Mac Forensics MCP

The macOS Digital Forensics and Incident Response MCP Server provides 23 structured forensics analysis tools, supporting cross - evidence correlation analysis of unified logs, file system events, user activities, etc., to help investigators efficiently conduct macOS incident investigations.

Security Operating system automation #macOS Forensics #Incident Response #Log Analysis #Evidence Correlation .Python

rating : 2.5 points

downloads : 0

update time : 2026-03-13

Open Site

What is the macOS Digital Forensics MCP Server?

This is an MCP server specifically designed for macOS system digital forensics and incident response (DFIR). It converts complex macOS forensics data (such as system logs, file system events, user activity records, etc.) into a structured query interface, allowing investigators to quickly obtain key evidence through simple queries without manually parsing a large number of raw data files.

How to use the macOS Digital Forensics MCP Server?

After installation and configuration, you can directly query macOS forensics data through AI assistants that support the MCP protocol, such as Claude. Simply provide the path to the forensics data directory, and you can use 23 dedicated tools for analysis, including searching for security events, building timelines, and analyzing user activities.

Use Cases

It is suitable for scenarios such as security incident investigations, internal threat detection, compliance audits, and malware analysis. It is particularly suitable for security teams and forensics analysts who need to quickly analyze macOS system activities, track user behavior, and detect abnormal activities.

Main Features

Unified Log Analysis

Automatically parse the macOS unified log system and provide predefined security event detection patterns, such as user creation, SSH sessions, and privilege escalation.

Timeline Construction

Automatically build a unified timeline from multiple forensics data sources (logs, file system events, databases) to show the sequence of events.

User Activity Analysis

Track all activities of a specific user, including logins/logouts, file access, application usage, and network activities.

File System Forensics

Analyze FSEvents file system events, Spotlight indexes, and extended attributes to track the creation, modification, deletion, and access of files.

Browser History Analysis

Extract and analyze Safari browsing history, search queries, and download records to understand the user's network activities.

Privilege Audit

Check TCC (Transparency, Consent, and Control) privilege settings to see which applications have obtained sensitive privileges such as camera, microphone, and screen recording.

External Device Detection

Detect the connection and usage of external storage devices by analyzing fsck_apfs logs.

In - depth Event Investigation

Conduct in - depth cross - data source correlation analysis for specific security event types (such as user deletion and malware execution).

Advantages

Structured queries replace raw data searches, greatly improving investigation efficiency

Automatic timestamp conversion, uniformly displayed as readable UTC time

Predefined security event patterns for quickly discovering suspicious activities

Cross - data source correlation analysis provides a complete view of events

Pagination processing of large data sets to avoid context overflow

Automatically discover available forensics data without manually locating files

Limitations

Requires pre - collection of macOS system forensics data

Relies on external parsing tools to process certain raw formats

Primarily targeted at macOS systems and not suitable for other operating systems

Requires a Python environment and related dependencies

Some advanced features require professional forensics knowledge for correct interpretation

How to Use

Install Dependencies

Ensure that Python 3.10+ and the uv package manager are installed on the system. Then create a virtual environment and install the dependencies.

Configure Claude

Add the MCP server to the Claude configuration. You can choose user - level or project - level configuration.

Prepare Forensics Data

Collect forensics data from the macOS system, including log files, databases, configuration files, etc., and organize them into a specified directory.

Start Analysis

Use the provided 23 tools through AI assistants such as Claude for forensics analysis.

Usage Examples

Investigate Abnormal User Account Deletion

The security team received an alert and found that a user account was abnormally deleted. Use the MCP server to quickly investigate the relevant evidence of the deletion event.

Analyze Suspicious File Downloads

Suspicious files were detected to be downloaded on the system. You need to understand the source of the files, the download time, and the related user activities.

Build an Intrusion Timeline

The system may have been invaded. You need to build a complete timeline to understand the attacker's activity trajectory.

Audit Privilege Abuse

Investigate whether any applications abuse system privileges, such as unauthorized screen recording or camera access.

Frequently Asked Questions

What type of forensics data do I need to use this tool?

Can this tool monitor the system in real - time?

Do I need professional forensics knowledge to use it?

Which macOS versions are supported?

Will the data be sent to the cloud?

How to handle encrypted forensics data?

