Releases: ydkhatri/mac_apt

20251206

07 Dec 05:41

What's changed

  • Python 3.14 compatibility for macOS and Windows.
    • Python 3.14 compiled executables
  • Some bug fixes and optimisations.

Full Changelog: v1.26.8...v1.28.7

29250905

05 Sep 02:23

This release just fixes a couple of bugs

  • Fixes an issue with Spotlight which caused the plugin to crash
  • Fixes an issue with Excel file creation, caused by a bug in a dependency

Full Changelog: v1.26.4...v1.26.8

20250814

14 Aug 15:08

This is a minor release with only a few bug fixes and enhancements

  • Fixes bug with unzipping Velociraptor-created zips
  • Removed zipfile_deflate64 dependency
  • Optimisation for APFS disk block reads, resulting in faster reading of APFS

Full Changelog: v1.26.1...v1.26.4

20250728

28 Jul 14:30

What's Changed

  • Add a plugin for items in iCloud devices by @a5hlynx in #129
  • Add System keychain parsing with Chainbreaker (new plugin KEYCHAINS)
  • New Plugins - LAUNCHPAD, FACETIME
  • Add parsing of Secure Preferences for Extension data in CHROMIUM
  • Removed Unifiedlogs plugin, added UnifiedLogExport plugin
  • Compiled mac (x86_64 and arm64) apps are now published! For usage, see here

WARNING - mac_apt now includes code from the Chainbreaker project, which may flag with AV/EDR vendors as malware.

Bugfixes and general improvements:

  • Adjust for negative uid and gid values; previously these were interpreted as uint
  • Add powermanagement to .asl file paths
  • Add Bluetooth vendor name resolution
  • Add genstore_orig_display_name from xattr to DocumentRevisions
  • Add timestamp for SecureBookmark last used date in MSOFFICE
  • Standardize and improve urldecode across several plugins
  • Correct Spotlightshortcuts path
  • Add Xattr support for mounted volumes and Velociraptor zips
  • Fix RSR detection issue

Full Changelog: v1.13.6...v1.26.1

20250506 (v1.13.6)

06 May 12:29

What's Changed

  • Added support for reading Velociraptor created zip file collections (collected using the MacOS.Search.FileFinder module)
  • Added support for new Notification DB path in macOS 15 by @mnrkbys in #119
  • Added feature to specify plugins not to be run by @mnrkbys in #113
  • Add JSONL output type
  • New plugin - CALLHISTORY
  • New plugin - CRASHREPORTER
  • New plugin - WIFI_INTELLIGENCE - Details
  • Add CoreSimulator file system events to FSEVENTS plugin
  • Significant update to BTM parsing in AUTOSTART plugin - Details
  • Fetch additional window titles from decrypting data.data and add Dock saved info to SAVEDSTATE plugin
  • Added Identifier field, fix other minor issues with NOTIFICATIONS plugin
  • Parse new screentime strings files
  • Update APFS parsing - changed the way an item was classified as file or folder or symlink
  • Minor bugfixes and latest macOS compatibility for SCREENSHARING, MSRDC, SPOTLIGHT and QUICKLOOK plugins
  • Removed mac_apt_mounted_sys_data.py as it was unused. This was only a temporary measure for macOS 10.15

Full Changelog: v1.7.5-dev...v1.13.6

v1.7.5-dev

11 May 08:09

Dev release - not extensively tested.

Windows binaries are now Python 3.12 compiled and run up to 30% faster ⚡

What's Changed

  • Added TCC and UTMPX plugins to README.md by @mnrkbys in #99
  • Added support for 3SLD format (fsevents) by @ydkhatri
  • Added support for Arc Browser by @mnrkbys in #101
  • modifications of autostart and firefox by @a5hlynx in #102
  • Added support for sfl3 by @mnrkbys in #109
  • Add a plugin for ASL by @a5hlynx in #108
  • Added SCREENSHARING plugin by @mnrkbys in #111
  • Added support for Safari profiles and tab snapshots by @mnrkbys in #115
  • Added XPROTECTBEHAVIOR plugin by @mnrkbys in #114
  • Added MSRDC (Microsoft Remote Desktop) plugin by @mnrkbys in #117
  • Identify and process data from deleted User's DARWIN_ cache folders
  • Python 3.12 compatibility
  • Supports ASLA produced SPARSEIMAGE files now

Bug Fixes and improvements

  • Faster processing due to improved file reading by preventing unneeded data copies
  • Improved zlib handling
  • Count user and system accounts separately in Users output
  • Add timezone artifact
  • Fixed a possible error in CFURLCACHE plugin by @mnrkbys in #112

Full Changelog: v1.5.8-dev...v1.7.5-dev

20230617

16 Jun 15:15

Dev release - not extensively tested.

Changes in this release

  • More locations added to fetch serial number
  • Ventura (macOS 13) support including reading RSR
  • Docker support added
  • Support for SNSS v3 for chromium browsers
  • Extended CHROME to CHROMIUM covering more CHROMIUM based browsers
  • Added plugin FIREFOX
  • Better profile detection for CHROMIUM browsers
  • Update AUTOSTART for macOS 13
  • Update spotlight database paths for new ones on macOS 12+
  • Support for parsing very old Spotlight v1 store.db files
  • Python 3.10 support and binaries compiled with 3.10

Bug fixes

  • Many minor bugs fixed
  • Better handling of broken XML issues in certain plists
  • Better fsevents reading, some data was skipped at times
  • LZVN bug fixed
  • Reading of the correct boot container (if multiple) and parsing the OS one

20220614

14 Jun 12:26

Dev release - not extensively tested.

Changes in this release

  • Add CSV support for output (old CSV was TSV, also supported)
  • Add new plugins - TCC and XPROTECTDIAG by Minoru Kobayashi (@mnrkbys)
  • Add SafariTabs.db parsing

Bug fixes

  • Fix an issue with Spotlight parsing (prop_type 8)
  • Fix a display issue with Excel dates for utmpx plugin
  • Fix a display issue with Excel dates for cfurl_cache plugin
  • Minor bugfix for fsevents and utmpx plugins

20210904

04 Sep 01:47

This is a dev release that fixes a few bugs

20210824

24 Aug 05:48

A temporary dev release that fixes a few identified bugs