Etc Files

Overview

Evidence: ETC Files Description: Collect all files in /private/etc directory Category: System Platform: linux Short Name: etcf Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

The /private/etc directory on macOS contains system configuration files that define services, networking, authentication, and other OS behavior. Reviewing these files provides visibility into security posture and configuration drift.

Data Collected

This collector gathers structured data about etc files.

Collection Method

This collector walks the /private/etc directory, captures metadata (times, modes, sizes) and copies regular files into the case content for preservation and review.

Forensic Value

Configuration files reveal service enablement, policy changes, malicious tampering, and indicators of persistence. They are essential for baselining and detecting unauthorized modifications.