
STForensicMacOS - MacOS Forensic Analysis Tool


A modular forensic analysis tool developed for MacOS systems. Equipped with rapid deployment and system imaging capabilities for incident response.

🚀 Features

  • 🔧 Modular Architecture: Separate modules for each analysis type
  • ⚡ Quick Setup: Single command installation and execution
  • 📊 Two Analysis Modes: Lite (quick analysis) and Full (complete imaging)
  • 📄 Automatic Reporting: Detailed reports in HTML and JSON formats
  • 🔍 Real-time Analysis: System status and change tracking
  • 🔒 Security-Focused: Read-only operations, data integrity preserved

📋 Modules

πŸ” System Information

  • Hardware information (CPU, RAM, Disk)
  • Operating system details
  • System configuration
  • Environment variables

πŸ“ Filesystem Analysis

  • Filesystem structure
  • File hashes (MD5, SHA256)
  • Timestamps
  • Deleted file recovery (basic)
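The collector below is an added example (not the project's own filesystem module) of how a read-only file-hash and timestamp pass is normally written: metadata is taken with lstat before the file is opened, MD5 and SHA256 are computed in one chunked pass so large files are not loaded into memory, symlinks are recorded but never followed, and a permission error on one file is recorded instead of aborting the run. `st_birthtime` (APFS/HFS+ creation time) is only present on macOS/BSD stat results, which is why it is read with getattr. The `demo()` helper builds a constructed temporary tree so the code can run anywhere; on a real host you would pass the evidence directory to `collect()` instead. Note that opening a file for hashing can update its access time on a live volume, so the pre-read atime is what ends up in the record.

```python
"""Read-only file collector: MD5/SHA256 plus lstat timestamps for a directory tree.
Added example; not code from the STForensicMacOS project."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB evidence files


def hash_file(path: str) -> Dict[str, str]:
    """Compute MD5 and SHA256 in a single pass over the file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def stat_record(st: os.stat_result) -> Dict[str, Optional[float]]:
    """Timestamps from an lstat result. ctime is inode-change time, not creation time;
    st_birthtime (creation time) exists only on macOS/BSD and is None elsewhere."""
    return {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "birthtime": getattr(st, "st_birthtime", None),
    }


def collect(root: str, hash_files: bool = True) -> List[dict]:
    """Walk `root` without following symlinks; per-file errors are recorded, not raised."""
    records: List[dict] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()   # deterministic traversal order -> reproducible reports
        filenames.sort()
        for name in filenames:
            path = os.path.join(dirpath, name)
            rec: dict = {"path": path, "error": None}
            try:
                st = os.lstat(path)  # capture metadata before anything touches the file
                rec.update(stat_record(st))
                if stat.S_ISLNK(st.st_mode):
                    rec["symlink_target"] = os.readlink(path)  # record the link, never hash its target
                elif hash_files and stat.S_ISREG(st.st_mode):
                    rec.update(hash_file(path))  # reading may update atime on disk; lstat was taken first
            except OSError as exc:  # PermissionError, FileNotFoundError (race), ...
                rec["error"] = f"{type(exc).__name__}: {exc}"
            records.append(rec)
    return records


def demo() -> Dict[str, dict]:
    """Constructed sample tree (not real evidence): one small file plus a symlink to it."""
    root = tempfile.mkdtemp(prefix="stf_demo_")
    with open(os.path.join(root, "a.txt"), "wb") as fh:
        fh.write(b"hello")
    try:
        os.symlink("a.txt", os.path.join(root, "link"))
    except OSError:
        pass  # filesystem without symlink support; the demo still works without it
    return {os.path.basename(r["path"]): r for r in collect(root)}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

`collect()` returns plain dicts so the result can be dumped straight into a JSON report; pass `hash_files=False` for the equivalent of the page's `--no-hash` option when a quick metadata-only pass is all that is needed.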

🧠 Memory Analysis

  • RAM status and usage
  • Kernel modules
  • Memory mapping
  • Swap status

🌐 Network Analysis

  • Active connections (IPv4/IPv6)
  • Routing table
  • DNS information
  • Firewall rules

πŸ“ Log Analysis

  • System logs
  • Application logs
  • Security logs
  • Crash logs

βš™οΈ Process Analysis

  • Running processes
  • Process details
  • System services
  • Open files

👥 User Analysis

  • User accounts
  • Group information
  • Permission levels
  • Session information

⏰ Timeline Analysis

  • File timeline
  • System events
  • User activities

πŸ› οΈ Installation

Requirements

  • macOS 10.15 or higher
  • Python 3.8+
  • Root/Administrator privileges

Steps

  1. Clone the repository:
git clone https://github.com/silexi/stforensicmacos.git
cd stforensicmacos
  2. Install dependencies:
pip3 install -r requirements.txt
  3. Run:
sudo python3 main.py --mode lite

📖 Usage

Basic Usage

# Quick analysis (Lite mode)
sudo python3 main.py --mode lite --output ./reports

# Full analysis (Full mode)
sudo python3 main.py --mode full --output ./reports

# Run specific modules
sudo python3 main.py --modules system_info,filesystem,network --output ./reports

# Generate HTML report
sudo python3 main.py --mode lite --output ./reports --format html

Command Line Options

python3 main.py [OPTIONS]

Options:
  --mode TEXT           Analysis mode: lite or full [default: lite]
  --modules TEXT        Modules to run (comma-separated)
  --output TEXT         Report output directory [default: ./reports]
  --format TEXT         Report format: json, html [default: json]
  --verbose, -v         Verbose output
  --no-hash             Skip hash calculations
  --config TEXT         Configuration file path
  --help                Show this message

Examples

# Quick system analysis
sudo python3 main.py --mode lite --output ./forensic_reports

# Network analysis only
sudo python3 main.py --modules network --output ./network_analysis

# Full analysis + HTML report
sudo python3 main.py --mode full --output ./full_analysis --format html

# Specific modules with verbose output
sudo python3 main.py --modules system_info,processes,users --verbose --output ./detailed_analysis

📊 Reports

JSON Report

Structured data format containing all analysis results.

HTML Report

Modern, interactive web-based report:

  • Module-based tables
  • Search and filtering
  • Responsive design
  • Detailed data viewing

🔒 Security

  • Root Privileges: This tool requires root/administrator privileges (needed to read protected logs, other users' files and kernel/process state); run it only on hosts you are authorized to examine
  • Read-Only: The data being collected is never modified. Any tool run on a live host still leaves traces of its own (the Python process, its open files, log entries, and the report files written under --output), so record the run time and command line in the case notes
  • Hash Verification: SHA256 hashes are produced for the report files so that later changes to a report can be detected
  • Data Integrity: All collection operations run in read-only mode
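The point of hashing the report files is tamper evidence: a report whose digest no longer matches the one recorded at collection time cannot be relied on. The block below is an added example (not the project's reporter code) of a manifest written next to the reports and a verifier that reports missing, modified and unexpected files. `SHA256SUMS.json` is an assumed name. Because the manifest sits in the same directory as the reports, anyone who can rewrite the reports can rewrite the manifest too, so the digest of the manifest itself should be copied off-host (case notes, ticket, signed e-mail) as soon as the run finishes.

```python
"""Write a SHA256 manifest for a report directory and verify it later.
Added example; not code from the STForensicMacOS project."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple

MANIFEST_NAME = "SHA256SUMS.json"  # assumed name, not from the project


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(report_dir: str) -> str:
    """Hash every regular file in report_dir (except the manifest) and record the digests."""
    entries = {}
    for name in sorted(os.listdir(report_dir)):
        path = os.path.join(report_dir, name)
        if name != MANIFEST_NAME and os.path.isfile(path):
            entries[name] = sha256_of(path)
    manifest_path = os.path.join(report_dir, MANIFEST_NAME)
    with open(manifest_path, "w") as fh:
        json.dump({"algorithm": "sha256", "files": entries}, fh, indent=2, sort_keys=True)
    return manifest_path


def verify_manifest(manifest_path: str) -> Tuple[bool, List[str]]:
    """Return (all_ok, problems). Problems: missing, modified and unexpected files."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    report_dir = os.path.dirname(manifest_path)
    problems: List[str] = []
    for name, expected in manifest["files"].items():
        path = os.path.join(report_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
            continue
        if not hmac.compare_digest(sha256_of(path), expected):
            problems.append(f"modified: {name}")
    # Files that appeared after the manifest was written are suspicious too.
    present = {n for n in os.listdir(report_dir) if os.path.isfile(os.path.join(report_dir, n))}
    for name in sorted(present - set(manifest["files"]) - {MANIFEST_NAME}):
        problems.append(f"unexpected: {name}")
    return (not problems, problems)


def demo() -> Dict[str, object]:
    """Constructed run: write a fake report, verify, append one byte, verify again."""
    report_dir = tempfile.mkdtemp(prefix="stf_reports_")
    report = os.path.join(report_dir, "report.json")
    with open(report, "w") as fh:
        json.dump({"module": "system_info", "hostname": "example-mac"}, fh)  # constructed content
    manifest = write_manifest(report_dir)
    ok_before, _ = verify_manifest(manifest)
    with open(report, "a") as fh:
        fh.write("\n")  # even a trailing newline changes the digest
    ok_after, problems = verify_manifest(manifest)
    return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for the comparison out of habit rather than necessity here (the digests are not secrets), but it costs nothing and keeps the verifier correct if the manifest is later extended to carry an HMAC or signature.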

πŸ—οΈ Project Structure

stforensicmacos/
├── main.py                 # Main application
├── requirements.txt        # Python dependencies
├── README.md               # This file
├── LICENSE                 # MIT License
├── .gitignore              # Git ignore rules
├── project_details.json    # Project details
├── roadmap.md              # Development roadmap
├── src/                    # Source code
│   ├── core/               # Core modules
│   │   ├── config.py       # Configuration management
│   │   ├── forensic_engine.py  # Main analysis engine
│   │   └── logger.py       # Logging system
│   ├── modules/            # Forensic modules
│   │   ├── base_module.py
│   │   ├── system_info.py
│   │   ├── filesystem.py
│   │   ├── memory.py
│   │   ├── network.py
│   │   ├── logs.py
│   │   ├── processes.py
│   │   ├── users.py
│   │   └── timeline.py
│   ├── reporters/          # Reporters
│   │   ├── json_reporter.py
│   │   └── html_reporter.py
│   └── utils/              # Helper functions
│       └── helpers.py
├── static/                 # Static files
├── templates/              # HTML templates
└── test_reports/           # Test reports

🤝 Contributing

  1. Fork this repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

πŸ“ License

This project is licensed under the MIT License. See the LICENSE file for details.

⚠️ Disclaimer

This tool is designed for educational and legal forensic analysis purposes only. Users are responsible for complying with local laws and regulations when using this tool.

📞 Contact

πŸ™ Acknowledgments

This project is inspired by the following open source projects:


⭐ Don't forget to star this project if you like it!

About

Comprehensive modular forensic analysis tool for macOS with real-time system analysis, memory forensics, network investigation, and automated HTML/JSON reporting. Features 8 specialized modules for cybersecurity professionals and incident response teams. Forensic macOS
