install.log (Application Installation Log)

macOS | Execution Evidence | Disk Image

Location

/var/log/install.log (and rotated /var/log/install.log.*.bz2)

Description

System installation log recording all software installations performed through the macOS Installer framework (.pkg files). Captures the package identifier, version, installation path, installer process, and the user or process that initiated the installation with detailed timestamps.

Forensic Value

install.log provides an authoritative record of every .pkg-based software installation on the system with precise timestamps. Malicious packages installed through social engineering or supply chain attacks are logged here with the package identifier, revealing what was installed and when. Correlating installation timestamps with known compromise windows identifies attacker-deployed software. The log also records failed installations and prerequisite checks that may indicate unsuccessful attack attempts. Rotated log archives extend coverage to months of installation history.
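
An added example (not part of the original page): a small Python parser that applies the correlation described above, returning install-related entries from install.log that fall inside a known compromise window. The line layout, the matched message fragments, and the sample lines are assumptions constructed for illustration.

```python
import bz2
import re
from datetime import datetime

# Assumed layout: "YYYY-MM-DD HH:MM:SS+-HH host process[pid]: message"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}) (\S+) "
    r"([^\[]+)\[(\d+)\]: (.*)$")
# Message fragments treated as install activity (assumed wording).
INTEREST = re.compile(r'Installed "|Extracting file:|fail', re.IGNORECASE)

# Constructed sample lines, not taken from a real system.
SAMPLE = '''\
2024-03-11 09:15:02-07 lab-mac installd[512]: PackageKit: Extracting file:///Users/alice/Downloads/Updater.pkg#Updater.pkg (destination=/tmp/sandbox, uid=0)
2024-03-11 09:15:09-07 lab-mac installd[512]: Installed "Updater" (1.0)
2024-03-12 18:40:11-07 lab-mac softwareupdated[301]: Scan completed
2024-03-13 02:07:45-07 lab-mac installd[512]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112
    package: com.example.helper
'''

def open_log(path):
    """Open install.log or a rotated install.log.N.bz2 archive as text."""
    opener = bz2.open if str(path).endswith(".bz2") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def parse(lines):
    """Yield one dict per entry; untimestamped lines extend the previous entry."""
    event = None
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if m:
            if event:
                yield event
            # The log abbreviates the UTC offset to hours; pad it for %z.
            ts = datetime.strptime(m.group(1) + "00", "%Y-%m-%d %H:%M:%S%z")
            event = {"time": ts, "host": m.group(2), "process": m.group(3),
                     "pid": int(m.group(4)), "message": m.group(5)}
        elif event and raw.strip():
            event["message"] += "\n" + raw.strip()
    if event:
        yield event

def install_events(lines, start, end):
    """Return install-related entries with start <= time <= end (tz-aware)."""
    return [e for e in parse(lines)
            if start <= e["time"] <= end and INTEREST.search(e["message"])]
```

To run it against collected evidence, pass the file object from `open_log()` as `lines`, once for the live log and once per rotated archive.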

Tools Required

grep, less, mac_apt, log2timeline (Plaso), Crowdstrike UAC