Frequently asked questions
Does macfor modify the source?
No. Files are opened read-only and copied byte-for-byte. The source filesystem is never written to. SHA-256 is computed in-flight and stored in hashes.json for re-verification.
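Re-verifying a collected container against hashes.json, as an added example that is not macfor's own code: it assumes the container is opened as an fs.FS (archive/zip's Reader implements that interface, as does os.DirFS for an extracted copy) and that hashes.json is a flat JSON object mapping entry path to hex SHA-256, which is an assumed layout; the sample tree is constructed in memory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"io/fs"
	"testing/fstest"
)

// Mismatch is a container entry whose recomputed SHA-256 differs from
// hashes.json (Want == "" means the collector never recorded that path).
type Mismatch struct{ Path, Want, Got string }
func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// verifyContainer re-hashes every file in a container opened as an fs.FS (a *zip.Reader
// for the evidence ZIP, or os.DirFS for an extracted copy) against hashes.json. ASSUMPTION,
// not macfor's documented layout: hashes.json maps entry path -> lowercase hex SHA-256.
func verifyContainer(fsys fs.FS) ([]Mismatch, error) {
	raw, err := fs.ReadFile(fsys, "hashes.json")
	if err != nil {
		return nil, err
	}
	manifest := map[string]string{}
	if err := json.Unmarshal(raw, &manifest); err != nil {
		return nil, err
	}
	var bad []Mismatch // WalkDir visits paths in lexical order, so the report is deterministic
	err = fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || path == "hashes.json" {
			return err
		}
		data, err := fs.ReadFile(fsys, path) // whole-entry read; stream large evidence instead
		if got := hexSHA256(data); err == nil && manifest[path] != got {
			bad = append(bad, Mismatch{path, manifest[path], got})
		}
		return err
	})
	return bad, err
}

// buildSample is a CONSTRUCTED in-memory tree standing in for a container: one intact
// entry, one entry altered after it was hashed, and one entry never listed in hashes.json.
func buildSample() fs.FS {
	good, bad := "files/Library/Safari/History.db", "files/.zsh_history"
	manifest, _ := json.Marshal(map[string]string{good: hexSHA256([]byte("ok")), bad: hexSHA256([]byte("orig"))})
	return fstest.MapFS{good: {Data: []byte("ok")}, bad: {Data: []byte("changed")},
		"files/unlisted.log": {Data: []byte("x")}, "hashes.json": {Data: manifest}}
}
```

Running verifyContainer(buildSample()) reports the altered .zsh_history entry with both digests and the unlisted log with an empty Want, which is the signal that a file was added after collection.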
What macOS versions are supported?
macOS 10.15 (Catalina) and newer for the collection host. Per-plugin minimums are enumerated on the compatibility page — many plugins accept older sources when collecting from a disk image.
Will macfor decrypt Keychain entries / Chrome cookies / Signal?
No, by design. macfor collects encrypted blobs as opaque values and records the parameters needed for offline decryption. Decryption is the analyst's call — and is best done in a controlled environment with the right authority.
Can I run it against a FileVault-encrypted volume?
Yes — once the volume is unlocked and mounted. Pass the mount point via --source image:/Volumes/Macintosh\ HD. macfor does not handle FileVault unlock itself; use Apple tooling (diskutil, fdesetup) or your acquisition platform.
Why a single-binary collector instead of a plugin loader?
Forensic reproducibility. A statically linked, signed binary is trivially auditable: one hash, one provenance, one runtime. Plugins are compiled in, not loaded at runtime — every collection produces the same plugin set as the last one with the same binary.
Can I add a plugin?
Yes. The plugin interface is minimal — Info(), Detect(), Collect() — and a per-plugin artifacts.yaml manifest declares the artifact paths the plugin collects. See the Safari plugin as the reference implementation.
How do I integrate with my SIEM / case-management?
The evidence container is a deterministic ZIP. The parsed JSONL records under records/ are the easiest ingestion path (Splunk, OpenSearch, DuckDB, Polars). The macfor-analyze platform consumes the same container directly.
Does it work on Apple silicon?
Yes. Universal binaries ship with every tagged release. The underlying SQLite engine (modernc.org/sqlite) is pure Go, so collection runs CGO-free on both arm64 and x86_64. The Pro binary additionally compiles SQLCipher (CGO) for Signal Desktop.