From "I Know What You Did Last Month": a new execution artifact on macOS 10.13
Analysts that perform macOS forensics have had few, if any, artifacts of program execution to rely on during investigations — until now. In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact can be used to:
- Determine the extent to which a system was in use, with accuracy up to one day
- Determine which programs were run on a particular day, whether in the foreground or in the background
- Determine how long, approximately, a program was running and/or active, as well as provide an approximate number of times the program was launched or brought to the foreground interactively
How can CoreAnalytics be disabled permanently? Not just a cron job that deletes its output.
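Before deciding whether to suppress the artifact, it helps to see what it actually records. The following parser is an added example, not code from the original post or from the talk it quotes. It assumes, from public write-ups of the format rather than from anything on this page, that a CoreAnalytics aggregation file (on High Sierra, Analytics-*.core_analytics under /Library/Logs/DiagnosticReports) is newline-delimited JSON bracketed by "_marker" records, and that app-usage records are named comappleosanalyticsappUsage with a message object carrying processName, appDescription ("bundle ||| version"), activeTime, foreground, launches and uptime. The sample file contents below are constructed for the example; the field names, file location and record layout are assumptions.

```python
"""Summarize CoreAnalytics app-usage records per day (added example; format assumed)."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

APP_USAGE_NAME = "comappleosanalyticsappUsage"   # assumed record name
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"            # assumed timestamp layout

# Constructed sample: two aggregation files, one per day. The third record in the
# first file deliberately lacks appDescription to exercise the tolerant path.
SAMPLE_FILES = [
    """{"_marker":"<begin-aggregation-file>","startTimestamp":"2018-06-06 06:34:38.59 -0500","timestamp":"2018-06-07 06:34:38.59 -0500"}
{"message":{"activeTime":4020,"appDescription":"com.apple.Safari ||| 11.1.1","foreground":"YES","launches":1,"processName":"Safari","uptime":5760},"name":"comappleosanalyticsappUsage","timestamp":"2018-06-07 06:34:38.59 -0500","uuid":"8d0a1f2e-0000-4000-8000-000000000001"}
{"message":{"activeTime":600,"appDescription":"com.apple.Terminal ||| 2.8.2","foreground":"YES","launches":2,"processName":"Terminal","uptime":3600},"name":"comappleosanalyticsappUsage","timestamp":"2018-06-07 06:34:38.59 -0500","uuid":"8d0a1f2e-0000-4000-8000-000000000002"}
{"message":{"activeTime":0,"foreground":"NO","launches":0,"processName":"mdworker","uptime":300},"name":"comappleosanalyticsappUsage","timestamp":"2018-06-07 06:34:38.59 -0500","uuid":"8d0a1f2e-0000-4000-8000-000000000003"}
{"_marker":"<end-aggregation-file>","timestamp":"2018-06-07 06:34:38.59 -0500"}
""",
    """{"_marker":"<begin-aggregation-file>","startTimestamp":"2018-06-07 06:34:38.59 -0500","timestamp":"2018-06-08 06:41:02.11 -0500"}
{"message":{"activeTime":1200,"appDescription":"com.apple.Safari ||| 11.1.1","foreground":"YES","launches":3,"processName":"Safari","uptime":1800},"name":"comappleosanalyticsappUsage","timestamp":"2018-06-08 06:41:02.11 -0500","uuid":"8d0a1f2e-0000-4000-8000-000000000004"}
{"_marker":"<end-aggregation-file>","timestamp":"2018-06-08 06:41:02.11 -0500"}
""",
]


@dataclass
class AppUsage:
    day: str            # date of the aggregation record (one-day granularity)
    process: str
    bundle_id: str      # empty when the record carries no appDescription
    version: str
    foreground: bool
    launches: int
    active_seconds: int
    uptime_seconds: int


def parse_core_analytics(text):
    """Return AppUsage records from one aggregation file's text (NDJSON)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue   # skip a damaged line instead of discarding the whole file
        if "_marker" in obj or obj.get("name") != APP_USAGE_NAME:
            continue
        msg = obj.get("message", {})
        bundle_id, _, version = (msg.get("appDescription") or "").partition(" ||| ")
        ts = datetime.strptime(obj["timestamp"], TS_FORMAT)
        records.append(AppUsage(
            day=ts.date().isoformat(),
            process=msg.get("processName", ""),
            bundle_id=bundle_id.strip(),
            version=version.strip(),
            foreground=str(msg.get("foreground", "NO")).upper() == "YES",
            launches=int(msg.get("launches", 0)),
            active_seconds=int(msg.get("activeTime", 0)),
            uptime_seconds=int(msg.get("uptime", 0)),
        ))
    return records


def parse_many(texts):
    """Parse several aggregation files (e.g. a month of daily files) into one list."""
    return [r for t in texts for r in parse_core_analytics(t)]


def days_in_use(records):
    """Sorted list of days on which at least one program was recorded."""
    return sorted({r.day for r in records})


def summarize_by_day(records):
    """day -> process -> totals of launches, active/uptime seconds, and any foreground use."""
    totals = defaultdict(lambda: defaultdict(
        lambda: {"launches": 0, "active_seconds": 0, "uptime_seconds": 0, "foreground": False}))
    for r in records:
        s = totals[r.day][r.process]
        s["launches"] += r.launches
        s["active_seconds"] += r.active_seconds
        s["uptime_seconds"] += r.uptime_seconds
        s["foreground"] = s["foreground"] or r.foreground
    return {day: dict(procs) for day, procs in totals.items()}


if __name__ == "__main__":
    recs = parse_many(SAMPLE_FILES)
    print("days with activity:", days_in_use(recs))
    for day, procs in sorted(summarize_by_day(recs).items()):
        for proc, s in sorted(procs.items()):
            print(f"{day} {proc:<10} launches={s['launches']} "
                  f"active={s['active_seconds']}s uptime={s['uptime_seconds']}s "
                  f"foreground={s['foreground']}")
```

On a real system you would feed parse_many() the text of every Analytics-*.core_analytics file in the directory, which is what turns one day's snapshot into the roughly one-month timeline the abstract describes. The counters are the aggregated values CoreAnalytics itself reports, so treat active time, uptime and launch counts as the approximations the abstract calls them rather than exact process history.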