macOS Collections
macOS Evidence List
Category | Name | Collection Type |
---|---|---|
Processes | Auto Loaded Processes | Parsed & presented in Investigation Hub |
Processes | Processes | Parsed & presented in Investigation Hub |
Browser | Default Browser | Parsed & presented in Investigation Hub |
Browser | Chrome Bookmarks | Parsed & presented in Investigation Hub |
Browser | Chrome Cookies | Parsed & presented in Investigation Hub |
Browser | Chrome User Profiles | Parsed & presented in Investigation Hub |
Browser | Chrome Extensions | Parsed & presented in Investigation Hub |
Browser | Chrome Local Storage | Parsed & presented in Investigation Hub |
Browser | Chrome IndexedDB | Parsed & presented in Investigation Hub |
Browser | Chrome Web Storage | Parsed & presented in Investigation Hub |
Browser | Chrome Form History | Parsed & presented in Investigation Hub |
Browser | Chrome Thumbnails | Parsed & presented in Investigation Hub |
Browser | Chrome Favicons | Parsed & presented in Investigation Hub |
Browser | Chrome Sessions | Parsed & presented in Investigation Hub |
Browser | Chrome Login Data | Parsed & presented in Investigation Hub |
Browser | Chrome Browsing History | Parsed & presented in Investigation Hub |
Browser | Edge Browsing History | Parsed & presented in Investigation Hub |
Browser | Firefox Browsing History | Parsed & presented in Investigation Hub |
Browser | Opera Browsing History | Parsed & presented in Investigation Hub |
Browser | Safari Browsing History | Parsed & presented in Investigation Hub |
Browser | Vivaldi Browsing History | Parsed & presented in Investigation Hub |
Browser | Waterfox Browsing History | Parsed & presented in Investigation Hub |
Browser | Brave Browsing History | Parsed & presented in Investigation Hub |
Browser | Arc Browsing History | Parsed & presented in Investigation Hub |
Browser | Chrome Downloads | Parsed & presented in Investigation Hub |
Browser | Safari Downloads | Parsed & presented in Investigation Hub |
Browser | Firefox Downloads | Parsed & presented in Investigation Hub |
Browser | Edge Downloads | Parsed & presented in Investigation Hub |
Browser | Opera Downloads | Parsed & presented in Investigation Hub |
Browser | Vivaldi Downloads | Parsed & presented in Investigation Hub |
Browser | Arc Downloads | Parsed & presented in Investigation Hub |
Browser | Brave Downloads | Parsed & presented in Investigation Hub |
Browser | Waterfox Downloads | Parsed & presented in Investigation Hub |
Browser | QQ Downloads | Parsed & presented in Investigation Hub |
Browser | Firefox Cookies | Parsed & presented in Investigation Hub |
System | Crashes | Parsed & presented in Investigation Hub |
System | Gatekeeper | Parsed & presented in Investigation Hub |
System | Gatekeeper Approved Apps | Parsed & presented in Investigation Hub |
System | Installed Applications | Parsed & presented in Investigation Hub |
System | Kernel Extensions Info | Parsed & presented in Investigation Hub |
System | Launchd Overrides | Parsed & presented in Investigation Hub |
System | Package Install History | Parsed & presented in Investigation Hub |
System | System Extension Info | Parsed & presented in Investigation Hub |
System | System Integrity Protection Status | Parsed & presented in Investigation Hub |
System | Print Jobs | Parsed & presented in Investigation Hub |
System | Printer Info | Parsed & presented in Investigation Hub |
System | Transparency, Consent, and Control (TCC) | Parsed & presented in Investigation Hub |
System | Quarantine Events | Parsed & presented in Investigation Hub |
System | Sudo Last Run | Parsed & presented in Investigation Hub |
System | iMessage | Parsed & presented in Investigation Hub |
System | Dock Items | Parsed & presented in Investigation Hub |
System | Document Revisions | Parsed & presented in Investigation Hub |
System | Apple System Logs | Parsed & presented in Investigation Hub |
System | Apple Audit Logs | Parsed & presented in Investigation Hub |
System | Shared File List (SFL) | Parsed & presented in Investigation Hub |
System | Shell History | Parsed & presented in Investigation Hub |
System | Downloaded File Information | Parsed & presented in Investigation Hub |
System | Cron Jobs | Parsed & presented in Investigation Hub |
