macOS Collections

macOS Evidence and Artifacts List

macOS Evidence List

CategoryNameCollection Type

Processes

Auto Loaded Processes

Parsed & presented in Investigation Hub

Processes

Processes

Parsed & presented in Investigation Hub

Browser

Default Browser

Parsed & presented in Investigation Hub

Browser

Chrome Bookmarks

Parsed & presented in Investigation Hub

Browser

Chrome Cookies

Parsed & presented in Investigation Hub

Browser

Edge Cookies

Parsed & presented in Investigation Hub

Browser

Opera Cookies

Parsed & presented in Investigation Hub

Browser

Vivaldi Cookies

Parsed & presented in Investigation Hub

Browser

Arc Cookies

Parsed & presented in Investigation Hub

Browser

Brave Cookies

Parsed & presented in Investigation Hub

Browser

QQ Cookies

Parsed & presented in Investigation Hub

Browser

Chrome Bookmarks

Parsed & presented in Investigation Hub

Browser

Chrome User Profiles

Parsed & presented in Investigation Hub

Browser

Chrome Extensions

Parsed & presented in Investigation Hub

Browser

Chrome Local Storage

Parsed & presented in Investigation Hub

Browser

Chrome IndexedDB

Parsed & presented in Investigation Hub

Browser

Chrome Web Storage

Parsed & presented in Investigation Hub

Browser

Chrome Form History

Parsed & presented in Investigation Hub

Browser

Edge Form History

Parsed & presented in Investigation Hub

Browser

Opera Form History

Parsed & presented in Investigation Hub

Browser

Vivaldi Form History

Parsed & presented in Investigation Hub

Browser

Arc Form History

Parsed & presented in Investigation Hub

Browser

Brave Form History

Parsed & presented in Investigation Hub

Browser

QQ Form History

Parsed & presented in Investigation Hub

Browser

Chrome Thumbnails

Parsed & presented in Investigation Hub

Browser

Edge Thumbnails

Browser

Opera Thumbnails

Browser

Vivaldi Thumbnails

Browser

Arc Thumbnails

Browser

Brave Thumbnails

Browser

QQ Thumbnails

Browser

Chrome Favicons

Parsed & presented in Investigation Hub

Browser

Edge Favicons

Parsed & presented in Investigation Hub

Browser

Opera Favicons

Parsed & presented in Investigation Hub

Browser

Vivaldi Favicons

Parsed & presented in Investigation Hub

Browser

Arc Favicons

Parsed & presented in Investigation Hub

Browser

Brave Favicons

Parsed & presented in Investigation Hub

Browser

QQ Favicons

Parsed & presented in Investigation Hub

Browser

Chrome Login Data

Parsed & presented in Investigation Hub

Browser

Edge Login Data

Parsed & presented in Investigation Hub

Browser

Opera Login Data

Parsed & presented in Investigation Hub

Browser

Vivaldi Login Data

Parsed & presented in Investigation Hub

Browser

Arc Login Data

Parsed & presented in Investigation Hub

Browser

Brave Login Data

Parsed & presented in Investigation Hub

Browser

QQ Login Data

Parsed & presented in Investigation Hub

Browser

Chrome Sessions

Parsed & presented in Investigation Hub

Browser

Edge Sessions

Parsed & presented in Investigation Hub

Browser

Opera Sessions

Parsed & presented in Investigation Hub

Browser

Vivaldi Sessions

Parsed & presented in Investigation Hub

Browser

Arc Sessions

Parsed & presented in Investigation Hub

Browser

Brave Sessions

Parsed & presented in Investigation Hub

Browser

QQ Sessions

Parsed & presented in Investigation Hub

Browser

Chrome Browsing History

Parsed & presented in Investigation Hub

Browser

Edge Browsing History

Parsed & presented in Investigation Hub

Browser

Firefox Browsing History

Parsed & presented in Investigation Hub

Browser

Opera Browsing History

Parsed & presented in Investigation Hub

Browser

Safari Browsing History

Parsed & presented in Investigation Hub

Browser

Vivaldi Browsing History

Parsed & presented in Investigation Hub

Browser

Waterfox Browsing History

Parsed & presented in Investigation Hub

Browser

Brave Browsing History

Parsed & presented in Investigation Hub

Browser

Arc Browsing History

Parsed & presented in Investigation Hub

Browser

QQ Browsing History

Parsed & presented in Investigation Hub

Browser

Chrome Downloads

Parsed & presented in Investigation Hub

Browser

Safari Downloads

Parsed & presented in Investigation Hub

Browser

Firefox Downloads

Parsed & presented in Investigation Hub

Browser

Edge Downloads

Parsed & presented in Investigation Hub

Browser

Opera Downloads

Parsed & presented in Investigation Hub

Browser

Vivaldi Downloads

Parsed & presented in Investigation Hub

Browser

Arc Downloads

Parsed & presented in Investigation Hub

Browser

Brave Downloads

Parsed & presented in Investigation Hub

Browser

Waterfox Downloads

Parsed & presented in Investigation Hub

Browser

QQ Downloads

Parsed & presented in Investigation Hub

Browser

Firefox Cookies

Parsed & presented in Investigation Hub

System

Crashes

Parsed & presented in Investigation Hub

System

Gatekeeper

Parsed & presented in Investigation Hub

System

Gatekeeper Approved Apps

Parsed & presented in Investigation Hub

System

Installed Applications

Parsed & presented in Investigation Hub

System

Kernel Extensions Info

Parsed & presented in Investigation Hub

System

Launchd Overrides

Parsed & presented in Investigation Hub

System

Package Install History

Parsed & presented in Investigation Hub

System

System Extension Info

Parsed & presented in Investigation Hub

System

System Integrity Protection Status

Parsed & presented in Investigation Hub

System

Print Jobs

Parsed & presented in Investigation Hub

System

Printer Info

Parsed & presented in Investigation Hub

System

Transparency, Consent, and Control (TCC)

