Having spent the best part of the last decade working on Live Forensic techniques I've begun to turn my attention to OSX. I'm an unashamed MacHead but have not spent much time thinking about ways to extract data from a live machine.
Knowing who a suspect speaks to or emails can be very useful in an investigation and so I've started looking at the email system in OSX. The inbuilt email app, Mail is very widely used and connects to the OSX Address Book for the management of contact data. However, tucked away in a SQL Lite table is a large list of 'Recent Contacts', which contains the name and email address of recently contacted people who may or may not be in your standard contacts.
You can see this list by opening OSX Mail and browsing to Window - Previous Recipients. This opens a box with all the recent contacts, but apart from being able to add the contact to your main contacts, there is no way to export them.
I've written a small shell script to extract the name and email from the SQL table and pop them in a csv file for you.
The code is very simple, just 2 lines:-
echo 'First Name,Surname,Email Address' > ~/Desktop/recentcontacts.csv
This simply writes the column heads to a CSV file on your Desktop
sqlite3 -csv ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr 'select ZFIRSTNAME, ZLASTNAME, ZEMAIL from ZABCDMAILRECENT;' >> ~/Desktop/recentcontacts.csv
This opens the MailRecents SQL file and pulls out the first name, last name and email address, writing them to the CSV file on your Desktop.
Easy!
For ease just drop the file somewhere, 'cd' to it and run - ./recentexport.sh
If it doesn't run you might have a permissions issue so just type - chmod +x recentexport.sh
You can download the tool here.
Hope its useful to you.
3 comments:
Awesome Nick, thanks for this.
nice
While extracting I got an issue called apple Error 4013
Post a Comment