Documentation

The macfor collector

Forensically sound macOS artifact collection for live systems and disk images. Built for DFIR practitioners who need evidence that holds up.

macfor is a single-binary collector that walks a macOS source — your live machine, a mounted disk image, or a triage target — and packages every relevant artifact into a hashed, chain-of-custody-tracked evidence container. The collector is plugin driven: each artifact family (browser history, FSEvents, Signal, Spotlight, Unified Logs, …) is owned by one plugin with a declarative artifacts.yaml manifest.

The community binary ships 2 reference plugins. The Pro binary adds 29 more for messaging, system telemetry, and forensic deep-dive collection.

Design principles

  • Forensic soundness. The source is never modified. Every collected file is hashed; every collection action is logged into a chain-of-custody record committed to the evidence container.
  • Plugin architecture. Every artifact family is one plugin. New collectors plug in without touching the orchestrator.
  • Source abstraction. The same plugin code runs against a live system or a mounted disk image — the source interface absorbs the difference.
  • Graceful degradation. A failure in one artifact never stops collection of the rest. Errors land in the per-plugin log inside the evidence container.
  • Metadata-only secrets. Keychain entries, encrypted cookies, and token-bearing files are collected as metadata, not decrypted.

Where to next

If you're investigating a specific artifact (FSEvents, Signal messages, Spotlight metadata, …), jump to the plugin reference. For broader forensic background — schemas, timestamp formats, analysis tradecraft — head to kb.macfor.io.