Shell History

Overview

Evidence: Shell History Description: Collect Shell History Category: System Platform: macos Short Name: shellhist Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

This collector gathers shell history information from macOS. This data is essential for understanding user activity, detecting suspicious commands, and investigating command-based incidents.

Data Collected

This collector gathers structured data about shell history.

Shell History Data

Collection Method

This collector reads history files (e.g., .bash_history, .zsh_history) and records parsed entries into the shell_history table.

Forensic Value

This evidence is crucial for forensic investigations as it reveals executed commands, helping trace attacker actions, privilege escalation attempts, and persistence via command-line activity.