{"id":22255,"date":"2018-07-25T16:29:17","date_gmt":"2018-07-25T20:29:17","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=22255"},"modified":"2025-07-08T21:52:48","modified_gmt":"2025-07-09T01:52:48","slug":"i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/07\/25\/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13\/","title":{"rendered":"I Know What You Did Last Month: a New Artifact of Execution on macOS 10.13"},"content":{"rendered":"<p><a href=\"https:\/\/www.crowdstrike.com\/blog\/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13\/\">Kshitij Kumar and Jai Musunuri<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.crowdstrike.com\/blog\/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13\/\">\n<p>In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact can be used to:<\/p>\n<ul>\n<li>Determine the extent to which a system was in use, with accuracy up to one day<\/li>\n<li>Determine which programs were run on a particular day, whether in the foreground or in the background<\/li>\n<li>Determine how long, approximately, a program was running and\/or active, as well as provide an approximate number of times the program was launched or brought to the foreground interactively<\/li>\n<\/ul>\n<\/blockquote>\n\n<p>Update (2018-08-06): <a href=\"https:\/\/www.mac4n6.com\/blog\/2018\/8\/5\/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage\">Sarah Edwards<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.mac4n6.com\/blog\/2018\/8\/5\/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage\">\n<p>The knowledgeC.db database can be found on macOS and iOS devices. On Mac systems there will be a system context database located in the \/private\/var\/db\/CoreDuet\/Knowledge directory, while a user context database is located in the user&rsquo;s ~\/Library\/Application Support\/Knowledge\/ directory.<\/p>\n<p>[&#8230;]<\/p>\n<p>The database has many tables which have many columns. This article will only go over three of these that I have found to be particularly interesting. I encourage you to look at your own data to discover other items of investigative value.<\/p>\n<\/blockquote>\n\n<p id=\"i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13-update-2018-09-14\">Update (2018-09-14): <a href=\"https:\/\/www.mac4n6.com\/blog\/2018\/9\/12\/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb\">Sarah Edwards<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.mac4n6.com\/blog\/2018\/9\/12\/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb\">\n<p>This database holds a serious amount of data and it can be easy to get tunnel vision. Think about correlating this data with the location data I&rsquo;ve presented in other presentations and blog articles. Where was the user when they were looking at a specific app or browsing to a specific website? Were they driving distracted and watching YouTube when they shouldn&rsquo;t have? If the user was using a specific app during a time of interest, go to that app&rsquo;s data and look to see if it may contain data relevant to your investigation.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Kshitij Kumar and Jai Musunuri: In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-08-06T18:47:00Z","apple_news_api_id":"a2ca6224-0f94-4c86-870d-11b18aa79293","apple_news_api_modified_at":"2025-07-09T01:52:51Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAw==","apple_news_api_share_url":"https:\/\/apple.news\/AospiJA-UTIaHDRGxiqeSkw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[31,1472,30,2792,1529,355],"class_list":["post-22255","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-ios","tag-ios-11","tag-mac","tag-mach-o","tag-macos-10-13","tag-privacy"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=22255"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22255\/revisions"}],"predecessor-version":[{"id":22767,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22255\/revisions\/22767"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=22255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=22255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=22255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}