Analysts that perform macOS forensics have had few, if any, artifacts of program execution to rely on during investigations — until now. In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact can be used to:- Determine the extent to which a system was in use, with accuracy up to one day- Determine which programs were run on a particular day, whether in the foreground or in the background- Determine how long, approximately, a program was running and/or active, as well as provide an approximate number of times the program was launched or brought to the foreground interactivelyThis article provides a technical overview and analysis of the CoreAnalytics artifacts found in macOS 10.13, as well as a means for investigators to parse this artifact into a more digestible format.meer...
ConclusionCoreAnalytics provides a trove of information about the usage of a system and its applications. Program execution history that covers a month of activity can serve a crucial purpose in investigations where collection of evidence is not immediately feasible. Though documentation from Apple may provide additional clarity into the purpose of certain fields and the nature of their values, the analysis above provides a strong basis on which analysts can begin to investigate application activity on macOS systems.
Gast
