Reference
All plugins
macfor ships 31 artifact collectors. Each plugin owns one artifact family, declares the on-disk paths it cares about, and emits parsed records into the evidence container.
Every plugin below is generated from its artifacts.yaml manifest, so the file paths, formats, and flags here match exactly what the binary collects at runtime. Click through for per-artifact detail and a link back to the kb.macfor.io article when one exists.
Community (2)
Bundled with the open-source macfor binary.
Pro (29)
Available in macfor-pro. See the comparison for licensing details.
Apple Mail
ProCollects Apple Mail.app artifacts including message metadata, EMLX files, account configuration, and AI categorization
mail.apple·4 artifactsApple Notes
ProCollects Apple Notes.app forensic artifacts including note content, metadata, attachments, and collaboration data
notes.apple·12 artifactsBluetooth Devices
ProCollects Bluetooth device pairing history, connection events, radio state, and audio session data from macOS system plists, KnowledgeC, and PowerLog
devices.bluetooth·6 artifactsCalendar & Reminders
ProCollects Calendar.app events, participants, locations, suggested travel bookings, and Reminders.app tasks, triggers, tags, and change history from macOS
pim.calendar·21 artifactsContacts (AddressBook)
ProCollects contact records, phone numbers, email addresses, change history, and photos from macOS AddressBook
contacts.addressbook·6 artifactsCoreAnalytics
ProCollects macOS CoreAnalytics program execution evidence, application usage metrics, system telemetry, and DiagnosticMessages from the analyticsd subsystem
system.coreanalytics·12 artifactsDiscord
ProCollects tokens, messages, cache, server metadata, webhook indicators, and activity artifacts from Discord Desktop
app.discord·7 artifactsDropbox
ProCollects file cache metadata, deleted file records, account configuration, and preferences from Dropbox Desktop encrypted databases
cloudstorage.dropbox·5 artifactsEvernote
ProCollects Evernote note content, notebooks, tags, attachments, and web clipper source URLs from both legacy .exb SQLite databases and the v10+ Electron conduit-storage format.
productivity.evernote·5 artifactsFacebook Messenger Desktop
ProCollects chat messages, conversation threads, contacts, payment records, search activity, call history, and cached media from the discontinued Facebook Messenger Desktop app
messaging.fbmessenger·10 artifactsFaceTime
ProCollects FaceTime call records, phone call history, and FaceTime Links from macOS
facetime.apple·4 artifactsFirefox Browser
ProCollects Firefox browsing history, downloads, bookmarks, cookies, form history, logins, extensions, and sessions
browser.firefox·14 artifactsFSEvents Journal
ProCollects and parses macOS FSEvents filesystem event journal for file activity timeline reconstruction
filesystem.fsevents·8 artifactsGoogle Chrome Browser
ProCollects Chrome browsing history, downloads, bookmarks, cookies, autofill, extensions, local storage, and sessions
browser.chrome·19 artifactsKeychain Metadata
ProCollects macOS Keychain item metadata (labels, accounts, services, timestamps, protection classes) without extracting secrets
system.keychain·6 artifactsMessages (iMessage/SMS/RCS)
ProCollects iMessage, SMS, MMS, and RCS conversations, attachments, reactions, and deleted messages from macOS Messages.app
messages.apple·6 artifactsPattern of Life
ProCollects macOS behavioral databases including KnowledgeC activity records, Biome SEGB stream data, Screen Time usage, InteractionC contact interactions, and DuetActivityScheduler scheduling records
system.patternoflife·7 artifactsPersistence Mechanisms
ProInventories macOS persistence mechanisms including launch items, login items, scheduled tasks, shell configs, kernel/system extensions, authorization plugins, configuration profiles, and legacy persistence vectors
system.persistence·20 artifactsQuarantine Events
ProCollects macOS Quarantine Events from per-user QuarantineEventsV2 databases tracking downloaded files and their sources
system.quarantine·2 artifactsQuick Look Thumbnails
ProCollects Quick Look thumbnail cache metadata, extracted thumbnail images, and raw cache files from macOS
system.quicklook·3 artifactsScreen Time
ProCollects Screen Time restrictions, family management, installed apps, and usage analytics from RMAdminStore databases
system.screentime·10 artifactsSignal Desktop
ProCollects messages, conversations, contacts, attachments, and security artifacts from Signal Desktop encrypted databases
messaging.signal·7 artifactsSlack Desktop
ProCollects workspace metadata, cached messages, authentication tokens, application logs, and user profiles from Slack Desktop local storage
communication.slack·7 artifactsSpotlight Metadata
ProCollects Spotlight search shortcuts, preferences, volume configuration, and raw metadata stores from macOS
system.spotlight·5 artifactsTCC Database
ProCollects macOS TCC (Transparency, Consent, and Control) privacy permission records from user and system databases
system.tcc·7 artifactsTelegram Desktop
ProCollects account data, media cache, sessions, and diagnostic artifacts from Telegram Desktop local storage (tdata)
messaging.telegram·7 artifactsUnified Logs
ProPreserves macOS Unified Logging stores (/var/db/diagnostics, /var/db/uuidtext), generates a sealed .logarchive via `log collect`, and renders six predicate-filtered NDJSON event extracts (auth, usb, network, exec, xprotect, tcc) via `log show`.
system.unifiedlogs·3 artifactsWhatsApp Desktop
ProCollects chat messages, search indices, contacts, group metadata, session threads, delivery receipts, iCloud backup state, and cached media from WhatsApp Desktop local storage
messaging.whatsapp·14 artifactsWiFi Known Networks
ProCollects WiFi known networks, legacy airport preferences, association history, interface configuration, and DHCP leases from macOS
network.wifi·8 artifacts