Evidence: ETC Files
Description: Collect all files in /private/etc directory
Category: System
Platform: linux
Short Name: etcf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The /private/etc directory on macOS contains system configuration files that define services, networking, authentication, and other OS behavior. Reviewing these files provides visibility into security posture and configuration drift.
Data Collected
This collector gathers structured data about etc files.
Collection Method
This collector walks the /private/etc directory, captures metadata (times, modes, sizes) and copies regular files into the case content for preservation and review.
Forensic Value
Configuration files reveal service enablement, policy changes, malicious tampering, and indicators of persistence. They are essential for baselining and detecting unauthorized modifications.
