Ma2Tl - macOS Forensic Timeline Generator Using The Analysis Result DBs Of Mac_Apt

This is a DFIR tool for generating a macOS forensic timeline from the analysis result DBs of mac_apt.


  • Python 3.7.0 or later
  • pytz
  • tzlocal
  • xlsxwriter


% git clone https://github.com/mnrkbys/ma2tl.git


% python ./ma2tl.py -husage: ma2tl.py [-h] [-i INPUT] [-o OUTPUT] [-ot OUTPUT_TYPE] [-s START] [-e END] [-t TIMEZONE] [-l LOG_LEVEL] plugin [plugin ...]Forensic timeline generator using mac_apt analysis results. Supports only SQLite DBs.positional arguments:  plugin                Plugins to run (space separated).optional arguments:  -h, --help            show this help message and exit  -i INPUT, --input INPUT                        Path to a folder that contains mac_apt DBs.  -o OUTPUT, --output OUTPUT                        Path to a folder to save ma2tl result.  -ot OUTPUT_TYPE, --output_type OUTPUT_TYPE                        Specify the output file type: SQLITE, XLSX, TSV (Default: SQLITE)  -s START, --start START                        Specify start timestamp. (ex. 2021-11-05 08:30:00)  -e END, --end END     Specify end timestamp.     -t TIMEZONE, --timezone TIMEZONE                        Specify Timezone: "UTC", "Asia/Tokyo", "US/Eastern", etc (Default: System Local Timezone)  -l LOG_LEVEL, --log_level LOG_LEVEL                        Specify log level: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default: INFO)The following 4 plugins are available:    FILE_DOWNLOAD       Extract file download activities.    PERSISTENCE         Extract persistence settings.    PROG_EXEC           Extract program execution activities.    VOLUME_MOUNT        Extract volume mount/unmount activities.    ----------------------------------------------------------------------------    ALL                 Run all plugins

Generated timeline example


This tool was published on Japan Security Analyst Conference 2022 (JSAC2022).

Slides are available below:


Minoru Kobayashi



Disqus Comments