macOS Forensics Mcp Server
@x746b
About macOS Forensics Mcp Server
MCP (Model Context Protocol) server for macOS Digital Forensics and Incident Response (DFIR).
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"mac-forensics": {
"command": "/opt/mac_forensics-mcp/.venv/bin/python",
"args": [
"-m",
"mac_forensics_mcp.server"
],
"env": {}
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is macOS Forensics Mcp Server?
A Model Context Protocol (MCP) server that provides structured forensic analysis tools for macOS Digital Forensics and Incident Response (DFIR). It reduces context overhead when investigating incidents with LLMs by offering 23 tools covering Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes, System Logs, and more.
How to use macOS Forensics Mcp Server?
Clone the repository to /opt/macOS/mac_forensics-mcp, create a virtual environment with uv, and install the package. Then configure it with Claude Code using the claude mcp add command or by manually adding a JSON entry to mcpServers, specifying the command to run python -m mac_forensics_mcp.server. Tools are invoked by calling their function names (e.g., mac_unified_logs_search) from an MCP client.
Key features of macOS Forensics Mcp Server
- Structured queries instead of raw text searches
- Automatic timestamp normalization (Mac Absolute Time β UTC)
- Pre-built security event detection patterns
- Cross-artifact correlation and timeline building
- Pagination to prevent context overflow
- Artifact discovery to determine available data
Use cases of macOS Forensics Mcp Server
- Investigate user account creation, deletion, or modification
- Analyze file downloads via quarantine events and extended attributes
- Detect security events such as SSH sessions, sudo usage, or auth failures
- Build a unified timeline from multiple macOS artifacts
- Identify external device activity using fsck_apfs.log
FAQ from macOS Forensics Mcp Server
What are the runtime dependencies?
Python 3.10+, the uv package manager, and mcp >= 1.0.0. The biplist package is optional for malformed plists.
Does it require external forensic tools?
External tools are optional: unifiedlog_iterator for .logarchive bundles, FSEParser for FSEvents, and spotlight_parser for Spotlight indexes. If not installed, corresponding tools will not be available.
How do I configure custom paths for external tools?
Set environment variables MAC_FORENSICS_UNIFIEDLOG_ITERATOR_PATH, MAC_FORENSICS_FSEPARSER_PATH, and MAC_FORENSICS_SPOTLIGHT_PARSER_PATH. Defaults are /opt/macOS/ paths.
What macOS artifacts are supported?
Unified Logs, FSEvents, Spotlight index, Plist files, SQLite databases (KnowledgeC, Safari, TCC, quarantine), Extended Attributes, and system logs (fsck_apfs). Supports user account details, browsing history, download history, and TCC permissions.
Is transport or authentication supported?
The server communicates via the MCP stdio transport (command/args configuration). No authentication is documented; it reads local triage directories specified by the user.
More Other MCP servers
Reactive Resume
amruthpillaiA one-of-a-kind resume builder that keeps your privacy in mind. Completely secure, customizable, portable, open-source and free forever. Try it out today!
Maestro
mobile-dev-incPainless E2E Automation for Mobile and Web

Sequential Thinking
modelcontextprotocolModel Context Protocol Servers
Awesome Mlops
visengerA curated list of references for MLOps
MaxKB
1Panel-devπ₯ MaxKB is an open-source platform for building enterprise-grade agents. εΌΊε€§ζη¨ηεΌζΊδΌδΈηΊ§ζΊθ½δ½εΉ³ε°γ
Comments