Some weeks ago I already wrote about information gathering on OSX systems as part of the forensic investigation process.
In my previous post, I suggested OSXCollector as a tool for a "light" forensic acquisition.
Today I'd like to share another suggestion, a Python script named Venator.
Venator is developed and maintained by Richie Cyrus, based on the following requirements:
- No external dependencies
- Out of the box support for macOS systems
- JSON output
- A simple way to tie events back to a system
- Provide data that can be enriched with external sources
Venator is a Python tool that meets the requirements mentioned above and collects the following information into a single JSON file:
- Launch Agents
- Launch Daemons
- Chrome, Firefox, Safari Extensions
- Event Taps (keylogger detection)
- Installed Applications
- Install History
- Bash History
- Environment Variables
- Cron Jobs
- Periodic Scripts
- Current System Connections
- System Information
- Login Items
- System Integrity Protection Status
- Emond Rules
When you execute Venator for the first time, you’ll notice that it requires elevated privileges in order to run. This is needed to parse several artifacts for completeness. In addition, logic is built into the tool such that, if System Integrity Protection is disabled, System Launch Agents, Daemons and Kexts (Kernel Extensions) will be parsed.
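To show what a collector built on those requirements looks like (standard library only, JSON records tagged with the hostname, /System locations parsed only when SIP is disabled), here is an added example. It is not Venator's own code; the plist, the `csrutil status` text and the function names are constructed for illustration.

```python
import json
import plistlib
import socket

# Constructed sample: a user LaunchAgent plist as it would sit on disk.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>~/Library/.u/run.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample of what `csrutil status` prints on a host with SIP off.
SAMPLE_CSRUTIL = "System Integrity Protection status: disabled.\n"

def parse_sip_status(csrutil_output):
    """True/False for SIP enabled/disabled, None if the status line is missing."""
    for line in csrutil_output.splitlines():
        if line.startswith("System Integrity Protection status:"):
            value = line.split(":", 1)[1].strip().rstrip(".").lower()
            return value == "enabled"
    return None

def launch_item_dirs(sip_enabled, home):
    """Directories to walk; /System paths are added only when SIP is disabled,
    mirroring the tool's logic, since SIP otherwise protects them from tampering."""
    dirs = ["/Library/LaunchAgents", "/Library/LaunchDaemons", home + "/Library/LaunchAgents"]
    if sip_enabled is False:
        dirs += ["/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
                 "/System/Library/Extensions"]
    return dirs

def parse_launch_item(plist_bytes, path, hostname):
    """Flatten one LaunchAgent/Daemon plist into a JSON-ready record tied to a host."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    return {
        "hostname": hostname,            # ties the event back to a system
        "artifact": "launch_item",
        "path": path,
        "label": data.get("Label"),
        "program": data.get("Program") or (args[0] if args else None),
        "program_arguments": args,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }

def to_json_lines(records):
    """One JSON object per line, ready for enrichment or SIEM ingestion."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

if __name__ == "__main__":
    host = socket.gethostname()
    print("SIP enabled:", parse_sip_status(SAMPLE_CSRUTIL))
    print(to_json_lines([parse_launch_item(
        SAMPLE_AGENT_PLIST, "/Users/alice/Library/LaunchAgents/com.example.updater.plist", host)]))
```

On a real host the plist bytes would come from reading each file under `launch_item_dirs(...)`, and the `csrutil status` text from running that command; the records above are what you would then review for unexpected labels or programs.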