MCP.so
ログイン

macOS Forensics Mcp Server

@x746b

macOS Forensics Mcp Server について

MCP (Model Context Protocol) server for macOS Digital Forensics and Incident Response (DFIR).

基本情報

カテゴリ

その他

トランスポート

stdio

公開者

x746b

投稿者

xtk

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/mac_forensics-mcp/.venv/bin/python",
      "args": [
        "-m",
        "mac_forensics_mcp.server"
      ],
      "env": {}
    }
  }
}

ツール

ツールは検出されませんでした

ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。

概要

What is macOS Forensics Mcp Server?

A Model Context Protocol (MCP) server that provides structured forensic analysis tools for macOS Digital Forensics and Incident Response (DFIR). It reduces context overhead when investigating incidents with LLMs by offering 23 tools covering Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.

How to use macOS Forensics Mcp Server?

Clone the repository to /opt/macOS/mac_forensics-mcp, create a virtual environment with uv, and install the package. Then configure it with Claude Code using the claude mcp add command or by manually adding a JSON entry to mcpServers, specifying the command to run python -m mac_forensics_mcp.server. Tools are invoked by calling their function names (e.g., mac_unified_logs_search) from an MCP client.

Key features of macOS Forensics Mcp Server

  • Structured queries instead of raw text searches
  • Automatic timestamp normalization (Mac Absolute Time → UTC)
  • Pre-built security event detection patterns
  • Cross-artifact correlation and timeline building
  • Pagination to prevent context overflow
  • Artifact discovery to determine available data

Use cases of macOS Forensics Mcp Server

  • Investigate user account creation, deletion, or modification
  • Analyze file downloads via quarantine events and extended attributes
  • Detect security events such as SSH sessions, sudo usage, or auth failures
  • Build a unified timeline from multiple macOS artifacts
  • Identify external device activity using fsck_apfs.log

FAQ from macOS Forensics Mcp Server

What are the runtime dependencies?

Python 3.10+, the uv package manager, and mcp >= 1.0.0. The biplist package is optional for malformed plists.

Does it require external forensic tools?

External tools are optional: unifiedlog_iterator for .logarchive bundles, FSEParser for FSEvents, and spotlight_parser for Spotlight indexes. If not installed, corresponding tools will not be available.

How do I configure custom paths for external tools?

Set environment variables MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH, MAC_FORENSICS_FSEPARSER_PATH, and MAC_FORENSICS_SPOTLIGHT_PARSER_PATH. Defaults are /opt/macOS/ paths.

What macOS artifacts are supported?

Unified Logs, FSEvents, Spotlight index, Plist files, SQLite databases (KnowledgeC, Safari, TCC, quarantine), Extended Attributes, and system logs (fsck_apfs). Supports user account details, browsing history, download history, and TCC permissions.

Is transport or authentication supported?

The server communicates via the MCP stdio transport (command/args configuration). No authentication is documented; it reads local triage directories specified by the user.

コメント

「その他」の他のコンテンツ