macOS Collections

macOS Evidence List

| Category | Name | Collection Type |
|---|---|---|
| Processes | Auto Loaded Processes | Parsed & presented in Investigation Hub |
| Processes | Processes | Parsed & presented in Investigation Hub |
| Browser | Default Browser | Parsed & presented in Investigation Hub |
| Browser | Chrome Bookmarks | Parsed & presented in Investigation Hub |
| Browser | Chrome Cookies | Parsed & presented in Investigation Hub |
| Browser | Chrome User Profiles | Parsed & presented in Investigation Hub |
| Browser | Chrome Extensions | Parsed & presented in Investigation Hub |
| Browser | Chrome Local Storage | Parsed & presented in Investigation Hub |
| Browser | Chrome IndexedDB | Parsed & presented in Investigation Hub |
| Browser | Chrome Web Storage | Parsed & presented in Investigation Hub |
| Browser | Chrome Form History | Parsed & presented in Investigation Hub |
| Browser | Chrome Thumbnails | Parsed & presented in Investigation Hub |
| Browser | Chrome Favicons | Parsed & presented in Investigation Hub |
| Browser | Chrome Sessions | Parsed & presented in Investigation Hub |
| Browser | Chrome Login Data | Parsed & presented in Investigation Hub |
| Browser | Chrome Browsing History | Parsed & presented in Investigation Hub |
| Browser | Edge Browsing History | Parsed & presented in Investigation Hub |
| Browser | Firefox Browsing History | Parsed & presented in Investigation Hub |
| Browser | Opera Browsing History | Parsed & presented in Investigation Hub |
| Browser | Safari Browsing History | Parsed & presented in Investigation Hub |
| Browser | Vivaldi Browsing History | Parsed & presented in Investigation Hub |
| Browser | Waterfox Browsing History | Parsed & presented in Investigation Hub |
| Browser | Brave Browsing History | Parsed & presented in Investigation Hub |
| Browser | Arc Browsing History | Parsed & presented in Investigation Hub |
| Browser | Chrome Downloads | Parsed & presented in Investigation Hub |
| Browser | Safari Downloads | Parsed & presented in Investigation Hub |
| Browser | Firefox Downloads | Parsed & presented in Investigation Hub |
| Browser | Edge Downloads | Parsed & presented in Investigation Hub |
| Browser | Opera Downloads | Parsed & presented in Investigation Hub |
| Browser | Vivaldi Downloads | Parsed & presented in Investigation Hub |
| Browser | Arc Downloads | Parsed & presented in Investigation Hub |
| Browser | Brave Downloads | Parsed & presented in Investigation Hub |
| Browser | Waterfox Downloads | Parsed & presented in Investigation Hub |
| Browser | QQ Downloads | Parsed & presented in Investigation Hub |
| Browser | Firefox Cookies | Parsed & presented in Investigation Hub |
| System | Crashes | Parsed & presented in Investigation Hub |
| System | Gatekeeper | Parsed & presented in Investigation Hub |
| System | Gatekeeper Approved Apps | Parsed & presented in Investigation Hub |
| System | Installed Applications | Parsed & presented in Investigation Hub |
| System | Kernel Extensions Info | Parsed & presented in Investigation Hub |
| System | Launchd Overrides | Parsed & presented in Investigation Hub |
| System | Package Install History | Parsed & presented in Investigation Hub |
| System | System Extension Info | Parsed & presented in Investigation Hub |
| System | System Integrity Protection Status | Parsed & presented in Investigation Hub |
| System | Print Jobs | Parsed & presented in Investigation Hub |
| System | Printer Info | Parsed & presented in Investigation Hub |
| System | Transparency, Consent, and Control (TCC) | Parsed & presented in Investigation Hub |
| System | Quarantine Events | Parsed & presented in Investigation Hub |
| System | Sudo Last Run | Parsed & presented in Investigation Hub |
| System | iMessage | Parsed & presented in Investigation Hub |
| System | Dock Items | Parsed & presented in Investigation Hub |
| System | Document Revisions | Parsed & presented in Investigation Hub |
| System | Apple System Logs | Parsed & presented in Investigation Hub |
| System | Apple Audit Logs | Parsed & presented in Investigation Hub |
| System | Shared File List (SFL) | Parsed & presented in Investigation Hub |
| System | Shell History | Parsed & presented in Investigation Hub |
| System | Downloaded File Information | Parsed & presented in Investigation Hub |
| System | Cron Jobs | Parsed & presented in Investigation Hub |
| System | Quick Look Cache | Parsed & presented in Investigation Hub |
| System | Event Taps | Parsed & presented in Investigation Hub |
| System | Re-Opened Apps | Parsed & presented in Investigation Hub |
| System | Most Recently Used (MRU) | Parsed & presented in Investigation Hub |
| System | Login Items | Parsed & presented in Investigation Hub |
| System | File System (FS) Events | Parsed & saved as CSV |
| Disk | Block Devices | Parsed & presented in Investigation Hub |
| Disk | Disk Encryption | Parsed & presented in Investigation Hub |
| File System | File System Enumeration | Parsed & saved as CSV |
| Configurations | ETC Hosts | Parsed & presented in Investigation Hub |
| Configurations | ETC Protocols | Parsed & presented in Investigation Hub |
| Configurations | ETC Services | Parsed & presented in Investigation Hub |
| Network | Listening Ports | Parsed & presented in Investigation Hub |
| Network | IP Routes | Parsed & presented in Investigation Hub |
| Network | Network Interfaces | Parsed & presented in Investigation Hub |
| Network | DNS Resolvers | Parsed & presented in Investigation Hub |
| Users | User Groups | Parsed & presented in Investigation Hub |
| Users | Users | Parsed & presented in Investigation Hub |
| Users | Logged Users | Parsed & presented in Investigation Hub |
| KnowledgeC | Application Usage | Parsed & presented in Investigation Hub |
| KnowledgeC | Bluetooth Connections | Parsed & presented in Investigation Hub |
| KnowledgeC | Notification Info | Parsed & presented in Investigation Hub |
| Unified Logs | Logind | Parsed & presented in Investigation Hub |
| Unified Logs | Tccd | Parsed & presented in Investigation Hub |
| Unified Logs | Sshd | Parsed & presented in Investigation Hub |
| Unified Logs | Command Line Activity | Parsed & presented in Investigation Hub |
| Unified Logs | Kernel Extension | Parsed & presented in Investigation Hub |
| Unified Logs | Screensharing | Parsed & presented in Investigation Hub |
| Unified Logs | Keychain | Parsed & presented in Investigation Hub |
| Unified Logs | Sessions creation and destruction | Parsed & presented in Investigation Hub |
| Unified Logs | XProtect Remediation | Parsed & presented in Investigation Hub |
| Unified Logs | Failed Sudo events | Parsed & presented in Investigation Hub |
| Unified Logs | Manual Configuration Profile Install | Parsed & presented in Investigation Hub |
| Persistence | Mail Rules | Parsed & presented in Investigation Hub |
| Persistence | Login Hooks | Parsed & presented in Investigation Hub |
| Persistence | Logout Hooks | Parsed & presented in Investigation Hub |
| Persistence | Emond Clients | Parsed & presented in Investigation Hub |
| SSH | SSH Authorized Keys | Parsed & presented in Investigation Hub |
| SSH | SSH Configs | Parsed & presented in Investigation Hub |
| SSH | SSH Known Hosts | Parsed & presented in Investigation Hub |
| SSH | SSHD Configs | Parsed & presented in Investigation Hub |

