Just a quick update. I fixed a big bug in my mac-robber.py script about 2 weeks ago, but realized I hadn't published a diary about it. I didn't go back and figure out how this one slipped in because I'm sure it worked originally, but it was generating bad output for soft/symbolic links. If. you are using the script, please update immediately.

References:

[1] https://github.com/att/docker-forensics/blob/master/mac-robber.py

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu