Releases: ydkhatri/mac_apt
20210506
Changes in this release
- Support for Graykey extracted filesystem (only /private/var)
- Add parsing of com.apple.wifi.known-networks.plist
- Add parsing of wifi backup plist com.apple.airport.preferences.plist.backup
- Add tab closed date to Safari LastSession output
- Fixed another bug that prevented APFS decryption on some disks, caused by not checking UUIDs when searching for the Volume Keybag
- Fixed minor bug with Safari plugin for iOS
- Fixed bug with ios_apt app_group parsing
20210228
Changes in this release
- Add option for specifying the password in a file (-pf), because passwords on the command line that contain special characters like \ or ^ cause problems
- Fixed a bug that prevented APFS decryption on some disks
- Skip reading deleted APFS blocks to prevent stale/bad data
- Fixed a bug in iDeviceBackups plugin
20210210
Changes in this release
- Code updated for Python 3.9; Windows dependency libraries compiled for 3.9 (a lot faster than previous Python versions!)
- .sparseimage files created by RECON (by Sumuri) are now supported
- Add CloudTabs, BrowserState.db parsing to SAFARI
- Fixes exported folder structure for idevicebackups
- Show iMessage alias (if used)
- Better APFS parsing, completely re-coded reading the file system tree structure
20201228
Changes in this release
- Introducing ios_apt - parses iOS full disk images
- ios_apt plugins - APPS, BASICINFO, FSEVENTS, INETACOUNTS, NETUSAGE, NETWORKING, SAFARI, SCREENTIME, SPOTLIGHT, TERMSESSIONS, WIFI
- Support for iOS 14 artifacts
- Improved support for Big Sur (macOS 11) Sealed volumes
- Python 3.8 compiled libraries for Windows available
- Adds full support for decrypting FileVault when HFS upgraded to APFS
- Safari binarycookie parsing for Big Sur (new location)
- Add views for Spotlight iOS db output, removing empty columns
- Spotlight table's ID column is now hex, and a new column for reverse id for iOS Spotlight

Pre-compiled executables (no Python needed) are available below for Windows
20201205
20200917
This version has many incremental updates and minor bug fixes to several modules. New plugins (since the last stable release) are:
- SAVEDSTATE (Gets window titles from Saved Application State info)
- CHROME
- ARD (Apple Remote Desktop artifacts)
- DOCUMENTREVISIONS (Thanks @nicoleibrahim)

Significant improvements/additions:
- Mounted mode made better and bugs fixed
- Encryption support improved
- Domain user info enumeration improved (when running MOUNTED mode on Windows)
- Compatibility with X-Ways emulated volume (for running with MOUNTED mode in Windows)
- Big Sur (macOS 11.0)
  - Sealed volumes support added
  - Some artifact locations updated
- ZSH sessions parsed
20200625
This is a temporary development release that adds a workaround for an issue with MOUNTED mode. It should now work with disks mounted with X-Ways Forensics' "Mount as Drive Letter" option, working around Python issues with XWF mounted files.
20200620
This is a temporary development release. For the latest stable release, get version 0.6. This fixes issues identified in MOUNTED mode.
20200609
This is a temporary development release, which fixes bugs identified in 0.6. It also adds the following new plugins:
- SAVEDSTATE
- CHROME
- ARD
20200529
Changes in this release
- 🔓 APFS encryption support added, encrypted volumes can be processed by providing password/recovery-key
- FAST mode, which skips plugins IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
- BASHSESSIONS renamed to TERMSESSIONS (it reads zsh history too)
- Better HFS parsing, and reading of large files
- Support for Maquisition created T2 AFF4 images (finally!)
- Export_log is now an SQLite db instead of a CSV file
- FSEVENTS plugin is now a lot faster
- Better exception handling, script should halt on Ctrl-C now
- Bugfixes, improvements in other plugins - QUICKLOOK, IMESSAGE, COOKIES, SPOTLIGHT, UNIFIEDLOGS