// artifact family
macos forensics
9 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.
tools in this family
ordered as in the forensics catalog. every tool runs locally — no upload, no account.
- macos plist analyzer: drop any plist file · binary and xml format · parse all types · launchagent daemon detection · preference files · runs locally
- macos launch agent daemon analyzer: drop launchagent or launchdaemon plist files · parse all · persistence map · flag suspicious · command extraction · runs locally
- macos quarantine database analyzer: drop quarantine events sqlite database · files downloaded from internet · original urls · download dates · source applications · runs locally
- macos fsevents analyzer: drop fseventsd files · filesystem activity · file create modify delete rename · timeline · path filter · runs locally
- macos quarantine events parser: drop macOS QuarantineEventsV2 SQLite · parse downloaded files · origin URLs · Gatekeeper events · timestamps · export CSV · runs locally
- hfs+ parser: drop .img/.dd partition · volume header · catalog B-tree · file paths · deleted orphans · mac HFS time · csv json export · runs locally
- macos tcc database forensic analyzer: drop tcc.db sqlite · camera mic screen contacts calendar permissions · sensitive grants · csv export · runs locally
- macos unified log forensic parser: drop log show csv or text export · subsystems and processes · auth and launch events · security timeline · csv export · runs locally
- macos spotlight metadata forensic analyzer: drop spotlight metadata exports or mds_stores database exports · extract file metadata indexed by spotlight · surface files that existed even if deleted · document metadata · author information · runs locally