Macintosh Forensic Software


First Responder

RAM Capture

iOS Apps

Imaging and Disk Arbitration Control
  • BlackBag Technologies MacQuisition - imaging and incident response of Intel and PPC Macs in one solution
  • BlackBag Technologies SoftBlock - Disk Arbitration control at the kernel level allowing for internal and external media control
  • Disk Arbitrator - from Aaron Burghardt, “Disk Arbitrator continuously monitors for disks to appear and disappear and tracks the disks in the main window. When a new disk is attached, the system notifies Disk Arbitrator and gives it a chance to reject mounting of a disk volume”.
  • Evidence Collector - our latest tool for safe collection of single folders on a Mac
  • FTK Imager for Mac GUI - this is the FTK Imager by AccessData with a Graphical User Interface added to it. It is in beta now. Please read the included notes before using.
  • MacOSXForensics Imager Release Candidate 2.1! Image physical devices in the Encase or FTK format. MD5 and SHA1 hash support. See the Read Me file for complete documentation.
  • Paladin, an Ubuntu based LiveCD for Mac and PC with imaging and analytical tools included
  • DCFLDD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
  • DC3DD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
  • FTK Imager - Windows only but recognizes HFS+ file format and is free
  • FTK Imager CLI for Macintosh - command line version of Access Data’s Imager software available for OS X
  • MacForensicsLab Write Controller - disk arbitration control

Virtual Machine
  • VMware Fusion, virtualize multiple operating systems including Mac OS X 10.5 Server
  • Nova Development Parallels, virtualize multiple operating systems including Mac OS X 10.5 Server
  • Sun VirtualBox, virtualize multiple operating systems for free, will not run Mac OS X 10.5 Server
  • VMWare vCenter Converter, a new free product from VMWare that allows you to convert physical Windows and Linux machines as well as images to other formats into virtual machines.

  • NSMonitor - utility that combines the live tracking of File System events, Network events, sockets, files, IORegistry, and others.
  • Wireshark - packet sniffing
  • F-Response TACTICAL - remote acquisition and analysis of Macs (and other platforms)
  • Dropbox Reader - free utility to analyze Dropbox evidence on the local machine
  • MacForensicsLab Web Agent - Cross-platform forensic web crawler

iOS Devices
see our page iOS Device Analysis Tools page for the most up to date information

  • DaveGrohl - optimized OS X 10.7 and later hash cracking, built to run on OS X
  • Passware Kit v11 - login password and Keychain stored passwords among other features
  • John the Ripper, free software to attach several different hashes including the OS X salted SHA-1(scroll down to the specific Mac build so you don’t have to compile)
  • HashCat, free software that uses the CPU and GPU
  • crowbarKC, a free utility to dictionary attack a Keychain file
  • crowbarDMG, a free utility to dictionary attack DMG, sparseimage, and sparsebundle file types
  • Mike’s Forensic Tools - Mike Harrison has a website with some great tools, namely a password cracker and SpotLight query tool.
  • FileVault 2 mounting - open source code to mount FIleVault 2 encrypted volumes

Memory/RAM Analysis
  • MacQuisition - imaging of RAM on a live Mac as well as “soft boot” ability to capture most of RAM when admin password isn’t known
  • Mac Memory Reader - ATC-NY has released the singular function from Mac Marshal of gather RAM of a live Mac to the community for free
  • “volafox” a.k.a “Memory Analyzer for Mac OS X” - volafox is a python 2.5 application that will analyze images of Macintosh RAM. This utility is free.

Image Analysis
  • MacForensicsLab Field Agent, free for law enforcement, application to locate images using flesh tone analysis, available on Mac, Windows, and Linux
  • File Juicer, extract images and many other file types from a given source with this great utility by Echo One
  • Exiftool, a free utility to extract EXIF data from a huge list of file types by Phil Harvey.
  • Exif Data Dump, an Automator Action based on Exiftool by George Starcher that will turn Exif data gathering into a one step action

Image Capture

Hex Editors
  • iBored, a free hex editor for disk sectors written by Thomas Tempelmann
  • 0xED is a native, Cocoa based Hex Editor by SuaveTech
  • Synalyze It! and Synalyze It! Pro, a hex editor with custom views, grammar, printing, and searching

  • EasyFind - DEVON Technologies free search utility
  • Find Any File - free utility from Thomas Tempelmann to search entire volumes
  • MacForensicsLab Social - Social Agent™ is designed to get evidence from chats, private messages, and blog activity on Facebook (and other) social networking websites

  • ThumbsUp - DEVON Technologies free utility to generate thumbnails of images
  • MacOSXForensics MetaData Extractor - utility to extract metadata from any file(s) and also plot the lat/long on a Google map if available

Email & Internet
  • Internet Evidence Finder v6 - Windows based tool that supports many OS X specific data artifacts
  • Emailchemy - Weird Kid Software Products
  • TNEF, a free utility to decode WINMAIL.DAT email attachments by Josh Jacob
  • SafariCacheView, a Windows based utility to read and extract data from the Safari cache.db

  • MacTracker - a complete and up-to-date database of all Apple hardware produced since the day they became a company. Excellent reference.


Always check out our
Files section for the latest in FREE tools from this site.