System | Quick Look Cache | Parsed & presented in Investigation Hub |
System | Event Taps | Parsed & presented in Investigation Hub |
System | Re-Opened Apps | Parsed & presented in Investigation Hub |
System | Most Recently Used (MRU) | Parsed & presented in Investigation Hub |
System | Login Items | Parsed & presented in Investigation Hub |
System | File System (FS) Events | Parsed & saved as CSV |
Disk | Block Devices | Parsed & presented in Investigation Hub |
Disk | Disk Encryption | Parsed & presented in Investigation Hub |
File System | File System Enumeration | Parsed & saved as CSV |
Configurations | ETC Hosts | Parsed & presented in Investigation Hub |
Configurations | ETC Protocols | Parsed & presented in Investigation Hub |
Configurations | ETC Services | Parsed & presented in Investigation Hub |
Network | Listening Ports | Parsed & presented in Investigation Hub |
Network | IP Routes | Parsed & presented in Investigation Hub |
Network | Network Interfaces | Parsed & presented in Investigation Hub |
Network | DNS Resolvers | Parsed & presented in Investigation Hub |
Users | User Groups | Parsed & presented in Investigation Hub |
Users | Users | Parsed & presented in Investigation Hub |
Users | Logged Users | Parsed & presented in Investigation Hub |
KnowledgeC | Application Usage | Parsed & presented in Investigation Hub |
KnowledgeC | Bluetooth Connections | Parsed & presented in Investigation Hub |
KnowledgeC | Notification Info | Parsed & presented in Investigation Hub |
Unified Logs | Logind | Parsed & presented in Investigation Hub |
Unified Logs | Tccd | Parsed & presented in Investigation Hub |
Unified Logs | Sshd | Parsed & presented in Investigation Hub |
Unified Logs | Command Line Activity | Parsed & presented in Investigation Hub |
Unified Logs | Kernel Extension | Parsed & presented in Investigation Hub |
Unified Logs | Screensharing | Parsed & presented in Investigation Hub |
Unified Logs | Keychain | Parsed & presented in Investigation Hub |
Unified Logs | Sessions creation and destruction | Parsed & presented in Investigation Hub |
Unified Logs | XProtect Remediation | Parsed & presented in Investigation Hub |
Unified Logs | Failed Sudo events | Parsed & presented in Investigation Hub |
Unified Logs | Manual Configuration Profile Install | Parsed & presented in Investigation Hub |
Persistence | Mail Rules | Parsed & presented in Investigation Hub |
Persistence | Login Hooks | Parsed & presented in Investigation Hub |
Persistence | Logout Hooks | Parsed & presented in Investigation Hub |
Persistence | Emond Clients | Parsed & presented in Investigation Hub |
SSH | SSH Authorized Keys | Parsed & presented in Investigation Hub |
SSH | SSH Configs | Parsed & presented in Investigation Hub |
SSH | SSH Known Hosts | Parsed & presented in Investigation Hub |
SSH | SSHD Configs | Parsed & presented in Investigation Hub |
macOS Artifact List
Category | Name | Collection Type |
---|---|---|
Server | Apache Logs | File collected |
Server | NGINX Logs | File collected |
Server | MongoDB Logs | File collected |
Server | MySQL Logs | File collected |
Server | PostgreSQL Logs | File collected |
System | System Logs | File collected |
System | Install Logs | File collected |
System | Wifi Logs | File collected |
System | KnowledgeC | File collected |
Docker | Docker Changes | Parsed & presented in Investigation Hub |
Docker | Docker Containers | Parsed & presented in Investigation Hub |
Docker | Docker Image History | Parsed & presented in Investigation Hub |
Docker | Docker Images | Parsed & presented in Investigation Hub |
Docker | Docker Info | Parsed & presented in Investigation Hub |
Docker | Docker Networks | Parsed & presented in Investigation Hub |
Docker | Docker Processes | Parsed & presented in Investigation Hub |
Docker | Docker Volumes | Parsed & presented in Investigation Hub |
Communication | AnyDesk Logs | File collected |
Communication | TeamViewer Logs | File collected |
Communication | Discord Desktop Cache | File collected |
Communication | Splashtop Mac Logs | File collected |
Utilities Artifacts | Parallels Logs | File collected |
Utilities Artifacts | Homebrew Logs | File collected |
Antivirus Logs | Sophos Event Database | File collected |
Antivirus Logs | Sophos Logs | File collected |