Related Resources

SANS FOR518 macOS Forensic Analysis Poster

A quick reference guide for macOS and iOS forensic analysis

mac4n6 Forensics Artifacts Spreadsheet

A comprehensive reference for macOS forensics artifacts

SUMURI Mac Forensics Best Practices Guide 2025

The latest macOS forensics methods and best practices

Google Cloud - Reviewing macOS Unified Logs

A technical guide for macOS unified log analysis

GitHub Repository

Source code and issue tracking for the MCP server

🚀 mac_forensics-mcp

The MCP (Model Context Protocol) server designed for macOS Digital Forensics and Incident Response (DFIR). It streamlines forensic analysis by providing structured tools, reducing the context overhead when using LLMs for incident investigations.

🚀 Quick Start

This MCP server offers structured forensic analysis tools for macOS triage collections, which can reduce context overhead when investigating incidents with LLMs.

Key Benefits:

Conduct structured queries instead of performing raw grep operations on massive files.
Automatically normalize timestamps (from Mac Absolute Time to UTC).
Utilize pre - built security event detection patterns.
Perform cross - artifact correlation and build timelines.
Implement pagination to avoid context overflow.
Discover available artifacts.

There are 23 tools covering Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.

📦 Installation

cd /opt/macOS/mac_forensics-mcp

# Create virtual environment and install dependencies
uv venv
uv pip install -e .

💻 Usage Examples

Basic Usage

# Discover artifacts in a triage
mac_list_artifacts(artifacts_dir="/path/to/triage")

# Find user deletion events
mac_unified_logs_security_events(
    log_path="/path/to/unified_logs.csv",
    event_type="user_deleted"
)

# Read deleted users from plist
mac_plist_read(
    plist_path="/path/to/com.apple.preferences.accounts.plist",
    key_path="deletedUsers"
)

Advanced Usage

# Deep investigation of user deletion
mac_investigate_event(
    artifacts_dir="/path/to/triage",
    event_type="user_deletion",
    target="username"
)

# Get Safari search history
mac_safari_searches(
    db_path="/path/to/History.db",
    query_filter="delete"
)

# Find external device activity
mac_parse_fsck_apfs_log(
    log_path="/path/to/fsck_apfs.log",
    external_only=True
)

# Search for specific volume
mac_parse_fsck_apfs_log(
    log_path="/path/to/fsck_apfs.log",
    volume_filter="suspicious_volume"
)

# Build user activity timeline
mac_get_user_timeline(
    artifacts_dir="/path/to/triage",
    username="username"
)

# Search FSEvents for file activity
mac_fsevents_search(
    fseventsd_path="/path/to/.fseventsd",
    path_filter="/Users/username",
    event_types=["created", "deleted"]
)

📚 Documentation

Claude Code Configuration

Option 1: Using `claude mcp add` (Recommended)

# Add to user settings (available in all projects)
claude mcp add mac-forensics -s user -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.server

# Or add to current project only
claude mcp add mac-forensics -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.server

To verify it was added:

claude mcp list

To remove:

claude mcp remove mac-forensics -s user

Option 2: Manual JSON Configuration

Add to ~/.claude/settings.json (user - level) or .claude/settings.json (project - level):

{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
      "args": ["-m", "mac_forensics_mcp.server"],
      "env": {}
    }
  }
}

Available Tools (23)

Discovery

Tool	Description
`mac_list_artifacts`	Discover available artifacts in a triage collection

Unified Logs

Tool	Description
`mac_unified_logs_search`	Search logs with regex, filters, time range
`mac_unified_logs_security_events`	Get pre - defined security events (user_created, ssh_session, etc.)
`mac_unified_logs_stats`	Get log statistics: time range, top subsystems

Plist Files

Tool	Description
`mac_plist_read`	Read and parse plist, optionally extract key path
`mac_plist_search`	Search for keys matching pattern
`mac_plist_timestamps`	Extract all timestamp values with UTC conversion

Databases

Tool	Description
`mac_knowledgec_app_usage`	App usage from KnowledgeC.db
`mac_safari_history`	Safari browsing history
`mac_safari_searches`	Extract search queries from Safari
`mac_tcc_permissions`	TCC permissions (camera, mic, screen recording)
`mac_quarantine_events`	File download history

User Analysis

Tool	Description
`mac_get_user_accounts`	List users including deleted accounts
`mac_get_user_timeline`	Build timeline for specific user account

FSEvents

Tool	Description
`mac_fsevents_search`	Search file system events (create, delete, modify, rename)
`mac_fsevents_stats`	Get FSEvents statistics

Extended Attributes & Spotlight

Tool	Description
`mac_get_extended_attributes`	Get xattr for file (quarantine, download URL, etc.)
`mac_spotlight_search`	Search Spotlight index for file metadata
`mac_spotlight_stats`	Get Spotlight index statistics

