Question 1

How do I run OSXCollector on a disk image?

Accepted Answer

Use the `-p` option to set the root path, e.g., `sudo osxcollector.py -p '/mnt/powned'`, as shown in the README. This allows collection from mounted disk images for offline forensic analysis.

Question 2

Can OSXCollector collect browser cookies and local storage?

Accepted Answer

Yes, but by default it omits this sensitive data. Enable collection with the `-c` flag for cookies and `-l` for local storage, though be cautious of privacy implications as noted in the options section.

Question 3

OSXCollector vs osquery for macOS forensics?

Accepted Answer

OSXCollector is a single-script tool for one-time forensic collection post-incident, while osquery provides real-time SQL-based monitoring and analytics. Choose OSXCollector for deep-dive evidence gathering and osquery for continuous system instrumentation.

Question 4

What tools can I use to analyze OSXCollector output?

Accepted Answer

For manual analysis, use grep for timestamps and jq for JSON parsing, as demonstrated in the README. For automated analysis, integrate with the OSXCollector Output Filters project to process and highlight suspicious data.

Question 5

Is OSXCollector good for automated incident response pipelines?

Accepted Answer

It can be scripted for collection, but for full automation, you need to pair it with external filters or scripts. The output is structured JSON, making it integrable, but it lacks built-in alerting or orchestration features.

Question 6

Does OSXCollector work on newer macOS versions?

Accepted Answer

It should, as it relies on standard OS X libraries and Python bindings, but compatibility isn't guaranteed for all future updates. Check the README and community resources for any version-specific issues or forks.

Question 7

How to collect only specific data like startup items?

Accepted Answer

Use the `-s` option with section names, e.g., `sudo osxcollector.py -s 'startup'`, to limit collection. The README lists all available sections and subsections for precise control.

OSX Collector

What is OSX Collector?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions