Yelp/osxcollector

Is it installed?

PAULABAILEN opened this issue · 1 comments

How do I know it has been installed? The most important stuff I need is the firefox history on this machine for litigation purposes. Where are these files?

JAIMEs-MacBook-Pro% cd osxcollector
JAIMEs-MacBook-Pro% sudo /usr/bin/python2.7 osxcollector.py
Password:
[ERROR] Unable to parse plist: [The data couldn’t be read because it isn’t in the correct format.]. plist_path[/Applications/Adobe After Effects CS5/Plug-ins/Effects/Foundry/KeylightPro.plugin/Contents/Info.plist] - {'osxcollector_incident_id': 'osxcollect-2016_05_26-16_03_34', 'osxcollector_subsection': 'applications', 'osxcollector_section': 'applications'}
[ERROR] failed _log_sqlite_table near "1": syntax error <class 'sqlite3.OperationalError'> [('osxcollector.py', 1308, '_log_sqlite_table', "cursor.execute('SELECT * from {0}'.format(table_name))")] - {'osxcollector_table_name': u'1', 'osxcollector_incident_id': 'osxcollect-2016_05_26-16_03_34', 'osxcollector_db_path': '/Users/jimmypaula/Library/Application Support/Firefox/Profiles/6oyn5a5a.default-1460806269425/places.sqlite', 'osxcollector_username': 'jimmypaula', 'osxcollector_subsection': 'history', 'osxcollector_section': 'firefox'}
[ERROR] failed _log_sqlite_table database disk image is malformed <class 'sqlite3.DatabaseError'> [('osxcollector.py', 1309, '_log_sqlite_table', 'rows = cursor.fetchall()')] - {'osxcollector_table_name': u'moz_historyvisits', 'osxcollector_incident_id': 'osxcollect-2016_05_26-16_03_34', 'osxcollector_db_path': '/Users/jimmypaula/Library/Application Support/Firefox/Profiles/zqowk87w.default-1461982128860/places.sqlite', 'osxcollector_username': 'jimmypaula', 'osxcollector_subsection': 'history', 'osxcollector_section': 'firefox'}
[ERROR] failed _log_sqlite_table near "1": syntax error <class 'sqlite3.OperationalError'> [('osxcollector.py', 1308, '_log_sqlite_table', "cursor.execute('SELECT * from {0}'.format(table_name))")] - {'osxcollector_table_name': u'1', 'osxcollector_incident_id': 'osxcollect-2016_05_26-16_03_34', 'osxcollector_db_path': '/Users/jimmypaula/Library/Application Support/Firefox/Profiles/zqowk87w.default-1461982128860/places.sqlite', 'osxcollector_username': 'jimmypaula', 'osxcollector_subsection': 'history', 'osxcollector_section': 'firefox'}
Wrote 1984863 lines.
Output in osxcollect-2016_05_26-16_03_34.tar.gz

Hi @PAULABAILEN,
Firefox history is in the firefox section, subsection history, so if you would like to see the Firefox history, you should unpack the output file (osxcollect-2016_05_26-16_03_34.tar.gz in your case). There will be a JSON file there (actually the name follows the pattern of the archive output file, so it should be called osxcollect-2016_05_26-16_03_34.json). Now to see the entries in the firefox section and history subsection you can use a tool like jq:

$ cat osxcollect-2016_05_26-16_03_34.json | jq 'select(.osxcollector_section=="firefox" and .osxcollector_subsection=="history")'

I invite you to read the documentation in README.md which can point you to lots of examples on how to use the tool.
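
The same filter without jq, as an added example that is not part of the original thread or the osxcollector code base: it streams the `.json` member straight out of the `.tar.gz`, keeps the firefox/history records, and counts rows per table, which shows whether a table such as `moz_historyvisits` (one of the tables that raised an error in the run above) produced any rows. It assumes the output holds one JSON object per line and that the `.json` file sits somewhere inside the archive; the sample lines and the username `alice` are constructed.

```python
import io
import json
import tarfile
from collections import Counter

# Constructed sample lines (not real collector output); the last one is deliberately truncated.
SAMPLE_LINES = [
    '{"osxcollector_section": "firefox", "osxcollector_subsection": "history", '
    '"osxcollector_table_name": "moz_places", "osxcollector_username": "alice", "url": "https://example.com/"}',
    '{"osxcollector_section": "firefox", "osxcollector_subsection": "history", '
    '"osxcollector_table_name": "moz_historyvisits", "osxcollector_username": "alice"}',
    '{"osxcollector_section": "chrome", "osxcollector_subsection": "history", '
    '"osxcollector_table_name": "urls", "osxcollector_username": "alice"}',
    '{"osxcollector_section": "firefox", "osxcollector_subsection": "hist',
]


def build_sample_archive(path, name="sample.json"):
    """Write SAMPLE_LINES into a .tar.gz (assumed layout: a .json member inside the archive)."""
    data = "\n".join(SAMPLE_LINES).encode("utf-8")
    info = tarfile.TarInfo(name)
    info.size = len(data)
    with tarfile.open(path, "w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))


def iter_records(archive_path):
    """Stream one dict per JSON line from every .json member, skipping unparsable lines."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".json")):
                continue
            for raw in tar.extractfile(member):
                try:
                    record = json.loads(raw.decode("utf-8"))
                except ValueError:  # covers bad JSON, blank lines and bad UTF-8
                    continue
                if isinstance(record, dict):
                    yield record


def firefox_history(archive_path):
    """Return records whose section is firefox and subsection is history."""
    return [r for r in iter_records(archive_path)
            if r.get("osxcollector_section") == "firefox"
            and r.get("osxcollector_subsection") == "history"]


def rows_per_table(records):
    """Count rows per (username, table) so an empty or missing table stands out."""
    return Counter((r.get("osxcollector_username"), r.get("osxcollector_table_name")) for r in records)
```

Reading the archive in place leaves the collected `.tar.gz` unmodified, so its hash can be recorded once and re-checked later.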