Reference
Compatibility
Which macOS versions, architectures, and source types are supported — at the binary level and per plugin.
Collection host
- macOS 10.15 (Catalina) and newer. Older versions are not actively tested.
- arm64 and x86_64. Universal binaries published with every tagged release.
Source types
- Live system. Default. Reads through normal filesystem APIs; respects TCC.
- Mounted disk image. Pass
--source image:/Volumes/...after mounting the image read-only. The same plugins run; multi-user collection no longer requires root. - Sparse / encrypted images. Mount via
hdiutilor DiskArbitration, then point macfor at the mount point.
Permissions
The collection process reads files using its own credentials. To reach paths protected by TCC (~/Library/Mail, ~/Library/Messages, ~/Library/Application Support/Signal, the TCC database itself, …), grant Full Disk Access to either the terminal you invoke macfor from or the macfor binary itself.
macfor never decrypts protected secrets. Encrypted blobs (Chrome passwords/cookies, Keychain entries) are collected as opaque values; decryption is the analyst's decision.
Per-plugin minimum macOS
Below the listed version, the underlying artifact either does not exist or has a meaningfully different on-disk format.
| Plugin | Plugin ID | Module | Minimum macOS |
|---|---|---|---|
| Apple Mail | mail.apple | pro | macOS 10.12+ |
| Apple Notes | notes.apple | pro | macOS 10.15+ |
| Bluetooth Devices | devices.bluetooth | pro | macOS 10.15+ |
| Calendar & Reminders | pim.calendar | pro | macOS 10.12+ |
| Contacts (AddressBook) | contacts.addressbook | pro | macOS 10.12+ |
| CoreAnalytics | system.coreanalytics | pro | macOS 10.13+ |
| Discord | app.discord | pro | macOS 10.13+ |
| Dropbox | cloudstorage.dropbox | pro | macOS 10.12+ |
| Evernote | productivity.evernote | pro | macOS 10.15+ |
| Facebook Messenger Desktop | messaging.fbmessenger | pro | macOS 10.15+ |
| FaceTime | facetime.apple | pro | macOS 10.13+ |
| Firefox Browser | browser.firefox | pro | macOS 10.12+ |
| FSEvents Journal | filesystem.fsevents | pro | macOS 10.5+ |
| Google Chrome Browser | browser.chrome | pro | macOS 10.12+ |
| Keychain Metadata | system.keychain | pro | macOS 10.15+ |
| Messages (iMessage/SMS/RCS) | messages.apple | pro | macOS 10.12+ |
| Pattern of Life | system.patternoflife | pro | macOS 10.15+ |
| Persistence Mechanisms | system.persistence | pro | macOS 10.15+ |
| Quarantine Events | system.quarantine | pro | macOS 10.5+ |
| Quick Look Thumbnails | system.quicklook | pro | macOS 10.15+ |
| Safari Browser | browser.safari | community | macOS 10.12+ |
| Screen Time | system.screentime | pro | macOS 10.15+ |
| Shell History | shell.history | community | macOS 10.12+ |
| Signal Desktop | messaging.signal | pro | macOS 10.15+ |
| Slack Desktop | communication.slack | pro | macOS 10.13+ |
| Spotlight Metadata | system.spotlight | pro | macOS 10.15+ |
| TCC Database | system.tcc | pro | macOS 10.14+ |
| Telegram Desktop | messaging.telegram | pro | macOS 10.13+ |
| Unified Logs | system.unifiedlogs | pro | macOS 10.15+ |
| WhatsApp Desktop | messaging.whatsapp | pro | macOS 10.15+ |
| WiFi Known Networks | network.wifi | pro | macOS 10.15+ |