Interpreting output
When the program is running, you will get a running log on the console. Once finished, browse to the output folder to find the following files. Actual list of folders/files may differ depending on plugins run and output format(s) specified. For instance if you have an APFS disk image, then another database file is created at the root of the output folder that contains APFS metadata.
ElCap_output/
├── Export
│ ├── Export_Files_Log.csv
│ ├── BASHSESSIONS
│ ├── BASICINFO
│ ├── NOTIFICATIONS
│ │ ├── admin_db
│ │ ├── bob_db
│ │ └── alice_db
│ └── ...
├── Log.20180206-193019.txt
├── mac_apt.db
└── mac_apt.xlsx
| File/Folder | Description |
|---|---|
| Export | This folder contains all files exported (copied) from the evidence image. Typically any file processed by a plugin is exported for manual review. The Export_Files_Log.csv file in this folder provides information (metadata) about all exported items. Items exported may have their names altered due to file system limitations and/or to avoid name collisions. A common theme most plugins follow is to rename files by attaching the profile name as prefix when the same filename is likely to be present under multiple profiles. |
| Log.DATETIME.txt | This is the same information seen on the console when mac_apt is run. To change the log level use the -l LOG_LEVEL command. Default log level (when not specified) is INFO |
| mac_apt.FORMAT | These are the output reports. Output formats can be Excel (.xlsx), Sqlite (.db) or CSV (.csv). Sqlite is the default and is always present. |
The excel report contains a single tab for Disk information and then one (or more) for each plugin (if the plugin has data to show).
If you aren't familiar with sqlite databases, consider using DB Browser for SQLite to view the output file mac_apt.db.
The sqlite database report contains a single table for Disk information and then one (or more) table for each plugin run (if the plugin has data to show).
- When using running mac_apt_artifact_only.py, output will be formatted the same.
- If the image provided is not a full disk image and only contains a single volume, the Disk Information tab/table will not be present.