following path and is only populated on ARD administrator systems:\
`/private/var/db/RemoteManagement/RMDB/rmdb.sqlite3`

The following plist files exist on ARD client systems and contain cached user activity and application usage that is eventually written to the RMDB:
1.  `/private/var/db/RemoteManagement/caches/UserAcct.tmp`
2.  `/private/var/db/RemoteManagement/caches/AppUsage.plist`

The `/private/var/db/RemoteManagement/caches/filesystem.cache` file is a database that contains a complete file listing of the ARD client system.

The plists are also forwarded to the ARD ADMIN SYSTEM and are stored in subdirectories within the `/private/var/db/RemoteManagement/ClientCaches` directory.
Each forwarded file is renamed to the reporting client system's MAC address. For example:
1. `/private/var/db/RemoteManagement/ClientCaches/ApplicationUsage/{macaddress}` -> AppUsage.plist files sent by all ARD CLIENT SYSTEMS
2. `/private/var/db/RemoteManagement/ClientCaches/UserAccounting/{macaddress}` -> UserAcct.tmp files sent by all ARD CLIENT SYSTEMS
3. `/private/var/db/RemoteManagement/ClientCaches/SoftwareInfo/{macaddress}` -> filesystem.cache files sent by all ARD CLIENT SYSTEMS

## ARDvark Results
ARDvark can provide the following information:\
Application Usage:
* Host name (RMDB only)
* MAC address (RMDB only)
* Application path
* Application name
* Launch time
* Frontmost time
* End time
* User
* Last report time
* Whether or not the application was running at the time of the last report to the ARD admin system

User Activity:
* Host name (RMDB only)
* MAC address (RMDB only)
* Last report time
* Username
* Login type
* Login time
* Logout time
* Source system (not consistently present)


## Usage
`ardvark.py [-h] [-d rmdb.sqlite3] [-u UserAcct.tmp] [-a AppUsage.plist] [-f filesystem.cache]`

NOTE: Due to the size of the rmdb.sqlite3 and filesystem.cache files, parsing isn't instantaneous. Please be patient.

#### Parsing RMDB:
`ardvark.py -d rmdb.sqlite3`\
This will produce 2 output files in your working directory:
* AppUsageRMDB.csv
* UserActivityRMDB.csv

#### Parsing User Activity files:
`ardvark.py -u UserAcct.tmp`\
ARDvark will accept UserAcct.tmp files from client systems, or the files under `/private/var/db/RemoteManagement/ClientCaches/UserAccounting`
on an ARD administrator system.\
This will produce 1 output file in your working directory:
* UserActivityPlist.csv

#### Parsing AppUsage.plist files:
`ardvark.py -a AppUsage.plist`\
ARDvark will accept AppUsage.plist files from client systems, or the files under `/private/var/db/RemoteManagement/ClientCaches/ApplicationUsage`
on an ARD administrator system.\
This will produce 1 output file in your working directory:
* AppUsagePlist.csv

#### Parsing filesystem.cache files:
`ardvark.py -f filesystem.cache`\
This will produce 1 output file in your working directory:
* fscache.txt
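Worked example for the RMDB section (added here; this is not ARDvark's own code): a read-only triage pass over a collected copy of `rmdb.sqlite3` that checks the SQLite header, inventories the schema and dumps every table to CSV. The RMDB schema is not documented on this page, so the functions hard-code no table or column names; `make_sample_db()` builds a throwaway database with invented `demo_*` tables purely so the example runs offline.

```python
"""Read-only triage of a collected rmdb.sqlite3 (added example, not ARDvark code).

The RMDB schema is not described on this page, so nothing below assumes table
or column names: the file is inventoried via sqlite_master and PRAGMA
table_info, and every table is exported as-is. The demo_* tables created by
make_sample_db() are invented purely so the example runs offline.
"""
import csv
import re
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import quote

SQLITE_MAGIC = b"SQLite format 3\x00"


def open_readonly(db_path):
    """Open the database read-only so triage cannot alter the evidence copy.

    mode=ro refuses writes; immutable=1 additionally tells SQLite the file will
    not change underneath it, so no -wal/-shm/-journal side files appear next
    to the artifact. Only use immutable=1 on a static copy, never a live DB.
    """
    db_path = Path(db_path)
    with open(db_path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            raise ValueError(f"{db_path} does not carry the SQLite 3 header")
    uri = "file:" + quote(str(db_path.resolve())) + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def quote_ident(name):
    """Double-quote an identifier read from the file under analysis; table
    names are untrusted input and must never be spliced into SQL bare."""
    return '"' + name.replace('"', '""') + '"'


def inventory(conn):
    """Return {table_name: [column, ...]} for every user table, sorted by name."""
    tables = {}
    names = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    for (name,) in names:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        cols = [row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(name)})")]
        tables[name] = cols
    return tables


def export_tables(conn, out_dir):
    """Dump every table to <out_dir>/<table>.csv; return {table: row_count}."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    counts = {}
    for name, cols in inventory(conn).items():
        # The table name also becomes a file name, so strip anything that could
        # escape out_dir (e.g. a "/" in a hostile table name).
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", name) or "table"
        with open(out_dir / f"{safe}.csv", "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow(cols)
            n = 0
            for row in conn.execute(f"SELECT * FROM {quote_ident(name)}"):
                writer.writerow(row)
                n += 1
        counts[name] = n
    return counts


def triage(db_path, out_dir):
    """Inventory and export a database copy; returns (schema, row_counts)."""
    conn = open_readonly(db_path)
    try:
        return inventory(conn), export_tables(conn, out_dir)
    finally:
        conn.close()


def make_sample_db(path):
    """Constructed input for the demo. Table and column names are invented;
    they are NOT the real RMDB schema."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE demo_hosts (id INTEGER PRIMARY KEY, hostname TEXT, mac TEXT);
        CREATE TABLE demo_app_usage (host_id INTEGER, app_path TEXT, launched TEXT);
        INSERT INTO demo_hosts VALUES (1, 'analyst-mbp', 'aa:bb:cc:dd:ee:ff');
        INSERT INTO demo_app_usage VALUES (1, '/Applications/Safari.app', '2019-10-01T10:00:00');
        INSERT INTO demo_app_usage VALUES (1, '/Applications/Terminal.app', '2019-10-01T10:05:00');
        """
    )
    conn.commit()
    conn.close()
    return Path(path)


def demo():
    """Build the sample database in a temp dir and triage it."""
    work = Path(tempfile.mkdtemp())
    db = make_sample_db(work / "rmdb.sqlite3")
    return triage(db, work / "csv")


if __name__ == "__main__":
    schema, counts = demo()
    for table, cols in schema.items():
        print(f"{table}: {counts[table]} rows; columns: {', '.join(cols)}")
```

Run it against a real copy with `triage("/path/to/rmdb.sqlite3", "out")`; the CSVs give you the raw tables to compare against ARDvark's `AppUsageRMDB.csv` and `UserActivityRMDB.csv`, and the header check catches a collection that grabbed the wrong file.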
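Worked example for the ClientCaches layout and the plist-parsing sections (added here; this is not ARDvark's own code): walk a collected copy of `/private/var/db/RemoteManagement/ClientCaches`, map each file back to the client MAC address it is named after, hash it, and load the two plist-based caches with `plistlib`, which detects XML and binary plists itself. Assumptions: the exact MAC spelling used for the file names is not stated on the page, so several forms are accepted; the internal layout of `AppUsage.plist` and `UserAcct.tmp` is not documented here, so only their top-level keys are reported; `filesystem.cache` is not a plist and is hashed but not parsed; the tree built by `make_sample_tree()` and its plist keys are constructed for the demo.

```python
"""Map a collected ClientCaches tree back to client MAC addresses (added
example, not ARDvark code).

Assumptions: the three subdirectory names and the MAC-address file naming come
from the README; the internal layout of AppUsage.plist and UserAcct.tmp is not
documented, so plists are only loaded and their top-level keys reported;
filesystem.cache is not a plist and is hashed but not parsed. The tree built by
make_sample_tree() is constructed for the demo and its plist keys are invented.
"""
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Subdirectory on the ARD admin system -> client-side file it was sent as.
CACHE_DIRS = {
    "ApplicationUsage": "AppUsage.plist",
    "UserAccounting": "UserAcct.tmp",
    "SoftwareInfo": "filesystem.cache",
}

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff in any case; the
# exact spelling the admin system uses is an assumption of this example.
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def normalize_mac(name):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None if the file name
    is not a MAC address (such files deserve a manual look)."""
    if not MAC_RE.match(name):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", name).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def sha256_file(path):
    """Hash the artifact so each record is tied to the collected copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_plist_keys(path):
    """plistlib.load() detects XML vs binary itself. Returns the sorted top-level
    keys of a dict-rooted plist, the root type name otherwise, or None when the
    file is not a plist plistlib can read (InvalidFileException is a ValueError)."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (ValueError, ExpatError):
        return None
    if isinstance(data, dict):
        return sorted(data)
    return type(data).__name__


def walk_client_caches(root):
    """One record per file under the three cache directories."""
    root = Path(root)
    records = []
    for subdir, client_file in CACHE_DIRS.items():
        directory = root / subdir
        if not directory.is_dir():
            continue
        for path in sorted(directory.iterdir()):
            if not path.is_file():
                continue
            mac = normalize_mac(path.name)
            records.append({
                "kind": client_file,
                "mac": mac,
                "unexpected_name": mac is None,
                "path": str(path),
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
                # SoftwareInfo holds filesystem.cache, which is not a plist.
                "plist_keys": None if subdir == "SoftwareInfo" else load_plist_keys(path),
            })
    return records


def make_sample_tree(root):
    """Constructed input: a binary AppUsage plist, an XML UserAcct plist, a
    filesystem.cache stand-in, and a stray file not named after a MAC."""
    root = Path(root)
    for subdir in CACHE_DIRS:
        (root / subdir).mkdir(parents=True, exist_ok=True)
    with open(root / "ApplicationUsage" / "aa:bb:cc:dd:ee:01", "wb") as fh:
        plistlib.dump({"demo_apps": [{"name": "Safari"}]}, fh, fmt=plistlib.FMT_BINARY)
    with open(root / "UserAccounting" / "AABBCCDDEE02", "wb") as fh:
        plistlib.dump({"demo_logins": [{"user": "alice"}]}, fh, fmt=plistlib.FMT_XML)
    (root / "SoftwareInfo" / "aa-bb-cc-dd-ee-03").write_bytes(b"\x00not a plist\x00")
    (root / "ApplicationUsage" / "notes.txt").write_text("stray file")
    return root


def demo():
    """Build the sample tree in a temp dir and walk it."""
    return walk_client_caches(make_sample_tree(Path(tempfile.mkdtemp()) / "ClientCaches"))


if __name__ == "__main__":
    for rec in demo():
        print(rec["kind"], rec["mac"], rec["unexpected_name"], rec["plist_keys"], rec["sha256"][:12])
```

Point `walk_client_caches()` at a collected `ClientCaches` directory to get a per-client inventory before feeding the individual files to `ardvark.py -u` / `-a` / `-f`; records with `unexpected_name` set are files the naming convention does not explain and are worth inspecting by hand.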