Which artifacts on a macOS system are commonly used by investigators to reconstruct user activity?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which artifacts on a macOS system are commonly used by investigators to reconstruct user activity?

Explanation:
macOS investigators reconstruct user activity by building a timeline from a mix of system-wide logs and user-specific history. The unified logging system, accessed via log show, aggregates events from the OS and applications with precise timestamps, providing a broad view of what happened and when. The user's shell history (such as Bash or Zsh history files) captures commands entered in terminal sessions, revealing manual actions, software launches, and configuration changes. System receipts, stored in the receipts database, track installed or updated software, which can indicate actions taken on the machine and correlate events across time; lastlogin records show the most recent login times for user accounts, helping establish when a user accessed the system. Taken together, these artifacts give a cohesive timeline of user activity across sessions and system events.

Browser history, cookies, and cached web data can reveal web activity but don't provide the fuller picture of non-web actions. Kernel logs and crash dumps offer insight into system and driver issues but are less useful for reproducing typical user behavior. Network device configurations and firewall rules describe network posture rather than individual user actions.