macOS Artifact List

| Category | Name | Collection Type |
|---|---|---|
| Server | Apache Logs | File collected |
| Server | NGINX Logs | File collected |
| Server | MongoDB Logs | File collected |
| Server | MySQL Logs | File collected |
| Server | PostgreSQL Logs | File collected |
| System | System Logs | File collected |
| System | Install Logs | File collected |
| System | Wifi Logs | File collected |
| System | KnowledgeC | File collected |
| Docker | Docker Changes | Parsed & presented in Investigation Hub |
| Docker | Docker Containers | Parsed & presented in Investigation Hub |
| Docker | Docker Image History | Parsed & presented in Investigation Hub |
| Docker | Docker Images | Parsed & presented in Investigation Hub |
| Docker | Docker Info | Parsed & presented in Investigation Hub |
| Docker | Docker Networks | Parsed & presented in Investigation Hub |
| Docker | Docker Processes | Parsed & presented in Investigation Hub |
| Docker | Docker Volumes | Parsed & presented in Investigation Hub |
| Communication | AnyDesk Logs | File collected |
| Communication | Teamviewer Logs | File collected |
| Communication | Discord Desktop Cache | File collected |
| Communication | Splashtop Mac Logs | File collected |
| Utilities Artifacts | Parallels Logs | File collected |
| Utilities Artifacts | Homebrew Logs | File collected |
| Antivirus Logs | Sophos Event Database | File collected |
| Antivirus Logs | Sophos Logs | File collected |
