CrashReporter & Diagnostic Reports
Location
~/Library/Logs/DiagnosticReports/ (per-user) and /Library/Logs/DiagnosticReports/ (system-wide)
Description
macOS crash report files (.ips and legacy .crash format) generated when applications or system processes crash. Each report contains the process name, bundle identifier, exception type, thread backtraces with symbolicated function names, loaded libraries, and the complete register state at the time of the crash.
Forensic Value
Crash reports capture the process state at the moment of failure, which frequently corresponds to exploitation attempts. Buffer overflow exploits, use-after-free attacks, and type confusion vulnerabilities trigger crashes that generate detailed reports including the faulting instruction address and stack trace. Repeated crashes of the same process with different exception addresses may indicate active exploitation attempts. Loaded library lists in crash reports reveal injected dylibs or suspicious frameworks. Crash reports for security-critical processes like Safari, Mail, or kernel extensions warrant immediate investigation.
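As an added example (not part of this reference entry), the triage logic below parses the modern two-part .ips format (a one-line JSON header followed by a JSON body) and applies the two indicators described above: one process crashing repeatedly at distinct fault addresses, and loaded images that sit outside system paths and outside the crashed app's own bundle. The key names follow the current .ips JSON layout; the sample reports, addresses and the dylib path are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample .ips reports: a one-line JSON header, then the JSON body.
# Key names (procName, procPath, exception.subtype, usedImages) follow the
# modern macOS .ips layout; paths, addresses and the dylib are made up.
SAMPLE_REPORTS = [
    '{"app_name":"Safari","bug_type":"309"}\n'
    '{"procName":"Safari","procPath":"/Applications/Safari.app/Contents/MacOS/Safari",'
    '"exception":{"type":"EXC_BAD_ACCESS","signal":"SIGSEGV",'
    '"subtype":"KERN_INVALID_ADDRESS at 0x0000000000000010"},'
    '"usedImages":[{"path":"/Applications/Safari.app/Contents/MacOS/Safari"}]}',
    '{"app_name":"Safari","bug_type":"309"}\n'
    '{"procName":"Safari","procPath":"/Applications/Safari.app/Contents/MacOS/Safari",'
    '"exception":{"type":"EXC_BAD_ACCESS","signal":"SIGSEGV",'
    '"subtype":"KERN_INVALID_ADDRESS at 0x000000014a3c2000"},'
    '"usedImages":[{"path":"/Applications/Safari.app/Contents/MacOS/Safari"},'
    '{"path":"/usr/lib/libSystem.B.dylib"},'
    '{"path":"/Users/Shared/.cache/libhelper.dylib"}]}',
]
SYSTEM_PREFIXES = ("/System/", "/usr/lib/", "/usr/libexec/", "/Library/Apple/")

def parse_ips(text):
    """Split a .ips file into its header dict and body dict."""
    header, _, body = text.partition("\n")
    return json.loads(header), json.loads(body)

def fault_address(body):
    """Faulting address from exception.subtype ('... at 0x...'), or None."""
    subtype = body.get("exception", {}).get("subtype", "")
    return subtype.rsplit(" at ", 1)[1] if " at " in subtype else None

def foreign_images(body):
    """Loaded images outside system paths and outside the crashed app's bundle."""
    proc_path = body.get("procPath", "")
    bundle = proc_path.split(".app/", 1)[0] + ".app/" if ".app/" in proc_path else None
    prefixes = SYSTEM_PREFIXES + ((bundle,) if bundle else ())
    return [i["path"] for i in body.get("usedImages", [])
            if i.get("path") and i["path"] != proc_path and not i["path"].startswith(prefixes)]

def triage(reports):
    """Flag foreign images and processes that crash at several distinct addresses."""
    addrs, findings = defaultdict(set), []
    for text in reports:
        header, body = parse_ips(text)
        proc = body.get("procName") or header.get("app_name")
        if fault_address(body):
            addrs[proc].add(fault_address(body))
        for path in foreign_images(body):
            findings.append((proc, "non-system image loaded", path))
    for proc, seen in addrs.items():
        if len(seen) > 1:
            findings.append((proc, "repeated crashes at distinct addresses", sorted(seen)))
    return findings
```

Run it over the contents of a collected DiagnosticReports directory (one string per .ips file) to get a short list of reports worth a closer look.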
Tools Required
Collection Commands
cp
sudo cp -r ~/Library/Logs/DiagnosticReports/ /Library/Logs/DiagnosticReports/ /forensics/crash_reports/
find
find ~/Library/Logs/DiagnosticReports /Library/Logs/DiagnosticReports -name "*.ips" -o -name "*.crash" | xargs -I{} stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} | sort -r > /forensics/crash_report_timeline.txt
strings
for f in ~/Library/Logs/DiagnosticReports/*.ips; do echo "=== $f ===" && head -50 "$f"; done > /forensics/crash_summaries.txt
mac_apt
python mac_apt.py -i /path/to/image -o /forensics/output CRASHREPORTS
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.