CrashReporter & Diagnostic Reports
Location
~/Library/Logs/DiagnosticReports/ (per-user) and /Library/Logs/DiagnosticReports/ (system-wide)
Description
macOS crash report files (.ips and legacy .crash format) generated when applications or system processes crash. Each report contains the process name, bundle identifier, exception type, thread backtraces with symbolicated function names, loaded libraries, and the complete register state at the time of the crash.
Forensic Value
Crash reports capture the process state at the moment of failure, which frequently corresponds to exploitation attempts. Buffer overflow exploits, use-after-free attacks, and type confusion vulnerabilities trigger crashes that generate detailed reports including the faulting instruction address and stack trace. Repeated crashes of the same process with different exception addresses may indicate active exploitation attempts. Loaded library lists in crash reports reveal injected dylibs or suspicious frameworks. Crash reports for security-critical processes like Safari, Mail, or kernel extensions warrant immediate investigation.
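
The two checks described above (one process faulting at several different addresses, and loaded images outside system locations), as an added Python example that is not part of the original page. It assumes the JSON-based .ips layout (a one-line JSON header followed by a JSON body) with the fields procName, procPath, exception.subtype and usedImages[].path; the system path prefixes, the ExampleApp process and the sample reports are constructed for illustration, and legacy .crash text files are not handled.

```python
import json
from collections import defaultdict

# Assumed policy: images under these prefixes are OS-shipped; all others get reviewed.
SYSTEM_PREFIXES = ("/System/", "/usr/lib/", "/Library/Apple/")

def parse_ips(text):
    """Split an .ips report into (header, body): one JSON line, then a JSON document."""
    first, _, rest = text.partition("\n")
    return json.loads(first), json.loads(rest)

def triage(reports, min_distinct=2):
    """Return (procs faulting at >= min_distinct addresses, non-system images per proc)."""
    addrs, images = defaultdict(set), defaultdict(set)
    for text in reports:
        _, body = parse_ips(text)
        proc = body.get("procName", "?")
        # Assumed subtype form: "KERN_INVALID_ADDRESS at 0x0000000041414140"
        subtype = body.get("exception", {}).get("subtype", "")
        if " at " in subtype:
            addrs[proc].add(subtype.rsplit(" at ", 1)[1])
        for img in body.get("usedImages", []):
            path = img.get("path", "")
            # Skip the main executable itself and anything in a system location.
            if path and path != body.get("procPath") and not path.startswith(SYSTEM_PREFIXES):
                images[proc].add(path)
    repeated = {p: sorted(a) for p, a in addrs.items() if len(a) >= min_distinct}
    return repeated, {p: sorted(i) for p, i in images.items()}

def make_sample(addr, extra_image=None):
    """Build a constructed (not real) .ips report for the hypothetical ExampleApp."""
    exe = "/Applications/ExampleApp.app/Contents/MacOS/ExampleApp"
    imgs = [{"path": "/usr/lib/libSystem.B.dylib"}, {"path": exe}]
    if extra_image:
        imgs.append({"path": extra_image})
    body = {"procName": "ExampleApp", "procPath": exe, "usedImages": imgs,
            "exception": {"type": "EXC_BAD_ACCESS",
                          "subtype": f"KERN_INVALID_ADDRESS at {addr}"}}
    return json.dumps({"app_name": "ExampleApp"}) + "\n" + json.dumps(body, indent=2)

SAMPLES = [make_sample("0x0000000041414140"),
           make_sample("0x00000000deadbee0", "/private/tmp/libhook.dylib")]

if __name__ == "__main__":
    repeated, images = triage(SAMPLES)
    print("distinct fault addresses:", repeated)
    print("non-system images:", images)
```

A hit from either check is a lead for manual review of the full report, since third-party applications routinely load their own bundled frameworks from non-system paths.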