MRT & XProtect Remediator Logs


Location

Unified Log. The persisted store lives in /var/db/diagnostics/ (tracev3 files) with string tables in /var/db/uuidtext/; collect both together as a .logarchive (log collect) rather than copying individual files. XProtect Remediator scan modules log under subsystem com.apple.XProtectFramework.PluginAPI, category XPEvent.structured, with the process name of the module that ran (e.g. XProtectRemediatorAdload). Legacy MRT entries (macOS before 12.3) are found by process name MRT. Binaries: /Library/Apple/System/Library/CoreServices/XProtect.app (Remediator modules) and /Library/Apple/System/Library/CoreServices/MRT.app (legacy MRT).

Description

Malware Removal Tool (MRT) was Apple's built-in tool for detecting and removing known malware families. It ran at startup and login and again after Apple pushed an updated version, and was replaced by XProtect Remediator in macOS 12.3 (Monterey). XProtect Remediator is a collection of per-family scan modules (executables named XProtectRemediator followed by the family name, such as XProtectRemediatorAdload) shipped inside XProtect.app and run by launchd as background scans, normally at least once a day when the Mac is awake and idle. Each module scans for its family and remediates what it finds, writing a structured event to the Unified Log on every run, whether or not anything was detected. Both tools are updated silently through Apple's background security updates, independently of OS updates.

Forensic Value

MRT and XProtect Remediator results show whether a known malware family was found and remediated on the system. Each Remediator run leaves a Unified Log event naming the module, when it ran, how long it took, and its outcome, so the log records which families were checked and any detection or removal actions. A remediation event confirms that an artifact of a known family was present at that time; it does not by itself date the initial infection, and a run of clean scans only rules out the families the installed modules know about. Gaps in the otherwise regular scan cadence can indicate that an attacker disabled or tampered with the scanner, but also simply that the Mac was powered off, asleep, or busy, so confirm with uptime and power events before drawing that conclusion. Correlate remediation timestamps with other artifacts (persistence locations, quarantine events, user downloads) to build the infection timeline. Because the Unified Log store is pruned on a rolling basis, often within a couple of weeks on a busy system, collect a logarchive early in the investigation.
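Added example, not part of the original page: a small triage script that reads XProtect Remediator events exported with `log show --style json`, summarizes runs per module, pulls out detections, and flags gaps in scan cadence. The `log show` predicate and the JSON keys at the top level of each exported entry (timestamp, process, eventMessage) are real; the sample entries are constructed, and the keys inside eventMessage (status_message, remediation) are an assumption about the structured payload that should be checked against output from your own host. The 48-hour gap threshold assumes the roughly daily cadence described above.

```python
"""Triage XProtect Remediator scan events exported from the Unified Log.

Collect on a live host (or from a logarchive with --archive path.logarchive):
  log show --predicate 'subsystem == "com.apple.XProtectFramework.PluginAPI" AND category == "XPEvent.structured"' \
           --info --last 30d --style json > xpr.json
"""
import json
from datetime import datetime, timedelta

# Predicate matching the subsystem and category XProtect Remediator modules log under.
XPR_PREDICATE = ('subsystem == "com.apple.XProtectFramework.PluginAPI" '
                 'AND category == "XPEvent.structured"')

# Constructed sample in the shape of `log show --style json` output (not a real capture).
# ASSUMPTION: the payload keys status_message/remediation inside eventMessage; verify locally.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-03-01 03:10:42.118231+0000", "process": "XProtectRemediatorAdload",
     "eventMessage": '{"caused_by":["com.apple.XProtect.daemon.scan"],"status_message":"clean scan"}'},
    {"timestamp": "2024-03-01 03:10:43.201007+0000", "process": "XProtectRemediatorDubRobber",
     "eventMessage": '{"caused_by":["com.apple.XProtect.daemon.scan"],"status_message":"clean scan"}'},
    {"timestamp": "2024-03-02 03:12:01.550912+0000", "process": "XProtectRemediatorAdload",
     "eventMessage": '{"caused_by":["com.apple.XProtect.daemon.scan"],"status_message":"clean scan"}'},
    {"timestamp": "2024-03-02 03:12:02.004411+0000", "process": "XProtectRemediatorDubRobber",
     "eventMessage": '{"caused_by":["com.apple.XProtect.daemon.scan"],"status_message":"remediated malware",'
                     '"remediation":[{"path":"/Users/alice/Library/LaunchAgents/com.example.update.plist"}]}'},
    # Deliberately out of order and non-JSON, to show sorting and tolerant parsing.
    {"timestamp": "2024-03-06 03:09:55.300100+0000", "process": "XProtectRemediatorAdload",
     "eventMessage": '{"caused_by":["com.apple.XProtect.daemon.scan"],"status_message":"clean scan"}'},
    {"timestamp": "2024-03-06 03:09:50.000001+0000", "process": "XProtect",
     "eventMessage": "scan run started"},
])


def parse_events(json_text):
    """Turn exported entries into dicts with an aware timestamp and a parsed payload (or None)."""
    events = []
    for entry in json.loads(json_text):
        ts = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
        msg = entry.get("eventMessage", "")
        try:
            payload = json.loads(msg)
        except ValueError:
            payload = None  # free-text event; keep it for cadence, no structured fields
        events.append({"ts": ts, "module": entry.get("process", "?"),
                       "payload": payload, "raw": msg})
    return sorted(events, key=lambda ev: ev["ts"])


def is_detection(ev):
    """A run counts as a detection if it lists remediations or its status is not a clean scan."""
    p = ev["payload"]
    if not isinstance(p, dict):
        return False
    status = str(p.get("status_message", "clean")).lower()
    return bool(p.get("remediation")) or "clean" not in status


def summarize(events):
    """Per module: number of runs, timestamp of the last run, number of detections."""
    summary = {}
    for ev in events:  # events are time-sorted, so the last assignment is the latest run
        s = summary.setdefault(ev["module"], {"runs": 0, "last": None, "detections": 0})
        s["runs"] += 1
        s["last"] = ev["ts"].isoformat()
        if is_detection(ev):
            s["detections"] += 1
    return summary


def detections(events):
    """(timestamp, module, status, remediation list) for every run that found something."""
    return [(ev["ts"].isoformat(), ev["module"],
             ev["payload"].get("status_message"), ev["payload"].get("remediation", []))
            for ev in events if is_detection(ev)]


def scan_gaps(events, max_gap=timedelta(hours=48)):
    """Pairs of timestamps between which no scan event at all was logged for longer than max_gap."""
    gaps, prev = [], None
    for ev in events:
        if prev is not None and ev["ts"] - prev > max_gap:
            gaps.append((prev.isoformat(), ev["ts"].isoformat()))
        prev = ev["ts"]
    return gaps


if __name__ == "__main__":
    evs = parse_events(SAMPLE_JSON)  # swap in open("xpr.json").read() for a real export
    print(json.dumps(summarize(evs), indent=2))
    for d in detections(evs):
        print("DETECTION", d)
    for g in scan_gaps(evs):
        print("GAP", g, "- check power/uptime events before assuming tampering")
```

On a real export, replace SAMPLE_JSON with the contents of xpr.json; the same functions work unchanged on output from `log show --archive`, which is the form you will usually have when working from a collected logarchive rather than the live host.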

Tools Required

log (macOS CLI)
mac_apt
UnifiedLogReader
Crowdstrike UAC