Which artifact is commonly used to reconstruct macOS user activity?


Multiple Choice

Which artifact is commonly used to reconstruct macOS user activity?

Explanation:
macOS unified logging provides a timeline of user activity by recording a wide range of events across the system, apps, and user sessions with precise timestamps. Each log entry ties together the action, the process that generated it, and when it happened, capturing events like user logins, application launches, file access, GUI interactions, and permissions changes. Because this data comes from multiple layers (kernel, system services, and user processes), it offers a coherent, queryable record of what the user did on the machine, which is exactly what you need to reconstruct activity over time.

Kernel crash dumps show the state of the kernel at a crash and aren't a reliable record of regular user behavior. Memory dumps capture live RAM contents and can reveal what was running, but they're not organized into a user activity timeline. Network router logs track network traffic at the network device, not on-host actions, so they don't provide a direct view of user actions on the macOS device itself.
