OK forensics folks! What are some events you'd like to see from Mac logs? Here's the working list I have right now.
User created
User login/logoff (success & fail)
group create
group change
sudo use
app install/delete
Please RT! Thanks in advance.
(USB) device connection startup service change/create/delete keyring access iCloud activity Apple ID changes
what sort of iCloud activities? That's hella broad. Any pointers would be appreciated.
Replying to @bettersafetynet
I'm thinking things that would point to exfil and/or exploitation. Moving files back and forth, etc.

Jan 28, 2021 · 12:05 AM UTC
