Our digital forensics lab receives Mac computers for examination more and more often. There are some powerfull forensic suites for OS X analysis, but also there are a lot of very useful open source tools and scripts. One of such scripts is MacMRU-Parser.
MacMRU-Parser is a Python script written by Sarah Edwards and is available for downlpad from her GitHub. The script is able to parse both new SFL-based MRU plist files and “older” format plists used in OS X 10.10 and older.
The script should be run on a directory: you can use both a directory with extracted files and, for example, user directory from a mounted image.
According to Sarah’s blog, the script parses the following files:
- [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl
In this example we are going to use this script in Windows environment. Don’t forget to install Python before trying to use it!
Ok, the first problem is how to make a Windows system mount an HFS+ partition? There is a solution! The first thing you should do is mounting the whole drive via, for example FTK Imager (read only, of course). After you could use Paragon HFS+ for Windows to access partitions. Now you can browse an HFS+ partition like regular NTFS partition.
Here is how the contents of this folder should look like:
Now start cmd.exe and change directory to the one with the script inside. Start script with the directory of your choice as the argument. In our case we have chosen the user’s directory:
Also, you can use “–blob” argument if you want to include binary BLOB hex dump of the Bookmark data.
How often do you examine Mac computers? And what tools do you usually use?