Home / Companies / Crowdstrike / Blog / Post Details
Content Deep Dive

I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
CoreAnalyticsParser
Word Count
3,765
Company Posts That Month
Language
English
Hacker News Points
-
Post removed?
No
Summary

CrowdStrike's blog post delves into the intricacies of CoreAnalytics, a feature introduced in macOS 10.13, which records program execution on Apple systems. This tool provides valuable insights for forensic analysis by tracking application usage, including execution times and user interactions, although it does not pinpoint exact execution moments. The post details how CoreAnalytics utilizes JSON records to log data in .core_analytics files and temporary staging files, offering a month-long view of system activity. The blog also introduces a Python script designed to parse these records into user-friendly formats, enhancing their utility for incident response and insider threat investigations. Overall, CoreAnalytics emerges as a critical resource for understanding system usage, aiding cybersecurity professionals in evidence collection and analysis on macOS systems.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
AI Agents 1 2,394 1,321 1 -
Zero Trust 1 1,843 1,331 3 +61333%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.