Noureddine RAMDI / Fuji: macOS-native live forensic acquisition with unattended logical imaging

Created Sat, 23 May 2026 20:41:14 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

Lazza/Fuji

Fuji stands out in the macOS forensic acquisition landscape by doing something surprisingly straightforward yet effective: it uses only the standard macOS executables to perform live logical imaging. No kernel extensions, no disabling System Integrity Protection (SIP), no complex third-party drivers. This approach simplifies the process and reduces risk on both Intel and Apple Silicon Macs, while still generating forensic-quality disk images.

What Fuji does and how it works

Fuji is an open-source tool written in Python designed for live logical forensic acquisition of macOS systems. Unlike traditional imaging tools that might rely on kernel extensions or require disabling SIP—which can be invasive and risky—Fuji orchestrates native macOS command-line utilities to create a forensically sound disk image (DMG format) of a running system.

The key architectural choice is to leverage only what macOS provides out of the box. This means it works on both Intel and Apple Silicon Macs without any special drivers or kernel tweaks. Under the hood, Fuji runs a sequence of standard macOS commands to copy filesystem data and metadata from the running system into a DMG container. The container format itself proves nothing about integrity; what supports chain of custody is hashing the finished image and recording that hash alongside a log of exactly which commands ran, so that the copy can be re-verified later.

The tool operates unattended, which means an investigator can kick off the acquisition process and let it run without manual intervention. This is especially useful in live forensics, where time is critical and human error must be minimized.
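As an added illustration (example code written for this page, not Fuji's own implementation), the sketch below shows what a native-only live logical acquisition looks like when driven from Python: a sparse APFS image is created and attached with `hdiutil`, the live filesystem is copied into it with `rsync`, the image is detached and frozen into a read-only DMG, and the result is hashed so the copy can be verified afterwards. `hdiutil`, `rsync` and `shasum` are real macOS utilities; the function names, the chosen flags, the default 2 TB nominal sparse size and the constructed stand-in file in `demo()` are this example's own assumptions. The dry-run mode exists so the full command sequence can be reviewed before anything touches a live system.

```python
# Added illustration, not Fuji's own code: a minimal native-only acquisition
# orchestrator. hdiutil, rsync and shasum are real macOS utilities; every
# function name, flag choice and default value below is this example's own
# assumption and is not a description of how Fuji is implemented.
from __future__ import annotations

import hashlib
import shlex
import subprocess
import tempfile
from pathlib import Path


def build_plan(source: str, image_base: str, volname: str = "Evidence",
               size: str = "2t") -> list[list[str]]:
    """Return the ordered argv vectors for one run, grouped by stage:
    prepare (sparse image), image (live copy), package (read-only DMG)."""
    sparse = f"{image_base}.sparseimage"
    mount = f"/Volumes/{volname}"
    src = source.rstrip("/") + "/"
    return [
        # prepare: a sparse image grows as data is written, so a generous
        # nominal size costs nothing up front
        ["hdiutil", "create", "-size", size, "-fs", "APFS", "-volname", volname,
         "-type", "SPARSE", sparse],
        ["hdiutil", "attach", sparse, "-mountpoint", mount],
        # image: archive mode keeps permissions and timestamps; -x stays on the
        # source volume so mounted externals (and the image itself) are not
        # pulled in. Extended-attribute flags depend on the rsync build shipped
        # with the target macOS and are deliberately not assumed here.
        ["rsync", "-a", "-x", src, mount + "/"],
        # package: release the volume, then freeze it as a read-only DMG
        ["hdiutil", "detach", mount],
        ["hdiutil", "convert", sparse, "-format", "UDRO", "-o", f"{image_base}.dmg"],
    ]


def run_plan(plan: list[list[str]], dry_run: bool = True) -> list[str]:
    """Execute each command in order, stopping at the first failure.
    With dry_run the rendered command lines are returned instead, which is
    what an investigator should review before touching a live system."""
    rendered = [shlex.join(argv) for argv in plan]
    if dry_run:
        return rendered
    for argv in plan:
        subprocess.run(argv, check=True)
    return rendered


def _sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Chunked SHA-256 so multi-terabyte images are never read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_image(path: Path) -> str:
    """Hash the finished image and write a sidecar in the `<hex>  <name>`
    layout that `shasum -a 256 -c` accepts for independent re-checking."""
    digest = _sha256_file(path)
    (path.parent / (path.name + ".sha256")).write_text(f"{digest}  {path.name}\n")
    return digest


def verify_image(path: Path) -> bool:
    """Recompute the hash and compare with the sidecar; False on a missing
    sidecar or any mismatch, so a tampered or truncated image is never accepted."""
    sidecar = path.parent / (path.name + ".sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    return _sha256_file(path) == expected


def demo() -> dict:
    """Offline walk-through of the verification stage on a constructed
    stand-in for a finished DMG (no macOS tools are invoked)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "case001.dmg"
        image.write_bytes(b"constructed stand-in for image bytes\n" * 1000)
        digest = hash_image(image)
        intact = verify_image(image)
        with image.open("r+b") as fh:  # flip one byte to simulate tampering
            fh.seek(10)
            fh.write(b"X")
        tampered_detected = not verify_image(image)
    return {"digest_len": len(digest), "intact": intact,
            "tampered_detected": tampered_detected}


if __name__ == "__main__":
    for line in run_plan(build_plan("/", "/Volumes/EXT/case001")):
        print(line)
    print(demo())
```

On a Mac, `run_plan(build_plan("/", "/Volumes/EXT/case001"), dry_run=False)` would have to be called from an unlocked administrative session with the evidence drive mounted at `/Volumes/EXT`; the sidecar written by `hash_image` can then be re-checked on any machine with `shasum -a 256 -c case001.dmg.sha256`.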

Development is supported by 13Cubed and community donations, suggesting a focus on practical forensic tools rather than commercial products. Fuji is distributed as a DMG via GitHub Releases, making deployment on macOS straightforward.

The technical strengths and architectural tradeoffs

What distinguishes Fuji is its clean, minimalist architecture that orchestrates multiple native macOS utilities into a cohesive forensic acquisition workflow. The entire process avoids kernel extensions or SIP modifications, which is a deliberate design tradeoff with distinct advantages.

First, by relying solely on native tools, Fuji sidesteps many common compatibility issues that plague forensic tools on macOS, especially with the transition to Apple Silicon. There is no kernel extension to sign, notarize and re-approve after each OS update, and no third-party driver that a future security change might refuse to load.

Second, the unattended design simplifies the investigator’s workflow. Instead of juggling multiple separate commands or tools, the investigator launches a single Python script that manages everything end-to-end. This reduces the chance of procedural errors and makes the process more repeatable.

The tradeoff is that Fuji focuses on live logical acquisition rather than physical imaging. It captures the files and metadata the filesystem presents while the system is running, not a bit-for-bit copy of the disk, so unallocated space, deleted-file remnants and raw APFS structures are out of reach, and the acquisition itself changes the system it is recording (processes run, logs are written), which must be documented. It also presupposes an unlocked, logged-in administrative session, since protected locations under TCC are only readable with Full Disk Access. For many macOS cases this is nonetheless the practical route: with FileVault and Secure Enclave-bound keys, a raw physical image of a modern Mac yields ciphertext, whereas a logical copy of the unlocked volume yields usable data, and it is faster and safer to obtain.

The code is surprisingly clean and well-structured for a forensic tool, with clear separation of concerns: one part handles environment preparation, another handles the actual imaging steps, and the final stages focus on packaging and verification. The use of standard macOS executables means Fuji has a small footprint and few external dependencies.

One limitation is that Fuji’s reliance on macOS native commands may restrict some advanced forensic capabilities available with kernel-level tools or specialized hardware. Also, unattended operation means less flexibility for ad-hoc investigator input during acquisition, which some scenarios might require.

Explore the project

Fuji’s repository is primarily focused on the core Python scripts that automate the forensic acquisition process. The documentation is hosted externally at https://fujiapp.top/docs, which is the best starting point to understand setup, usage, and forensic best practices.

The GitHub Releases page (https://github.com/Lazza/Fuji/releases) provides the prebuilt DMG installer, making it easy to deploy on target macOS systems. The README points to a video demonstration showing the acquisition workflow in action, which is helpful to see Fuji’s unattended operation in a live environment.

Since there is no explicit quickstart command section, the recommended approach is to familiarize yourself with the documentation for preparing target drives and then run the provided Python script or bundled DMG installer on the Mac to be imaged.

Verdict

Fuji is a practical and well-considered tool for macOS live logical forensic acquisition that embraces a minimalist, native-only approach. Its unattended workflow and use of standard macOS utilities make it accessible and reliable across Intel and Apple Silicon Macs without risky system modifications.

If you’re a macOS forensic practitioner needing a straightforward logical acquisition tool that respects system integrity and reduces operational complexity, Fuji is worth exploring. However, if your investigation demands physical disk imaging or kernel-level access, Fuji’s approach may be limiting.

The project’s clean design and careful orchestration of existing tools serve as a good example of how sometimes the simplest architecture—relying on what the OS already provides—can solve real-world problems effectively. It’s a solid addition to the macOS forensic toolkit, especially for live, unattended acquisitions.


→ GitHub Repo: Lazza/Fuji ⭐ 273 · Python