Open source · v1.0 now available

macOS forensics, done right.

Open-source artifact collection with forensically sound methodology. Built for DFIR professionals who need reliable evidence extraction from live systems and disk images.

macfor — collect
$ brew install macforensics/tap/macfor
==> Downloading macfor v1.0.0
==> Installing macfor
✓ macfor 1.0.0 installed
$ macfor collect --output evidence.zip
✓ shell.history (47 entries)
✓ browser.safari (1,284 entries)
✓ filesystem.fsevents (8,451 entries)
... 15 more artifact types
→ evidence.zip · manifest signed · SHA-256 verified

Built for the way investigators actually work.

One static binary. Structured output. Defensible evidence handling. macfor turns macOS forensic collection into something you can trust and script.

Browser history, shell commands, system logs, FSEvents, Spotlight metadata. 30+ macOS artifacts, parsed into structured JSONL.

macfor — collect
$ macfor collect --all --output ir-2026-05.zip
✓ shell.history 47 entries · 8ms
✓ browser.safari 1,284 entries · 312ms
✓ browser.chrome 8,917 entries · 901ms
✓ filesystem.fsevents 8,451 entries · 1.2s
✓ system.unifiedlogs 92,318 entries · 4.7s
✓ system.spotlight 14,206 entries · 2.3s
... 12 more artifact types
→ ir-2026-05.zip · 47s elapsed

Engineered for defensible investigations.

Three pillars: deep coverage, evidence integrity, and a format your existing tools already understand.

Coverage

30+ artifacts across browsers, system, and user activity.

Safari, Chrome, Firefox, FSEvents, Unified Logs, Spotlight, Quick Look, Quarantine, TCC, Bluetooth, WiFi networks, persistence mechanisms, and more — all parsed into structured JSONL.

artifacts/
browser.safari
browser.chrome
browser.firefox
shell.history
filesystem.fsevents
system.unifiedlogs
system.spotlight
system.quicklook
system.tcc
system.persistence
system.quarantine
system.coreanalytics
system.patternoflife
system.screentime
mail.apple
messages.apple
facetime.apple
contacts.addressbook
pim.calendar
notes.apple
devices.bluetooth
network.wifi
messaging.signal
messaging.whatsapp
messaging.fbmessenger
communication.slack
app.discord
cloudstorage.dropbox
... and more

Integrity

SHA-256 hashing, signed manifests, full chain of custody.

Every file is hashed at collection time, so any later change to the container is detectable; a hash taken at that moment says nothing about what happened on the live system before collection began. Every action is logged to the chain of custody. Manifests are signed and can be verified against the signer's public key, so your evidence holds up in review.

chain-of-custody.log
2026-05-01T09:14:22Z  collection_started   examiner=j.doe@acme.com host=MBP-FINANCE-04
2026-05-01T09:14:23Z  plugin_invoked       plugin=browser.safari
2026-05-01T09:14:23Z  file_collected       path=~/Library/Safari/History.db sha256=9f8a7c1e...
2026-05-01T09:14:24Z  artifact_parsed      plugin=browser.safari records=1284
2026-05-01T09:14:24Z  file_collected       path=~/.zsh_history sha256=4e2b81d3...
2026-05-01T09:15:09Z  manifest_signed      keyid=ED25519/4F8C
2026-05-01T09:15:09Z  collection_complete  duration=47s artifacts=18 sha256=c1a2...
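The workflow the log above records, hash each file as it is taken, append a custody event per step, sign the manifest, and verify the whole container later, written out as an added example. This is not macfor's code and the manifest layout, log format and field names are assumptions; Ed25519 is used because the sample log names an ED25519 key, and the file contents are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Artifact is one collected file: its source path and the SHA-256 taken at collection time.
type Artifact struct {
	Path   string `json:"path"`
	SHA256 string `json:"sha256"`
}

// Manifest lists every collected artifact; its canonical JSON encoding is what gets signed.
type Manifest struct {
	Examiner  string     `json:"examiner"`
	Host      string     `json:"host"`
	Artifacts []Artifact `json:"artifacts"`
}

type Custody struct{ Events []string } // append-only chain-of-custody log (constructed format)

func (c *Custody) Log(event, detail string) {
	c.Events = append(c.Events, fmt.Sprintf("%s  %-20s %s", time.Now().UTC().Format(time.RFC3339), event, detail))
}

func hashBytes(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Collect hashes every file as it is taken and logs each step; paths are sorted so the
// manifest encodes identically on every run, independent of map iteration order.
func Collect(files map[string][]byte, examiner, host string, c *Custody) Manifest {
	c.Log("collection_started", "examiner="+examiner+" host="+host)
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	m := Manifest{Examiner: examiner, Host: host}
	for _, p := range paths {
		h := hashBytes(files[p])
		m.Artifacts = append(m.Artifacts, Artifact{Path: p, SHA256: h})
		c.Log("file_collected", "path="+p+" sha256="+h[:8]+"...")
	}
	return m
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(m Manifest) []byte {
	b, err := json.Marshal(m) // struct fields encode in declared order; artifacts are already sorted
	if err != nil {
		panic(err)
	}
	return b
}

// Sign produces an Ed25519 signature over the canonical manifest and logs the event.
func Sign(m Manifest, priv ed25519.PrivateKey, c *Custody) []byte {
	c.Log("manifest_signed", "alg=ed25519")
	return ed25519.Sign(priv, canonical(m))
}

// Verify is what a reviewer runs later: the signature is checked first, so an edited manifest
// is rejected before any hash in it is trusted; then every file is re-hashed against it.
func Verify(m Manifest, sig []byte, pub ed25519.PublicKey, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if len(files) != len(m.Artifacts) {
		return fmt.Errorf("artifact count mismatch: manifest %d, container %d", len(m.Artifacts), len(files))
	}
	for _, a := range m.Artifacts {
		data, ok := files[a.Path]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing from container", a.Path)
		}
		if got := hashBytes(data); got != a.SHA256 {
			return fmt.Errorf("%s modified: sha256 %s... != manifest %s...", a.Path, got[:8], a.SHA256[:8])
		}
	}
	return nil
}

func main() {
	files := map[string][]byte{ // constructed stand-ins for collected artifact files
		"~/Library/Safari/History.db": []byte("sqlite history (constructed)"),
		"~/.zsh_history":              []byte("cat /etc/hosts\n"),
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	var c Custody
	m := Collect(files, "j.doe@acme.com", "MBP-FINANCE-04", &c)
	sig := Sign(m, priv, &c)
	fmt.Println("intact:", Verify(m, sig, pub, files))
	files["~/.zsh_history"] = []byte("# history cleared\n") // edited after collection
	fmt.Println("tampered:", Verify(m, sig, pub, files))
}
```

The order of checks in Verify is the point: an attacker who can edit a file and also edit the manifest to match is stopped by the signature, and one who can only touch the file is stopped by the hash. Keep the signing key off the host being collected; the key in the custody log only identifies which key signed, it does not prove who held it.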

Composability

Pipe straight into jq, your SIEM, or macfor's analysis platform.

Output is JSONL by default. Pipe it through jq, push it to Splunk or Elastic, or load it into macfor analyze for graph-powered timeline reconstruction. Your data, your tools.

macfor — collect
$ macfor collect --plugin browser.safari --stdout \
  | jq '.records[] | select(.url | contains("github"))'
{
  "url": "https://github.com/macforensics",
  "title": "macfor on GitHub",
  "visit_time": "2026-04-29T11:14:02Z"
}
$ macfor collect | curl -X POST splunk.acme.com:8088/...
✓ 18 artifacts streamed (47,231 records)
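What consuming that JSONL looks like once it leaves jq: an added example, not macfor's analysis platform, that merges records from several plugins into one timeline and pivots around a suspicious entry. The envelope shape (a `plugin` name plus a `records` array) follows the jq example above; the `time`, `command` and `path` field names and the sample lines are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Envelope is the assumed shape of one JSONL line: a plugin name plus its records
// (the page's jq example reads .records[], so the records key comes from the page).
type Envelope struct {
	Plugin  string                   `json:"plugin"`
	Records []map[string]interface{} `json:"records"`
}

// Event is one row of the merged timeline.
type Event struct {
	Time    time.Time
	Plugin  string
	Summary string
}

// timeFields maps each plugin to the record field holding its timestamp.
// visit_time comes from the page; the other two are assumed names.
var timeFields = map[string]string{
	"browser.safari":      "visit_time",
	"shell.history":       "time",
	"filesystem.fsevents": "time",
}

// summary picks the most useful string field for a one-line timeline entry (assumed names).
func summary(r map[string]interface{}) string {
	for _, k := range []string{"url", "command", "path"} {
		if v, ok := r[k].(string); ok {
			return v
		}
	}
	return ""
}

// BuildTimeline parses JSONL from any plugin, normalises each record to (time, plugin, summary)
// and returns them oldest-first. Malformed lines and records without a parseable timestamp are
// counted in skipped rather than silently dropped, so the examiner knows the timeline has gaps.
func BuildTimeline(jsonl string) (events []Event, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var env Envelope
		if err := json.Unmarshal([]byte(line), &env); err != nil {
			skipped++
			continue
		}
		for _, r := range env.Records {
			ts, _ := r[timeFields[env.Plugin]].(string)
			t, err := time.Parse(time.RFC3339, ts)
			if err != nil {
				skipped++
				continue
			}
			events = append(events, Event{Time: t, Plugin: env.Plugin, Summary: summary(r)})
		}
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, skipped
}

// Around returns the events within ±window of anchor: the usual pivot from one suspicious
// record (a download, a command) to everything else the host did at about the same time.
func Around(events []Event, anchor time.Time, window time.Duration) []Event {
	var out []Event
	for _, e := range events {
		d := e.Time.Sub(anchor)
		if d < 0 {
			d = -d
		}
		if d <= window {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed sample output from three plugins, including a bad record and a non-JSON line.
	const sample = `{"plugin":"browser.safari","records":[{"url":"https://example.test/dl/tool.zip","visit_time":"2026-04-29T11:14:02Z"}]}
{"plugin":"shell.history","records":[{"command":"unzip ~/Downloads/tool.zip","time":"2026-04-29T11:15:40Z"},{"command":"ls","time":"not-a-time"}]}
{"plugin":"filesystem.fsevents","records":[{"path":"/Users/j.doe/Downloads/tool.zip","time":"2026-04-29T11:14:05Z"}]}
this line is not json
`
	events, skipped := BuildTimeline(sample)
	fmt.Printf("%d events, %d skipped\n", len(events), skipped)
	anchor, _ := time.Parse(time.RFC3339, "2026-04-29T11:14:02Z")
	for _, e := range Around(events, anchor, 2*time.Minute) {
		fmt.Println(e.Time.Format(time.RFC3339), e.Plugin, e.Summary)
	}
}
```

Counting skipped records instead of dropping them matters in review: a timeline that silently lost a plugin's records because of a timestamp format change looks complete when it is not.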

One command. Real evidence in under a minute.

Install macfor, run macfor collect, and walk away with a signed evidence container ready for analysis.

$ brew install macforensics/tap/macfor

Free for the community, scalable for teams.

The collector is open source and free forever. Pro tiers add full artifact coverage, priority support, and enterprise deployment.

Community

Open-source collector for individual use

Free

  • Shell history collection
  • Safari browser artifacts
  • Evidence container with hashing
  • Chain of custody logging
  • Community support
Download

Professional

Full artifact coverage for teams

Coming soon

  • All Community features
  • Chrome, Firefox, Edge browsers
  • Unified Logs (tracev3)
  • FSEvents journal parsing
  • Spotlight metadata
  • Priority email support
Get notified

Enterprise

For large teams and MSSPs

Coming soon

  • All Professional features
  • Keychain metadata
  • Custom plugin development
  • On-premises deployment
  • Dedicated support channel
  • SLA guarantees
Contact us

Frequently asked questions

Can't find what you're looking for? Open a discussion on GitHub or reach out to our team.

    • Is the Collector really free?

      Yes! The macfor Collector is open-source under the MIT license. You can use it for personal or commercial purposes at no cost.

    • When will Professional and Enterprise be available?

      We're working on Pro and Enterprise tiers now. Get in touch via the contact form and we'll let you know the moment they're ready, including early-access pricing for waitlist sign-ups.

    • What's included in support?

      Community tier includes community support via GitHub Discussions. Professional and Enterprise will include priority email and dedicated support channels respectively.

    • Do you offer discounts for non-profits or education?

      Yes, we plan to offer 50% off for qualified non-profits and educational institutions when paid tiers launch. Contact us to be notified.

    • What happens to my data if I downgrade?

      Your collected evidence remains yours. The collector and evidence format are open-source, so you can always access your data.