macOS Forensics Artifacts and Commands

When conducting a digital forensic investigation on macOS systems, understanding where to find critical artifacts and how to extract meaningful data is crucial. Unlike Linux, macOS uses unique system components and logging mechanisms that require specialized knowledge. This post highlights the most vital macOS forensic artifacts and the terminal commands you can use to gather evidence during incident response or threat hunting.

macOS Commands

In macOS digital forensics and incident response, selecting the right artifacts to analyze is crucial for efficiently uncovering evidence of compromise. These forensic artifacts and corresponding commands represent the data sources that provide comprehensive visibility into user activity, system behavior, persistence mechanisms, and kernel integrity. Leveraging native macOS tools, investigators can reconstruct timelines, detect malicious footholds, and verify system integrity, thereby forming the backbone of any effective macOS forensic investigation.

User Sessions and Login Tracking: last, who, w

last Historical Login Sessions

last reads from the system’s login records (usually /var/log/wtmp or macOS’s equivalent database) and shows a chronological list of past login and logout events. It covers:

  • Local console logins

  • Remote SSH sessions

  • Reboots and shutdowns

  • System crashes (marked by the absence of a proper logout)

Why it’s valuable:

  • Helps reconstruct user access timelines.

  • Reveals suspicious login times (odd hours, weekends).

  • Indicates whether an attacker has logged in remotely via SSH.

  • Identifies reused or shared accounts.

  • Tracks system reboots or crashes possibly caused by an attacker.

who Current Logged-In Users

What it does: Shows who is currently logged in and on which terminal or remote session.

Why it’s valuable:

  • Detects live sessions during incident response.

  • Spots concurrent sessions under the same username (may indicate compromise).

  • Identifies terminals or TTY devices in use.

w Current User Activity

What it does: Similar to who, but adds more detail, including what commands users are running, their login time, idle time, and CPU load.

Why it’s valuable:

  • Reveals what active users are doing in real time.

  • Helps detect suspicious interactive commands.

  • Provides insight into user session duration and idle times.

Notes

  • On macOS, the output of last can be limited by log rotation; archive and review older /var/log files as well.

  • Use log show --predicate 'eventMessage contains "authentication"' to find detailed login events.

  • Cross-check login IPs with firewall logs or network logs for suspicious origins.

  • Use last -F (if supported) to show full login and logout timestamps.

These commands help you detect suspicious login times, unusual users, or concurrent sessions.
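As an added example that is not part of the original post, this POSIX shell function applies the checks above (remote host, odd hours, weekend) to `last` output; the sample records, the host addresses and the 07:00-19:00 working window are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage `last` output for the
# indicators described above: remote sessions, odd hours and weekends.
# On a live Mac:  last | flag_sessions
# SAMPLE_LAST is constructed test data in the BSD/macOS `last` layout:
#   user  tty  [host]  Weekday Mon DD HH:MM [- HH:MM (duration)]
SAMPLE_LAST='alice     ttys000                   Mon Jun  3 09:12   still logged in
alice     ttys001  203.0.113.7      Sun Jun  2 23:41 - 23:58  (00:17)
reboot    ~                         Sun Jun  2 08:00
svc_bkp   ttys002  10.0.0.4         Sat Jun  1 03:05 - 03:20  (00:15)
bob       console                   Fri May 31 14:02 - 17:45  (03:43)
shutdown  ~                         Sat Jun  1 22:10
wtmp begins Sat Jun  1 00:00'

# flag_sessions: reads `last` lines on stdin and prints user, tty, host and
# start time for each session that is remote, starts outside 07:00-19:00,
# or falls on a weekend, with the reasons in brackets. reboot/shutdown
# records and the trailing "wtmp begins" line are skipped.
flag_sessions() {
    awk '
    $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" || NF < 6 { next }
    {
        host = "local"; i = 3
        # no host column: field 3 is already the weekday
        if ($3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = $3; i = 4 }
        day = $i; hour = substr($(i + 3), 1, 2) + 0
        why = ""
        if (host != "local")              why = why "remote "
        if (hour < 7 || hour >= 19)       why = why "off-hours "
        if (day == "Sat" || day == "Sun") why = why "weekend "
        sub(/ $/, "", why)
        if (why != "")
            printf "%s %s %s %s %s %s %s [%s]\n", $1, $2, host, day, $(i+1), $(i+2), $(i+3), why
    }'
}

# count_flagged: number of sessions flagged in SAMPLE_LAST (2 expected)
count_flagged() { printf '%s\n' "$SAMPLE_LAST" | flag_sessions | wc -l | tr -d ' '; }
```

Feed real output with `last | flag_sessions` and adjust the working-hours window to the organisation's schedule before trusting the off-hours flag.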

System Logs: log show

macOS introduced the Unified Logging System in macOS 10.12 Sierra, replacing traditional plain-text logs with a high-performance, indexed system. You can query and filter logs using the log command:

log show --last 1d --predicate 'eventMessage contains "error"'

This command displays all error events from the past day, enabling you to pinpoint anomalies, crashes, or security-relevant incidents.

In a DFIR context, the Unified Logging System is a treasure trove of structured event data that can help investigators piece together attack timelines and uncover suspicious activity. Filtering logs for "error" messages with the above command focuses your investigation on events that likely indicate system faults, failed security checks, or abnormal behavior, which are common footprints of malicious activity or system compromise.

Search for failed or denied authentication attempts

log show --last 1d --predicate 'eventMessage contains[c] "fail" OR eventMessage contains[c] "deny"'

List launchd job failures or crashes

log show --last 1d --predicate 'eventMessage contains[c] "launchd" AND (eventMessage contains[c] "crash" OR eventMessage contains[c] "fail")'

Find System Integrity Protection (SIP) related errors or warnings

log show --last 1d --predicate 'eventMessage contains[c] "SIP" OR eventMessage contains[c] "System Integrity Protection"'

System Extensions: systemextensionsctl list

Kernel extensions (kexts) and system extensions can be loaded by macOS or third-party software. Listing them reveals drivers and components that interact at a low system level:

systemextensionsctl list

Investigating loaded extensions can uncover unauthorized or malicious drivers installed for persistence or rootkit activity.

Combine with log filtering for extension-related events:

log show --last 1d --predicate 'eventMessage contains "systemextension" OR eventMessage contains "extension"'

Launch Agents and Daemons: launchctl list

launchd is the backbone of macOS scheduling and persistence. It manages launch agents (per-user jobs) and daemons (system-wide jobs). List all loaded jobs to identify persistent scripts or binaries:

launchctl list

Analyzing these entries can reveal malicious launch agents or daemons configured to run at startup or on events.

Running Processes: ps aux

A snapshot of all running processes provides insight into active programs and potential malicious tools:

ps aux

Look for unknown or suspicious processes, especially those running under unusual user accounts or with elevated privileges.

Shell History

Shell history files, like .bash_history and .zsh_history, record the sequence of commands executed by users in their interactive shell sessions. For forensic investigators, these files offer a direct window into user or attacker activity on the endpoint.

cat ~/.bash_history
cat ~/.zsh_history

These logs reveal executed commands, tools used, and may help identify attacker activity or insider threats.

Kernel Extensions: kextstat

Kernel extensions (kexts) are modules that are loaded into the kernel to provide additional functionality. Listing non-Apple kexts is crucial to detecting rootkits or unauthorized drivers:

kextstat | grep -v com.apple

Any third-party or unknown kexts should be investigated for legitimacy.

System Integrity Protection Status: csrutil

System Integrity Protection (SIP) prevents unauthorized users or processes from modifying system files. Check its status to determine if system protections are disabled, which can indicate compromise:

csrutil status

Disabled SIP is a red flag during incident response.

Kernel and System Settings: sysctl

sysctl is a powerful tool that allows for the reading and writing of kernel state parameters at runtime. The -a option dumps all kernel and system parameters, providing a comprehensive snapshot of the system’s current configuration and state.

Why is sysctl -a useful in DFIR?

Detect kernel-level manipulations: Attackers targeting macOS at the kernel level may modify system parameters to evade detection or disable security features.

Verify system integrity: Parameters related to security features, such as ASLR, SIP enforcement, kernel debugging, and network settings, can be checked to confirm that protections are intact.

Uncover persistence techniques: Some rootkits or advanced malware tweak sysctl settings to maintain stealth or persistence.

Gather baseline for comparison: Capturing sysctl -a output over time helps identify anomalous changes during investigations.

Useful commands:

Dump all kernel parameters:

sysctl -a > sysctl_full_$(date +%F).log

Check kernel debugging status (suspicious if enabled):

sysctl kern.kdebug

Verify System Integrity Protection enforcement (some related parameters):

sysctl security.mac.*

Inspect network forwarding settings (may indicate routing or proxy behavior):

sysctl net.inet.ip.forwarding

Analyzing these parameters can reveal tampering or system hardening levels.
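As an added example (not from the original post), the following shell functions implement the baseline comparison described above: they diff two `sysctl -a` snapshots and report changed, added and removed keys. The snapshot contents, the file names and the watch-list of keys are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: diff two `sysctl -a` snapshots
# to find keys that changed, appeared or vanished since a baseline (the
# "gather baseline for comparison" use described above). On a Mac, capture
# `sysctl -a > sysctl_full_$(date +%F).log` once as baseline and again later,
# then run: sysctl_diff <baseline.log> <today.log>
# The snapshots below are constructed test data (real key names, made-up values).
BASELINE_SNAP='kern.ostype: Darwin
kern.hostname: mac-01.example.test
kern.securelevel: 1
kern.maxproc: 4000
net.inet.ip.forwarding: 0'
CURRENT_SNAP='kern.ostype: Darwin
kern.hostname: mac-01.example.test
kern.securelevel: 0
net.inet.ip.forwarding: 1
kern.bootargs: debug=0x144'

# sysctl_diff BASELINE_FILE CURRENT_FILE: prints CHANGED/ADDED/REMOVED lines.
# Each line is split on its first ": " only, so values that contain colons
# survive; lines without ": " are ignored.
sysctl_diff() {
    awk '
    function kv(line,  i) { i = index(line, ": "); key = substr(line, 1, i - 1); val = substr(line, i + 2) }
    index($0, ": ") == 0 { next }
    FILENAME == ARGV[1] { kv($0); base[key] = val; next }
    {
        kv($0); seen[key] = 1
        if (!(key in base))        printf "ADDED   %s: %s\n", key, val
        else if (base[key] != val) printf "CHANGED %s: %s -> %s\n", key, base[key], val
    }
    END { for (k in base) if (!(k in seen)) printf "REMOVED %s: %s\n", k, base[k] }
    ' "$1" "$2"
}

# watch_diff: only the parameters a responder checks first (the post's
# security/network keys plus securelevel and boot-args).
watch_diff() {
    sysctl_diff "$1" "$2" |
        grep -E 'kern\.securelevel|kern\.bootargs|net\.inet\.ip\.forwarding|security\.mac\.'
}
# demo_diff: write the constructed snapshots to temp files and diff them
demo_diff() {
    d=$(mktemp -d)
    printf '%s\n' "$BASELINE_SNAP" > "$d/base.log"
    printf '%s\n' "$CURRENT_SNAP" > "$d/now.log"
    sysctl_diff "$d/base.log" "$d/now.log"
    rm -rf "$d"
}
```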

Conclusion

Mastering these macOS forensic artifacts and commands provides a strong foundation for investigations and threat hunting on Apple systems. Unlike Linux, macOS’s distinct logging, persistence, and system management tools require targeted approaches, but armed with these commands, you can rapidly build timelines, detect persistence, and uncover stealthy activity.

If you would like to automate data collection or build a forensic playbook tailored to macOS, please don’t hesitate to reach out. The correct tooling and process make all the difference.
