Venator: information gathering on OSX systems
Some weeks ago I wrote about information gathering on OSX systems as part of the forensic investigation process.
In that post I suggested OSXCollector as a tool for a "light" forensic acquisition.
Today I'd like to share another suggestion, a second Python script named Venator.
Venator is developed and maintained by Richie Cyrus and was designed around the following requirements:
- No external dependencies
- Out of the box support for macOS systems
- JSON output
- A simple way to tie events back to a system
- Provide data that can be enriched with external sources
Venator is a Python tool that meets the requirements listed above while collecting the following information into a single JSON file (the identifier after each item is the name used for that artifact in the output):
- Launch Agents (launch_agents)
- Launch Daemons (launch_daemons)
- Chrome, Firefox, Safari Extensions (chrome_extensions, firefox_extensions, safari_extensions)
- Event Taps, for keylogger detection (event_taps)
- Installed Applications (applications)
- Install History (install_history)
- Bash History (bash_history)
- Environment Variables (environment_variables)
- Cron Jobs (cron_jobs)
- Periodic Scripts (periodic_scripts)
- Current System Connections (established_connections)
- System Information (system_info)
- Login Items (login_items)
- Gatekeeper (gatekeeper_status)
- System Integrity Protection Status (sip_status)
- Emond Rules (emond_rules)
When you execute Venator for the first time, you’ll notice that it requires elevated privileges in order to run. This is needed to parse several artifacts for completeness. In addition, logic is built into the tool such that, if System Integrity Protection is disabled, System Launch Agents, Daemons and Kexts (Kernel Extensions) will be parsed.
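To illustrate what a dependency-free collector of this kind does for one of the artifacts above, here is an added example (my own code, not Venator's) that enumerates launchd agents and daemons from their standard directories, flattens each plist into a JSON-friendly record tagged with the hostname so it can be tied back to the system, and keeps unreadable files as error records instead of dropping them. The directory list, record layout and the sample plist are constructed for the example.

```python
import json
import os
import plistlib
import socket
from datetime import datetime, timezone
from pathlib import Path

# Constructed directory list: standard launchd locations for user and system items.
LAUNCH_DIRS = {
    "launch_agents": [Path("/Library/LaunchAgents"), Path(os.path.expanduser("~/Library/LaunchAgents"))],
    "launch_daemons": [Path("/Library/LaunchDaemons")],
}

def parse_launch_plist(raw: bytes, path: str, artifact: str, host: str) -> dict:
    """Normalise one launchd plist into a flat, JSON-friendly record."""
    plist = plistlib.loads(raw)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "hostname": host,          # ties the record back to the system it came from
        "artifact": artifact,      # same artifact names as in the list above
        "path": path,
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }

def collect_launch_items(dirs=LAUNCH_DIRS, host=None) -> list:
    """Walk the launchd directories and return one record per plist, errors included."""
    host = host or socket.gethostname()
    records = []
    for artifact, paths in dirs.items():
        for d in paths:
            for f in sorted(d.glob("*.plist")) if d.is_dir() else []:
                try:
                    records.append(parse_launch_plist(f.read_bytes(), str(f), artifact, host))
                except (plistlib.InvalidFileException, OSError) as exc:
                    records.append({"hostname": host, "artifact": artifact, "path": str(f), "error": str(exc)})
    return records

# Constructed sample: a user LaunchAgent that keeps a helper script running after login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/Shared/updater.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(json.dumps(parse_launch_plist(SAMPLE_PLIST, "sample.plist", "launch_agents", "demo-mac"), indent=2))
```

On a live system `collect_launch_items()` needs read access to the directories it walks, which is the same reason Venator asks for elevated privileges.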