
I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
CoreAnalyticsParser
Word Count: 3,765
Language: English
Hacker News Points: -
Summary

CrowdStrike's blog post examines CoreAnalytics, a feature introduced in macOS 10.13 that records program execution on Apple systems. It provides useful forensic evidence by tracking application usage, including execution times and user interactions, although it does not pinpoint the exact moment of execution. The post details how CoreAnalytics logs JSON records in .core_analytics files and temporary staging files, giving a month-long view of system activity. It also introduces a Python script that parses these records into user-friendly formats, making them more useful for incident response and insider threat investigations. Overall, CoreAnalytics emerges as a valuable resource for understanding system usage, helping cybersecurity professionals collect and analyze evidence on macOS systems.