Releases: ydkhatri/mac_apt
20200426
Changes in this release
- New Plugins - SCREENTIME, QUICKLOOK, TERMINALSTATE, APPLIST, COOKIES
- Compatibility with macOS 10.15 separate System & Data volumes
- New launcher script for processing separate mounted volumes - mac_apt_mounted_sys_data.py
- Better disk space reporting for APFS & HFS
- Added AFF4 support
- FSEVENTS now works for iOS
- BootVolume Spotlight parsing for Catalina
- Add ssh known_hosts to RECENTITEMS
- Add zsh history to BASHSESSIONS
- Added column for recent_app in DOCKITEMS
- Bug Fixes and improvements in SPOTLIGHT, UNIFIEDLOGS
Pre-compiled executables/bundles (no Python needed) are available below for Windows & macOS. For macOS, there is an alternate version (0.5a) compiled with a different libewf (pyewf); use it only if you are having problems with the 0.5 version.
macOS bundles temporarily removed till I figure out a packaging mechanism that actually works!
In the meantime, try running from code using the install script: https://github.com/ydkhatri/mac_apt/wiki/Installation-for-Python3.7#macos-osx
20190816
Changes in this release
- Bugfixes in Plugins - Printjobs, iDeviceInfo, Wifi
- Adds the following to the RecentItems plugin:
  - Reads FileCreatedDates from APP.securebookmarks.plist
  - Gets Mounted dev/vol name from userglobalpref plist
  - Adds LastSaveFilePathBookmark parsing
- Better exception handling in some places
- Now gracefully handles file open failure in MOUNTED mode (due to lacking permissions)
Pre-compiled executables (no Python needed) are available below for Windows & macOS.
The *.app.zip files are for macOS only!
20190720
Changes in this release
- Transition to python3
- New plugins - FSEVENTS, SPOTLIGHT, MSOFFICE, UNIFIEDLOGS, AUTOSTART, IDEVICEINFO
- Added ability to process VMDK disk images
- RecentItems now reads SFL2 files
- API for reading XATTR on APFS & HFS
- mac_apt_singleplugin is renamed to mac_apt_artifact_only
- Lots of changes under the hood for APFS handling:
  - enumerating files/folders is now several times faster
  - encrypted volumes are detected properly now
  - exporting or opening very large files is now supported
  - now handles dirty APFS volume mounting using checkpoint processing
  - disk processing is more robust now, less crash prone now!
- Fixed Bash sessions bug, not retrieving data from .historynew files
- Fixed a bug with MOUNTED mode
- Basicinfo now gets vol info on vol-only images
- Minor bug fixes to several plugins
Pre-compiled executables (no Python needed) are available below. macOS compiled version coming soon.
20180606
Compiled exes for Windows
Compiled bundle for macOS (on 10.10) <-- Try this first
Compiled bundle for macOS (on 10.13) <-- If the above does not work for you, try this
Changes in this release
- New plugins - iMessage, iNetAccounts, Quarantine, NetUsage
- Add support for High Sierra's notifications (db2)
- Added FrequentlyVisitedSitesCache, NSNavLastRootDirectory & RecentlyClosedTabs.plist parsing to SAFARI plugin
- Added GotoFieldHistory, RecentMoveCopyDestinations, BulkRename settings to RECENTITEMS plugin
- Added detection of encrypted volumes and user friendly message
- More documentation on wiki!
- Native HFS parser made default, processing is much faster!
- Fixed Bash sessions exception on some binary UTF8 strings
- Fixed bugs with MOUNTED option, added more support for mounted disk parsing
- Fixed Notes bugs - 'table missing' bug for High Sierra, long notes related bug
- Excel sheet with > 1 million records is now handled correctly
- Several minor fixes
20171230
Compiled bundle for macOS (on 10.10) <-- Use this one first
Compiled bundle for macOS (on 10.13 - high sierra) <-- If the above does not work for you, try this
Changes in this release
- Minor Bug fixes
- This release is only to fix a bug with the Notes plugin that caused unpredictable behavior on OSX as the artifact source file was extracted but deleted before or during processing
- Instructions for macOS installation are now on the wiki
20171225
Changes in this version
- Ships with compiled windows executables (no need to install python)!
- New plugin - Notes
- Fixes a minor bug with mac_apt_singleplugin that prevented it from running in last release
- PRINTJOBS plugin can be used with singleplugin mode now
- Negative dates in RECENTITEMS are parsed correctly now
- APFS volumes database now has GUID in its name, so if you re-run the script in the same folder, it will not parse the filesystem all over again.
20171207
The big feature in this update is APFS support. mac_apt can now read APFS volumes and parse High Sierra images. Encryption is not supported yet.
New Features
- APFS support added, we can parse APFS containers and volumes now
- New plugin - PrintJobs
- Retrieves deleted users
- Retrieves default user's password if 'autologon' was enabled
- Sidebarlists plist is now parsed & Alias v3 parsing added
- Vol created dates are now extracted from FXDesktopVolumePositions
- Better ALIAS v2 parsing, new Info column in RecentItems output
20170902
Changes in this version
- Added new plugin BASHSESSIONS that parses bash_sessions and bash_history
- Added processing of 'finder' plist to RECENTITEMS plugin
- More user data is parsed (account policy data such as creation date, last password set date, password hint, ...)
- Minor bug fixes
20170827
First release