Processes
Overview
Evidence: Processes
Description: Collect Processes
Category: System
Platform: macOS
Short Name: process
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Process information provides a snapshot of all running processes on the system, including their command lines, parent-child relationships, and resource usage. This data is essential for understanding system activity, detecting malicious processes, and identifying unauthorized software execution.
Process data helps investigators understand what applications and services were running at the time of collection, identify suspicious or malicious processes, and trace the execution flow of potentially harmful software.
Data Collected
This collector gathers structured data about processes.
Processes Data

Field | Description | Example
ID | Primary key (auto-increment) | 1
ProcessId | Process ID | 1234
CSTime | CPU system time | 2023-10-15 14:30:25
StartTime | Process start time | 2023-10-15 14:30:25
Command | Process name | Safari
CommandLine | Full command line | /Applications/Safari.app/Contents/MacOS/Safari
State | Process state | running
SecureProcess | Secure process flag | 1
VirtualProcess | Virtual process flag | 0
ProtectionType | Process protection type | none
Cwd | Current working directory | /Users/john
VirtualRootDir | Virtual root directory | /
Executable | Executable path | /Applications/Safari.app/Contents/MacOS/Safari
IsExecutableExists | Whether executable exists | true
Environment | Environment variables (JSON) | ["PATH=/usr/bin", "HOME=/Users/john"]
LastChangeTime | Last change time | 2023-10-15 14:30:25
AccessTime | Access time | 2023-10-15 14:30:25
ModificationTime | Modification time | 2023-10-15 14:30:25
SizeInBytes | Executable size in bytes | 1048576
Hash | Executable SHA-256 hash | a1b2c3d4e5f6...
ParentId | Parent process ID | 1
UserId | User ID | 501
UserName | Username | john
EffectiveUserId | Effective user ID | 501
EffectiveUserName | Effective username | john
SavedUserId | Saved user ID | 501
SavedUserName | Saved username | john
GroupId | Group ID | 20
EffectiveGroupId | Effective group ID | 20
SavedGroupId | Saved group ID | 20
Threads | Number of threads | 8
Nice | Process nice value | 0
Collection Method
This collector parses the necessary data from the processes table.
Usage
Why This Evidence Matters for Forensics
Process information is fundamental to understanding system activity and detecting malicious behavior. It provides visibility into what applications and services were running, helping investigators identify unauthorized processes, malware, and suspicious system activity.
Investigative Questions This Evidence Can Answer:
What processes were running at the time of collection?
Which applications or services were active during an incident?
Are there any suspicious or unauthorized processes running?
Attack Detection:
Malicious processes and malware execution (MITRE ATT&CK T1055)
Unauthorized software and backdoors
Process injection and privilege escalation techniques
Incident Response Applications:
Identify active threats and malicious processes
Understand system state during an incident
Track process execution and system activity
Threat Hunting:
Hunt for suspicious process names and command lines
Detect processes with unusual resource usage
Identify unauthorized or unknown applications
Compliance & Security Posture:
Audit running applications for policy compliance
Monitor for unauthorized software execution
Verify system security and application whitelisting
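The hunting and incident-response checks listed above (missing executables, processes launched from temporary paths, effective-UID changes, unexpected parent-child chains, command names that do not match the executable) can be scripted directly against rows in the shape of the Processes table. The Python below is an added example, not the collector's own code: the field names come from this page, the sample records are constructed for the demo, and the temporary-directory prefixes, interpreter names and user-application names are assumptions to tune per environment.

```python
"""Triage helpers over macOS process evidence rows.

Added example, not part of the collector. Field names follow the
Processes table on this page; the records in SAMPLE_PROCESSES are
constructed and do not come from a real system.
"""
import json
import posixpath
from collections import defaultdict

# Assumed tuning values (hypothetical, adjust for the environment under review).
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript"}
USER_APPS = {"Safari", "Google Chrome", "Microsoft Word", "Preview"}

# Constructed sample rows (subset of the table's columns).
SAMPLE_PROCESSES = [
    {"ProcessId": 1, "ParentId": 0, "Command": "launchd", "CommandLine": "/sbin/launchd",
     "Executable": "/sbin/launchd", "IsExecutableExists": True,
     "UserId": 0, "EffectiveUserId": 0, "Environment": "[]"},
    {"ProcessId": 300, "ParentId": 1, "Command": "cfprefsd", "CommandLine": "/usr/sbin/cfprefsd",
     "Executable": "/usr/sbin/cfprefsd", "IsExecutableExists": True,
     "UserId": 501, "EffectiveUserId": 501, "Environment": "[]"},
    {"ProcessId": 1234, "ParentId": 1, "Command": "Safari",
     "CommandLine": "/Applications/Safari.app/Contents/MacOS/Safari",
     "Executable": "/Applications/Safari.app/Contents/MacOS/Safari", "IsExecutableExists": True,
     "UserId": 501, "EffectiveUserId": 501,
     "Environment": json.dumps(["PATH=/usr/bin", "HOME=/Users/john"])},
    # Browser spawning a shell: benign sometimes, worth a look always.
    {"ProcessId": 2001, "ParentId": 1234, "Command": "bash",
     "CommandLine": "/bin/bash -c /private/tmp/.update", "Executable": "/bin/bash",
     "IsExecutableExists": True, "UserId": 501, "EffectiveUserId": 501, "Environment": "[]"},
    # Binary in a temp dir, deleted after launch, running as root for a non-root user.
    {"ProcessId": 2002, "ParentId": 2001, "Command": ".update",
     "CommandLine": "/private/tmp/.update", "Executable": "/private/tmp/.update",
     "IsExecutableExists": False, "UserId": 501, "EffectiveUserId": 0},
]


def index_by_pid(rows):
    """Map ProcessId -> row for quick parent lookups."""
    return {r["ProcessId"]: r for r in rows}


def ancestry(rows, pid):
    """Return [pid, parent, grandparent, ...] following ParentId until the chain leaves the table."""
    by_pid = index_by_pid(rows)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against cyclic ParentId data
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentId"]
    return chain


def parse_environment(row):
    """Environment is stored as a JSON list of KEY=VALUE strings; return it as a dict."""
    env = {}
    for item in json.loads(row.get("Environment") or "[]"):
        key, sep, value = item.partition("=")
        if sep:
            env[key] = value
    return env


def triage(rows):
    """Return {ProcessId: [finding, ...]} for every row that trips at least one check."""
    by_pid = index_by_pid(rows)
    findings = defaultdict(list)
    for r in rows:
        pid, exe = r["ProcessId"], r.get("Executable") or ""
        if r.get("IsExecutableExists") is False:
            findings[pid].append("executable_missing_on_disk")      # binary removed after launch
        if exe.startswith(TEMP_DIRS):
            findings[pid].append("executable_in_temp_dir")
        if r.get("EffectiveUserId") == 0 and r.get("UserId") not in (0, None):
            findings[pid].append("euid_root_for_nonroot_user")      # setuid or post-exploitation elevation
        # The kernel may truncate the process name, so compare as a prefix of the basename.
        if exe and r.get("Command") and not posixpath.basename(exe).startswith(r["Command"]):
            findings[pid].append("command_name_mismatch")
        parent = by_pid.get(r.get("ParentId"))
        if parent and parent.get("Command") in USER_APPS and r.get("Command") in INTERPRETERS:
            findings[pid].append("user_app_spawned_interpreter")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in sorted(triage(SAMPLE_PROCESSES).items()):
        print(pid, "->".join(str(p) for p in ancestry(SAMPLE_PROCESSES, pid)), hits)
```

Run against the constructed rows, the script flags the bash child of Safari and the deleted temp-directory binary beneath it, and prints each finding with its full parent chain so an analyst can read the execution flow rather than isolated PIDs. The checks deliberately stay within what the table carries (paths, UIDs, parent IDs, the on-disk flag); hash-based lookups would be the natural next step using the Hash column.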
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.