Gatekeeper & XProtect (System Security Policy)

Tags: macOS, System Configuration, Disk Image

Location

/var/db/SystemPolicyConfiguration/ (SystemPolicy database), /Library/Apple/System/Library/CoreServices/XProtect.bundle/, and /var/db/com.apple.xprotect/

Description

Gatekeeper enforces code signing and notarization requirements for launched applications, recording assessments in the SystemPolicy SQLite database. XProtect provides signature-based malware detection using YARA rules that are automatically updated by Apple. XProtect Remediator actively scans for and removes known malware families.

Forensic Value

The Gatekeeper SystemPolicy database records every code signing assessment performed when a user attempted to open an application, including the application path, code signing identity, assessment result (allowed/blocked), and timestamp. This provides a timeline of application launches together with the trust decision made for each. XProtect detection events captured in the Unified Log reveal known malware that was blocked or remediated. Gatekeeper bypass attempts visible in the database indicate deliberate circumvention of macOS security, most often through right-click Open or removal of the quarantine attribute (xattr -d com.apple.quarantine).
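Gatekeeper only assesses files that still carry the com.apple.quarantine attribute, so decoding that attribute (or noting its absence) is a useful triage step alongside the SystemPolicy database. The following is an added example, not code from the original page or from any of the tools listed below; the attribute layout it parses is `flags_hex;timestamp_hex;agent_name;uuid`, and the sample values are constructed for illustration.

```python
"""Decode com.apple.quarantine values collected from a macOS image (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Quarantine:
    flags: int            # raw flag word; low bits vary by downloading agent
    timestamp: datetime   # when the file was quarantined (UTC)
    agent: str            # application that downloaded the file, e.g. Safari
    uuid: Optional[str]   # key into the agent's QuarantineEventsV2 database


def parse_quarantine(value: str) -> Quarantine:
    """Parse one attribute value, e.g. '0083;6581f4c0;Safari;<uuid>'."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    flags = int(fields[0], 16)
    stamp = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return Quarantine(flags, stamp, fields[2], uuid)


def triage(attrs: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """attrs maps a collected path to its attribute value, or None when the
    attribute is absent. Absence on a file that arrived from the network is
    exactly what 'xattr -d com.apple.quarantine' leaves behind, so those
    paths are flagged for comparison against the SystemPolicy timeline."""
    findings = []
    for path, value in attrs.items():
        if value is None:
            findings.append((path, "quarantine attribute absent: verify provenance"))
            continue
        q = parse_quarantine(value)
        findings.append((path, f"quarantined {q.timestamp:%Y-%m-%d %H:%M:%S}Z "
                               f"by {q.agent} (flags=0x{q.flags:04x})"))
    return findings


# Constructed sample input: one normally quarantined app, one with the attribute removed.
SAMPLE_ATTRS = {
    "/Users/alice/Downloads/Installer.app": "0083;6581f4c0;Safari;A1B2C3D4-E5F6-7890-ABCD-EF1234567890",
    "/Users/alice/Downloads/Updater.app": None,
}

if __name__ == "__main__":
    for path, note in triage(SAMPLE_ATTRS):
        print(f"{path}: {note}")
```

On a live system the same value is read with `xattr -p com.apple.quarantine <path>`; on an image, pull it from the collected extended attributes before feeding it to `parse_quarantine`.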

Tools Required

DB Browser for SQLite, spctl, mac_apt, log (macOS CLI), Crowdstrike UAC