MARS is a data extraction and recovery toolkit for macOS that salvages and recovers SQLite, plist, log, and cache data from a set of raw, carved files and matches them with artifacts of forensic interest from a reference system.
In some cases, MARS can recover thousands more database rows and hundreds of extra days of data beyond what exists in the original reference files alone.
- Exemplar: The set of baseline target artifacts (databases, logs, etc.) from a reference system that forms the "ground truth" for data recovery.
- Candidate: An unclassified file that MARS recovers and then attempts to match to exemplar artifacts.
- Rubric: A JSON schema containing per-column metadata, used to match candidate databases against their exemplar.
MARS uses a catalog of known artifacts to collect target files from an exemplar system. It can scan most disk image formats (EWF, etc.), folders, archives, and live macOS systems.
Artifacts with associated archives - like Powerlog's .gz backups - are automatically decompressed, deduplicated, and combined.
Databases are then "fingerprinted" column-by-column to create rubrics for matching candidates against.
The recovery and vetting process is designed to recover every candidate record that remains recoverable, and to vet what it recovers before matching.
MARS assesses and classifies the recovered data - including from within corrupt SQLite databases - then matches it against exemplar rubrics.
Truly unrepairable databases are byte-carved with protobuf extraction and timestamp detection for manual analysis.
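To make the fingerprint-and-match idea concrete, here is an added illustration of column-by-column rubric matching. It is not MARS's own code and does not use MARS's rubric format: the rubric layout (a dict keyed by table name, serialised to JSON), the name-plus-declared-type comparison, and the 0.8 threshold are all assumptions made for this example, and the databases it builds are constructed in memory. A real per-column fingerprint would carry more than names and types, but the shape of the workflow is the same: fingerprint the exemplar, fingerprint each carved candidate, score every candidate table against every exemplar table, and keep the best match above a threshold, ignoring table names because carved files often lose them.

```python
"""Column-by-column SQLite fingerprinting and rubric matching.

Added example, not MARS code. The rubric format and scoring rule below are
assumptions for illustration; sample tables are constructed in memory.
"""
import json
import sqlite3
from typing import Dict, List, Tuple

# Assumed rubric layout: {table_name: [{"name": column, "type": declared_type}, ...]}
Rubric = Dict[str, List[Dict[str, str]]]


def fingerprint(conn: sqlite3.Connection) -> Rubric:
    """Record the name and declared type of every column of every user table."""
    rubric: Rubric = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        rubric[table] = [{"name": c[1], "type": (c[2] or "").upper()} for c in cols]
    return rubric


def rubric_json(rubric: Rubric) -> str:
    """Serialise a rubric so it can be stored beside the exemplar."""
    return json.dumps(rubric, indent=2, sort_keys=True)


def column_overlap(ex_cols: List[Dict[str, str]], cand_cols: List[Dict[str, str]]) -> float:
    """Fraction of exemplar columns that the candidate also has, with the same
    name (case-insensitive) and declared type. Extra candidate columns are
    not penalised: a carved table with additional columns can still match."""
    if not ex_cols:
        return 0.0
    cand = {c["name"].lower(): c["type"].upper() for c in cand_cols}
    hits = sum(1 for c in ex_cols if cand.get(c["name"].lower()) == c["type"].upper())
    return hits / len(ex_cols)


def match_candidate(exemplar: Rubric, candidate: Rubric,
                    threshold: float = 0.8) -> Dict[str, Tuple[str, float]]:
    """For each exemplar table, pick the best-scoring candidate table.
    Table names are deliberately ignored: carved databases often lose them."""
    matches: Dict[str, Tuple[str, float]] = {}
    for ex_table, ex_cols in exemplar.items():
        scored = [(ct, column_overlap(ex_cols, cc)) for ct, cc in candidate.items()]
        if not scored:
            continue
        best_table, best_score = max(scored, key=lambda s: s[1])
        if best_score >= threshold:
            matches[ex_table] = (best_table, best_score)
    return matches


def demo() -> Tuple[Rubric, Dict[str, Tuple[str, float]]]:
    """Constructed sample: an exemplar with two tables and a carved candidate
    whose table names were lost but whose columns survived."""
    ex = sqlite3.connect(":memory:")
    ex.executescript("""
        CREATE TABLE wifi_history (id INTEGER PRIMARY KEY, ssid TEXT,
                                   bssid TEXT, last_joined REAL);
        CREATE TABLE settings (key TEXT, value BLOB);
    """)
    cand = sqlite3.connect(":memory:")
    cand.executescript("""
        CREATE TABLE carved_1 (id INTEGER PRIMARY KEY, ssid TEXT, bssid TEXT,
                               last_joined REAL, extra TEXT);
        CREATE TABLE carved_2 (id INTEGER, payload BLOB);
    """)
    ex_rubric = fingerprint(ex)
    return ex_rubric, match_candidate(ex_rubric, fingerprint(cand))


if __name__ == "__main__":
    rubric, found = demo()
    print(rubric_json(rubric))
    print(found)   # wifi_history -> carved_1 at score 1.0; settings has no match
```

Running the file prints the exemplar rubric as JSON and a single match: carved_1 scores 1.0 against wifi_history despite its extra column and different name, while nothing in the candidate resembles settings, so it stays unmatched.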
Both Exemplar and Candidate reports provide quick links to artifact folders and module reports, such as WiFi history and Biome parsing.
Data Comparison Reports show exactly how much data you've gained beyond baseline, measured in rows and days, and include a comprehensive zoomable timeline.
Export original Exemplar files, matched Candidates, or Both. The full-path option recreates the original file and folder structure, making the data easily parsable by external tools such as mac_apt, APOLLO, plaso, and others.
The combined export deduplicates and merges data while maintaining its integrity. Discrete user and profile account data is never mixed. An optional database source column marks each row's origin - so you can always trace the information back to its source.
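As an added illustration of the two ideas above, a combined export that deduplicates across sources while tagging each row's origin, and a gain report measured in rows and days, the following is example code, not MARS's export or reporting code. The `_source` column name, the whole-row hash used as the deduplication key, and the "first source wins" rule are assumptions for this example; the history table and its timestamps are constructed. Because the user column is part of the hashed row, identical events belonging to different users are never merged, which is the property the paragraph above describes.

```python
"""Merge exemplar and candidate rows with provenance, then report the gain.

Added example, not MARS code. Column name `_source`, the hash-based dedup
rule and the sample data are assumptions for illustration.
"""
import hashlib
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def merge_with_provenance(out: sqlite3.Connection, table: str, columns: List[str],
                          sources: List[Tuple[str, sqlite3.Connection]]) -> Dict[str, int]:
    """Copy `columns` of `table` from each (label, connection) into `out`,
    dropping rows already seen in an earlier source and recording the winning
    source in `_source`. List the exemplar first so its rows take precedence.
    Returns the number of rows kept per source."""
    collist = ", ".join(columns)
    placeholders = ", ".join("?" for _ in columns)
    out.execute(f"CREATE TABLE {table} ({collist}, _source TEXT)")
    seen = set()
    kept: Dict[str, int] = {}
    for label, conn in sources:
        kept[label] = 0
        for row in conn.execute(f"SELECT {collist} FROM {table}"):
            # The whole row is hashed, so a user/profile column is part of
            # the key: the same event for two users stays two rows.
            digest = hashlib.sha256(repr(row).encode()).hexdigest()
            if digest in seen:
                continue
            seen.add(digest)
            out.execute(f"INSERT INTO {table} VALUES ({placeholders}, ?)", (*row, label))
            kept[label] += 1
    out.commit()
    return kept


def gain_report(out: sqlite3.Connection, table: str, ts_column: str,
                baseline: str = "exemplar") -> Dict[str, int]:
    """Rows and distinct UTC days contributed by non-baseline sources.
    `ts_column` is assumed to hold Unix epoch seconds."""
    days: Dict[str, set] = {}
    rows: Dict[str, int] = {}
    for src, ts in out.execute(f"SELECT _source, {ts_column} FROM {table}"):
        days.setdefault(src, set()).add(datetime.fromtimestamp(ts, timezone.utc).date())
        rows[src] = rows.get(src, 0) + 1
    base_days = days.get(baseline, set())
    extra_days = set().union(*(d for s, d in days.items() if s != baseline)) - base_days
    extra_rows = sum(n for s, n in rows.items() if s != baseline)
    return {"rows_gained": extra_rows, "days_gained": len(extra_days)}


def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Constructed sample data, not from any real system."""
    def db(rows):
        c = sqlite3.connect(":memory:")
        c.execute("CREATE TABLE history (user TEXT, ts INTEGER, event TEXT)")
        c.executemany("INSERT INTO history VALUES (?, ?, ?)", rows)
        return c

    day = 86400
    t0 = 1710028800  # 2024-03-10T00:00:00Z
    exemplar = db([("alice", t0 + 100, "join"), ("alice", t0 + day + 5, "leave")])
    candidate = db([("alice", t0 + 100, "join"),       # exact duplicate of an exemplar row
                    ("alice", t0 - 9 * day, "join"),   # 2024-03-01: a day the exemplar lacks
                    ("bob", t0 + 100, "join")])        # same event, different user: kept
    out = sqlite3.connect(":memory:")
    kept = merge_with_provenance(out, "history", ["user", "ts", "event"],
                                 [("exemplar", exemplar), ("candidate", candidate)])
    return kept, gain_report(out, "history", "ts")


if __name__ == "__main__":
    print(demo())   # ({'exemplar': 2, 'candidate': 2}, {'rows_gained': 2, 'days_gained': 1})
```

Of the three candidate rows, one is discarded as a duplicate of the exemplar, and the two that survive add one day of coverage (2024-03-01) that the baseline did not have; bob's row lands on an existing day, so it counts as a row gained but not a day gained.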
If you just want to salvage corrupt SQLite databases, MARS can do that, too. Run the recovery pipeline on any set of files to automatically recover as much data as possible. Try it on the SQLite Forensic Corpus to see how it works.
- Easily mount EWF images directly in macOS via FUSE-T (completely avoids a kernel-level FUSE install)
- Automatic pseudo-logarchive creation, ready for Unified Logs parsing
- Database timeline plotter for SQLite with Plotly
- Add and edit targets using the Artifact Recovery Catalog (ARC) Manager
- Export and import anonymized exemplar catalog packages to share with other MARS users
- In-depth HTML documentation (no internet required)
- WiFi activity and location mapping
- Biome parsing with CCL Group's SEGB parser
- Firefox JSONLZ4 parsing
- Firefox cache parsing (extract images, HTML, etc.)
- macOS: macOS 11+ (Big Sur or later)
- Windows: Windows 10/11
- Python: 3.13+
- Download the latest release for your platform
- Extract the archive and enter the directory
- Run the installer:

macOS:

```sh
chmod +x install.sh
./install.sh
```

Windows:

```bat
install.bat
```

Or double-click install.bat.
- MARS application in an isolated virtual environment
- mars launcher script in the installation directory
- Optional: Kaleido for PDF/PNG export (prompted during install)
- Optional: fuse-t for mounting forensic images (prompted during install, macOS only)
To install Kaleido later, use the pip inside the MARS virtual environment.

macOS:

```sh
.venv/bin/pip install kaleido
```

Windows:

```bat
.venv\Scripts\pip install kaleido
```

fuse-t allows MARS to mount forensic disk images directly for analysis without extracting them first. Install via Homebrew:

```sh
brew tap macos-fuse-t/homebrew-cask
brew install fuse-t fuse-t-sshfs
```

Note
Homebrew must be installed first. Get it from https://brew.sh
macOS:

```sh
./mars
```

Windows:

```bat
mars.bat
```

MARS uses a three-stage workflow:
- Create Project – Set up a new case
- Exemplar Scan – Collect baseline artifacts from known locations to establish "ground truth"
- Candidates Scan – Process carved/recovered files against the exemplar to recover additional data
The TUI guides you through each step.
Free Match Mode: Process any set of SQLite databases through the recovery pipeline without an exemplar baseline.
Tip
Press h in the MARS console for a comprehensive help guide.
Simply delete the installation folder. MARS is fully self-contained.
```sh
# macOS
rm -rf /path/to/mars-installation
```

```bat
rem Windows
rmdir /s /q C:\path\to\mars-installation
```

Make sure Python 3.13+ is installed and in your PATH:
- macOS: Install from https://python.org or via Homebrew (brew install python@3.13)
- Windows: Install from https://python.org (check "Add Python to PATH")
If you see permission errors when running bundled binaries:
```sh
chmod +x .venv/lib/python3.*/site-packages/resources/macos/bin/*
```

The first run of MARS or its bundled tools may trigger Gatekeeper. Allow it in System Preferences > Security & Privacy (System Settings > Privacy & Security on macOS 13 and later).
First run may trigger Windows Defender SmartScreen. Click "More info" > "Run anyway" if you trust the source.
MARS is licensed under the Apache License 2.0. See LICENSE for details.
This project includes bundled binaries and references third-party software. For complete license details, see THIRD-PARTY-NOTICES.md.
Key components:
- libewf - Expert Witness Format library (LGPL v3)
- gzrecover - Corrupted gzip recovery (GPL v2)
- sqlite_dissect - SQLite forensic parser (DC3 License)
- dfVFS - Virtual file system layer (Apache 2.0)
- zlib - Compression library (zlib License)
Individual license files are in src/resources/licenses/.
MARS builds upon the work of several open-source projects:
- blackboxprotobuf (bbpb) - Protobuf decoding without .proto files
- unfurl - URL and timestamp parsing
- libewf - Expert Witness Format library (MARS fork with macOS FUSE-T support)
- sqlite_dissect - SQLite forensic parser by DC3 (MARS fork)
- SEGB Parser - by CCL Group
MARS is for informational purposes only. The data presented should be independently verified before being relied upon for any legal, regulatory, or evidentiary purpose.
