MCP (Model Context Protocol) server for macOS Digital Forensics and Incident Response (DFIR).
This MCP server provides structured forensic analysis tools for macOS triage collections, reducing context overhead when investigating incidents with LLMs.
Key Benefits:
- Structured queries instead of raw grep through massive files
- Automatic timestamp normalization (Mac Absolute Time → UTC)
- Pre-built security event detection patterns
- Cross-artifact correlation and timeline building
- Pagination to avoid context overflow
- Artifact discovery to know what's available
23 tools covering: Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.
```bash
cd /opt/macOS/mac_forensics-mcp

# Create virtual environment and install dependencies
uv venv
uv pip install -e .
```

Register the server with the `claude` CLI:

```bash
# Add to user settings (available in all projects)
claude mcp add mac-forensics -s user -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.server

# Or add to current project only
claude mcp add mac-forensics -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.server
```

To verify it was added:

```bash
claude mcp list
```

To remove:

```bash
claude mcp remove mac-forensics -s user
```

Alternatively, add the server to `~/.claude/settings.json` (user-level) or `.claude/settings.json` (project-level):
```json
{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
      "args": ["-m", "mac_forensics_mcp.server"],
      "env": {}
    }
  }
}
```

| Tool | Description |
|---|---|
| mac_list_artifacts | Discover available artifacts in a triage collection |
| Tool | Description |
|---|---|
| mac_unified_logs_search | Search logs with regex, filters, time range |
| mac_unified_logs_security_events | Get pre-defined security events (user_created, ssh_session, etc.) |
| mac_unified_logs_stats | Get log statistics: time range, top subsystems |

| Tool | Description |
|---|---|
| mac_plist_read | Read and parse plist, optionally extract key path |
| mac_plist_search | Search for keys matching pattern |
| mac_plist_timestamps | Extract all timestamp values with UTC conversion |

| Tool | Description |
|---|---|
| mac_knowledgec_app_usage | App usage from KnowledgeC.db |
| mac_safari_history | Safari browsing history |
| mac_safari_searches | Extract search queries from Safari |
| mac_tcc_permissions | TCC permissions (camera, mic, screen recording) |
| mac_quarantine_events | File download history |

| Tool | Description |
|---|---|
| mac_get_user_accounts | List users including deleted accounts |
| mac_get_user_timeline | Build timeline for specific user account |

| Tool | Description |
|---|---|
| mac_fsevents_search | Search file system events (create, delete, modify, rename) |
| mac_fsevents_stats | Get FSEvents statistics |

| Tool | Description |
|---|---|
| mac_get_extended_attributes | Get xattr for file (quarantine, download URL, etc.) |
| mac_spotlight_search | Search Spotlight index for file metadata |
| mac_spotlight_stats | Get Spotlight index statistics |

| Tool | Description |
|---|---|
| mac_parse_fsck_apfs_log | Parse fsck_apfs.log for volume creation, external devices, anti-forensics |
| mac_fsck_apfs_stats | Get fsck_apfs.log statistics: devices, volumes, time range |

| Tool | Description |
|---|---|
| mac_build_timeline | Build unified timeline from multiple artifacts |
| mac_investigate_event | Deep investigation with evidence correlation |
The mac_unified_logs_security_events tool supports these event types:

| Event Type | Description |
|---|---|
| user_created | User account creation |
| user_deleted | User account deletion |
| user_modified | User account changes |
| ssh_session | SSH connections |
| sudo_usage | Sudo command execution |
| auth_success | Successful authentication |
| auth_failure | Failed authentication |
| process_exec | Process execution |
| gatekeeper | Gatekeeper/quarantine events |
| tcc_prompt | TCC permission prompts |
| login | User login |
| logout | User logout |
| screen_lock | Screen lock events |
| screen_unlock | Screen unlock events |
| remote_login | Remote Login service |
| persistence | Persistence mechanisms |
The mac_investigate_event tool supports deep investigation of these event types:

| Event Type | Description |
|---|---|
| user_deletion | Investigate user account deletion with timeline and evidence correlation |
| user_creation | Investigate user account creation |
| file_download | Investigate file downloads (quarantine, xattr, browser history) |
| ssh_session | Investigate SSH session activity |
| malware_execution | Investigate potential malware execution |
| privilege_escalation | Investigate privilege escalation attempts |
```python
# Discover which artifacts the triage collection contains
mac_list_artifacts(artifacts_dir="/path/to/triage")

# Pull pre-defined user-deletion events from the unified logs
mac_unified_logs_security_events(
    log_path="/path/to/unified_logs.csv",
    event_type="user_deleted"
)

# Deep investigation of a user deletion, correlating evidence across artifacts
mac_investigate_event(
    artifacts_dir="/path/to/triage",
    event_type="user_deletion",
    target="username"
)

# Safari search queries matching a filter term
mac_safari_searches(
    db_path="/path/to/History.db",
    query_filter="delete"
)

# Read a single key path from a plist
mac_plist_read(
    plist_path="/path/to/com.apple.preferences.accounts.plist",
    key_path="deletedUsers"
)

# External devices only from fsck_apfs.log
mac_parse_fsck_apfs_log(
    log_path="/path/to/fsck_apfs.log",
    external_only=True
)

# Filter fsck_apfs.log entries to a specific volume
mac_parse_fsck_apfs_log(
    log_path="/path/to/fsck_apfs.log",
    volume_filter="suspicious_volume"
)

# Timeline for one user account
mac_get_user_timeline(
    artifacts_dir="/path/to/triage",
    username="username"
)

# File system events under a user's home directory
mac_fsevents_search(
    fseventsd_path="/path/to/.fseventsd",
    path_filter="/Users/username",
    event_types=["created", "deleted"]
)
```

External forensic tools can be configured via environment variables. If a variable is not set, the tool path defaults to a location under /opt/macOS/.
| Environment Variable | Default | Description |
|---|---|---|
| MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH | /opt/macOS/unifiedlog_iterator | Path to unifiedlog_iterator binary |
| MAC_FORENSICS_FSEPARSER_PATH | /opt/macOS/FSEventsParser/FSEParser_V4.1.py | Path to FSEParser script |
| MAC_FORENSICS_SPOTLIGHT_PARSER_PATH | /opt/macOS/spotlight_parser/spotlight_parser.py | Path to spotlight_parser script |
Example with custom paths:
```json
{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
      "args": ["-m", "mac_forensics_mcp.server"],
      "env": {
        "MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH": "/custom/path/unifiedlog_iterator",
        "MAC_FORENSICS_FSEPARSER_PATH": "/custom/path/FSEParser.py",
        "MAC_FORENSICS_SPOTLIGHT_PARSER_PATH": "/custom/path/spotlight_parser.py"
      }
    }
  }
}
```

- Python 3.10+
- uv (for virtual environment and package management)
- mcp >= 1.0.0
- biplist (optional, for malformed plists)

External tools (optional, for parsing raw artifacts):

- unifiedlog_iterator - for parsing .logarchive bundles
- FSEParser - for parsing FSEvents (.fseventsd)
- spotlight_parser - for parsing Spotlight indexes
```
mac_forensics_mcp/
├── server.py                     # MCP server and tool definitions
├── config.py                     # Configurable external tool paths
├── parsers/
│   ├── plist_parser.py           # Plist file parsing
│   ├── unified_log_parser.py     # Unified log analysis
│   ├── sqlite_parser.py          # SQLite databases (KnowledgeC, Safari, TCC)
│   ├── fsevents_parser.py        # FSEvents parsing
│   ├── spotlight_parser.py       # Spotlight index parsing
│   ├── xattr_parser.py           # Extended attributes parsing
│   └── fsck_apfs_parser.py       # fsck_apfs.log parsing
├── correlation/
│   ├── timeline_builder.py       # Cross-artifact timeline correlation
│   └── event_investigator.py     # Event-specific investigation
└── utils/
    ├── timestamps.py             # Mac/WebKit/HFS timestamp conversion
    └── discovery.py              # Artifact discovery
```
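The timestamp normalization listed under Key Benefits and handled by `utils/timestamps.py` covers three epochs that appear in macOS artifacts. The following is an added illustration written for this README, not the project's own module: it converts Mac Absolute, WebKit and HFS+ values to one ISO 8601 UTC string so events from different artifacts sort together. The nanosecond-detection threshold is an assumption, not a rule taken from the project.

```python
from datetime import datetime, timedelta, timezone

# Epochs of the three timestamp formats found in macOS artifacts, all in UTC.
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Cocoa/Core Data time
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # WebKit/Chrome time
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)           # HFS+ time

# Assumption (not from the project): a Mac Absolute value whose magnitude exceeds
# this is stored in nanoseconds rather than seconds; 1e10 seconds would be year 2317.
NANOSECOND_THRESHOLD = 1e10


def mac_absolute_to_utc(value: float) -> datetime:
    """Mac Absolute Time: seconds since 2001-01-01 UTC (KnowledgeC, TCC, plists)."""
    if abs(value) > NANOSECOND_THRESHOLD:
        value = value / 1e9
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=value)


def webkit_to_utc(value: int) -> datetime:
    """WebKit time: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def hfs_to_utc(value: int) -> datetime:
    """HFS+ time: seconds since 1904-01-01 UTC."""
    return HFS_EPOCH + timedelta(seconds=value)


CONVERTERS = {
    "mac_absolute": mac_absolute_to_utc,
    "webkit": webkit_to_utc,
    "hfs": hfs_to_utc,
    "unix": lambda v: datetime.fromtimestamp(v, tz=timezone.utc),
}


def normalize_timestamp(value: float, fmt: str) -> str:
    """Return an ISO 8601 UTC string so timestamps from any artifact compare directly."""
    if fmt not in CONVERTERS:
        raise ValueError(f"unknown timestamp format: {fmt}")
    return CONVERTERS[fmt](value).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


if __name__ == "__main__":
    # Constructed sample values: each is the Unix epoch expressed in its own format.
    for fmt, raw in [("mac_absolute", -978307200), ("webkit", 11644473600000000),
                     ("hfs", 2082844800), ("unix", 0)]:
        print(fmt, raw, "->", normalize_timestamp(raw, fmt))
```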
This MCP server was developed based on real-world macOS DFIR investigations. Key forensic capabilities:
| Capability | Tools |
|---|---|
| User account forensics | mac_get_user_accounts, mac_get_user_timeline, mac_investigate_event |
| File activity tracking | mac_fsevents_search, mac_spotlight_search |
| Download analysis | mac_quarantine_events, mac_get_extended_attributes |
| Security event detection | mac_unified_logs_security_events |
| External device detection | mac_parse_fsck_apfs_log |
| Cross-artifact correlation | mac_build_timeline, mac_investigate_event |
- SANS FOR518 Poster
- mac4n6 Artifacts Spreadsheet
- SUMURI Mac Forensics Best Practices Guide 2025
- Google Cloud - Reviewing macOS Unified Logs
Based on lessons learned from macOS DFIR investigations. Additional tools and event patterns welcome.
xtk
Built for the DFIR community.