ExecPolicy / Gatekeeper Execution Policy Database
Location
/private/var/db/SystemPolicyConfiguration/ExecPolicy and related SystemPolicyConfiguration SQLite databases
Common Names
ExecPolicy; Gatekeeper execution policy database
Description
SQLite databases maintained by Gatekeeper and the macOS execution policy subsystem (the syspolicyd daemon behind spctl) to record notarization outcomes, launch policy state, and execution trust metadata for applications and bundles the system has assessed.
Forensic Value
ExecPolicy records help determine whether an application was first launched through the normal user path, whether its notarization check succeeded or failed, and whether Gatekeeper evaluated a given bundle at a specific point in time. That makes the database particularly valuable when reconstructing malicious application launches, notarization bypass attempts, and the trust decisions surrounding newly introduced payloads. A record shows that the policy engine assessed a binary; on its own it does not prove the binary ran to completion, so correlate ExecPolicy with QuarantineEventsV2 (the download record) and the Unified Log (the launch and assessment record) to build the download-to-execution chain.
Tools Required
sqlite3, cp, spctl (run as root; on a live system the terminal also needs Full Disk Access to read the database)
Collection Commands
sudo sqlite3 /private/var/db/SystemPolicyConfiguration/ExecPolicy ".tables" > /forensics/execpolicy_tables.txt 2> /forensics/execpolicy_tables.err
sudo cp /private/var/db/SystemPolicyConfiguration/ExecPolicy* /forensics/ 2> /forensics/execpolicy_copy.err
spctl --status > /forensics/gatekeeper_status.txt
The wildcard in the copy command also captures any -wal and -shm sidecar files; without them a copy of a database in write-ahead-log mode can miss the most recent records. Errors are written to a file rather than discarded so that a permission failure is visible in the collection record.
Collection Constraints
- Reading the database requires root and, on a live system, Full Disk Access. Paths, schemas, and permission boundaries vary by macOS release and by whether the data came from a live collection, a mounted image, or a backup source.
- Database names and table schemas change between macOS releases, so do not hard-code table or column names in parsers. Hash the collected copies, work only on the copies (with their sidecar files), and interpret records alongside quarantine state and Unified Log evidence rather than in isolation.
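The triage and correlation step described under Forensic Value, as an added example that is not part of this page and not Apple's code. It walks sqlite_master instead of assuming a schema (the page notes that table layouts change between releases), normalises any column whose name contains "time" from Unix or Cocoa epoch seconds by a magnitude heuristic, flags rows whose quarantine-like column is set, and pairs each timestamped record with LSQuarantineEvent download records from a QuarantineEventsV2 copy in the preceding hour. The ExecPolicy table and column names in the constructed sample data (sample_measurements, file_identifier, is_quarantined, timestamp) are hypothetical; the LSQuarantineEvent column names are the ones the quarantine database uses.

```python
"""Schema-agnostic triage of a collected ExecPolicy copy plus time-window
correlation with a QuarantineEventsV2 copy.  Added example, not Apple code."""
import datetime as dt
import json
import sqlite3
import sys

# Seconds between the Unix epoch (1970-01-01) and the Cocoa epoch (2001-01-01).
COCOA_EPOCH_OFFSET = 978307200


def to_unix_seconds(value):
    """Heuristic: a positive number below the 2001 offset is taken as Cocoa
    seconds, anything larger as Unix seconds.  Non-numeric or non-positive
    values return None.  Values representing years past 2032 in Cocoa terms
    would be misread; treat the output as a lead, not ground truth."""
    try:
        secs = float(value)
    except (TypeError, ValueError):
        return None
    if secs <= 0:
        return None
    if secs < COCOA_EPOCH_OFFSET:
        secs += COCOA_EPOCH_OFFSET
    return secs


def iso_utc(secs):
    return dt.datetime.fromtimestamp(secs, tz=dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def open_readonly(path):
    """Open a collected copy (database plus -wal/-shm sidecars) read-only.
    Work on the copy, never on the live file under /private/var/db."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def triage_execpolicy(conn):
    """Enumerate every user table, normalise 'time'-named columns and flag rows
    whose quarantine-like column ('quarantin' in the name) is non-zero."""
    report = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for name in names:
        quoted = '"' + name.replace('"', '""') + '"'  # table names come from the db itself
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        time_cols = [c for c in cols if "time" in c.lower()]
        quar_cols = [c for c in cols if "quarantin" in c.lower()]
        rows = []
        for raw in conn.execute(f"SELECT * FROM {quoted}"):
            rec = dict(zip(cols, raw))
            rec["_event_epoch"] = None  # first usable timestamp, Unix seconds
            for c in time_cols:
                secs = to_unix_seconds(rec[c])
                rec[c + "_utc"] = iso_utc(secs) if secs is not None else None
                if rec["_event_epoch"] is None and secs is not None:
                    rec["_event_epoch"] = secs
            rec["quarantined"] = any(rec.get(c) for c in quar_cols)
            rows.append(rec)
        report[name] = {"columns": cols, "row_count": len(rows), "rows": rows}
    return report


def correlate_with_quarantine(exec_rows, quarantine_conn, window_s=3600):
    """Pair each timestamped execution record with quarantine (download) events
    recorded within window_s before it.  LSQuarantineTimeStamp is Cocoa epoch."""
    downloads = []
    for ts, agent, url in quarantine_conn.execute(
            "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
            "LSQuarantineDataURLString FROM LSQuarantineEvent"):
        secs = to_unix_seconds(ts)
        if secs is not None:
            downloads.append((secs, agent, url))
    chains = []
    for rec in exec_rows:
        when = rec.get("_event_epoch")
        if when is None:
            continue
        for secs, agent, url in downloads:
            if 0 <= when - secs <= window_s:
                chains.append({"execution": rec, "lag_s": when - secs,
                               "download": {"time_utc": iso_utc(secs),
                                            "agent": agent, "url": url}})
    return chains


def build_sample_dbs():
    """Constructed in-memory sample data; the ExecPolicy table and column
    names here are hypothetical and not a real schema."""
    ep = sqlite3.connect(":memory:")
    ep.execute("CREATE TABLE sample_measurements "
               "(file_identifier TEXT, is_quarantined INTEGER, timestamp INTEGER)")
    ep.executemany("INSERT INTO sample_measurements VALUES (?, ?, ?)", [
        ("Installer.app/Contents/MacOS/Installer", 1, 1700000000),   # Unix seconds
        ("Calculator.app/Contents/MacOS/Calculator", 0, 700000000),  # Cocoa seconds
    ])
    qe = sqlite3.connect(":memory:")
    qe.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
               "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
               "LSQuarantineDataURLString TEXT)")
    # Constructed download ten minutes before the Installer record, Cocoa epoch.
    qe.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)",
               ("EVT-1", 1700000000 - 600 - COCOA_EPOCH_OFFSET, "Safari",
                "https://example.test/Installer.dmg"))
    return ep, qe


if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to collected ExecPolicy and QuarantineEventsV2 copies
        ep, qe = open_readonly(sys.argv[1]), open_readonly(sys.argv[2])
    else:
        ep, qe = build_sample_dbs()
    report = triage_execpolicy(ep)
    rows = [r for t in report.values() for r in t["rows"]]
    print(json.dumps({"tables": {t: v["row_count"] for t, v in report.items()},
                      "chains": correlate_with_quarantine(rows, qe)},
                     indent=2, default=str))
```

Run it with no arguments to see the constructed sample, or with the two collected copies as arguments. The time-window pairing is deliberately loose: it surfaces candidate download-to-execution chains for an analyst to confirm against Unified Log entries, and a large window on a busy host will produce false pairings.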