mac_forensics-mcp
Provides tools for forensic analysis of macOS systems, including user account forensics, file activity tracking, security event detection, and cross-artifact correlation from triage collections.
Enables extraction of Safari browsing history and search queries from Safari's database.
Allows searching the Spotlight index for file metadata and retrieving index statistics.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mac_forensics-mcpsearch for failed authentication events in the last 24 hours"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mac_forensics-mcp
MCP (Model Context Protocol) server for macOS Digital Forensics and Incident Response (DFIR).
Overview
This MCP server provides structured forensic analysis tools for macOS triage collections, reducing context overhead when investigating incidents with LLMs.
Key Benefits:
Structured queries instead of raw grep through massive files
Automatic timestamp normalization (Mac Absolute Time → UTC)
Pre-built security event detection patterns
Cross-artifact correlation and timeline building
Pagination to avoid context overflow
Artifact discovery to know what's available
23 tools covering: Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.
Related MCP server: SIFTAgent
Installation
cd /opt/macOS/mac_forensics-mcp
# Create virtual environment and install dependencies
uv venv
uv pip install -e .Claude Code Configuration
Option 1: Using claude mcp add (Recommended)
# Add to user settings (available in all projects)
claude mcp add mac-forensics -s user -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.server
# Or add to current project only
claude mcp add mac-forensics -- /opt/macOS/mac_forensics-mcp/.venv/bin/python -m mac_forensics_mcp.serverTo verify it was added:
claude mcp listTo remove:
claude mcp remove mac-forensics -s userOption 2: Manual JSON Configuration
Add to ~/.claude/settings.json (user-level) or .claude/settings.json (project-level):
{
"mcpServers": {
"mac-forensics": {
"command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
"args": ["-m", "mac_forensics_mcp.server"],
"env": {}
}
}
}Available Tools (23)
Discovery
Tool | Description |
| Discover available artifacts in a triage collection |
Unified Logs
Tool | Description |
| Search logs with regex, filters, time range |
| Get pre-defined security events (user_created, ssh_session, etc.) |
| Get log statistics: time range, top subsystems |
Plist Files
Tool | Description |
| Read and parse plist, optionally extract key path |
| Search for keys matching pattern |
| Extract all timestamp values with UTC conversion |
Databases
Tool | Description |
| App usage from KnowledgeC.db |
| Safari browsing history |
| Extract search queries from Safari |
| TCC permissions (camera, mic, screen recording) |
| File download history |
User Analysis
Tool | Description |
| List users including deleted accounts |
| Build timeline for specific user account |
FSEvents
Tool | Description |
| Search file system events (create, delete, modify, rename) |
| Get FSEvents statistics |
Extended Attributes & Spotlight
Tool | Description |
| Get xattr for file (quarantine, download URL, etc.) |
| Search Spotlight index for file metadata |
| Get Spotlight index statistics |
System Logs
Tool | Description |
| Parse fsck_apfs.log for volume creation, external devices, anti-forensics |
| Get fsck_apfs.log statistics: devices, volumes, time range |
Correlation & Investigation
Tool | Description |
| Build unified timeline from multiple artifacts |
| Deep investigation with evidence correlation |
Security Event Types
The mac_unified_logs_security_events tool supports these event types:
Event Type | Description |
| User account creation |
| User account deletion |
| User account changes |
| SSH connections |
| Sudo command execution |
| Successful authentication |
| Failed authentication |
| Process execution |
| Gatekeeper/quarantine events |
| TCC permission prompts |
| User login |
| User logout |
| Screen lock events |
| Screen unlock events |
| Remote Login service |
| Persistence mechanisms |
Investigation Event Types
The mac_investigate_event tool supports deep investigation of these event types:
Event Type | Description |
| Investigate user account deletion with timeline and evidence correlation |
| Investigate user account creation |
| Investigate file downloads (quarantine, xattr, browser history) |
| Investigate SSH session activity |
| Investigate potential malware execution |
| Investigate privilege escalation attempts |
Usage Examples
Discover artifacts in a triage
mac_list_artifacts(artifacts_dir="/path/to/triage")Find user deletion events
mac_unified_logs_security_events(
log_path="/path/to/unified_logs.csv",
event_type="user_deleted"
)Deep investigation of user deletion
mac_investigate_event(
artifacts_dir="/path/to/triage",
event_type="user_deletion",
target="username"
)Get Safari search history
mac_safari_searches(
db_path="/path/to/History.db",
query_filter="delete"
)Read deleted users from plist
mac_plist_read(
plist_path="/path/to/com.apple.preferences.accounts.plist",
key_path="deletedUsers"
)Find external device activity
mac_parse_fsck_apfs_log(
log_path="/path/to/fsck_apfs.log",
external_only=True
)Search for specific volume
mac_parse_fsck_apfs_log(
log_path="/path/to/fsck_apfs.log",
volume_filter="suspicious_volume"
)Build user activity timeline
mac_get_user_timeline(
artifacts_dir="/path/to/triage",
username="username"
)Search FSEvents for file activity
mac_fsevents_search(
fseventsd_path="/path/to/.fseventsd",
path_filter="/Users/username",
event_types=["created", "deleted"]
)Configuration
External Tool Paths
External forensic tools can be configured via environment variables. If not set, defaults to /opt/macOS/ paths.
Environment Variable | Default | Description |
|
| Path to unifiedlog_iterator binary |
|
| Path to FSEParser script |
|
| Path to spotlight_parser script |
Example with custom paths:
{
"mcpServers": {
"mac-forensics": {
"command": "/opt/macOS/mac_forensics-mcp/.venv/bin/python",
"args": ["-m", "mac_forensics_mcp.server"],
"env": {
"MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH": "/custom/path/unifiedlog_iterator",
"MAC_FORENSICS_FSEPARSER_PATH": "/custom/path/FSEParser.py",
"MAC_FORENSICS_SPOTLIGHT_PARSER_PATH": "/custom/path/spotlight_parser.py"
}
}
}
}Dependencies
Python 3.10+
uv (for virtual environment and package management)
mcp >= 1.0.0
biplist (optional, for malformed plists)
External tools (optional, for parsing raw artifacts):
unifiedlog_iterator- for parsing .logarchive bundlesFSEParser- for parsing FSEvents (.fseventsd)spotlight_parser- for parsing Spotlight indexes
Architecture
mac_forensics_mcp/
├── server.py # MCP server and tool definitions
├── config.py # Configurable external tool paths
├── parsers/
│ ├── plist_parser.py # Plist file parsing
│ ├── unified_log_parser.py # Unified log analysis
│ ├── sqlite_parser.py # SQLite databases (KnowledgeC, Safari, TCC)
│ ├── fsevents_parser.py # FSEvents parsing
│ ├── spotlight_parser.py # Spotlight index parsing
│ ├── xattr_parser.py # Extended attributes parsing
│ └── fsck_apfs_parser.py # fsck_apfs.log parsing
├── correlation/
│ ├── timeline_builder.py # Cross-artifact timeline correlation
│ └── event_investigator.py # Event-specific investigation
└── utils/
├── timestamps.py # Mac/WebKit/HFS timestamp conversion
└── discovery.py # Artifact discoveryForensic Value
This MCP server was developed based on real-world macOS DFIR investigations. Key forensic capabilities:
Capability | Tools |
User account forensics |
|
File activity tracking |
|
Download analysis |
|
Security event detection |
|
External device detection |
|
Cross-artifact correlation |
|
References
Contributing
Based on lessons learned from macOS DFIR investigations. Additional tools and event patterns welcome.
Author
xtk
Built for the DFIR community.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/x746b/mac_forensics-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server