mac_forensics-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MAC_FORENSICS_FSEPARSER_PATH | No | Path to FSEParser script | /opt/macOS/FSEventsParser/FSEParser_V4.1.py |
| MAC_FORENSICS_SPOTLIGHT_PARSER_PATH | No | Path to spotlight_parser script | /opt/macOS/spotlight_parser/spotlight_parser.py |
| MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH | No | Path to unifiedlog_iterator binary | /opt/macOS/unifiedlog_iterator |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| mac_list_artifactsB | Discover available forensic artifacts in a macOS triage collection. Returns inventory of logs, databases, plists, and user profiles. |
| mac_unified_logs_searchB | Search macOS Unified Logs with filters. Supports regex patterns, subsystem/category/process filters, and time ranges. |
| mac_unified_logs_security_eventsC | Get pre-defined security events from Unified Logs. Event types: user_created, user_deleted, user_modified, ssh_session, sudo_usage, auth_success, auth_failure, process_exec, gatekeeper, tcc_prompt, login, logout, screen_lock, screen_unlock, remote_login, persistence |
| mac_unified_logs_statsA | Get statistics about a Unified Log file: time range, top subsystems, top processes, total entry count. |
| mac_plist_readB | Read and parse a macOS plist file. Optionally extract specific key path. |
| mac_plist_searchC | Search for keys matching a pattern across a plist file. |
| mac_plist_timestampsB | Extract all timestamp values from a plist file with UTC conversion. |
| mac_knowledgec_app_usageB | Get application usage data from KnowledgeC.db. Shows what apps were used and when. |
| mac_safari_historyB | Get Safari browsing history with timestamps. |
| mac_safari_searchesB | Extract search queries from Safari history (Google, Bing, etc.). |
| mac_tcc_permissionsB | Get TCC (Transparency, Consent, Control) permissions. Shows which apps have camera, mic, screen recording access. |
| mac_quarantine_eventsA | Get quarantine events (file downloads) from QuarantineEventsV2. Shows download source, app that downloaded, timestamp. |
| mac_get_user_accountsB | Get user accounts from a triage collection, including deleted users. |
| mac_get_extended_attributesA | Get extended attributes (xattr) for a file. Contains true download times, quarantine info, and user-action dates more accurate than DB records. |
| mac_spotlight_searchB | Search Spotlight index for file metadata. Contains info even for deleted files. |
| mac_spotlight_statsB | Get statistics about a Spotlight index: total entries, content types, top directories. |
| mac_fsevents_searchC | Search FSEvents records for file system activity. Shows file creation, deletion, modification, and rename operations. |
| mac_fsevents_statsB | Get statistics about FSEvents records: total count, time range, event type counts. |
| mac_build_timelineB | Build a unified timeline from multiple forensic artifacts. Correlates events from unified logs, Safari history, KnowledgeC, and plists. |
| mac_get_user_timelineC | Build a timeline for a specific user account. Shows account creation, modification, deletion, and related activity. |
| mac_investigate_eventB | Deep investigation of a specific event type. Correlates evidence across multiple artifacts. Event types: user_deletion, user_creation, file_download, ssh_session, malware_execution, privilege_escalation. |
| mac_parse_fsck_apfs_logB | Parse fsck_apfs.log to find volume creation, external device connections, and anti-forensics activity. Shows APFS volume formatting operations with timestamps. |
| mac_fsck_apfs_statsA | Get statistics about fsck_apfs.log: devices checked, volumes found, external devices, time range. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/x746b/mac_forensics-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server