MCP.so
Sign In

macOS Forensics Mcp Server

@x746b

About macOS Forensics Mcp Server

MCP (Model Context Protocol) server for macOS Digital Forensics and Incident Response (DFIR).

Basic information

Category

Other

Transports

stdio

Publisher

x746b

Submitted by

xtk

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "mac-forensics": {
      "command": "/opt/mac_forensics-mcp/.venv/bin/python",
      "args": [
        "-m",
        "mac_forensics_mcp.server"
      ],
      "env": {}
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is macOS Forensics Mcp Server?

A Model Context Protocol (MCP) server that provides structured forensic analysis tools for macOS Digital Forensics and Incident Response (DFIR). It reduces context overhead when investigating incidents with LLMs by offering 23 tools covering Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.

How to use macOS Forensics Mcp Server?

Clone the repository to /opt/macOS/mac_forensics-mcp, create a virtual environment with uv, and install the package. Then configure it with Claude Code using the claude mcp add command or by manually adding a JSON entry to mcpServers, specifying the command to run python -m mac_forensics_mcp.server. Tools are invoked by calling their function names (e.g., mac_unified_logs_search) from an MCP client.

Key features of macOS Forensics Mcp Server

  • Structured queries instead of raw text searches
  • Automatic timestamp normalization (Mac Absolute Time β†’ UTC)
  • Pre-built security event detection patterns
  • Cross-artifact correlation and timeline building
  • Pagination to prevent context overflow
  • Artifact discovery to determine available data

Use cases of macOS Forensics Mcp Server

  • Investigate user account creation, deletion, or modification
  • Analyze file downloads via quarantine events and extended attributes
  • Detect security events such as SSH sessions, sudo usage, or auth failures
  • Build a unified timeline from multiple macOS artifacts
  • Identify external device activity using fsck_apfs.log

FAQ from macOS Forensics Mcp Server

What are the runtime dependencies?

Python 3.10+, the uv package manager, and mcp >= 1.0.0. The biplist package is optional for malformed plists.

Does it require external forensic tools?

External tools are optional: unifiedlog_iterator for .logarchive bundles, FSEParser for FSEvents, and spotlight_parser for Spotlight indexes. If not installed, corresponding tools will not be available.

How do I configure custom paths for external tools?

Set environment variables MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH, MAC_FORENSICS_FSEPARSER_PATH, and MAC_FORENSICS_SPOTLIGHT_PARSER_PATH. Defaults are /opt/macOS/ paths.

What macOS artifacts are supported?

Unified Logs, FSEvents, Spotlight index, Plist files, SQLite databases (KnowledgeC, Safari, TCC, quarantine), Extended Attributes, and system logs (fsck_apfs). Supports user account details, browsing history, download history, and TCC permissions.

Is transport or authentication supported?

The server communicates via the MCP stdio transport (command/args configuration). No authentication is documented; it reads local triage directories specified by the user.

Comments

More Other MCP servers