
EnCase App Central


Mac OS X OpenBSM Audit Log Parser

This script parses user-specified Mac OS X OpenBSM audit logs, which are usually found in the following folder (/var/audit is a symbolic link to it) -

           /private/var/audit

The default audit configuration (the audit classes selected in /etc/security/audit_control) logs events relating to audit control, user logon, and the creation, modification and deletion of users and groups. The audit system is configurable, however, and can be set up to log a much wider range of events, so the defaults are no guide to what a particular system actually recorded.

Each audit log contains one or more records, each starting with a header token and ending with a trailer token. Between these two tokens sit one or more further tokens, whose number and content depend on the type of record concerned.

The script determines the length of a record from the record byte-count in the header token. The same byte-count is repeated in the trailer token together with a fixed magic number (0xB105): if the trailer is not where the header says it should be, or its magic number or byte-count disagree with the header, the script knows the record is corrupt.

The remaining tokens have to be parsed one after another, because tokens are variable-length and the start of the next token can only be found by fully decoding the current one. If a token cannot be identified, or cannot be parsed, the script therefore skips to the next record using the byte-count from the header. It records the fact that the record was only partially parsed in the bookmark created for that record, and also writes a warning to the console.

Some tokens carry a stream of binary data. These include the tokens with the following IDs -

           AUT_OPAQUE - A sequence of bytes of arbitrary content, preceded by a two-byte length.
           AUT_DATA - The "arbitrary data" token: one or more untyped units, each of the same size (byte, short, 32-bit or 64-bit), preceded by a unit type and a unit count.
           AUT_IP - A 20-byte IPv4 header.

The script does not attempt to decode the contents of these tokens: it reports only their offset and length within the associated audit-log file, leaving the examiner to interpret the bytes manually.
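The record and token handling described above, written out as an added Python example (this is not the EnScript and not code from the page). It uses the AUT_HEADER32/AUT_TRAILER layouts and token IDs from OpenBSM's bsm/audit_record.h; handling only header32 records and five token types is an assumed simplification, and the audit data at the bottom is constructed rather than captured from a real system. Like the script, it uses the header byte-count to resynchronise after an unknown or truncated token, flags records whose trailer disagrees with the header, and reports AUT_OPAQUE and AUT_DATA tokens by offset and length rather than decoding them.

```python
import struct
from dataclasses import dataclass, field

# Token IDs from OpenBSM's bsm/audit_record.h (only the subset handled here).
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_DATA = 0x21
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
AUT_OPAQUE = 0x29
TRAILER_MAGIC = 0xB105  # AUT_TRAILER_MAGIC
HEADER32_LEN = 18       # id(1) length(4) version(1) event(2) modifier(2) sec(4) msec(4)
TRAILER_LEN = 7         # id(1) magic(2) length(4)
UNIT_SIZE = {0: 1, 1: 2, 2: 4, 3: 8}  # AUR_BYTE, AUR_SHORT, AUR_INT32, AUR_INT64


@dataclass
class Record:
    offset: int
    length: int
    event: int
    timestamp: float
    intact: bool = False  # header and trailer agree on length and magic
    tokens: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _need(p, n, limit, name):
    if p + n > limit:
        raise ValueError(f"truncated {name} token at offset {p}")


def _subject32(buf, p, limit):
    _need(p, 37, limit, "subject32")
    f = struct.unpack_from(">9I", buf, p + 1)
    addr = ".".join(str(b) for b in f[8].to_bytes(4, "big"))
    return {"type": "subject32", "auid": f[0], "euid": f[1], "egid": f[2], "ruid": f[3],
            "rgid": f[4], "pid": f[5], "sid": f[6], "tid_port": f[7], "tid_addr": addr}, p + 37


def _text(buf, p, limit):
    _need(p, 3, limit, "text")
    (n,) = struct.unpack_from(">H", buf, p + 1)   # length includes the NUL terminator
    _need(p, 3 + n, limit, "text")
    s = buf[p + 3:p + 3 + n].rstrip(b"\x00").decode("utf-8", "replace")
    return {"type": "text", "text": s}, p + 3 + n


def _return32(buf, p, limit):
    _need(p, 6, limit, "return32")
    err, val = struct.unpack_from(">BI", buf, p + 1)
    return {"type": "return32", "errno": err, "value": val}, p + 6


def _opaque(buf, p, limit):
    # Raw bytes behind a two-byte length: report offset and length only, as the script does.
    _need(p, 3, limit, "opaque")
    (n,) = struct.unpack_from(">H", buf, p + 1)
    _need(p, 3 + n, limit, "opaque")
    return {"type": "opaque", "offset": p + 3, "length": n}, p + 3 + n


def _data(buf, p, limit):
    # "Arbitrary data": print format, unit type, unit count, then count * unit_size bytes.
    _need(p, 4, limit, "data")
    _fmt, unit, count = struct.unpack_from(">BBB", buf, p + 1)
    if unit not in UNIT_SIZE:
        raise ValueError(f"data token with unknown unit type {unit} at offset {p}")
    n = UNIT_SIZE[unit] * count
    _need(p, 4 + n, limit, "data")
    return {"type": "data", "offset": p + 4, "length": n, "unit_size": UNIT_SIZE[unit]}, p + 4 + n


TOKEN_PARSERS = {AUT_SUBJECT32: _subject32, AUT_TEXT: _text, AUT_RETURN32: _return32,
                 AUT_OPAQUE: _opaque, AUT_DATA: _data}


def parse_records(buf):
    """Walk a buffer of OpenBSM records without losing sync on a bad token."""
    records, pos = [], 0
    while pos < len(buf):
        if buf[pos] != AUT_HEADER32 or pos + HEADER32_LEN > len(buf):
            raise ValueError(f"expected header32 token at offset {pos}")
        length, _ver, event, _mod, secs, msec = struct.unpack_from(">IBHHII", buf, pos + 1)
        rec = Record(pos, length, event, secs + msec / 1000)
        end = pos + length
        if length < HEADER32_LEN + TRAILER_LEN or end > len(buf):
            rec.warnings.append("record length in header is out of range; stopping")
            records.append(rec)
            break
        # Integrity check: the trailer must repeat the length and carry the magic number.
        tid, magic, tlen = struct.unpack_from(">BHI", buf, end - TRAILER_LEN)
        rec.intact = tid == AUT_TRAILER and magic == TRAILER_MAGIC and tlen == length
        if not rec.intact:
            rec.warnings.append("trailer does not match header; record may be corrupt")
        p = pos + HEADER32_LEN
        while p < end - TRAILER_LEN:
            parser = TOKEN_PARSERS.get(buf[p])
            if parser is None:
                rec.warnings.append(f"unknown token 0x{buf[p]:02x} at offset {p}; rest of record skipped")
                break
            try:
                tok, p = parser(buf, p, end - TRAILER_LEN)
            except ValueError as exc:
                rec.warnings.append(f"{exc}; rest of record skipped")
                break
            rec.tokens.append(tok)
        records.append(rec)
        pos = end  # the header byte-count lets us resynchronise even after a bad token
    return records


def _record(event, body, magic=TRAILER_MAGIC):
    length = HEADER32_LEN + len(body) + TRAILER_LEN
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", length, 11, event, 0, 1375358400, 250)
    return header + body + bytes([AUT_TRAILER]) + struct.pack(">HI", magic, length)


# Constructed sample log (not real data; event numbers are arbitrary): a clean record,
# one containing an unknown token ID 0xFE, and one whose trailer magic is wrong.
SAMPLE_LOG = (
    _record(6159, bytes([AUT_SUBJECT32]) + struct.pack(">9I", 501, 501, 20, 501, 20, 1234, 100001, 0, 0)
            + bytes([AUT_TEXT]) + struct.pack(">H", 13) + b"login sample\x00"
            + bytes([AUT_RETURN32]) + struct.pack(">BI", 0, 0))
    + _record(6160, bytes([AUT_OPAQUE]) + struct.pack(">H", 4) + b"\xde\xad\xbe\xef" + b"\xfe\x00\x00")
    + _record(6160, bytes([AUT_DATA, 0, 2, 2]) + struct.pack(">II", 7, 8), magic=0x1234)
)

if __name__ == "__main__":
    for r in parse_records(SAMPLE_LOG):
        print(f"@{r.offset:<4} len={r.length:<3} event={r.event} intact={r.intact} "
              f"tokens={[t['type'] for t in r.tokens]} warnings={r.warnings}")
```

Run against a real log, read /private/var/audit/<file> into `buf` and call `parse_records(buf)`; the first unhandled token ID you meet (there are many more than the five above) shows up as a warning on that record rather than desynchronising every record after it, which is the property the script relies on.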

The output of the script is in the form of bookmarks and XML files.

One XML file is created per audit file. The script assigns GUIDs to certain XML entities, including those that represent audit files, audit records and certain types of audit token. The GUID assigned to an audit file is the GUID of the source entry in the case, so the XML can be tied back to the evidence item it was produced from.

The reason for assigning GUIDs is to facilitate import of the XML data into a database such as MS Access. On reading a given XML file, Access creates tables for the file, the records it contains and the different types of audit token contained therein. The GUIDs let the examiner write queries that join each token to the record it belongs to, and each record to the file it belongs to.

Note: The XML files created by the script will be larger than the binary source files, because every binary field is expanded into text.



Version: 2
Tested with: EnCase Forensic 7.10
Developer: Simon Key
Category: Artifact

278 DOWNLOADS

YOU MAY ALSO LIKE

WebCacheV01.dat Internet History Decoder (Artifact)
This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key - 9953 downloads

Cortana Search Decoder (Artifact)
Decodes the search terms stored in IndexedDB.edb files used by the Microsoft Windows Cortana search function.
By Simon Key - 7627 downloads

ShellBags Parser (Artifact)
Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key - 379 downloads

User Assist Registry Value Decoder (Artifact)
Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key - 221 downloads