Login Items & Background Task Management

macosPersistence MechanismsDisk Image

Location

~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ (backgrounditems.btm) and LSSharedFileList plists

Description

macOS login items registered through the BackgroundTaskManagement framework (macOS 13+) or the legacy LSSharedFileList mechanism. These items launch automatically when a user logs in and include applications, helper tools, and scripts. The backgrounditems.btm database tracks all registered background tasks and login items in a single location.

Forensic Value

Login Items provide user-level persistence that survives reboots and executes in the user session context. The backgrounditems.btm file on macOS Ventura and later consolidates all login items and background tasks into a single parseable database, simplifying forensic review. Legacy login items stored in LSSharedFileList plists may contain entries not visible through the modern System Settings interface. Comparing registered login items against expected software identifies attacker-installed persistence. The Items tab in System Settings > General > Login Items displays current entries but may not show all historical registrations visible in the raw data.

Tools Required

sfltoolmac_aptKnockKnock (Objective-See)plutilCrowdstrike UAC

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical