-
Notifications
You must be signed in to change notification settings - Fork 110
Using compiled code (exe app)
Yogesh Khatri (@swiftforensics) edited this page Jul 28, 2025
·
1 revision
On macOS, for Intel macs, download the x86_64.zip file from the Release. If you have Apple Silicon (M1, M2, M3 or higher) processor, use the arm64.zip. Unzip the file to get the .app program. All 3 executables are embedded within the same app. Go to the folder containing the .app in the Terminal. You will find them at:
./mac_apt_x86_64.app/Contents/MacOS/mac_apt
./mac_apt_x86_64.app/Contents/MacOS/mac_apt_artifact_only
./mac_apt_x86_64.app/Contents/MacOS/ios_apt
For ARM64 the app is mac_apt_arm64.app. The paths will be the same. For example running mac_apt from here will be:
./mac_apt_arm64.app/Contents/MacOS/mac_apt -h
usage: mac_apt [-h] [-o OUTPUT_PATH] [-x] [-c] [-t] [-j] [-l LOG_LEVEL] [-p PASSWORD] [-pf PASSWORD_FILE] [-d] input_type input_path plugin [plugin ...]
mac_apt is a framework to process macOS forensic artifacts
You are running macOS Artifact Parsing Tool version 1.26.1 (20250728)
Note: The default output is now sqlite, no need to specify it now
..output snipped..
On Windows, use the exe files provided under Release.
Getting Started
- Introduction
- Installation
-
Sample Usage
- ios_apt
- Artifact Only Mode
- Using compiled app/exe
- Mounted System Data Mode
- Interpreting Output
- Issues & Workarounds
Plugins
- AUTOSTART
- BASICINFO
- BLUETOOTH
- DOMAINS
- FSEVENTS
- IDEVICEBACKUPS
- IDEVICEINFO
- IMESSAGE
- INETACCOUNTS
- INSTALLHISTORY
- MSOFFICE
- NETUSAGE
- NETWORKING
- NOTES
- NOTIFICATIONS
- PRINTJOBS
- QUARANTINE
- RECENTITEMS
- SAFARI
- SCREENTIME
- SPOTLIGHT
- SPOTLIGHTSHORTCUTS
- TERMINALSTATE
- TERMSESSIONS
- UNIFIEDLOGS
- USERS
- WIFI
Development
- Write a Plugin
- Plugin Helpers