# macOS Forensic Artifacts Reference

**Total Artifacts:** 35 | **Generated:** 2026-03-07

---

## Filesystem & Timeline

### FSEvents (Filesystem Events)
**Location:** `/.fseventsd/ (per-volume hidden directory)`

macOS filesystem event logging mechanism that records every file and directory creation, modification, deletion, and rename operation on each APFS or HFS+ volume. Events are written in compressed binary log files within the hidden /.fseventsd/ directory and include the full path, event flags, and a monotonically increasing event ID.

**Forensic Value:** FSEvents provides a high-fidelity chronological record of all filesystem activity, often spanning weeks or months depending on volume activity. It records file operations that leave no other trace, including files created and subsequently deleted by attackers. The event flags distinguish between creations, deletions, renames, and permission changes, enabling precise timeline reconstruction. FSEvents persists even after files are deleted and is one of the most valuable macOS forensic artifacts for establishing attacker file-level activity.

**Tools:** mac_apt, FSEventsParser, Autopsy, log2timeline (Plaso), macOS Artifact Collector

**Collection Commands:**
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output FSEVENTS`
- **cp:** `sudo cp -r /.fseventsd/ /forensics/fsevents_backup/`
- **FSEventsParser:** `python FSEParser_V4.0.py -s /.fseventsd/ -o /forensics/fsevents_parsed.csv`
- **log2timeline:** `log2timeline.py --parsers fseventsd /forensics/timeline.plaso /path/to/image`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Spotlight Metadata Index
**Location:** `/.Spotlight-V100/ (per-volume) and ~/Library/Metadata/CoreSpotlight/`

macOS Spotlight search index containing rich metadata for every indexed file on the volume including file name, content type, creation and modification dates, author, file size, and for supported file types, extracted text content. The index is stored in a proprietary database format within the hidden .Spotlight-V100 directory at the root of each volume.

**Forensic Value:** Spotlight metadata preserves file attribute information even after the original files are deleted, providing evidence of files that previously existed on the system. The index contains kMDItemContentCreationDate, kMDItemContentModificationDate, and kMDItemFSName fields that can reconstruct what files were present and when. For documents, the extracted text content cached in the index can reveal the contents of deleted files. This is particularly valuable in data exfiltration cases where sensitive files were staged and then removed.

**Tools:** mac_apt, mdls, mdfind, spotlight_parser, Autopsy

**Collection Commands:**
- **mdfind:** `mdfind -name ".dmg" -onlyin /Users/ > /forensics/spotlight_dmg_results.txt`
- **mdls:** `mdls -name kMDItemWhereFroms -name kMDItemDownloadedDate /path/to/suspicious_file`
- **cp:** `sudo cp -r /.Spotlight-V100/ /forensics/spotlight_index_backup/`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output SPOTLIGHT`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### APFS Snapshots (Local Time Machine Snapshots)
**Location:** `tmutil listlocalsnapshots / (APFS snapshot metadata embedded in volume)`

APFS local snapshots created automatically by Time Machine and the macOS update process. These point-in-time snapshots of the entire filesystem volume are space-efficient copy-on-write snapshots that capture the complete state of every file at creation time. Snapshots can be listed with tmutil and mounted for browsing.

**Forensic Value:** APFS snapshots act as forensic time capsules, preserving the complete filesystem state from before a compromise. Mounting a pre-incident snapshot and comparing it against the current filesystem reveals every file the attacker created, modified, or deleted. Malware samples that were deleted after execution may still exist in older snapshots. Unlike backup media, local snapshots reside on the same volume and are immediately available without external hardware. Ransomware targeting macOS may attempt to delete snapshots; when that attempt fails, the surviving snapshots provide both a complete recovery path and a pristine baseline for comparison.

**Tools:** tmutil, diskutil, mac_apt, APFS Fuse, Autopsy

**Collection Commands:**
- **tmutil:** `tmutil listlocalsnapshots / > /forensics/apfs_snapshots_list.txt`
- **tmutil:** `tmutil mountlocalsnapshots / && ls /Volumes/ > /forensics/mounted_snapshots.txt`
- **diskutil:** `diskutil apfs listSnapshots disk1s1 > /forensics/apfs_snapshot_details.txt`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output APFS_SNAPSHOTS`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
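The snapshot-versus-live comparison described above, as an added example that is not part of this reference: the script hashes every regular file in two directory trees and reports paths created, modified, or deleted between them. The demo trees are constructed in a temporary directory so it runs offline; on a real Mac, `BASELINE` would be the mount point produced by `tmutil mountlocalsnapshots` under `/Volumes/` and `CURRENT` the live volume root. The sample file names and the `203.0.113.5` host entry are constructed values.

```python
"""Compare a mounted pre-incident APFS snapshot against the live volume.

Added example (not part of the original reference). Walks two directory
trees, hashes every regular file, and reports paths that were created,
modified or deleted between the baseline (the mounted snapshot) and the
current filesystem. The demo trees are constructed in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    digests = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # only hash file content; skip directories and symlinks
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(baseline_dir, current_dir):
    """Return {'created': [...], 'modified': [...], 'deleted': [...]}, sorted."""
    before = hash_tree(baseline_dir)
    after = hash_tree(current_dir)
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def build_demo():
    """Construct a baseline tree and a post-incident tree, then diff them."""
    tmp = Path(tempfile.mkdtemp(prefix="snapdiff_"))
    baseline = tmp / "snapshot"   # stands in for the mounted local snapshot
    current = tmp / "live"        # stands in for the live volume root
    for root in (baseline, current):
        (root / "Library/LaunchAgents").mkdir(parents=True)
        (root / "Users/alice/Documents").mkdir(parents=True)
        (root / "Users/alice/Documents/report.txt").write_text("quarterly numbers\n")
        (root / "etc").mkdir()
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
    # Constructed post-incident changes: a new persistence plist, a modified
    # hosts file, and a staged archive present in the snapshot but since removed.
    (current / "Library/LaunchAgents/com.example.updater.plist").write_text("<plist/>")
    (current / "etc/hosts").write_text("127.0.0.1 localhost\n203.0.113.5 updates.example\n")
    (baseline / "Users/alice/Documents/staged.zip").write_bytes(b"PK\x03\x04constructed")
    return diff_trees(baseline, current)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Hashing rather than comparing mtimes is deliberate: timestamps on the live volume can be reset with `touch`, while a content hash differs whenever the bytes do. On large volumes, restrict both roots to the directories of interest (for example `Library/LaunchAgents` and `Users`) before running.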

### Time Machine Backup Metadata
**Location:** `/Volumes/.timemachine/ and backup store on external/network volume (Backups.backupdb/)`

Time Machine backup metadata and backup store containing incremental snapshots of the entire filesystem taken at hourly, daily, and weekly intervals. The backup store uses hard links for unchanged files and contains full copies of modified files, preserving historical versions of every file on the system.

**Forensic Value:** Time Machine backups provide historical file versions that predate the compromise, enabling comparison of pre-attack and post-attack states. Malware persistence mechanisms, modified system files, and attacker-created accounts can be identified by diffing backup snapshots across the intrusion timeline. Even if the attacker wiped the primary disk, Time Machine backups on external or network storage may remain intact. The backup metadata includes precise timestamps for each snapshot, establishing when changes first appeared.

**Tools:** tmutil, mac_apt, Autopsy, diff, find

**Collection Commands:**
- **tmutil:** `tmutil listbackups > /forensics/timemachine_backups.txt`
- **tmutil:** `tmutil compare /Volumes/Backups.backupdb/$(hostname)/Latest / > /forensics/tm_diff.txt`
- **find:** `find /Volumes/Backups.backupdb/ -name "*.plist" -newer /tmp/start_marker -print > /forensics/tm_changed_plists.txt`
- **defaults:** `defaults read /Library/Preferences/com.apple.TimeMachine.plist > /forensics/tm_config.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### File Provider & iCloud Drive Metadata
**Location:** `~/Library/Application Support/FileProvider/, ~/Library/Application Support/CloudDocs/, and ~/Library/CloudStorage/`

**Also Known As:** CloudDocs, File Provider, iCloud Drive

Metadata caches and synchronization state for File Provider-backed storage on macOS, including iCloud Drive and other providers that surface content through CloudStorage and File Provider frameworks.

**Forensic Value:** These stores help determine which cloud-backed documents, folders, and providers were visible to the user even when the actual file contents were not fully hydrated on disk at collection time. They are valuable in exfiltration, insider threat, and cloud storage investigations because they can show file names, sync state, provider identifiers, and timestamps for recently accessed or staged content. They also help distinguish local files from placeholders that were only materialized on demand.

**Tools:** find, sqlite3, plutil, mac_apt

**Collection Commands:**
- **find:** `find ~/Library/Application\ Support/FileProvider ~/Library/Application\ Support/CloudDocs ~/Library/CloudStorage -maxdepth 4 -print > /forensics/file_provider_inventory.txt 2>/dev/null`
- **cp:** `cp -R ~/Library/Application\ Support/FileProvider /forensics/file_provider/ 2>/dev/null && cp -R ~/Library/Application\ Support/CloudDocs /forensics/clouddocs/ 2>/dev/null`
- **plutil:** `find ~/Library/Application\ Support/FileProvider -name "*.plist" -exec plutil -p {} \; > /forensics/file_provider_plists.txt 2>/dev/null`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Hydration state, provider layout, and cache coverage vary by provider and macOS release. Placeholder files may exist without full content, and some metadata is only meaningful alongside provider-specific logs.

## System Configuration

### Unified Logging System (log show)
**Location:** `/var/db/diagnostics/ and /var/db/uuidtext/ (tracev3 files)`

macOS Unified Logging system introduced in macOS 10.12 Sierra, replacing the legacy ASL and syslog systems. Captures log messages from the kernel, system services, and applications in compressed tracev3 binary format. Queried using the log show and log stream commands with predicate-based filtering by subsystem, category, process, and log level.

**Forensic Value:** The Unified Log is the single most comprehensive logging source on macOS, capturing process execution, network connections, authentication events, application launches, Gatekeeper decisions, and XProtect detections in one place. Log entries include the originating process, subsystem, and thread, enabling precise attribution. The info and debug log levels contain detailed diagnostic data but are stored in memory-only buffers with limited persistence. Forensic collection should occur as soon as possible because older entries are purged based on storage pressure. The log show command with --predicate filtering enables targeted extraction of security-relevant events.

**Tools:** log (macOS CLI), mac_apt, UnifiedLogReader, log2timeline (Plaso), Crowdstrike UAC

**Collection Commands:**
- **log:** `log show --last 7d --predicate "process == 'sudo' OR process == 'su'" > /forensics/auth_log.txt`
- **log:** `log show --last 24h --info --debug --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_log.txt`
- **log:** `log collect --output /forensics/unified_log_archive.logarchive`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output UNIFIEDLOGS`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

### TCC.db (Transparency, Consent, and Control)
**Location:** `/Library/Application Support/com.apple.TCC/TCC.db (system-wide) and ~/Library/Application Support/com.apple.TCC/TCC.db (per-user)`

SQLite database controlling macOS privacy permissions including Full Disk Access, Screen Recording, Accessibility, Camera, Microphone, and Automation access. Each record contains the requesting application bundle ID, the service being accessed, the authorization decision, and a timestamp of when access was granted or denied.

**Forensic Value:** TCC.db reveals which applications were granted sensitive permissions and when, directly supporting detection of surveillance tools and spyware that require Screen Recording, Accessibility, or Input Monitoring access. Unauthorized Full Disk Access grants indicate an attacker or malware bypassed macOS security to access protected user data. Comparing TCC grants against expected application permissions identifies anomalous access. Forensic tools themselves often require FDA grants, so the presence of forensic tool entries may indicate prior investigations on the system.

**Tools:** DB Browser for SQLite, mac_apt, tccutil, Crowdstrike UAC, Autopsy

**Collection Commands:**
- **sqlite3:** `sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT service, client, auth_value, auth_reason, last_modified FROM access ORDER BY last_modified DESC"`
- **sqlite3:** `sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access WHERE auth_value = 2"`
- **cp:** `sudo cp "/Library/Application Support/com.apple.TCC/TCC.db" /forensics/tcc_system.db && cp ~/Library/Application\ Support/com.apple.TCC/TCC.db /forensics/tcc_user.db`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output TCC`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
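The "compare TCC grants against expected application permissions" step described above, as an added example that is not part of this reference. It queries a TCC.db copy for allowed grants (`auth_value = 2`, as in the collection command) to the services that let a process observe or control the user session, and drops clients on an expected list. The `access` table here is a constructed in-memory stand-in carrying only the columns the collection command selects; the `kTCCService*` identifiers are the real service names, while the expected-client list and the sample rows are this example's own assumptions. Point `load_tcc_db` at `/forensics/tcc_system.db` or `/forensics/tcc_user.db` to run it against a collected copy.

```python
"""Triage a TCC.db copy for sensitive permission grants.

Added example, not part of the original reference. Builds a constructed
SQLite database with a subset of the real `access` table columns so it
runs offline; `load_tcc_db` opens a collected copy read-only instead.
"""
import sqlite3
from datetime import datetime, timezone

# Services whose grant lets a process observe or control the user session.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceListenEvent": "Input Monitoring",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceCamera": "Camera",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed", as used in the query above


def load_tcc_db(path):
    """Open a collected TCC.db copy read-only (never the live database)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sensitive_grants(conn, expected_clients=frozenset()):
    """Allowed grants to sensitive services by clients not on the expected
    list, newest first, as (iso_utc_time, bundle_id, service_label)."""
    rows = conn.execute(
        "SELECT service, client, auth_value, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY last_modified DESC",
        (AUTH_ALLOWED,),
    ).fetchall()
    findings = []
    for service, client, _auth, last_modified in rows:
        if service not in SENSITIVE_SERVICES or client in expected_clients:
            continue
        # last_modified is stored as Unix epoch seconds
        when = datetime.fromtimestamp(last_modified, tz=timezone.utc).isoformat()
        findings.append((when, client, SENSITIVE_SERVICES[service]))
    return findings


def build_constructed_db():
    """In-memory stand-in for TCC.db populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER, "
        "auth_reason INTEGER, last_modified INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "com.example.conferencing", 2, 2, 1709000000),
            ("kTCCServiceAccessibility", "com.example.helper", 2, 2, 1709600000),
            ("kTCCServiceListenEvent", "com.example.helper", 2, 2, 1709600005),
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 2, 2, 1708000000),
            ("kTCCServiceCamera", "com.example.helper", 0, 2, 1709600010),   # denied
            ("kTCCServiceCalendar", "com.example.helper", 2, 2, 1709600020),  # not sensitive
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_constructed_db()
    expected = {"com.example.conferencing", "com.apple.Terminal"}
    for when, client, label in sensitive_grants(db, expected):
        print(f"{when}  {client:<26} {label}")
```

Two grants for the same unfamiliar client within seconds (Accessibility plus Input Monitoring, as in the constructed rows) is the pattern to look for first, since that pairing is what a keylogging or session-control tool needs and what a normal productivity app rarely requests together.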

### system.log (Legacy System Log)
**Location:** `/var/log/system.log (and rotated /var/log/system.log.*.gz)`

Legacy text-based system log still generated on macOS alongside the Unified Logging system. Captures a subset of system daemon messages, kernel events, and application output in a familiar syslog format with timestamps, process names, and PIDs.

**Forensic Value:** While largely superseded by the Unified Log, system.log provides a human-readable text log that is easier to parse and search than tracev3 binary logs. It captures service start/stop events, kernel extension loading, network daemon activity, and authentication-related messages. The rotated log archives (.gz) may contain weeks of historical data. On older macOS versions, system.log is the primary system log and contains more comprehensive entries than on modern versions.

**Tools:** grep, less, log2timeline (Plaso), mac_apt

**Collection Commands:**
- **cp:** `sudo cp /var/log/system.log* /forensics/system_logs/`
- **find:** `sudo find /var/log/ -name "system.log*" -exec stat -f "%m %N" {} \; | sort -rn > /forensics/syslog_timeline.txt`
- **log2timeline:** `log2timeline.py --parsers syslog /forensics/timeline.plaso /var/log/`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output SYSLOG`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

### Gatekeeper & XProtect (System Security Policy)
**Location:** `/var/db/SystemPolicyConfiguration/ (SystemPolicy database), /Library/Apple/System/Library/CoreServices/XProtect.bundle/, and /var/db/com.apple.xprotect/`

**Also Known As:** SystemPolicy, Gatekeeper

Gatekeeper enforces code signing and notarization requirements for launched applications, recording assessments in the SystemPolicy SQLite database. XProtect provides signature-based malware detection using YARA rules that are automatically updated by Apple. XProtect Remediator actively scans for and removes known malware families.

**Forensic Value:** The Gatekeeper SystemPolicy database records every code signing assessment performed when a user attempted to open an application, including the application path, code signing identity, assessment result (allowed/blocked), and timestamp. This provides a timeline of application launches with trust decisions. XProtect detection events captured in the Unified Log reveal known malware that was blocked or remediated. Gatekeeper bypass attempts visible in the database indicate deliberate circumvention of macOS security, often through right-click Open or xattr -d com.apple.quarantine techniques.

**Tools:** DB Browser for SQLite, spctl, mac_apt, log (macOS CLI), Crowdstrike UAC

**Collection Commands:**
- **sqlite3:** `sqlite3 /var/db/SystemPolicyConfiguration/SystemPolicy "SELECT * FROM authority ORDER BY ROWID DESC LIMIT 100"`
- **spctl:** `spctl --assess --verbose /path/to/suspicious_app.app > /forensics/gatekeeper_assessment.txt 2>&1`
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_events.txt`
- **cp:** `sudo cp /var/db/SystemPolicyConfiguration/SystemPolicy /forensics/gatekeeper_db.sqlite`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### MRT & XProtect Remediator Logs
**Location:** `/var/log/DiagnosticMessages/ and Unified Log entries (subsystem: com.apple.xprotect, com.apple.MRT)`

Malware Removal Tool (MRT) and XProtect Remediator are Apple built-in malware scanning and removal tools. MRT runs periodically and after signature updates to scan for known malware families. XProtect Remediator performs regular background scans targeting specific malware threats with individual scan modules for each malware family.

**Forensic Value:** MRT and XProtect Remediator scan results reveal whether known malware was detected and remediated on the system. The Unified Log captures detailed scan activity including which modules ran, what was scanned, and any detections or removal actions taken. A remediation event confirms the system was previously infected and the specific malware family involved. Gaps in scan execution history may indicate the attacker disabled or tampered with these security mechanisms. Correlating remediation timestamps with other forensic artifacts helps establish the initial infection timeline.

**Tools:** log (macOS CLI), mac_apt, UnifiedLogReader, Crowdstrike UAC

**Collection Commands:**
- **log:** `log show --last 30d --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_remediator_log.txt`
- **log:** `log show --last 30d --predicate "process == 'MRT' OR process == 'XProtectRemediatorMRTv3'" > /forensics/mrt_log.txt`
- **find:** `find /Library/Apple/System/Library/CoreServices/XProtect.bundle/ -type f -exec stat -f "%m %N" {} \; > /forensics/xprotect_bundle_info.txt`
- **cp:** `sudo cp -r /var/log/DiagnosticMessages/ /forensics/diagnostic_messages/`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### ExecPolicy / Gatekeeper Execution Policy Database
**Location:** `/private/var/db/SystemPolicyConfiguration/ExecPolicy and related SystemPolicyConfiguration SQLite databases`

**Also Known As:** ExecPolicy, Gatekeeper execution policy

SQLite databases used by Gatekeeper and macOS execution policy subsystems to track notarization decisions, launch policy state, and execution trust metadata for applications and bundles presented to the user.

**Forensic Value:** ExecPolicy data helps determine whether an application was first-run via standard user workflows, whether notarization checks succeeded or failed, and whether the system evaluated a bundle under Gatekeeper at a specific point in time. It is particularly valuable when reconstructing malicious application launches, notarization bypass attempts, and the trust decisions surrounding newly introduced payloads. Correlating ExecPolicy with QuarantineEventsV2 and Unified Log data provides a stronger picture of download-to-execution chains.

**Tools:** sqlite3, spctl, mac_apt, DB Browser for SQLite

**Collection Commands:**
- **sqlite3:** `sqlite3 /private/var/db/SystemPolicyConfiguration/ExecPolicy ".tables" > /forensics/execpolicy_tables.txt 2>/dev/null`
- **cp:** `sudo cp /private/var/db/SystemPolicyConfiguration/ExecPolicy /forensics/ExecPolicy.sqlite 2>/dev/null`
- **spctl:** `spctl --status > /forensics/gatekeeper_status.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Database names and schema vary between macOS releases. Interpret records alongside quarantine state and Unified Log evidence rather than in isolation.

### InstallHistory.plist
**Location:** `/Library/Receipts/InstallHistory.plist`

**Also Known As:** InstallHistory.plist, software update history

System-wide property list recording application installations, package receipts, XProtect or platform updates, and software-update events processed through Apple installers and package frameworks.

**Forensic Value:** InstallHistory.plist helps establish when software, security updates, and package-based payloads first landed on the Mac. It can highlight suspicious third-party packages introduced near the compromise window, confirm whether the system received Apple security updates before exploitation, and provide product identifiers that are not obvious from simple application-folder listings. Combined with quarantine and Gatekeeper artifacts, it helps reconstruct the lifecycle of user-approved and installer-based software introduction.

**Tools:** plutil, defaults, cp, mac_apt

**Collection Commands:**
- **plutil:** `plutil -p /Library/Receipts/InstallHistory.plist > /forensics/install_history.txt`
- **cp:** `sudo cp /Library/Receipts/InstallHistory.plist /forensics/InstallHistory.plist`
- **defaults:** `defaults read /Library/Receipts/InstallHistory > /forensics/install_history_defaults.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)
- [Update macOS on Mac](https://support.apple.com/guide/mac-help/update-macos-on-mac-mchlpx1065/mac)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- This file records package and software-update events, not every application launch or drag-and-drop install. Some third-party apps and portable bundles do not create receipt history.

## Network Traffic

### Network Preferences & Configuration
**Location:** `/Library/Preferences/SystemConfiguration/ (preferences.plist, NetworkInterfaces.plist, com.apple.airport.preferences.plist)`

System-level network configuration plists containing active network interface settings, DNS configuration, proxy settings, VPN profiles, and Wi-Fi connection history. The airport preferences plist records every Wi-Fi network the system has connected to with timestamps and security type.

**Forensic Value:** The com.apple.airport.preferences.plist file contains a history of all Wi-Fi networks the system has joined, including the SSID, BSSID, security type, and last connection timestamp. This establishes the physical locations where the device was used and detects connections to suspicious or rogue access points. VPN profiles in network preferences reveal configured tunnels that may have been used for data exfiltration. Proxy configuration changes can indicate attacker interception of network traffic. DNS server modifications point to potential DNS hijacking for command and control.

**Tools:** plutil, defaults read, mac_apt, plistutil, Crowdstrike UAC

**Collection Commands:**
- **plutil:** `plutil -p /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist > /forensics/wifi_history.txt`
- **defaults:** `defaults read /Library/Preferences/SystemConfiguration/preferences.plist > /forensics/network_prefs.txt`
- **plutil:** `plutil -p /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist > /forensics/network_interfaces.txt`
- **cp:** `sudo cp /Library/Preferences/SystemConfiguration/*.plist /forensics/network_config/`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Wi-Fi & Airport Connection Logs
**Location:** `/var/log/wifi.log (legacy) and Unified Log (subsystem: com.apple.wifi)`

Wi-Fi subsystem logs capturing wireless network association and disassociation events, SSID and BSSID information, signal strength, authentication type, and connection state changes. On modern macOS versions, Wi-Fi events are primarily recorded in the Unified Log under the com.apple.wifi subsystem, while legacy systems used the /var/log/wifi.log text file.

**Forensic Value:** Wi-Fi logs establish which wireless networks the system connected to and when, providing physical location context for the investigation timeline. Connection events to unknown or suspicious SSIDs may indicate evil twin attacks or rogue access point compromise. The BSSID (MAC address of the access point) enables correlation with physical network infrastructure. Frequent reconnection attempts or authentication failures suggest wireless deauthentication attacks. Wi-Fi connection history combined with airport preferences data creates a comprehensive wireless network usage profile.

**Tools:** log (macOS CLI), mac_apt, grep, Crowdstrike UAC

**Collection Commands:**
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.wifi'" > /forensics/wifi_log.txt`
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.wifi' AND eventMessage CONTAINS 'association'" > /forensics/wifi_associations.txt`
- **cp:** `sudo cp /var/log/wifi.log* /forensics/wifi_logs/ 2>/dev/null`
- **defaults:** `defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist > /forensics/airport_prefs.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

### AirDrop & Bluetooth Connection Logs
**Location:** `Unified Log (subsystem: com.apple.bluetooth, com.apple.sharing) and /var/log/bluetoothd* (legacy)`

Bluetooth daemon and AirDrop subsystem logs capturing device pairing events, connection history, file transfer activity, and nearby device discovery. AirDrop sharing events are logged under the com.apple.sharing subsystem in the Unified Log. Bluetooth device connections record the device name, MAC address, and connection timestamps.

**Forensic Value:** Bluetooth and AirDrop logs are critical for detecting proximity-based attacks and unauthorized data transfers. AirDrop file transfers travel peer-to-peer and never cross the monitored network perimeter, making the Unified Log the only artifact that records these transfers with the sending device identifier and file names. Bluetooth pairing events reveal which external devices were connected, including keyboards (potential keystroke injection attacks via BadUSB/Rubber Ducky devices), headsets, and storage devices. Unauthorized AirDrop transfers in proximity to sensitive systems may indicate insider threat data exfiltration via this out-of-band channel.

**Tools:** log (macOS CLI), mac_apt, system_profiler SPBluetoothDataType, Crowdstrike UAC

**Collection Commands:**
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.bluetooth'" > /forensics/bluetooth_log.txt`
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.sharing'" > /forensics/airdrop_sharing_log.txt`
- **system_profiler:** `system_profiler SPBluetoothDataType > /forensics/bluetooth_devices.txt`
- **defaults:** `defaults read /Library/Preferences/com.apple.Bluetooth > /forensics/bluetooth_prefs.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

## Persistence Mechanisms

### LaunchAgents (User & System)
**Location:** `~/Library/LaunchAgents/ (per-user), /Library/LaunchAgents/ (system-wide), /System/Library/LaunchAgents/ (Apple)`

Property list files defining agents that launchd loads when a user logs in. Each plist specifies the executable or script to run, arguments, environment variables, run conditions (KeepAlive, StartInterval, WatchPaths), and the label identifier. Per-user agents run in the user context; system-wide agents run for all users.

**Forensic Value:** LaunchAgents are the most common macOS persistence mechanism used by malware. Each plist contains the ProgramArguments array specifying the exact binary and arguments executed at login, enabling identification of the malicious payload. Comparing agent plists against known-good baselines or Apple defaults reveals attacker additions. The plist Label field provides a unique identifier for cross-referencing with launchctl output and Unified Log entries. Recently created plists with execution paths pointing to hidden directories, /tmp, or user-writable locations are high-confidence persistence indicators.

**Tools:** plutil, launchctl list, mac_apt, KnockKnock (Objective-See), Crowdstrike UAC

**Collection Commands:**
- **plutil:** `for f in ~/Library/LaunchAgents/*.plist /Library/LaunchAgents/*.plist; do echo "=== $f ===" && plutil -p "$f"; done > /forensics/launch_agents.txt`
- **launchctl:** `launchctl list > /forensics/launchctl_list.txt`
- **find:** `find ~/Library/LaunchAgents /Library/LaunchAgents -name "*.plist" -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; | sort > /forensics/launch_agents_timeline.txt`
- **cp:** `sudo cp ~/Library/LaunchAgents/*.plist /Library/LaunchAgents/*.plist /forensics/launch_agents_copy/`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### LaunchDaemons (System-Level Persistence)
**Location:** `/Library/LaunchDaemons/ (third-party) and /System/Library/LaunchDaemons/ (Apple)`

Property list files defining daemons that launchd loads at system boot, running as root regardless of whether a user is logged in. LaunchDaemons provide higher-privilege persistence than LaunchAgents and execute earlier in the boot process. Each plist defines the program, arguments, run conditions, and optional socket listeners.

**Forensic Value:** LaunchDaemons run as root and persist across reboots, making them the most privileged launchd-based persistence mechanism. Malicious LaunchDaemons grant the attacker root-level code execution on every boot without user interaction. The ProgramArguments field reveals the exact command executed with root privileges. Daemons with RunAtLoad set to true execute immediately at boot. Checking file creation timestamps and code signing status of referenced binaries identifies unauthorized daemon installations. Any unsigned or ad-hoc signed daemon in /Library/LaunchDaemons/ warrants immediate investigation.

**Tools:** plutil, launchctl list, mac_apt, KnockKnock (Objective-See), Crowdstrike UAC

**Collection Commands:**
- **plutil:** `for f in /Library/LaunchDaemons/*.plist; do echo "=== $f ===" && plutil -p "$f"; done > /forensics/launch_daemons.txt`
- **launchctl:** `sudo launchctl list > /forensics/launchctl_daemons_list.txt`
- **find:** `find /Library/LaunchDaemons -name "*.plist" -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; | sort > /forensics/launch_daemons_timeline.txt`
- **cp:** `sudo cp /Library/LaunchDaemons/*.plist /forensics/launch_daemons_copy/`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
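The LaunchAgents and LaunchDaemons entries above both describe the same review: read each plist, pull out the Label, ProgramArguments and run conditions, and flag executables that live in /tmp, hidden directories, or user-writable locations. The script below is an added example of that triage (it is not mac_apt, KnockKnock or Apple code). The two plists are constructed inline with plistlib; their labels and paths are placeholders, and treating everything under /Users/ as user-writable is an assumption made for illustration.

```python
"""Triage launchd plists for the persistence indicators described above.

Added example, not mac_apt, KnockKnock or Apple code.  The two plists are
constructed inline with plistlib; labels and paths are placeholders.
"""
import plistlib
from pathlib import PurePosixPath

# Locations called out above: /tmp and user-writable paths.  Treating all of
# /Users/ as user-writable is an assumption for this example.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")


def program_of(plist: dict):
    """Return (program, argv): Program wins, otherwise ProgramArguments[0]."""
    argv = list(plist.get("ProgramArguments", []))
    program = plist.get("Program") or (argv[0] if argv else None)
    return program, argv


def triage_launchd_plist(data: bytes, plist_path: str) -> dict:
    """Parse one plist (XML or binary) and return the fields an analyst cross-references."""
    p = plistlib.loads(data)
    program, argv = program_of(p)
    reasons = []
    if program is None:
        reasons.append("no Program or ProgramArguments")
    else:
        parts = PurePosixPath(program).parts[1:]  # skip the leading "/"
        if any(part.startswith(".") for part in parts):
            reasons.append("executable under a hidden directory")
        if program.startswith(WRITABLE_PREFIXES):
            reasons.append("executable in /tmp or a user-writable location")
    return {
        "plist": plist_path,
        "label": p.get("Label"),
        "program": program,
        "argv": argv,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),  # KeepAlive may also be a dict of conditions
        "start_interval": p.get("StartInterval"),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed samples: one ordinary agent and one daemon that trips both indicators.
BENIGN = plistlib.dumps({
    "Label": "com.example.agent",
    "ProgramArguments": ["/Library/Application Support/Example/agentd", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SUSPECT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/Shared/.cache/helper", "-s"],
    "RunAtLoad": True,
    "StartInterval": 300,
}, fmt=plistlib.FMT_BINARY)  # binary plist, as on disk; plistlib.loads auto-detects


def triage_samples():
    return [
        triage_launchd_plist(BENIGN, "/Library/LaunchAgents/com.example.agent.plist"),
        triage_launchd_plist(SUSPECT, "/Library/LaunchDaemons/com.example.updater.plist"),
    ]


if __name__ == "__main__":
    for r in triage_samples():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['plist']} label={r['label']} program={r['program']} reasons={r['reasons']}")
```

On a live system, feed the function each file from the directories listed under Location; the returned `label` is the value to cross-reference with `launchctl list` and Unified Log entries, and `reasons` is empty for plists that trip none of the indicators.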

### Login Items & Background Task Management
**Location:** `~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ (backgrounditems.btm) and LSSharedFileList plists`

macOS login items registered through the BackgroundTaskManagement framework (macOS 13+) or the legacy LSSharedFileList mechanism. These items launch automatically when a user logs in and include applications, helper tools, and scripts. The backgrounditems.btm database tracks all registered background tasks and login items in a single location.

**Forensic Value:** Login Items provide user-level persistence that survives reboots and executes in the user session context. The backgrounditems.btm file on macOS Ventura and later consolidates all login items and background tasks into a single parseable database, simplifying forensic review. Legacy login items stored in LSSharedFileList plists may contain entries not visible through the modern System Settings interface. Comparing registered login items against expected software identifies attacker-installed persistence. The Items tab in System Settings > General > Login Items displays current entries but may not show all historical registrations visible in the raw data.

**Tools:** sfltool, mac_apt, KnockKnock (Objective-See), plutil, Crowdstrike UAC

**Collection Commands:**
- **sfltool:** `sfltool dumpbtm > /forensics/backgrounditems_btm_dump.txt`
- **plutil:** `plutil -p ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm > /forensics/btm_parsed.txt`
- **cp:** `cp ~/Library/Application\ Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm /forensics/backgrounditems.btm`
- **find:** `find ~/Library/Application\ Support/com.apple.sharedfilelist -name "*.sfl2" -exec plutil -p {} \; > /forensics/login_items_sfl2.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Cron Jobs & Periodic Scripts
**Location:** `/usr/lib/cron/tabs/ (user crontabs), /etc/crontab, /etc/periodic/ (daily/weekly/monthly)`

macOS supports both traditional cron job scheduling via crontab and the periodic system that runs maintenance scripts at daily, weekly, and monthly intervals via launchd. User crontabs are stored in /usr/lib/cron/tabs/ and system-wide tasks in /etc/crontab. The periodic directories contain shell scripts executed by the com.apple.periodic-* LaunchDaemons.

**Forensic Value:** While LaunchAgents and LaunchDaemons are the dominant macOS scheduling mechanisms, cron jobs remain functional and are used by attackers who are more familiar with Linux persistence techniques. User crontabs in /usr/lib/cron/tabs/ may contain entries that download and execute payloads from external URLs. Scripts added to /etc/periodic/daily/ execute as root once per day and can fly under the radar because administrators expect files in these directories. File modification timestamps and content analysis of periodic scripts identify unauthorized additions.

**Tools:** crontab -l, cat, find, mac_apt, KnockKnock (Objective-See)

**Collection Commands:**
- **crontab:** `for user in $(dscl . -list /Users | grep -v "^_"); do echo "=== $user ===" && sudo crontab -l -u "$user" 2>/dev/null; done > /forensics/crontabs.txt`
- **find:** `find /etc/periodic/ -type f -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; > /forensics/periodic_scripts_timeline.txt`
- **cp:** `sudo cp -r /usr/lib/cron/tabs/ /etc/periodic/ /forensics/cron_periodic_backup/`
- **stat:** `sudo stat -f "%Sm %N" /etc/crontab /usr/lib/cron/tabs/* 2>/dev/null > /forensics/crontab_timestamps.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### System Extensions State & Inventory
**Location:** `/Library/SystemExtensions/, /Library/SystemExtensions/db.plist, and runtime inventory via systemextensionsctl list`

**Also Known As:** systemextensionsctl, db.plist

macOS System Extensions replace many legacy kernel extensions with user-space endpoint security, network extension, and driver extension components that are managed through the system extension framework and approval workflow.

**Forensic Value:** System extension inventory helps identify security agents, VPN components, network filters, USB drivers, and potentially malicious persistence components that load outside traditional LaunchAgents and LaunchDaemons. Because many EDR, DLP, and network interception products now rely on Endpoint Security or Network Extension system extensions, reviewing this state is necessary to distinguish legitimate sensors from unauthorized filters or tampered components. Approval status and owning app bundle identifiers also help determine when a component was introduced and whether the user or MDM approved it.

**Tools:** systemextensionsctl, find, plutil, mac_apt

**Collection Commands:**
- **systemextensionsctl:** `systemextensionsctl list > /forensics/system_extensions.txt`
- **find:** `sudo find /Library/SystemExtensions -maxdepth 3 -print > /forensics/system_extensions_files.txt`
- **cp:** `sudo cp /Library/SystemExtensions/db.plist /forensics/system_extensions_db.plist 2>/dev/null`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- System extensions are a modern framework and are most relevant on recent macOS releases. Some inventory is easiest to confirm from a live system with systemextensionsctl.

## User Activity

### KnowledgeC.db (User Activity Database)
**Location:** `~/Library/Application Support/Knowledge/knowledgeC.db and /var/db/CoreDuet/Knowledge/knowledgeC.db`

Core Duet SQLite database tracking detailed user activity including application usage with focus duration, device lock/unlock events, Safari browsing activity, media playback, Siri interactions, and battery state. Each event includes precise start and end timestamps and is attributed to specific bundle identifiers.

**Forensic Value:** KnowledgeC.db provides a comprehensive timeline of user interaction with the system that persists for weeks to months. Application usage entries record which apps were in the foreground and for how long, reconstructing the user activity timeline during a compromise. Device lock/unlock events establish when the system was actively in use. Safari browsing entries in the database complement traditional browser history analysis. This artifact is particularly valuable for insider threat investigations where understanding the complete user activity pattern is critical.

**Tools:** DB Browser for SQLite, mac_apt, APOLLO (mac4n6), Crowdstrike UAC, log2timeline (Plaso)

**Collection Commands:**
- **sqlite3:** `sqlite3 ~/Library/Application\ Support/Knowledge/knowledgeC.db "SELECT ZOBJECT.ZVALUESTRING, datetime(ZOBJECT.ZCREATIONDATE + 978307200, 'unixepoch') AS creation_date, datetime(ZOBJECT.ZENDDATE + 978307200, 'unixepoch') AS end_date FROM ZOBJECT WHERE ZSTREAMNAME = '/app/usage' ORDER BY creation_date DESC LIMIT 200"`
- **cp:** `cp ~/Library/Application\ Support/Knowledge/knowledgeC.db /forensics/knowledgec_user.db && sudo cp /var/db/CoreDuet/Knowledge/knowledgeC.db /forensics/knowledgec_system.db`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output KNOWLEDGEC`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### QuarantineEventsV2 (Downloaded Files Database)
**Location:** `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`

SQLite database maintained by the macOS quarantine system that records every file downloaded through quarantine-aware applications including Safari, Chrome, Mail, AirDrop, and curl. Each entry contains the download URL, source application bundle ID, download timestamp, and the quarantine agent name.

**Forensic Value:** QuarantineEventsV2 provides a complete download history with source URLs that persists even after downloaded files are deleted. The LSQuarantineDataURLString field records the exact URL from which a file was downloaded, directly linking malicious payloads to their delivery infrastructure. The LSQuarantineOriginURLString captures the referring page that initiated the download, which may be the phishing page or compromised website. Entries remain in the database long after quarantine attributes are removed from files, creating a permanent download audit trail that attackers cannot clear without root access to the database file itself.

**Tools:** DB Browser for SQLite, mac_apt, Crowdstrike UAC, APOLLO (mac4n6), log2timeline (Plaso)

**Collection Commands:**
- **sqlite3:** `sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT datetime(LSQuarantineTimeStamp + 978307200, 'unixepoch') AS download_date, LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"`
- **cp:** `cp ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 /forensics/quarantine_events.db`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output QUARANTINE`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
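Both the knowledgeC.db and QuarantineEventsV2 queries above add 978307200 to the stored value before calling `datetime(..., 'unixepoch')`: these databases store Cocoa timestamps, seconds since 2001-01-01 UTC rather than 1970. The following added example (not mac_apt or APOLLO code) builds an in-memory table with the LSQuarantineEvent columns used above, fills it with constructed rows, and shows the conversion both in SQL and in Python, including a row with no timestamp. The same offset applies to ZCREATIONDATE and ZENDDATE in knowledgeC.db.

```python
"""Query quarantine events and convert Cocoa timestamps.

Added example, not mac_apt or APOLLO code.  The LSQuarantineEvent table is
built in memory with the columns used above; rows are constructed samples.
"""
import sqlite3
from datetime import datetime, timezone, timedelta

COCOA_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC


def cocoa_to_datetime(seconds):
    """Cocoa/Core Data timestamp (seconds since 2001-01-01 UTC) -> aware UTC datetime."""
    if seconds is None:
        return None
    return datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def datetime_to_cocoa(dt):
    """Inverse conversion, used here only to build sample rows."""
    return dt.timestamp() - COCOA_EPOCH_OFFSET


def build_sample_db():
    """In-memory stand-in for com.apple.LaunchServices.QuarantineEventsV2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    rows = [  # constructed sample rows; example.invalid is a reserved placeholder domain
        ("EVT-1", datetime_to_cocoa(t0), "Safari",
         "https://example.invalid/files/report.pdf", "https://example.invalid/downloads"),
        ("EVT-2", datetime_to_cocoa(t0 + timedelta(hours=2)), "curl",
         "https://example.invalid/tools/archive.zip", None),
        ("EVT-3", None, "Mail", "attachment.docx", None),  # no timestamp recorded
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?)", rows)
    return conn


def quarantine_events(conn):
    """Return events newest first, with SQL-side and Python-side time conversion."""
    sql = """SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
                    datetime(LSQuarantineTimeStamp + ?, 'unixepoch') AS download_date,
                    LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString
             FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"""
    events = []
    for ident, ts, sql_date, agent, data_url, origin_url in conn.execute(sql, (COCOA_EPOCH_OFFSET,)):
        events.append({
            "id": ident,
            "sql_date": sql_date,          # None when the stored timestamp is NULL
            "when": cocoa_to_datetime(ts),  # aware datetime, or None
            "agent": agent,
            "data_url": data_url,
            "origin_url": origin_url,
        })
    return events


if __name__ == "__main__":
    for e in quarantine_events(build_sample_db()):
        print(e["id"], e["sql_date"], e["when"], e["agent"], e["data_url"], e["origin_url"])
```

To run it against a collected copy, replace `build_sample_db()` with `sqlite3.connect("file:/forensics/quarantine_events.db?mode=ro", uri=True)`; SQLite sorts NULL timestamps last in descending order, so undated rows appear at the end rather than being silently dropped.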

### Safari History, Downloads & Extensions
**Location:** `~/Library/Safari/ (History.db, Downloads.plist, Extensions/)`

Safari browser artifacts including the History.db SQLite database tracking visited URLs with timestamps, Downloads.plist recording downloaded files with source URLs and destination paths, cached web content, and installed browser extensions with their permissions and code.

**Forensic Value:** Safari History.db provides timestamped URL visit records that establish browsing activity and potential initial access vectors. The Downloads.plist supplements QuarantineEventsV2 with additional download metadata specific to Safari. Installed extensions should be reviewed for malicious or surveillance-capable add-ons that intercept web traffic or harvest credentials. Safari reading list and bookmarks may reveal attacker reconnaissance of target resources. The TopSites and LastSession plists provide additional context about the most recently active browsing sessions.

**Tools:** DB Browser for SQLite, mac_apt, Hindsight, Crowdstrike UAC, Autopsy

**Collection Commands:**
- **sqlite3:** `sqlite3 ~/Library/Safari/History.db "SELECT datetime(hv.visit_time + 978307200, 'unixepoch') AS visit_date, hi.url, hv.title FROM history_visits hv JOIN history_items hi ON hv.history_item = hi.id ORDER BY hv.visit_time DESC LIMIT 500"`
- **plutil:** `plutil -p ~/Library/Safari/Downloads.plist > /forensics/safari_downloads.txt`
- **cp:** `cp -r ~/Library/Safari/ /forensics/safari_artifacts/`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output SAFARI`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Notification Center Database
**Location:** `~/Library/Group Containers/group.com.apple.usernoted/ (db2/)`

SQLite database storing all user notifications delivered by macOS Notification Center. Contains the notification title, subtitle, body text, delivering application bundle identifier, delivery timestamp, and whether the user interacted with the notification.

**Forensic Value:** The Notification Center database captures notification content that may reveal security-relevant events such as AirDrop file transfer requests, VPN connection notifications, email arrival summaries, and application permission requests. Notifications from security tools about detected threats are preserved. The timing of specific notifications can corroborate other timeline events. In social engineering investigations, notification content can reveal whether a user was prompted to take an action. This artifact provides context about what the user was presented with on screen at specific times.

**Tools:** DB Browser for SQLite, mac_apt, APOLLO (mac4n6), Crowdstrike UAC

**Collection Commands:**
- **sqlite3:** `sqlite3 ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db "SELECT datetime(r.delivered_date + 978307200, 'unixepoch') AS date, a.identifier, r.presented, hex(r.data) FROM record r JOIN app a ON r.app_id = a.app_id ORDER BY r.delivered_date DESC LIMIT 200"` (the bundle identifier lives in the `app` table, and title, subtitle and body are stored inside the `data` column as a binary plist rather than as separate columns; decode the blob with plutil or a plist parser)
- **cp:** `cp ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db /forensics/notification_center.db`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output NOTIFICATIONS`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Recent Items & Shared File Lists
**Location:** `~/Library/Application Support/com.apple.sharedfilelist/ (various .sfl2 files)`

Property list files tracking recently accessed applications, documents, servers, and volumes through the macOS Shared File List mechanism. SFL2 files are serialized binary plists containing bookmark data for recently used items across Finder and applications, including network volumes and remote servers.

**Forensic Value:** Recent Items plists provide evidence of which files, applications, and servers the user accessed most recently, persisting even after the items themselves are removed. The RecentApplications, RecentDocuments, and RecentServers lists reconstruct the user activity pattern. FavoriteServers entries reveal network resources the user regularly connects to, including SMB shares and AFP volumes that may be data exfiltration targets. Bookmark data within each entry contains the full file path and volume information at the time of access.

**Tools:** plutil, mac_apt, Crowdstrike UAC, APOLLO (mac4n6), plistutil

**Collection Commands:**
- **plutil:** `for f in ~/Library/Application\ Support/com.apple.sharedfilelist/*.sfl2; do echo "=== $f ===" && plutil -p "$f"; done > /forensics/recent_items.txt`
- **cp:** `cp -r ~/Library/Application\ Support/com.apple.sharedfilelist/ /forensics/sharedfilelists/`
- **find:** `find ~/Library/Application\ Support/com.apple.sharedfilelist/ -name "*.sfl2" -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; > /forensics/sfl2_timestamps.txt`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output RECENTITEMS`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Dock Plist (Application Arrangement)
**Location:** `~/Library/Preferences/com.apple.dock.plist`

Per-user property list storing the Dock configuration including pinned applications, recent applications, minimized windows, persistent and recent document stacks, and the arrangement order. Each entry contains a file-data bookmark referencing the application or file path.

**Forensic Value:** The Dock plist records which applications a user has pinned and which were recently used, providing insight into the user activity profile and installed software. Recent applications in the Dock that do not match installed software may indicate execution of portable or attacker-deployed tools. The persistent-others array reveals folders and files the user keeps accessible, which may include network share shortcuts or frequently accessed sensitive directories. Changes to the Dock configuration correlated with the compromise timeline can indicate attacker interaction with the system GUI.

**Tools:** plutil, defaults read, mac_apt, Crowdstrike UAC

**Collection Commands:**
- **defaults:** `defaults read com.apple.dock > /forensics/dock_config.txt`
- **plutil:** `plutil -p ~/Library/Preferences/com.apple.dock.plist > /forensics/dock_plist_parsed.txt`
- **cp:** `cp ~/Library/Preferences/com.apple.dock.plist /forensics/dock.plist`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

## Execution Evidence

### install.log (Application Installation Log)
**Location:** `/var/log/install.log (and rotated /var/log/install.log.*.bz2)`

System installation log recording all software installations performed through the macOS Installer framework (.pkg files). Captures the package identifier, version, installation path, installer process, and the user or process that initiated the installation with detailed timestamps.

**Forensic Value:** install.log provides an authoritative record of every .pkg-based software installation on the system with precise timestamps. Malicious packages installed through social engineering or supply chain attacks are logged here with the package identifier, revealing what was installed and when. Correlating installation timestamps with known compromise windows identifies attacker-deployed software. The log also records failed installations and prerequisite checks that may indicate unsuccessful attack attempts. Rotated log archives extend coverage to months of installation history.

**Tools:** grep, less, mac_apt, log2timeline (Plaso), Crowdstrike UAC

**Collection Commands:**
- **cp:** `sudo cp /var/log/install.log* /forensics/install_logs/`
- **strings:** `strings /var/log/install.log | grep -i "installer\|package\|error" > /forensics/install_log_filtered.txt`
- **log2timeline:** `log2timeline.py --parsers syslog /forensics/timeline.plaso /var/log/install.log`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output INSTALLLOG`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

### Bash / Zsh Shell History
**Location:** `~/.zsh_history (default since macOS Catalina), ~/.bash_history, ~/.zsh_sessions/`

Per-user shell command history files recording commands entered in interactive terminal sessions. Since macOS Catalina, Zsh is the default shell and history is stored in ~/.zsh_history. The ~/.zsh_sessions/ directory contains per-session history files with additional metadata. Extended history format includes timestamps for each command.

**Forensic Value:** Shell history provides direct evidence of commands executed by the attacker or compromised user including reconnaissance (whoami, sw_vers, ifconfig), persistence installation (launchctl load), credential access (security find-generic-password), and data staging (tar, zip, curl, scp). The Zsh sessions directory preserves per-session command history even when the main history file is cleared. Sophisticated attackers unset HISTFILE or clear history, but partially written session files and Unified Log entries may preserve command evidence. Always check all user accounts including root.

**Tools:** cat, grep, mac_apt, strings, Crowdstrike UAC

**Collection Commands:**
- **cp:** `mkdir -p /forensics/shell_history && for user_home in /Users/*/; do u=$(basename "$user_home"); for h in .zsh_history .bash_history; do cp "${user_home}${h}" "/forensics/shell_history/${u}${h}" 2>/dev/null; done; done` (the destination name carries the account name so each user's history does not overwrite the previous one)
- **cp:** `cp -r ~/.zsh_sessions/ /forensics/zsh_sessions_backup/`
- **find:** `find /Users/ -maxdepth 2 \( -name ".*_history" -o -name ".zsh_sessions" \) -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; > /forensics/shell_history_timestamps.txt`
- **strings:** `strings ~/.zsh_history | grep -iE "curl|wget|nc |ncat|ssh|scp|base64|python|osascript" > /forensics/suspicious_commands.txt`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
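The grep in the collection commands above works on raw history lines, which drops the timestamps that Zsh extended history records and splits multi-line commands. The parser below is an added example (not mac_apt or UAC code) that reads the `: <epoch>:<duration>;<command>` format, joins backslash-continued lines, accepts plain lines without the prefix (non-extended history or ~/.bash_history) with no timestamp, and applies the same pattern list as the grep. The sample history text is constructed; the line format and backslash continuation convention are assumptions about how Zsh writes the file.

```python
"""Parse Zsh extended history and flag the command patterns grepped for above.

Added example, not mac_apt or UAC code.  SAMPLE is constructed history text.
Assumes the EXTENDED_HISTORY format ": <epoch>:<duration>;<command>" with
multi-line commands stored as backslash-continued lines.
"""
import re
from datetime import datetime, timezone

EXTENDED_RE = re.compile(r"^: (\d+):(\d+);(.*)\Z", re.S)
# Same pattern list as the grep in the collection commands above.
SUSPICIOUS_RE = re.compile(r"curl|wget|nc |ncat|ssh|scp|base64|python|osascript", re.I)


def logical_lines(text):
    """Join backslash-continued physical lines into one command per element."""
    out, buf = [], None
    for raw in text.splitlines():
        buf = raw if buf is None else buf[:-1] + "\n" + raw  # drop the "\" but keep the newline
        if buf.endswith("\\"):
            continue
        out.append(buf)
        buf = None
    if buf is not None:  # file truncated mid-command: keep what was written
        out.append(buf)
    return out


def parse_history(text):
    """Return one dict per command with UTC time, duration, text and a flag."""
    entries = []
    for line in logical_lines(text):
        m = EXTENDED_RE.match(line)
        if m:
            ts, dur, cmd = int(m.group(1)), int(m.group(2)), m.group(3)
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
        else:  # plain history line (no EXTENDED_HISTORY, or bash)
            when, dur, cmd = None, None, line
        if not cmd.strip():
            continue
        entries.append({
            "when": when,
            "duration": dur,
            "command": cmd,
            "flagged": bool(SUSPICIOUS_RE.search(cmd)),
        })
    return entries


def read_history_file(path):
    """Zsh may write bytes outside UTF-8 (its metafied encoding), so never fail on decode."""
    with open(path, "rb") as f:
        return parse_history(f.read().decode("utf-8", errors="replace"))


# Constructed sample: two timestamped commands, one continued over two lines,
# and one plain line with no extended-history prefix.
SAMPLE = (
    ": 1705320000:0;ls -la\n"
    ": 1705320042:3;curl -sSL https://example.invalid/update.sh \\\n"
    "  -o /tmp/update.sh\n"
    ": 1705320100:0;launchctl load ~/Library/LaunchAgents/com.example.plist\n"
    "echo no timestamp on this line\n"
)


if __name__ == "__main__":
    for e in parse_history(SAMPLE):
        stamp = e["when"].isoformat() if e["when"] else "(no timestamp)"
        print(("FLAG " if e["flagged"] else "     ") + stamp, repr(e["command"]))
```

Run `read_history_file` over every `.zsh_history`, `.bash_history` and `~/.zsh_sessions/*.history` file collected; timestamps come out as aware UTC datetimes that can be placed directly alongside FSEvents and Unified Log entries in a timeline.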

### CrashReporter & Diagnostic Reports
**Location:** `~/Library/Logs/DiagnosticReports/ (per-user) and /Library/Logs/DiagnosticReports/ (system-wide)`

macOS crash report files (.ips and legacy .crash format) generated when applications or system processes crash. Each report contains the process name, bundle identifier, exception type, thread backtraces with symbolicated function names, loaded libraries, and the complete register state at the time of the crash.

**Forensic Value:** Crash reports capture the process state at the moment of failure, which frequently corresponds to exploitation attempts. Buffer overflow exploits, use-after-free attacks, and type confusion vulnerabilities trigger crashes that generate detailed reports including the faulting instruction address and stack trace. Repeated crashes of the same process with different exception addresses may indicate active exploitation attempts. Loaded library lists in crash reports reveal injected dylibs or suspicious frameworks. Crash reports for security-critical processes like Safari, Mail, or kernel extensions warrant immediate investigation.

**Tools:** mac_apt, Crowdstrike UAC, lldb, Autopsy, log2timeline (Plaso)

**Collection Commands:**
- **cp:** `sudo cp -r ~/Library/Logs/DiagnosticReports/ /Library/Logs/DiagnosticReports/ /forensics/crash_reports/`
- **find:** `find ~/Library/Logs/DiagnosticReports /Library/Logs/DiagnosticReports -name "*.ips" -o -name "*.crash" | xargs -I{} stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} | sort -r > /forensics/crash_report_timeline.txt`
- **head:** `for f in ~/Library/Logs/DiagnosticReports/*.ips; do echo "=== $f ===" && head -50 "$f"; done > /forensics/crash_summaries.txt`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output CRASHREPORTS`

**Official References:**
- [System Extensions](https://developer.apple.com/system-extensions/)
- [File Provider Framework](https://developer.apple.com/documentation/fileprovider)
- [Gatekeeper and Runtime Protection](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

## Authentication & Access

### Keychain Access & Credential Storage
**Location:** `~/Library/Keychains/ (login.keychain-db) and /Library/Keychains/ (System.keychain)`

macOS Keychain databases storing encrypted credentials including user passwords, Wi-Fi passwords, application tokens, certificates, private keys, and secure notes. The login keychain is unlocked when the user logs in and the System keychain stores system-wide credentials accessible to daemons and services.

**Forensic Value:** The Keychain is the primary credential store on macOS, and its access patterns reveal credential harvesting activity. The security command-line tool (security find-generic-password, security dump-keychain) can enumerate stored credentials on a live system. Keychain access events in the Unified Log show which processes requested credential access and whether the user approved the request. Unauthorized keychain dumps indicate credential theft. The system keychain may contain Wi-Fi passwords, VPN credentials, and certificate private keys that provide lateral movement opportunities for attackers.

**Tools:** security (macOS CLI), mac_apt, Keychain Access.app, chainbreaker, Crowdstrike UAC

**Collection Commands:**
- **security:** `security dump-keychain -d ~/Library/Keychains/login.keychain-db > /forensics/keychain_dump.txt 2>&1` (the `-d` flag dumps secret values and prompts the logged-in user once per item; omit it to collect metadata only)
- **security:** `security list-keychains > /forensics/keychain_list.txt`
- **cp:** `sudo cp ~/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain /forensics/keychains/`
- **log:** `log show --last 7d --predicate "subsystem == 'com.apple.securityd'" > /forensics/keychain_access_log.txt`

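Keychain metadata is usually more useful for triage than the secrets themselves: which services have stored credentials, when each item was created or last modified, and whether a secret value was actually present in a dump left behind by an attacker. The parser below is an added example for this page, not part of Apple's security(1) tool or the original text; it assumes the record layout that tool prints (a `keychain:` line per item, `class:`, an `attributes:` block of `"xxxx"<type>=value` lines, and a `data:` block followed by the value when `-d` was used) and runs over a constructed dump. It keeps only the length of any secret, never the value, so the inventory can be shared without re-exposing credentials.

```python
"""Inventory items from `security dump-keychain` output without copying secrets.

Added example for this page; it is not part of the original reference or of
Apple's security(1) tool. It assumes the record layout that tool prints: a
`keychain:` line per item, `class:`, an `attributes:` block of "xxxx"<type>=value
lines, and a `data:` block followed by the value when -d was used. SAMPLE_DUMP
below is constructed for the example.
"""
import re
from datetime import datetime, timezone

SAMPLE_DUMP = r'''keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="CorpWiFi"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="CorpWiFi"
    "cdat"<timedate>=0x32303234303530313132303030305A00  "20240501120000Z\000"
    "desc"<blob>="AirPort network password"
    "mdat"<timedate>=0x32303234303630323039313531305A00  "20240602091510Z\000"
    "svce"<blob>="AirPort"
data:
"hunter2"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="github.com"
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303233313131353038303030305A00  "20231115080000Z\000"
    "mdat"<timedate>=0x32303233313131353038303030305A00  "20231115080000Z\000"
    "port"<uint32>=0x00000000
    "ptcl"<uint32>="htps"
    "srvr"<blob>="github.com"
'''

# Named attributes look like  "acct"<blob>="value"; unnamed ones like  0x00000007 <blob>="value"
ATTR_RE = re.compile(r'^\s+(?:"(?P<name>\w{4})"|(?P<num>0x[0-9A-Fa-f]+)\s)<(?P<type>\w+)>=(?P<value>.*)$')


def _decode_value(vtype, raw):
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if vtype == "timedate":                       # hex blob followed by "YYYYMMDDHHMMSSZ\000"
        m = re.search(r'"(\d{14})Z', raw)
        if m:
            return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("0x"):
        return int(raw, 16)
    return raw


def parse_dump(text):
    """Return one dict per item: keychain path, class, attrs, and whether a secret
    value was present (only its length is kept; the value itself is dropped)."""
    items, cur, expect_data = [], None, False
    for line in text.splitlines():
        if line.startswith("keychain:"):
            if cur is not None:
                items.append(cur)
            cur = {"keychain": line.split(":", 1)[1].strip().strip('"'),
                   "class": None, "attrs": {}, "has_secret": False, "secret_len": 0}
            expect_data = False
            continue
        if cur is None:
            continue
        if expect_data:                           # the line after `data:` carries the secret
            body = line.strip()
            if len(body) >= 2 and body[0] == body[-1] == '"':
                body = body[1:-1]
            cur["has_secret"], cur["secret_len"] = True, len(body)
            expect_data = False
        elif line.startswith("class:"):
            cur["class"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("data:"):
            expect_data = True
        else:
            m = ATTR_RE.match(line)
            if m and m.group("name"):
                cur["attrs"][m.group("name")] = _decode_value(m.group("type"), m.group("value"))
    if cur is not None:
        items.append(cur)
    return items


def describe(item):
    """One triage row: class, where the credential is used, account, modified time, secret present?"""
    a = item["attrs"]
    where = a.get("svce") or a.get("srvr") or a.get("desc")
    return (item["class"], where, a.get("acct"), a.get("mdat"), item["has_secret"])


def modified_since(items, since):
    """Items whose modification date is at or after `since` (a timezone-aware datetime)."""
    return [i for i in items if i["attrs"].get("mdat") is not None and i["attrs"]["mdat"] >= since]


if __name__ == "__main__":
    for item in parse_dump(SAMPLE_DUMP):
        print(describe(item))
```

Run it against the `keychain_dump.txt` produced above and sort by the `mdat` column: items created or modified inside the incident window, and items whose secret value is present in a dump found in an attacker's working directory, are the ones to pursue first.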
**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- login.keychain-db is encrypted with a key derived from the user's login password, so offline decryption (for example with chainbreaker) needs that password; System.keychain can be unlocked offline with the key file /var/db/SystemKey, so collect it alongside the database.
- `security dump-keychain -d` on a live host raises a consent dialog for every item and leaves its own trail in the Unified Log; record the dump in the collection notes. Items synced through iCloud Keychain live in the data-protection keychain (keychain-2.db) and are not returned by dump-keychain.

### sudo.log & Authorization Logs
**Location:** `/var/log/sudo.log (only when sudoers sets a logfile), the Unified Log (process: sudo and authd), and /var/log/authd.log where present`

macOS authorization and privilege escalation logs capturing sudo command usage, authorization rights evaluations, and authentication dialog events. sudo writes each command, and each denial, through syslog into the Unified Log, and additionally to /var/log/sudo.log when sudoers configures a logfile. The authd daemon evaluates authorization rights for password prompts, installer authentication, and System Settings changes and logs those decisions to the Unified Log.

**Forensic Value:** Each sudo entry records the invoking user, TTY, working directory (PWD), target user (USER=, typically root), and the exact COMMAND, giving a privileged command audit trail; denied invocations carry a reason such as `3 incorrect password attempts` or `user NOT in sudoers` in the same line. Clusters of failures indicate password guessing or a user outside sudoers probing for privileges. authd entries show when a user was prompted for authentication and whether the right was granted, which matters when investigating social engineering that coaxes users into entering their password. Correlating sudo timestamps with shell history and process execution artifacts builds a complete privileged activity timeline.

**Tools:** log (macOS CLI), mac_apt, grep, UAC (Unix-like Artifacts Collector), log2timeline (Plaso)

**Collection Commands:**
- **log:** `log show --last 7d --predicate "process == 'sudo'" > /forensics/sudo_log.txt`
- **log:** `log show --last 7d --predicate "process == 'authd'" > /forensics/authd_log.txt`
- **cp:** `sudo cp /var/log/sudo.log /var/log/authd.log /forensics/auth_logs/ 2>/dev/null`
- **mac_apt:** `python mac_apt.py -i /path/to/image -o /forensics/output SUDOLOGS`

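The `sudo_log.txt` export above is a flat text file, and the questions an analyst asks of it are always the same: who ran what as root, who was refused, and which commands look like staging or an interactive root shell. The script below is an added example for this page, not part of sudo or the original text. It depends only on sudo's log message shape (`user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the surrounding `log show` columns in the constructed sample are decorative, and the parser anchors only on the leading timestamp and the message.

```python
"""Triage sudo entries exported with: log show --predicate "process == 'sudo'".

Added example for this page; not from the original text or from sudo's own
tooling. It relies only on sudo's log message shape:
    user : [reason ; ]TTY=tty ; PWD=dir ; USER=target ; COMMAND=cmd
The log lines in SAMPLE_LOG are constructed; the columns before the message
mimic `log show` default output but are not parsed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-06-02 09:15:10.120000-0700 0x1a2b Default 0x0 4242 0 sudo: alice : TTY=ttys003 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
2024-06-02 09:16:02.450000-0700 0x1a2b Default 0x0 4250 0 sudo: alice : 3 incorrect password attempts ; TTY=ttys003 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/zsh
2024-06-02 09:16:40.000000-0700 0x1a2b Default 0x0 4261 0 sudo: alice : 3 incorrect password attempts ; TTY=ttys003 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/zsh
2024-06-02 09:17:05.300000-0700 0x1a2b Default 0x0 4270 0 sudo: bob : TTY=ttys001 ; PWD=/private/tmp ; USER=root ; COMMAND=/private/tmp/.update/helper -i
2024-06-02 09:18:00.000000-0700 0x1a2b Default 0x0 4281 0 sudo: bob : TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
MSG_RE = re.compile(
    r"(?P<user>[^\s:]+) : (?:(?P<reason>[^;]+) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/ksh", "/bin/tcsh")
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def parse_sudo_lines(text):
    """Return one dict per sudo command record; other sudo log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        ev = m.groupdict()
        ev["ts"] = ts.group(1) if ts else None
        ev["ok"] = ev["reason"] is None     # sudo only prefixes a reason when it refuses
        events.append(ev)
    return events


def triage(events, failure_threshold=2):
    """Flag repeated failures, interactive root shells, and execution from staging directories."""
    failures = defaultdict(int)
    findings = []
    for ev in events:
        if not ev["ok"]:
            failures[ev["user"]] += 1
        cmd_path = ev["cmd"].split()[0]
        if ev["ok"] and cmd_path in SHELLS:
            findings.append(("root_shell", ev["user"], ev["ts"], ev["cmd"]))
        pwd = ev["pwd"].rstrip("/") + "/"
        if cmd_path.startswith(STAGING_DIRS) or pwd.startswith(STAGING_DIRS):
            findings.append(("staging_dir", ev["user"], ev["ts"], ev["cmd"]))
    for user, n in failures.items():
        if n >= failure_threshold:
            findings.append(("password_guessing", user, None, f"{n} failed sudo attempts"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sudo_lines(SAMPLE_LOG)):
        print(finding)
```

Each finding carries the timestamp from the log line, so it can be lined up directly against shell history and OpenBSM execve records; the thresholds and directory list are starting points, not tuned detections.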
**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- The Unified Log keeps a rolling window whose length depends on log volume, so `log show --last 7d` returns only what still exists on disk; preserve the raw store as a .logarchive with `log collect` rather than relying on text exports alone.
- /var/log/sudo.log exists only when sudoers enables a logfile; its absence does not mean sudo was not used.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

### OpenBSM Audit Logs
**Location:** `/var/audit/ (audit trail files) and /etc/security/audit_control (configuration)`

macOS Basic Security Module (BSM) audit subsystem generating kernel-level audit records for system calls, file access, process execution, authentication events, and administrative actions. Audit trails are binary files in /var/audit/ that capture events based on the audit policy configured in /etc/security/audit_control. Each record contains event type, timestamp, process info, and operation-specific parameters.

**Forensic Value:** OpenBSM provides the most granular audit trail available on macOS, recording selected system calls as the kernel handles them. Records capture process execution (execve) with the full argument vector and binary path, file opens with paths, socket operations, and authentication events independently of application-level logging. Because records are emitted by the kernel, a process cannot suppress its own entries, but the trail files are ordinary root-owned files under /var/audit, so an attacker with root can truncate or delete them; a gap in the trail sequence is itself a finding. praudit renders the binary trail as text or XML and auditreduce filters it by event class, user, or time. Where auditing is enabled with the relevant classes, this is the authoritative source for process execution and file access evidence.

**Tools:** praudit, auditreduce, mac_apt, UAC (Unix-like Artifacts Collector), log2timeline (Plaso)

**Collection Commands:**
- **praudit:** `sudo praudit -x /var/audit/current > /forensics/bsm_audit_current.xml`
- **auditreduce:** `sudo auditreduce -c ex /var/audit/* | praudit > /forensics/bsm_execve_events.txt`
- **cp:** `sudo cp /var/audit/* /forensics/bsm_audit_trails/`
- **stat:** `sudo stat -f "%Sm %N" /var/audit/* | sort > /forensics/bsm_audit_timeline.txt`

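When a trail is collected off a Mac and analysed elsewhere, praudit may not be available, and it helps to know what the binary records actually contain: each record is a sequence of tokens, starting with a header (record size, version, event number, timestamp) and ending with a trailer that repeats the size, so a reader can walk a trail file token by token. The decoder below is an added example for this page, not part of OpenBSM, praudit, or the original text. It implements only the tokens an execve(2) record carries (header32, exec_args, path, subject32, return32, trailer), using the big-endian layouts from OpenBSM's libbsm as this example's assumption, and encodes a constructed two-record trail so the decoder can be exercised offline; real trails also contain header32_ex/header64 and other token types, on which it stops with an error rather than guess.

```python
"""Decode OpenBSM execve(2) records directly from a binary audit trail.

Added example for this page; not part of OpenBSM, praudit, or the original
text. It handles only the tokens an execve record carries (header32,
exec_args, path, subject32, return32, trailer) using the big-endian layouts
from OpenBSM's libbsm, and builds a constructed trail so the decoder runs
offline. Real trails also use header32_ex/header64 and other tokens; the
decoder stops with an error on anything it does not know rather than guess.
"""
import struct

AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32 = 0x13, 0x14, 0x23, 0x24
AUT_RETURN32, AUT_EXEC_ARGS = 0x27, 0x3C
AUE_EXECVE = 23            # event number for execve(2) in audit_kevents.h
HEADER_VERSION = 11        # AUDIT_HEADER_VERSION_OPENBSM
TRAILER_MAGIC = 0xB105
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")


def build_execve_record(secs, msec, auid, euid, egid, pid, sid, path, argv, errno=0, retval=0):
    """Encode one execve record (used here only to produce sample input)."""
    body = struct.pack(">BI", AUT_EXEC_ARGS, len(argv)) + b"".join(a.encode() + b"\0" for a in argv)
    p = path.encode() + b"\0"                      # path token length includes the NUL
    body += struct.pack(">BH", AUT_PATH, len(p)) + p
    body += struct.pack(">B9I", AUT_SUBJECT32, auid, euid, egid, auid, egid, pid, sid, 0, 0)
    body += struct.pack(">BBI", AUT_RETURN32, errno, retval)
    size = 18 + len(body) + 7                      # header32 is 18 bytes, trailer 7; size covers both
    header = struct.pack(">BIBHHII", AUT_HEADER32, size, HEADER_VERSION, AUE_EXECVE, 0, secs, msec)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, size)
    return header + body + trailer


def decode_record(buf, start=0):
    """Parse the record beginning at buf[start]; return (record dict, record size)."""
    tok, size, version, event, modifier, secs, msec = struct.unpack_from(">BIBHHII", buf, start)
    if tok != AUT_HEADER32:
        raise ValueError("unsupported header token 0x%02x at %d" % (tok, start))
    rec = {"event": event, "version": version, "modifier": modifier,
           "time": secs + msec / 1000.0, "size": size}
    off, end = start + 18, start + size
    while off < end:
        tok = buf[off]
        off += 1
        if tok == AUT_EXEC_ARGS:
            (count,) = struct.unpack_from(">I", buf, off)
            off += 4
            args = []
            for _ in range(count):                 # count NUL-terminated strings
                nul = buf.index(b"\0", off)
                args.append(buf[off:nul].decode(errors="replace"))
                off = nul + 1
            rec["argv"] = args
        elif tok == AUT_PATH:
            (length,) = struct.unpack_from(">H", buf, off)
            off += 2
            rec["path"] = buf[off:off + length].rstrip(b"\0").decode(errors="replace")
            off += length
        elif tok == AUT_SUBJECT32:
            rec["subject"] = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, off)))
            off += 36
        elif tok == AUT_RETURN32:
            errno, value = struct.unpack_from(">BI", buf, off)
            off += 5
            rec["return"] = {"errno": errno, "value": value}
        elif tok == AUT_TRAILER:
            magic, tsize = struct.unpack_from(">HI", buf, off)
            off += 6
            if magic != TRAILER_MAGIC or tsize != size:
                raise ValueError("corrupt trailer for record at %d" % start)
        else:
            raise ValueError("unhandled token 0x%02x at offset %d" % (tok, off - 1))
    return rec, size


def iter_records(buf):
    """Yield every record in a trail buffer, in order."""
    off = 0
    while off < len(buf):
        rec, size = decode_record(buf, off)
        yield rec
        off += size


def execve_events(buf):
    """(auid, euid, path, argv) per execve: auid survives sudo/setuid, euid shows the privilege gained."""
    return [(r["subject"]["auid"], r["subject"]["euid"], r.get("path"), r.get("argv", []))
            for r in iter_records(buf) if r["event"] == AUE_EXECVE]


# Constructed trail: `sudo id` by uid 501 at 2024-06-02 16:15:10 UTC, then a root helper
# launched from /private/tmp by uid 502 two minutes later.
SAMPLE_TRAIL = (build_execve_record(1717344910, 120, 501, 0, 0, 4242, 100000, "/usr/bin/id", ["id"])
                + build_execve_record(1717345025, 300, 502, 0, 0, 4270, 100001,
                                      "/private/tmp/.update/helper", ["helper", "-i"]))

if __name__ == "__main__":
    for ev in execve_events(SAMPLE_TRAIL):
        print(ev)
```

The audit user ID (auid) is the field to pivot on: it is fixed at login and survives sudo and setuid, so an execve with auid 501 and euid 0 ties a root action back to the interactive user who started it even when the process tree has been obscured.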
**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Apple deprecated the OpenBSM audit subsystem in macOS 11 in favor of the Endpoint Security framework, and recent releases may ship with auditd not running; confirm that /var/audit holds trail files covering the incident window before treating the trail as complete.
- The default /etc/security/audit_control flags (`lo,aa`) audit only login/logout and authentication/authorization events; execve records appear only if the `ex` class was enabled before the activity, so an empty `auditreduce -c ex` result is not evidence that nothing ran.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

## Memory & Live State

### macOS Memory Dump (RAM Capture)
**Location:** `No on-disk location; acquired live from RAM with a kernel-extension based imager (osxpmem/MacPmem, Cellebrite Digital Collector (formerly BlackBag MacQuisition), SUMURI RECON ITR)`

Complete physical memory capture of a running macOS system, including all process address spaces, kernel data structures, Mach port tables, network connection state, loaded kernel extensions (kexts), and cached filesystem data. macOS exposes no supported user-space path to physical memory, so acquisition tools load their own kernel extension; that requires administrator approval of the kext, with System Integrity Protection left in place, and on Apple Silicon the Reduced Security boot policy that permits third-party kexts.

**Forensic Value:** Memory analysis is essential for detecting macOS fileless threats, injected dylibs, and kernel extensions that leave minimal disk footprint. Volatility 3, given a symbol table for the exact kernel build, can enumerate processes including those hidden from ps, extract active network connections with owning-process attribution, and list loaded kexts; Volatility 2's mac_keychaindump plugin could recover keychain master keys from memory on older releases. On Apple Silicon Macs, physical memory acquisition tooling is scarce, which makes live triage with process-aware tools increasingly important. In-memory-only implants used by advanced threat actors are detectable only through memory analysis or on-host live inspection.

**Tools:** osxpmem (MacPmem), Volatility 3, Cellebrite Digital Collector (formerly BlackBag MacQuisition), SUMURI RECON ITR, Rekall (unmaintained)

**Collection Commands:**
- **osxpmem:** `sudo osxpmem -o /forensics/memory_dump.aff4`
- **osxpmem:** `sudo osxpmem --format raw -o /forensics/memory_dump.raw`
- **Volatility 3:** `vol -f /forensics/memory_dump.raw mac.pslist.PsList > /forensics/process_list.txt`
- **Volatility 3:** `vol -f /forensics/memory_dump.raw mac.netstat.Netstat > /forensics/network_connections.txt`

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.
- osxpmem (MacPmem) is unmaintained and supports Intel Macs only; Volatility 3 needs an ISF symbol table matching the kernel build, which may have to be generated from Apple's Kernel Debug Kit with dwarf2json, and its macOS support has historically been Intel-only.
- Loading an imaging kext changes the system under examination; record the tool, version, and time of load in the acquisition notes.

## Communication

### Messages Database (chat.db)
**Location:** `~/Library/Messages/chat.db and ~/Library/Messages/Attachments/`

**Also Known As:** chat.db, Messages

SQLite database used by the Messages app to store iMessage and SMS conversation metadata, message bodies, participant handles, read state, attachment references, and chat membership relationships for the user profile.

**Forensic Value:** chat.db is a primary communication artifact on macOS because it preserves conversation content, timestamps, delivery state, and the attachment paths needed to recover exchanged files. It is especially useful in insider threat, extortion, or phishing investigations where coordination or lure content may have happened through iMessage rather than corporate messaging systems. Attachment and handle tables also let investigators connect Messages activity to local files and Apple IDs present elsewhere on the host.

**Tools:** sqlite3, DB Browser for SQLite, mac_apt, find

**Collection Commands:**
- **sqlite3:** `sqlite3 ~/Library/Messages/chat.db ".tables" > /forensics/messages_tables.txt`
- **cp:** `cp ~/Library/Messages/chat.db* /forensics/messages_db/ 2>/dev/null && cp -R ~/Library/Messages/Attachments /forensics/messages_attachments/ 2>/dev/null`
- **find:** `find ~/Library/Messages -maxdepth 2 -type f -print > /forensics/messages_file_inventory.txt`

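Two details trip up most first passes over chat.db: `message.date` counts from 2001-01-01 (in nanoseconds on current releases, seconds on older ones), and sent messages carry `handle_id` 0, so the counterpart has to come from the chat the message belongs to. The extractor below is an added example for this page, not Apple's code or the original text's tooling. It builds a small database with the subset of the chat.db schema it queries (message, handle, chat, chat_message_join, attachment, message_attachment_join, with column names as they appear in current macOS builds) and constructed rows so it runs offline; on a case, point `extract_messages()` at a forensic copy of chat.db and the collected Attachments directory instead.

```python
"""Extract a conversation timeline from a copy of chat.db with normalized timestamps.

Added example for this page; not Apple's code or the original text's tooling.
It creates a small database using the subset of the chat.db schema it queries
(message, handle, chat, chat_message_join, attachment, message_attachment_join,
with column names as they appear in current macOS builds) and constructed rows,
so it runs offline; point extract_messages() at a forensic copy instead.
"""
import sqlite3
from datetime import datetime, timezone

COCOA_EPOCH = 978307200     # 2001-01-01T00:00:00Z as a Unix timestamp

SCHEMA = """
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, guid TEXT, chat_identifier TEXT, display_name TEXT);
CREATE TABLE message (ROWID INTEGER PRIMARY KEY, guid TEXT, text TEXT, attributedBody BLOB,
    handle_id INTEGER, date INTEGER, is_from_me INTEGER, cache_has_attachments INTEGER);
CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER);
CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, guid TEXT, filename TEXT, mime_type TEXT, transfer_name TEXT);
CREATE TABLE message_attachment_join (message_id INTEGER, attachment_id INTEGER);
"""

# Constructed rows: a lure with an attachment received 2024-06-02 16:15:10 UTC, and the reply.
# 739037710 is that instant in seconds since 2001; current builds store it in nanoseconds.
SAMPLE_ROWS = [
    ("INSERT INTO handle VALUES (1, 'lure@example.com', 'iMessage')", ()),
    ("INSERT INTO chat VALUES (1, 'iMessage;-;lure@example.com', 'lure@example.com', NULL)", ()),
    ("INSERT INTO message VALUES (1, 'g1', 'Your invoice is overdue, see attached', NULL, 1, 739037710000000000, 0, 1)", ()),
    ("INSERT INTO message VALUES (2, 'g2', NULL, ?, 0, 739037770000000000, 1, 0)", (b"typedstream-blob",)),
    ("INSERT INTO chat_message_join VALUES (1, 1), (1, 2)", ()),
    ("INSERT INTO attachment VALUES (1, 'a1', '~/Library/Messages/Attachments/ab/11/a1/Invoice.zip', 'application/zip', 'Invoice.zip')", ()),
    ("INSERT INTO message_attachment_join VALUES (1, 1)", ()),
]

QUERY = """
SELECT m.ROWID, m.date, m.is_from_me, h.id, m.text, m.attributedBody IS NOT NULL,
       c.chat_identifier, a.filename
FROM message m
LEFT JOIN handle h ON h.ROWID = m.handle_id
LEFT JOIN chat_message_join cmj ON cmj.message_id = m.ROWID
LEFT JOIN chat c ON c.ROWID = cmj.chat_id
LEFT JOIN message_attachment_join maj ON maj.message_id = m.ROWID
LEFT JOIN attachment a ON a.ROWID = maj.attachment_id
ORDER BY m.date, m.ROWID
"""


def apple_time_to_unix(value):
    """message.date counts from 2001-01-01: seconds on old builds, nanoseconds since 10.13."""
    if not value:
        return None
    if value > 10**11:          # second-based values stay below ~1e9 for decades; ns values are ~1e18
        value = value / 1e9
    return value + COCOA_EPOCH


def resolve_attachment(filename, attachments_root):
    """Map the '~/Library/Messages/Attachments/...' path stored in chat.db onto a collected copy."""
    prefix = "~/Library/Messages/Attachments/"
    if filename and filename.startswith(prefix):
        return attachments_root.rstrip("/") + "/" + filename[len(prefix):]
    return filename


def extract_messages(conn, attachments_root="/forensics/messages_attachments"):
    """One row per message (repeated per attachment when a message carries several)."""
    rows = []
    for rowid, date, from_me, handle, text, has_blob, chat_id, filename in conn.execute(QUERY):
        ts = apple_time_to_unix(date)
        rows.append({
            "rowid": rowid,
            "ts_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None,
            "direction": "sent" if from_me else "received",
            "counterpart": handle or chat_id,    # sent messages have handle_id 0: use the chat
            "text": text,
            "has_body_blob": bool(has_blob),     # Ventura+ may keep the body only in attributedBody
            "attachment": resolve_attachment(filename, attachments_root),
        })
    return rows


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    return conn


if __name__ == "__main__":
    for row in extract_messages(demo_db()):
        print(row)
```

A row with `text` NULL and `has_body_blob` True is not an empty message: on Ventura and later the body lives in the `attributedBody` typedstream archive and needs a separate decoder, so report it as present-but-undecoded rather than blank.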
**Official References:**
- [Use Messages in iCloud on Mac](https://support.apple.com/en-lamr/guide/messages/ichte16154fb/mac)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Reading ~/Library/Messages on a live host requires Full Disk Access for the terminal or collection tool; copy chat.db together with its -wal and -shm files so uncheckpointed rows are not lost.
- Since macOS Ventura the message body may be stored only in the `attributedBody` blob with `text` NULL, and `message.date` is nanoseconds since 2001-01-01 on current releases (seconds on older ones); convert before building a timeline.
- Message retention, attachment caching, and iCloud sync behavior vary by user settings and macOS release. Deleted rows may require WAL or unallocated-page recovery.

### Mail Envelope Index
**Location:** `~/Library/Mail/V*/MailData/Envelope Index* and per-mailbox metadata under ~/Library/Mail/`

**Also Known As:** Envelope Index, MailData

SQLite-based metadata index used by Apple Mail to catalog message headers, mailbox locations, account relationships, and search state across local and synced mailboxes in the user profile.

**Forensic Value:** Envelope Index provides a fast way to enumerate mail subjects, senders, recipients, message IDs, and mailbox placement even when individual .emlx files have been moved or partially pruned by the client. It helps reconstruct what mailboxes existed, which accounts were configured, and whether suspicious messages were present locally on the Mac around the incident window. Correlating the index with attachment and quarantine artifacts can reveal phishing delivery and message-based staging activity on the host.

**Tools:** sqlite3, DB Browser for SQLite, find, mac_apt

**Collection Commands:**
- **find:** `find ~/Library/Mail -path "*MailData/Envelope Index*" -exec cp {} /forensics/mail_envelope_index/ \; 2>/dev/null`
- **sqlite3:** `sqlite3 ~/Library/Mail/V*/MailData/Envelope\ Index ".tables" > /forensics/mail_envelope_tables.txt 2>/dev/null`
- **find:** `find ~/Library/Mail -maxdepth 4 -type f | head -1000 > /forensics/mail_file_inventory.txt`

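The index is normalized: `messages` holds only foreign keys into `subjects`, `addresses`, and `mailboxes`, so a useful listing needs three joins, and the mailbox URL is what ties a row back to the `.mbox` directory where its `.emlx` file lives. The script below is an added example for this page, not Apple's code or the original text's tooling. It builds a small database with the subset of the Envelope Index schema it queries and constructed rows so it runs offline; two things it assumes should be confirmed against a real index with `.schema` and a known message: that `date_sent`/`date_received` are Unix epoch seconds, and that the on-disk file for a row is `<ROWID>.emlx` under the mailbox named by `mailboxes.url`. The sender-domain grouping goes a step beyond the page's description by flagging lookalike domains that embed the organisation's own domain name.

```python
"""Triage senders and mailbox placement from a copy of Apple Mail's Envelope Index.

Added example for this page; not Apple's code or the original's tooling. It
builds a small database with the subset of the Envelope Index schema it queries
(messages joined to subjects, addresses, and mailboxes) and constructed rows so
it runs offline. Assumptions to confirm against a real index with `.schema`:
date_sent/date_received are Unix epoch seconds, and the on-disk message for a
row is `<ROWID>.emlx` under the mailbox named by mailboxes.url.
"""
import sqlite3
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse, unquote

SCHEMA = """
CREATE TABLE subjects (ROWID INTEGER PRIMARY KEY, subject TEXT, normalized_subject TEXT);
CREATE TABLE addresses (ROWID INTEGER PRIMARY KEY, address TEXT, comment TEXT);
CREATE TABLE mailboxes (ROWID INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE messages (ROWID INTEGER PRIMARY KEY, message_id TEXT, sender INTEGER, subject INTEGER,
    date_sent INTEGER, date_received INTEGER, mailbox INTEGER, read INTEGER, flags INTEGER, size INTEGER);
"""

# Constructed rows: one internal mail, one lookalike-domain lure, one newsletter filed as Junk.
SAMPLE_SQL = """
INSERT INTO subjects VALUES (1, 'Q2 budget', 'Q2 budget'), (2, 'Password expiry notice', 'Password expiry notice'),
                            (3, 'Weekly digest', 'Weekly digest');
INSERT INTO addresses VALUES (1, 'cfo@corp.example', 'Jane Doe'), (2, 'it-support@corp-example.net', 'IT Support'),
                             (3, 'news@newsletter.example', 'Newsletter');
INSERT INTO mailboxes VALUES (1, 'imap://alice%40corp.example@mail.corp.example/INBOX'),
                             (2, 'imap://alice%40corp.example@mail.corp.example/Junk');
INSERT INTO messages VALUES (101, '<a@corp.example>', 1, 1, 1717344910, 1717344920, 1, 1, 0, 2048),
                            (102, '<b@corp-example.net>', 2, 2, 1717345000, 1717345010, 1, 0, 0, 4096),
                            (103, '<c@newsletter.example>', 3, 3, 1717350000, 1717350010, 2, 0, 0, 8192);
"""

QUERY = """
SELECT m.ROWID, m.message_id, a.address, a.comment, s.subject, m.date_received, m.read, mb.url
FROM messages m
LEFT JOIN addresses a ON a.ROWID = m.sender
LEFT JOIN subjects s ON s.ROWID = m.subject
LEFT JOIN mailboxes mb ON mb.ROWID = m.mailbox
ORDER BY m.date_received
"""


def mailbox_name(url):
    """'imap://user%40host@server/INBOX' -> 'INBOX' (the .mbox directory under the account folder)."""
    return unquote(urlparse(url).path.lstrip("/")) if url else None


def list_messages(conn):
    rows = []
    for rowid, msg_id, addr, comment, subject, received, read, url in conn.execute(QUERY):
        rows.append({
            "rowid": rowid,
            "message_id": msg_id,
            "sender": addr,
            "sender_name": comment,
            "domain": addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else None,
            "subject": subject,
            "received_utc": datetime.fromtimestamp(received, tz=timezone.utc).isoformat() if received else None,
            "read": bool(read),
            "mailbox": mailbox_name(url),
            "emlx": f"{rowid}.emlx",   # assumed on-disk name; confirm with find on the mailbox tree
        })
    return rows


def external_senders(rows, internal_domains):
    """Group message ROWIDs by external sender domain and flag lookalikes: domains that,
    with dots and hyphens removed, still contain an internal domain (corp-example.net ~ corp.example)."""
    internal = {d.lower() for d in internal_domains}
    by_domain = defaultdict(list)
    for r in rows:
        if r["domain"] and r["domain"] not in internal:
            by_domain[r["domain"]].append(r["rowid"])

    def squash(d):
        return d.replace(".", "").replace("-", "")

    lookalikes = {d for d in by_domain if any(squash(i) in squash(d) for i in internal)}
    return dict(by_domain), lookalikes


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_SQL)
    return conn


if __name__ == "__main__":
    rows = list_messages(demo_db())
    print(external_senders(rows, ["corp.example"]))
```

Once a suspicious row is identified, the `mailbox` and `emlx` fields say where to look for the full message under `~/Library/Mail/V*/<account>/<mailbox>.mbox/`, and the headers in that `.emlx` file are what to correlate with quarantine and download artifacts on the host.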
**Official References:**
- [Mail User Guide for Mac](https://support.apple.com/guide/mail/welcome/mac)

**Collection Constraints:**
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Reading ~/Library/Mail on a live host requires Full Disk Access for the terminal or collection tool; the versioned directory name (V*) changes across releases, so enumerate rather than hard-code it.
- Mailbox layout and schema vary by Apple Mail version and account type. Some content may reside only in server-synced stores or encrypted cloud mailboxes rather than locally cached files.

---
*Generated by DFIR Assist*