https://github.com/bolodev/osxripper
Tool to rip system and user data from OSX and macOS
- Host: GitHub
- URL: https://github.com/bolodev/osxripper
- Owner: bolodev
- License: gpl-3.0
- Created: 2020-07-11T20:14:54.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2022-12-06T16:49:02.000Z (over 3 years ago)
- Last Synced: 2025-01-29T13:36:49.781Z (over 1 year ago)
- Topics: dfir, forensics, macos, osx
- Language: Python
- Homepage:
- Size: 315 KB
- Stars: 16
- Watchers: 1
- Forks: 3
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# OSXRipper
OSXRipper is a tool to gather system and user information from OSX file systems. It currently supports OSX versions 10.6 - 10.15 (Snow Leopard to Catalina).
#### Alternatives to OSXRipper
Apple Pattern of Life Lazy Output'er (APOLLO)
- https://github.com/mac4n6/APOLLO
MAC APT
- https://github.com/ydkhatri/mac_apt
OSX Auditor
- https://github.com/jipegit/OSXAuditor
iParser
- http://az4n6.blogspot.co.uk/2012/08/automated-plist-parser.html
- https://github.com/mdegrazia/iParser
Mac Plist Ripper
- https://bitbucket.org/chrishargreaves/mac_plist_ripper
If anyone knows of alternatives I would be more than happy to add them here.
#### Uses the CCL Forensics BPlist parser
https://github.com/cclgroupltd/ccl-bplist
__Prereqs__
Assumes at least Python 3.4.3 is installed
#### Usage
    python3 osxripper.py --help

__Options__

    -h, --help                        Show help message and exit
    -i DIRECTORY, --input=DIRECTORY   input directory
    -o DIRECTORY, --output=DIRECTORY  output directory
    -l, --list                        List the available plugins
    -s, --summary                     Run Summary plugin only

__Notes__
N.B. When run on Linux or OSX, the user may have to escalate privileges to root.
N.B. The output directory must exist.
__On OSX:__

    sudo python3 osxripper.py -i /Volumes/my_mounted_volume -o /Users/username/Desktop/my_analysis

__On Linux:__

    sudo python3 osxripper.py -i /mnt/hfs_mount -o /home/username/my_analysis

N.B. If kpartx was used to mount the image, the input path may be /media/...
__On Windows:__

    python.exe osxripper.py -i X:\extracted_files_root -o C:\Users\username\Desktop\my_analysis

#### Plugin Development Guide
Check the Wiki page for getting started with plugin development or make use of existing plugins under __plugins/osx__