# Crashes

## Overview

**Evidence:** Crashes\
**Description:** Collect Crashes\
**Category:** System\
**Platform:** macos\
**Short Name:** crsh\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

macOS writes a crash report whenever an application or system process terminates unexpectedly. Reports for processes running under a user account are stored in that user's ~/Library/Logs/DiagnosticReports, and reports for system processes in /Library/Logs/DiagnosticReports. Each report records the crashed process and its path, the parent and responsible processes, the Mach exception type and codes, the index of the crashed thread with its backtrace, and the register state at the moment of the fault. Crash reports are critical forensic evidence for understanding system stability, identifying malicious behaviour, and detecting exploitation attempts, including failed ones that left the target process faulting.

## Data Collected

This collector gathers structured data about crashes.

### Crashes Data

| Field            | Description                                                                 | Example                                                                       |
| ---------------- | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| `Type`           | Type of crash log                                                           | `application`                                                                 |
| `PID`            | Process ID of the crashed process                                           | 4521                                                                          |
| `Path`           | Filesystem path of the crashed executable                                   | `/Applications/Safari.app/Contents/MacOS/Safari`                              |
| `CrashPath`      | Path of the crash report file that was parsed                               | `/Users/alice/Library/Logs/DiagnosticReports/Safari_2023-10-15-143025_mac.crash` |
| `Identifier`     | Bundle identifier (or name) of the crashed process                          | `com.apple.Safari`                                                            |
| `Version`        | Version string of the crashed process                                       | `17.0 (19616.1.27.211.1)`                                                     |
| `Parent`         | PID of the parent process                                                   | 1                                                                             |
| `Responsible`    | Process responsible for the crashed process (the one that launched it)      | `Safari [4521]`                                                               |
| `UID`            | User ID the crashed process ran as                                          | 501                                                                           |
| `DateTime`       | Date and time of the crash                                                  | 2023-10-15 14:30:25+03:00                                                     |
| `CrashedThread`  | Index of the thread that crashed                                            | 0                                                                             |
| `StackTrace`     | Stack frames of the crashed thread, most recent first                       | `0 libsystem_kernel.dylib 0x00000001800a1b4c __pthread_kill + 8`              |
| `ExceptionType`  | Mach exception type and the signal it was delivered as                      | `EXC_BAD_ACCESS (SIGSEGV)`                                                    |
| `ExceptionCodes` | Exception codes, including the faulting address for access violations       | `KERN_INVALID_ADDRESS at 0x0000000000000000`                                  |
| `ExceptionNotes` | Additional exception notes                                                  | `EXC_CORPSE_NOTIFY`                                                           |
| `Registers`      | CPU register state of the crashed thread                                    | `x0: 0x0000000000000000 pc: 0x00000001800a1b4c`                               |

## Collection Method

This collector queries osquery's `crashes` table, which parses the crash report files in /Library/Logs/DiagnosticReports and in each user's ~/Library/Logs/DiagnosticReports. Because the table locates per-user report directories by UID, the collector joins it with the `users` table so that every row carries the owning account together with the process details, crash path, timestamp, exception type, stack trace, and registers. Both user-level and system-level crashes are captured. Note that the `crashes` table parses the legacy text `.crash` report format, while recent macOS releases write crash reports as JSON `.ips` files; confirm that the table returns rows on the target macOS version before relying on this evidence alone.

## Forensic Value

Crash reports help detect exploitation attempts, identify unstable or malicious software, understand system reliability issues, and reconstruct incident timelines. A memory-safety exception such as EXC_BAD_ACCESS in a process that normally never crashes, a burst of crashes in the same program over a short period (consistent with an attacker retrying an exploit or brute-forcing ASLR), or a crash in a binary running from a temporary or user-writable location all deserve a closer look. The stack trace shows which code path faulted and can point at the vulnerable component; the exception type and codes distinguish a null dereference from an access to an attacker-controlled address; the register state captures what the process was doing at the moment of the fault. This evidence is particularly valuable for malware analysis, exploit detection, and investigating system compromises or denial-of-service conditions.
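The following is an added example, not code from this product or from osquery, that ties together the report format described under Background, the join described under Collection Method, and the triage use described above. It parses a constructed legacy `.crash` report into the same fields the Crashes evidence exposes, then applies a few triage heuristics. Assumptions: the report follows the legacy text layout (`Process:`, `Exception Type:`, `Thread N Crashed::`, `Thread N crashed with ...` sections); `OSQUERY_SQL` is only the assumed shape of the users/crashes join, not the product's exact query; the `Type` value `application` and the path prefixes used for triage are illustrative choices; the sample report text is constructed.

```python
"""Added example (not Binalyze or osquery code): parse a legacy macOS `.crash`
report into the Crashes evidence fields, then apply simple triage heuristics.
The report text below is constructed for this example, not a real crash."""
import re
from collections import Counter

# Assumed shape of the collector's join (not the product's exact SQL): osquery's
# crashes table needs a uid to find that account's ~/Library/Logs/DiagnosticReports,
# which is why it is joined with the users table.
OSQUERY_SQL = "SELECT u.username, c.* FROM users u JOIN crashes c USING (uid);"

# Constructed sample in the legacy text format written to DiagnosticReports.
SAMPLE_CRASH = """\
Process:               Safari [4521]
Path:                  /Applications/Safari.app/Contents/MacOS/Safari
Identifier:            com.apple.Safari
Version:               17.0 (19616.1.27.211.1)
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
Responsible:           Safari [4521]
User ID:               501

Date/Time:             2023-10-15 14:30:25.123 +0300
OS Version:            macOS 13.6 (22G120)

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00000001800a1b4c __pthread_kill + 8
1   libsystem_pthread.dylib         0x00000001800d8e0c pthread_kill + 288
2   Safari                          0x0000000104a1c2f0 0x104a00000 + 115440

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x0000000000000000
    pc: 0x00000001800a1b4c   lr: 0x00000001800d8e0c
"""

# Header label in the report -> field name in the Crashes evidence table.
HEADER_KEYS = {
    "Process": "PID", "Path": "Path", "Identifier": "Identifier",
    "Version": "Version", "Parent Process": "Parent", "Responsible": "Responsible",
    "User ID": "UID", "Date/Time": "DateTime", "Crashed Thread": "CrashedThread",
    "Exception Type": "ExceptionType", "Exception Codes": "ExceptionCodes",
    "Exception Note": "ExceptionNotes",
}
PID_IN_BRACKETS = re.compile(r"\[(\d+)\]")
# Exception types that indicate memory-safety faults, the class most often left
# behind by failed exploitation, injected code, or fuzzed input.
MEMORY_FAULTS = {"EXC_BAD_ACCESS", "EXC_BAD_INSTRUCTION", "EXC_BREAKPOINT"}
# User-writable staging locations a legitimate app rarely runs from (illustrative).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def parse_crash_report(text: str, crash_path: str) -> dict:
    """Map the report header and crashed-thread sections onto the evidence fields."""
    # "application" is an assumed value here; osquery derives the type itself.
    rec = {"Type": "application", "CrashPath": crash_path, "StackTrace": "", "Registers": ""}
    section, frames, regs = None, [], []
    for line in text.splitlines():
        if re.match(r"Thread \d+ crashed with", line):   # register dump follows
            section = "regs"
            continue
        if re.match(r"Thread \d+ Crashed", line):        # backtrace follows
            section = "stack"
            continue
        if not line.strip():                             # a blank line ends a section
            section = None
            continue
        if section in ("stack", "regs"):
            (frames if section == "stack" else regs).append(" ".join(line.split()))
            continue
        label, sep, value = line.partition(":")          # first colon only: Date/Time keeps its ':'
        if not sep or label not in HEADER_KEYS:
            continue
        key, value = HEADER_KEYS[label], value.strip()
        if key in ("PID", "Parent"):                     # "Safari [4521]" -> 4521
            m = PID_IN_BRACKETS.search(value)
            value = int(m.group(1)) if m else value
        elif key in ("UID", "CrashedThread"):            # "0  Dispatch queue: ..." -> 0
            value = int(value.split()[0])
        rec[key] = value
    rec["StackTrace"] = "\n".join(frames)
    rec["Registers"] = " ".join(regs)
    return rec


def triage(rec: dict) -> list:
    """Return human-readable findings for one crash row (heuristics, not rules)."""
    findings = []
    exc = rec.get("ExceptionType", "").split(" ")[0]
    if exc in MEMORY_FAULTS:
        findings.append(f"memory-safety fault {exc}")
    if rec.get("ExceptionCodes", "").endswith("at 0x0000000000000000"):
        findings.append("null dereference (more likely a bug than an exploit)")
    if rec.get("Path", "").startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"crashed binary runs from staging location {rec['Path']}")
    return findings


def crash_loops(records, threshold: int = 3) -> dict:
    """Identifiers that crashed at least `threshold` times; repeated faults in one
    program are consistent with an attacker retrying an exploit or guessing ASLR."""
    counts = Counter(r.get("Identifier") for r in records)
    return {ident: n for ident, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    row = parse_crash_report(SAMPLE_CRASH, "/Users/alice/Library/Logs/DiagnosticReports/Safari.crash")
    for key, val in row.items():
        print(f"{key:15} {str(val).splitlines()[0] if val != '' else ''}")
    print("findings:", triage(row))
```

Run the script directly to see the parsed row and its findings. The parser deliberately splits each header line at the first colon only, so `Date/Time` values keep their embedded colons, and it treats a blank line as the end of the backtrace and register sections, which is how the legacy format delimits them.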