Parsed & presented in Investigation Hub

System

Quarantine Events

Parsed & presented in Investigation Hub

System

Sudo Last Run

Parsed & presented in Investigation Hub

System

iMessage

Parsed & presented in Investigation Hub

System

Dock Items

Parsed & presented in Investigation Hub

System

Document Revisions

Parsed & presented in Investigation Hub

System

Apple System Logs

Parsed & presented in Investigation Hub

System

Apple Audit Logs

Parsed & presented in Investigation Hub

System

Shared File List (SFL)

Parsed & presented in Investigation Hub

System

Shell History

Parsed & presented in Investigation Hub

System

Downloaded File Information

Parsed & presented in Investigation Hub

System

Cron Jobs

Parsed & presented in Investigation Hub

System

Quick Look Cache

Parsed & presented in Investigation Hub

System

Event Taps

Parsed & presented in Investigation Hub

System

Re-Opened Apps

Parsed & presented in Investigation Hub

System

Most Recently Used (MRU)

Parsed & presented in Investigation Hub

System

Login Items

Parsed & presented in Investigation Hub

System

File System (FS) Events

Parsed & saved as CSV

Disk

Block Devices

Parsed & presented in Investigation Hub

Disk

Disk Encryption

Parsed & presented in Investigation Hub

File System

File System Enumeration

Parsed & saved as CSV

Configurations

ETC Hosts

Parsed & presented in Investigation Hub

Configurations

ETC Protocols

Parsed & presented in Investigation Hub

Configurations

ETC Services

Parsed & presented in Investigation Hub

Network

Listening Ports

Parsed & presented in Investigation Hub

Network

IP Routes

Parsed & presented in Investigation Hub

Network

Network Interfaces

Parsed & presented in Investigation Hub

Network

DNS Resolvers

Parsed & presented in Investigation Hub

Users

User Groups

Parsed & presented in Investigation Hub

Users

Users

Parsed & presented in Investigation Hub

Users

Logged Users

Parsed & presented in Investigation Hub

KnowledgeC

Application Usage

Parsed & presented in Investigation Hub

KnowledgeC

Bluetooth Connections

Parsed & presented in Investigation Hub

KnowledgeC

Notification Info

Parsed & presented in Investigation Hub

Unified Logs

Logind

Parsed & presented in Investigation Hub

Unified Logs

Tccd

Parsed & presented in Investigation Hub

Unified Logs

Sshd

Parsed & presented in Investigation Hub

Unified Logs

Command Line Activity

Parsed & presented in Investigation Hub

Unified Logs

Kernel Extension

Parsed & presented in Investigation Hub

Unified Logs

Screensharing

Parsed & presented in Investigation Hub

Unified Logs

Keychain

Parsed & presented in Investigation Hub

Unified Logs

Sessions creation and destruction

Parsed & presented in Investigation Hub

Unified Logs

XProtect Remediation

Parsed & presented in Investigation Hub

Unified Logs

Failed Sudo events

Parsed & presented in Investigation Hub

Unified Logs

Manuel Configuration Profile Install

Parsed & presented in Investigation Hub

Persistence

Mail Rules

Parsed & presented in Investigation Hub

Persistence

Login Hooks

Parsed & presented in Investigation Hub

Persistence

Logout Hooks

Parsed & presented in Investigation Hub

Persistence

Emond Clients

Parsed & presented in Investigation Hub

SSH

SSH Authorized Keys

Parsed & presented in Investigation Hub

SSH

SSH Configs

Parsed & presented in Investigation Hub

SSH

SSH Known Hosts

Parsed & presented in Investigation Hub

SSH

SSHD Configs

Parsed & presented in Investigation Hub

macOS Artifact List

CategoryNameCollection Type

Server

Apache Logs

File collected

Server

NGINX Logs

File collected

Server

MongoDB Logs

File collected

Server

MySQL Logs

File collected

Server

PostgreSQL Logs

File collected

System

System Logs

File collected

System

Install Logs

File collected

System

Wifi Logs

File collected

System

KnowledgeC

File collected

Docker

Docker Changes

Parsed & presented in Investigation Hub

Docker

Docker Containers

Parsed & presented in Investigation Hub

Docker

Docker Image History

Parsed & presented in Investigation Hub

Docker

Docker Images

Parsed & presented in Investigation Hub

Docker

Docker Info

Parsed & presented in Investigation Hub

Docker

Docker Networks

Parsed & presented in Investigation Hub

Docker

Docker Processes

Parsed & presented in Investigation Hub

Docker

Docker Volumes

Parsed & presented in Investigation Hub

Communication

AnyDesk Logs

File collected

Communication

Teamviewer Logs

File collected

Communication

Discord Desktop Cache

File collected

Communication

Splashtop Mac Logs

File collected

Utilities Artifacts

Parallels Logs

File collected

Utilities Artifacts

Homebrew Logs

File collected

Antivirus Logs

Sophos Event Database

File collected

Antivirus Logs

Sophos Logs

File collected

Last updated