Mick Douglas 🇺🇦🌻 · Jan 27, 2021 · 10:10 PM UTC

Mick Douglas 🇺🇦🌻

Mick Douglas 🇺🇦🌻 @bettersafetynet

27 Jan 2021

OK forensics folks! What are some events you'd like to see from Mac logs? Here's the working list I have right now. User created User login/logoff (success & fail) group create group change sudo use app install/delete Please RT! Thanks in advance.

Hal Pomeranz · Jan 27, 2021 · 10:27 PM UTC

Hal Pomeranz · Jan 27, 2021 · 10:27 PM UTC

Hal Pomeranz @hal_pomeranz

27 Jan 2021

Replying to @bettersafetynet

(USB) device connection startup service change/create/delete keyring access iCloud activity Apple ID changes

Jan 27, 2021 · 10:27 PM UTC

Mick Douglas 🇺🇦🌻 · Jan 27, 2021 · 10:53 PM UTC

Mick Douglas 🇺🇦🌻 @bettersafetynet

27 Jan 2021

Replying to @hal_pomeranz

what sort of iCloud activities? That's hella broad. Any pointers would be appreciated.

Hal Pomeranz · Jan 28, 2021 · 12:05 AM UTC

Hal Pomeranz @hal_pomeranz

28 Jan 2021

I’m thinking things that would point to exfil and/or exploitation. Moving files back and forth, etc.