Crashes
Overview
Evidence: Crashes
Description: Collect Crashes
Category: System
Platform: macos
Short Name: crsh
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
macOS automatically generates crash reports when applications or system processes terminate unexpectedly. These reports are stored in ~/Library/Logs/DiagnosticReports and /Library/Logs/DiagnosticReports, containing detailed information about the crash including stack traces, exception codes, register states, and responsible processes. Crash reports provide critical forensic evidence for understanding system stability, identifying malicious behavior, and detecting exploitation attempts.
Data Collected
This collector gathers structured data about crashes.
Crashes Data

| Field | Display Name | Example value |
|---|---|---|
| Type | Type | Example value |
| PID | PID | 123 |
| Path | Path | Example value |
| CrashPath | Crash Path | Example value |
| Identifier | Identifier | Example value |
| Version | Version | 123 |
| Parent | Parent | 123 |
| Responsible | Responsible | Example value |
| UID | UID | 123 |
| DateTime | Date Time | 2023-10-15 14:30:25+03:00 |
| CrashedThread | Crashed Thread | 123 |
| StackTrace | Stack Trace | Example value |
| ExceptionType | Exception Type | Example value |
| ExceptionCodes | Exception Codes | Example value |
| ExceptionNotes | Exception Notes | Example value |
| Registers | Registers | Example value |
Collection Method
This collector uses osquery to query the crashes table, which parses the crash report files found in the diagnostic report directories. It joins the crash rows with user information (via the UID) so that each record carries process details, crash path, timestamp, exception type, stack trace, and register state alongside the owning user. The collector captures both user-level and system-level crashes.
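The join described above, expressed as an osquery query. This is an added illustration, not the collector's own query; the column names are those of osquery's crashes and users tables, and the exception-type filter and the 7-day window are constructed choices for triage rather than part of the collector.

```sql
-- Added example: join macOS crash reports to the owning user and
-- surface the memory-safety faults first. Not the collector's own SQL.
SELECT
  c.type,
  c.pid,
  c.path,
  c.crash_path,
  c.identifier,
  c.version,
  c.parent,
  c.responsible,
  c.uid,
  u.username,                                        -- resolved from users via uid
  c.datetime,
  c.crashed_thread,
  c.exception_type,
  c.exception_codes,
  c.exception_notes,
  substr(c.stack_trace, 1, 400) AS stack_trace_head, -- keep rows readable in a console
  c.registers
FROM crashes AS c
LEFT JOIN users AS u ON u.uid = c.uid                -- LEFT JOIN keeps system-level crashes with no matching user
WHERE
  -- EXC_BAD_ACCESS and EXC_GUARD are the exception types most often tied to
  -- memory corruption or guard-page violations; the list is illustrative.
  (c.exception_type LIKE 'EXC_BAD_ACCESS%' OR c.exception_type LIKE 'EXC_GUARD%')
  -- Restrict to recent reports; datetime is stored as text, so a lexical
  -- comparison against SQLite's datetime() output works for the date prefix.
  AND c.datetime >= datetime('now', '-7 days')
ORDER BY c.datetime DESC;
```

Dropping the WHERE clause returns every crash report on the host, which is what the collector itself gathers; the filter is only there to show how an analyst narrows the result set.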
Forensic Value
Crash reports are essential for detecting exploitation attempts, identifying unstable or malicious software, understanding system reliability issues, and reconstructing incident timelines. Stack traces can reveal code execution paths and potential vulnerabilities. Exception codes and types help identify specific failure conditions. This evidence is particularly valuable for malware analysis, exploit detection, and investigating system compromises or denial-of-service conditions.