# macforensics

`macforensics` is a macOS command-line acquisition tool for creating a raw forensic image from a block device, hashing the acquired image, and writing a JSON case manifest.

## What it does

- Enumerates candidate disk devices with `diskutil`
- Streams a source block device into a `.dd` image file
- Computes a SHA-256 digest during acquisition
- Writes a `.sha256` companion file and a JSON manifest with case metadata
- Refuses to overwrite existing evidence artifacts
- Refuses to image the currently booted disk unless explicitly overridden (see `--force-live` below)
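The acquisition path listed above (stream the device, hash in the same pass, refuse to overwrite, write the `.sha256` companion and the JSON manifest) in the form a practitioner would write it, as an added example rather than the project's own code. The manifest keys, the `shasum -a 256` layout of the companion file, and the `copy_and_hash`, `acquire` and `verify` names are assumptions; `run_demo()` exercises the flow against a constructed 1 MiB file standing in for a device, so it runs without root or a real disk:

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # 4 MiB: large sequential reads suit raw device nodes


def copy_and_hash(source, out_fh):
    """Stream `source` into `out_fh`, hashing the same bytes that land in the image."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb", buffering=0) as src:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            out_fh.write(block)
            copied += len(block)
    return h.hexdigest(), copied


def acquire(source, dest_dir, case_id, evidence_label, examiner):
    stem = Path(dest_dir) / f"{case_id}_{evidence_label}"
    image, sidecar, manifest = (stem.with_suffix(s) for s in (".dd", ".sha256", ".json"))
    # Never overwrite evidence: check all three names before writing anything,
    # then open with "x" (O_CREAT|O_EXCL) so even a race cannot clobber a file.
    for p in (image, sidecar, manifest):
        if p.exists():
            raise FileExistsError(f"refusing to overwrite evidence artifact {p}")
    started = datetime.now(timezone.utc).isoformat()
    with open(image, "xb") as out:
        digest, size = copy_and_hash(source, out)
        out.flush()
        os.fsync(out.fileno())  # image is durable before the hash vouching for it
    finished = datetime.now(timezone.utc).isoformat()
    with open(sidecar, "x") as fh:  # `shasum -a 256` layout: "<hex>  <filename>"
        fh.write(f"{digest}  {image.name}\n")
    record = {  # manifest keys are an assumption of this example
        "case_id": case_id, "evidence_label": evidence_label, "examiner": examiner,
        "source": str(source), "image": image.name, "bytes": size, "sha256": digest,
        "started_utc": started, "finished_utc": finished,
    }
    with open(manifest, "x") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify(image_path):
    """Re-hash the image and compare it with its .sha256 companion file."""
    image = Path(image_path)
    expected = image.with_suffix(".sha256").read_text().split()[0]
    h = hashlib.sha256()
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected


def run_demo():
    """Run the flow against a constructed file (not a real device) and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = os.urandom(1024 * 1024)  # constructed device contents
        fake_device = Path(tmp) / "fake-disk"
        fake_device.write_bytes(payload)
        evidence = Path(tmp) / "Evidence"
        evidence.mkdir()
        args = (fake_device, evidence, "CASE-2026-001", "MacBook-Pro-14", "D. Analyst")
        record = acquire(*args)
        image = evidence / record["image"]
        results = {
            "digest_matches_source": record["sha256"] == hashlib.sha256(payload).hexdigest(),
            "bytes": record["bytes"],
            "names": sorted(p.name for p in evidence.iterdir()),
            "verifies": verify(image),
        }
        try:
            acquire(*args)  # same case and label again: must be refused
            results["second_run_refused"] = False
        except FileExistsError:
            results["second_run_refused"] = True
        with open(image, "r+b") as fh:  # flip one byte: verification must now fail
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        results["tamper_detected"] = not verify(image)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing inside the copy loop matters: a digest computed from a second read of the device could differ from what was written if the source changed between passes, which is exactly the situation a live acquisition is in. The `.sha256` companion uses the two-space `shasum` layout so `shasum -a 256 -c CASE-2026-001_MacBook-Pro-14.sha256` verifies it without this code.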

## Important forensic limitations

- A live system acquisition is not forensically pristine: the running OS keeps writing to its own disk during the copy, so the image cannot be reproduced bit-for-bit and the system's own state changes. Prefer booting the Mac from trusted external media or Recovery before imaging internal storage.
- Reading raw device nodes (`/dev/disk2`, or the unbuffered `/dev/rdisk2`) requires root privileges, so the `image` command must run under `sudo`.
- SIP, T2, FileVault, and Apple silicon security settings may still limit access depending on the boot mode and target device state. A raw image of a FileVault-encrypted volume contains ciphertext; the volume password or recovery key is still needed to decrypt it during analysis.
- This tool creates a raw image (`.dd`) only. It does not produce E01/AFF4 evidence containers, so there is no built-in compression, segmenting, or embedded metadata; convert with other tooling if a container format is required.

## Install

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -e '.[dev]'
```

## Usage

List available devices:

```bash
macforensics list-sources
```

Acquire an image:

```bash
sudo macforensics image /dev/disk2 /Volumes/Evidence \
  --case-id CASE-2026-001 \
  --examiner "D. Analyst" \
  --evidence-label "MacBook-Pro-14"
```

If the target appears to be the currently booted disk, the command stops unless `--force-live` is supplied, since imaging that disk means imaging the system the tool is running on.
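One way to implement that booted-disk check, added here as an example and not the project's own code: ask `diskutil info -plist /` which devices hold the root volume and compare them with the target. The sample plist below is constructed to look like diskutil's output on an APFS system (root on synthesized `disk3`, container stored on `disk0s2`); the `whole_disk`, `disks_backing_root`, `is_booted_disk` and `check_target` names are assumptions, and the project's own check may work differently:

```python
import plistlib
import re
import subprocess

# Constructed sample of `diskutil info -plist /` on an APFS system volume: the
# root volume lives on synthesized disk3, whose container is stored on disk0s2.
SAMPLE_ROOT_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DeviceIdentifier</key><string>disk3s1s1</string>
  <key>DeviceNode</key><string>/dev/disk3s1s1</string>
  <key>MountPoint</key><string>/</string>
  <key>ParentWholeDisk</key><string>disk3</string>
  <key>APFSPhysicalStores</key>
  <array><dict><key>APFSPhysicalStore</key><string>disk0s2</string></dict></array>
</dict>
</plist>
"""

# /dev/rdisk0s2, /dev/disk0s2, disk0s2 and disk0 all normalise to "disk0"
_DEVICE_RE = re.compile(r"^(?:/dev/)?r?(disk\d+)(?:s\d+)*$")


def whole_disk(device):
    """Reduce any macOS disk/partition node to its whole-disk identifier."""
    m = _DEVICE_RE.match(device.strip())
    if not m:
        raise ValueError(f"not a macOS disk device: {device!r}")
    return m.group(1)


def disks_backing_root(info_plist):
    """Whole disks that hold the booted system volume, from diskutil's plist output.

    Both the synthesized APFS disk (ParentWholeDisk) and the physical disk(s)
    under it (APFSPhysicalStores) count: imaging either while booted is a live
    acquisition of the running system.
    """
    info = plistlib.loads(info_plist)
    disks = set()
    if "ParentWholeDisk" in info:
        disks.add(whole_disk(info["ParentWholeDisk"]))
    for store in info.get("APFSPhysicalStores", []):
        disks.add(whole_disk(store["APFSPhysicalStore"]))
    return disks


def is_booted_disk(target, info_plist):
    return whole_disk(target) in disks_backing_root(info_plist)


def check_target(target, force_live=False, info_plist=None):
    """Abort unless the target is safe to image or the caller opted into a live copy."""
    if info_plist is None:  # live lookup; only meaningful on macOS
        info_plist = subprocess.run(
            ["diskutil", "info", "-plist", "/"], check=True, capture_output=True
        ).stdout
    if is_booted_disk(target, info_plist) and not force_live:
        raise SystemExit(
            f"{target} backs the booted system volume; boot from external media "
            "or Recovery, or pass --force-live to image it anyway"
        )
    return True
```

Comparing whole-disk identifiers rather than the exact node is deliberate: a target of `/dev/disk0` or `/dev/rdisk0s2` is the same physical flash as the booted container on `disk0s2`, and an exact string match would miss it.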

## Outputs

For case `CASE-2026-001` and evidence label `MacBook-Pro-14`, the tool writes:

- `CASE-2026-001_MacBook-Pro-14.dd`
- `CASE-2026-001_MacBook-Pro-14.sha256`
- `CASE-2026-001_MacBook-Pro-14.json`

## Run tests

```bash
pytest
```
