Some weeks ago I've already written about information gathering on OSX systems, related to the forensic investigation process.

In my previous post, I've suggested OSXCollector as tool for a "light" forensic aquisition.

Today I'd like to share another suggestion, another python script named Venator.

Venator is developed and maintained by Richie Cyrus starting from some requirements:

  • No external dependencies
  • Out of the box support for macOS systems
  • JSON output
  • A simple way to tie events back to a system
  • Provide data that can be enriched with external sources

Venator is a Python tool that meets the requirements mentioned above, all while collecting the following information stored in a single JSON file:

  • Launch Agents launch_agents
  • Launch Daemonslaunch_daemons
  • Chrome, Firefox, Safari Extensions chrome_extensions firefox_extensions safari_extensions
  • Event Taps (keylogger detection) event_taps
  • Installed Applications applications
  • Install History install_history
  • Bash History bash_history
  • Environment Variables environment_variables
  • Cron Jobs cron_jobs
  • Periodic Scripts periodic_scripts
  • Current System Connections established_connections
  • System Information system_info
  • Login Items login_items
  • Gatekeeper gatekeeper_status
  • System Integrity Protection Status sip_status
  • Emond Rules emond_rules

When you execute Venator for the first time, you’ll notice that it requires elevated privileges in order to run. This is needed to parse several artifacts for completeness. In addition, logic is built into the tool such that, if System Integrity Protection is disabled, System Launch Agents, Daemons and Kexts (Kernel Extensions) will be parsed.