System Logs

Tool	Description
`mac_parse_fsck_apfs_log`	Parse fsck_apfs.log for volume creation, external devices, anti - forensics
`mac_fsck_apfs_stats`	Get fsck_apfs.log statistics: devices, volumes, time range

Correlation & Investigation

Tool	Description
`mac_build_timeline`	Build unified timeline from multiple artifacts
`mac_investigate_event`	Deep investigation with evidence correlation

Security Event Types

The mac_unified_logs_security_events tool supports these event types:

Event Type	Description
`user_created`	User account creation
`user_deleted`	User account deletion
`user_modified`	User account changes
`ssh_session`	SSH connections
`sudo_usage`	Sudo command execution
`auth_success`	Successful authentication
`auth_failure`	Failed authentication
`process_exec`	Process execution
`gatekeeper`	Gatekeeper/quarantine events
`tcc_prompt`	TCC permission prompts
`login`	User login
`logout`	User logout
`screen_lock`	Screen lock events
`screen_unlock`	Screen unlock events
`remote_login`	Remote Login service
`persistence`	Persistence mechanisms

Investigation Event Types

The mac_investigate_event tool supports deep investigation of these event types:

Event Type	Description
`user_deletion`	Investigate user account deletion with timeline and evidence correlation
`user_creation`	Investigate user account creation
`file_download`	Investigate file downloads (quarantine, xattr, browser history)
`ssh_session`	Investigate SSH session activity
`malware_execution`	Investigate potential malware execution
`privilege_escalation`	Investigate privilege escalation attempts

Configuration

External Tool Paths

External forensic tools can be configured via environment variables. If not set, defaults to /opt/macOS/ paths.

Environment Variable	Default	Description
`MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH`	`/opt/macOS/unifiedlog_iterator`	Path to unifiedlog_iterator binary
`MAC_FORENSICS_FSEPARSER_PATH`	`/opt/macOS/FSEventsParser/FSEParser_V4.1.py`	Path to FSEParser script
`MAC_FORENSICS_SPOTLIGHT_PARSER_PATH`	`/opt/macOS/spotlight_parser/spotlight_parser.py`	Path to spotlight_parser script

Example with custom paths:

{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
      "args": ["-m", "mac_forensics_mcp.server"],
      "env": {
        "MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH": "/custom/path/unifiedlog_iterator",
        "MAC_FORENSICS_FSEPARSER_PATH": "/custom/path/FSEParser.py",
        "MAC_FORENSICS_SPOTLIGHT_PARSER_PATH": "/custom/path/spotlight_parser.py"
      }
    }
  }
}

🔧 Technical Details

Dependencies

Python 3.10+
uv (for virtual environment and package management)
mcp >= 1.0.0
biplist (optional, for malformed plists)

External tools (optional, for parsing raw artifacts):

unifiedlog_iterator - for parsing .logarchive bundles
FSEParser - for parsing FSEvents (.fseventsd)
spotlight_parser - for parsing Spotlight indexes

Architecture

mac_forensics_mcp/
├── server.py                # MCP server and tool definitions
├── config.py                # Configurable external tool paths
├── parsers/
│   ├── plist_parser.py      # Plist file parsing
│   ├── unified_log_parser.py # Unified log analysis
│   ├── sqlite_parser.py     # SQLite databases (KnowledgeC, Safari, TCC)
│   ├── fsevents_parser.py   # FSEvents parsing
│   ├── spotlight_parser.py  # Spotlight index parsing
│   ├── xattr_parser.py      # Extended attributes parsing
│   └── fsck_apfs_parser.py  # fsck_apfs.log parsing
├── correlation/
│   ├── timeline_builder.py  # Cross-artifact timeline correlation
│   └── event_investigator.py # Event-specific investigation
└── utils/
    ├── timestamps.py        # Mac/WebKit/HFS timestamp conversion
    └── discovery.py         # Artifact discovery

Forensic Value

This MCP server was developed based on real - world macOS DFIR investigations. Key forensic capabilities:

Capability	Tools
User account forensics	`mac_get_user_accounts`, `mac_get_user_timeline`, `mac_investigate_event`
File activity tracking	`mac_fsevents_search`, `mac_spotlight_search`
Download analysis	`mac_quarantine_events`, `mac_get_extended_attributes`
Security event detection	`mac_unified_logs_security_events`
External device detection	`mac_parse_fsck_apfs_log`
Cross - artifact correlation	`mac_build_timeline`, `mac_investigate_event`