Get started
Installation
macfor is a single Go binary. Pick the install path that matches your forensic workflow — pre-built release for triage carts, source build for air-gapped environments.
Requirements
- macOS 10.15 (Catalina) or newer on the collection host.
- Apple silicon (arm64) or Intel (x86_64). Universal binaries are published for tagged releases.
- Root or admin shell when collecting from any user account other than the currently logged-in one (multi-user collection requires full disk read access).
Option A — Homebrew (recommended)
brew tap macfor-io/macfor
brew install macfor
# Verify
macfor --version
Option B — Signed release archive
Grab the latest tagged release from GitHub Releases. Each release ships a notarized, hardened-runtime binary plus a SHA-256 manifest.
curl -L -o macfor.tar.gz \
https://github.com/macfor-io/macfor-community/releases/latest/download/macfor-darwin-arm64.tar.gz
# Verify checksum (compare against the release page)
shasum -a 256 macfor.tar.gz
tar xzf macfor.tar.gz
sudo mv macfor /usr/local/bin/
xattr -d com.apple.quarantine /usr/local/bin/macfor 2>/dev/null || true
macfor --version
Option C — Build from source
Useful when you need to verify provenance or run on an air-gapped analyst workstation. Requires Go 1.25 or newer.
git clone https://github.com/macfor-io/macfor-community.git
cd macfor-community
make build # produces ./bin/macfor
sudo install -m 0755 bin/macfor /usr/local/bin/macfor
macfor Pro
The Pro binary (macfor-pro) ships every community plugin plus the additional collectors for Signal, Mail, FaceTime, Spotlight, Unified Logs, FSEvents, and more. License keys are delivered after purchase via the macfor.io pricing page. Activation:
macfor-pro license activate <YOUR-LICENSE-KEY>
macfor-pro --version
# Lists every loaded plugin (community + pro)
macfor-pro list plugins
Granting Full Disk Access
To read protected paths (~/Library/Mail, ~/Library/Messages, ~/Library/Application Support/Signal, the TCC databases, etc.) the binary needs Full Disk Access.
- Open System Settings → Privacy & Security → Full Disk Access.
- Add the terminal you'll run macfor from (Terminal.app, iTerm2, Warp, …) — or add the macfor binary itself.
- For multi-user collection, run macfor under sudo from an admin user.
macfor never elevates privileges itself. If a path is unreadable, the orchestrator records the permission error in the per-plugin log inside the evidence container and continues.
Next steps
- Run your first collection — see Quick start.
- Browse the plugin reference to see what each collector pulls.