install.log (Application Installation Log)
Location
/var/log/install.log (and rotated /var/log/install.log.*.bz2)
Description
System installation log recording software installations performed through the macOS Installer framework (.pkg files), whether started from Installer.app, the installer command-line tool, or softwareupdated. Each entry carries a local timestamp with its UTC offset, the hostname, the writing process and PID (typically installd, Installer, installer, or softwareupdated), and a message giving the package identifier or display name, version, installation target, and the uid a bundle was registered for, which identifies the user context that initiated the install.
Forensic Value
install.log provides a persistent record of every .pkg-based software installation on the system with precise timestamps. Malicious packages installed through social engineering or supply chain attacks are logged here with the package identifier, revealing what was installed and when, and the writing process distinguishes a GUI install (Installer) from a scripted or command-line one (installer). Correlating installation timestamps with known compromise windows identifies attacker-deployed software. The log also records failed installations and prerequisite checks that may indicate unsuccessful attack attempts. Rotated log archives extend coverage to weeks or months of installation history, depending on the rotation settings in effect. Two caveats: only Installer-framework installs are recorded, so applications dragged into /Applications, binaries fetched with curl or a package manager, and persistence dropped by a script leave no entry here; and a package's preinstall and postinstall scripts run as root, so the entry proves the package ran but what its scripts did must be reconstructed from file system and unified log artifacts.
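The correlation described above, as an added example that is not code from the page or from any of the tools it lists: a small Python parser that turns install.log lines into events with UTC timestamps, pulls out the package named in PackageKit "Installed" messages, flags failed installs, and filters installs against a compromise window. The sample lines are constructed, and the line layout (local timestamp with UTC offset, host, process[pid], message) and the PackageKit message wording are assumptions that should be checked against a log from the macOS release being examined.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample install.log lines (illustrative, not taken from a real host).
# Layout assumed: "<local date time><UTC offset> <host> <process>[<pid>]: <message>"
SAMPLE_LOG = """\
2024-03-04 09:12:01-08 victim-mbp installd[412]: PackageKit: Installed "Google Chrome" ()
2024-03-04 09:12:01-08 victim-mbp installd[412]: PackageKit: Registered bundle file:///Applications/Google%20Chrome.app/ for uid 501
2024-03-04 13:47:22-08 victim-mbp Installer[8831]: Package Authoring Warning: unknown key 'payload-size'
2024-03-04 13:47:25-08 victim-mbp installd[412]: PackageKit: Installed "com.example.updater" ()
2024-03-04 13:47:25-08 victim-mbp installd[412]: PackageKit: Registered bundle file:///Library/Application%20Support/Updater/ for uid 0
2024-03-05 02:03:10-08 victim-mbp installd[412]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=102 "The package is not compatible with this version of macOS."
2024-03-06 11:00:00-08 victim-mbp softwareupdated[290]: Installed macOS security update
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?P<tz>[+-]\d{2}(?::?\d{2})?)?\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<msg>.*)$"
)
# Message wording is an assumption about PackageKit output; verify on the release examined.
INSTALLED_RE = re.compile(r'PackageKit: Installed "(?P<pkg>[^"]+)"')
FAILED_RE = re.compile(r"Install Failed|Error Domain=")


def offset_to_tz(offset):
    """Turn '-08', '+0530' or '+05:30' into a tzinfo. A missing offset is treated as UTC (assumption)."""
    if not offset:
        return timezone.utc
    sign = -1 if offset[0] == "-" else 1
    digits = offset[1:].replace(":", "")
    hours = int(digits[:2])
    minutes = int(digits[2:4]) if len(digits) >= 4 else 0
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_line(line):
    """Parse one install.log line into a dict with a UTC timestamp, or None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    local = datetime.strptime(m["date"], "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=offset_to_tz(m["tz"])
    )
    msg = m["msg"]
    installed = INSTALLED_RE.search(msg)
    return {
        "ts_utc": local.astimezone(timezone.utc),
        "host": m["host"],
        "process": m["proc"],
        "pid": int(m["pid"]),
        "message": msg,
        "package": installed["pkg"] if installed else None,
        "failed": bool(FAILED_RE.search(msg)),
    }


def parse_log(text):
    """Parse every line that fits the layout; lines that do not fit are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            events.append(ev)
    return events


def installs_in_window(events, start_iso, end_iso):
    """Names of packages whose 'Installed' entry falls inside [start, end]; bounds are ISO-8601 with offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [
        ev["package"]
        for ev in events
        if ev["package"] and start <= ev["ts_utc"] <= end
    ]


def failed_installs(events):
    """Messages of entries PackageKit flagged as failed installs (candidate unsuccessful attempts)."""
    return [ev["message"] for ev in events if ev["failed"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        if ev["package"]:
            print(ev["ts_utc"].isoformat(), ev["process"], ev["package"])
    # Compromise window: 12:00 to 23:59 local (UTC-8) on 2024-03-04, expressed in UTC
    print("in window:", installs_in_window(evs, "2024-03-04T20:00:00+00:00", "2024-03-05T07:59:59+00:00"))
    print("failed:", failed_installs(evs))
```

Timestamps are normalised to UTC as they are parsed so the window can be stated in the same time base as unified log exports or network evidence; feeding the script the concatenated output of the live log and the bzcat-decompressed rotated archives gives the full retained history.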
Tools Required
Collection Commands
cp
sudo cp -p /var/log/install.log* /forensics/install_logs/
grep
grep -iE "installer|package|error" /var/log/install.log > /forensics/install_log_filtered.txt
sudo bzcat /var/log/install.log.*.bz2 | grep -iE "installer|package|error" >> /forensics/install_log_filtered.txt
log2timeline
log2timeline.py --storage-file /forensics/timeline.plaso --parsers syslog /var/log/install.log
mac_apt
python mac_apt.py -i /path/to/image -o /forensics/output INSTALLLOG
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Entries are stamped in local time with a UTC offset suffix; convert them before correlating with UTC-based sources such as unified log exports or network logs, and confirm the host's timezone setting at collection time.