Introducing macfor 1.0: Open-Source macOS Forensics

Today marks a significant milestone for the macOS forensics community. We're releasing macfor 1.0, the first open-source forensic artifact collector built specifically for macOS.

Why We Built macfor

The digital forensics industry has long had excellent Windows tooling, but macOS has been underserved. Commercial tools often treat macOS as an afterthought, and existing open-source options are fragmented or abandoned.

macfor changes that by providing:

• macOS-first design: Every artifact parser is built with macOS specifics in mind
• Forensic soundness: Chain of custody documentation, hash verification, and evidence containers
• Modern Go codebase: Fast, portable, and easy to extend

What's in 1.0

The initial release includes collection support for:

Shell History

• Bash, Zsh, Fish, and Sh history files
• Timestamp extraction where available
• Multi-user collection

Safari Browser

• Browsing history with visit timestamps
• Downloads with file metadata
• Bookmarks and reading list
• Cookies (binary format)
• Extensions
• Local storage
• Session state

Getting Started

Installation is straightforward:

# Download the binary
curl -L https://github.com/macforensics/macfor/releases/latest/download/macfor-darwin-amd64 -o macfor
chmod +x macfor

# Run collection
sudo ./macfor collect --output evidence.zip

What's Next

We're already working on macfor Pro, which will add:

• Chrome, Firefox, and Edge browser support
• Unified Logs (tracev3) parsing
• Spotlight metadata extraction
• FSEvents timeline reconstruction

Join the Community

macfor is open source under the MIT license. We welcome contributions, bug reports, and feature requests:

• GitHub: github.com/macforensics/macfor
• Discord: Join our community for support and discussion
• Twitter: Follow @macforensics for updates

Thank you to everyone who tested early releases and provided feedback. Your input shaped this release.