CoreAnalytics

Overview

CoreAnalytics is the macOS diagnostic subsystem (backed by the analyticsd daemon) that records application usage statistics as part of Apple's anonymised telemetry. It writes .core_analytics report files containing JSON records that document which processes were launched, how many times, and for how long they were active. Together the reports provide a rolling window (approximately 30 days) of program execution evidence that is written by the operating system itself and persists independently of any user-facing application.

For forensic investigators, CoreAnalytics is a reliable source of execution evidence: it shows that a process with a given name ran on the system on a given day, even if the binary has since been deleted. Because only the process name is recorded, attributing a record to a specific binary on disk requires correlation with other artifacts.

Forensic Significance

Evidence type | Forensic value
Application execution | Proof that a specific program was run
Execution counts | How many times an application was launched in a period
Execution dates | Date ranges when an application was active
Background processes | Evidence of non-GUI process execution
Deleted application evidence | Records persist after app uninstallation

File Locations

Artifact | Path | Format
Analytics reports | /Library/Logs/DiagnosticReports/Analytics_*.core_analytics | JSON (one per day)
Aggregated data | /private/var/db/analyticsd/aggregates/ | JSON arrays

Files are named with the date they cover, e.g., Analytics_2026-02-19-120000_macOS.core_analytics.

Data Format

Each .core_analytics file contains newline-delimited JSON objects, one record per line. The record type that carries execution evidence is com.apple.osanalytics.addDaily, a per-process daily aggregate of launch counts and active time:

{
  "message": {
    "processName": "Calculator",
    "foregroundNumericVersion": 0,
    "activations": 3,
    "activeTime": 142,
    "launches": 3,
    "activityPeriodDays": 1
  },
  "name": "com.apple.osanalytics.addDaily",
  "uuid": "...",
  "timestamp": "2026-02-19 12:00:00 +0000"
}

Key Fields

Field | Description
processName | Name of the executed process
activations | Number of times the app came to the foreground
activeTime | Total active time in seconds
launches | Number of process launches
activityPeriodDays | Number of days in the activity period
timestamp | Date the record covers

Analysis

Parse All Execution Records

# Extract all addDaily execution records as "timestamp <TAB> process <TAB> launches".
# Reading /Library/Logs/DiagnosticReports usually requires root; the script is
# passed on stdin (heredoc) and the report files as arguments.
sudo python3 - /Library/Logs/DiagnosticReports/Analytics_*.core_analytics <<'EOF' | sort
import sys, json

for path in sys.argv[1:]:
    with open(path, encoding='utf-8', errors='replace') as fh:
        for line in fh:
            line = line.strip()
            if not line.startswith('{'):
                continue                     # skip header / non-JSON lines
            try:
                obj = json.loads(line)
            except ValueError:
                continue                     # malformed or truncated line
            if obj.get('name') != 'com.apple.osanalytics.addDaily':
                continue                     # other telemetry record types
            msg = obj.get('message', {})
            print(f"{obj.get('timestamp', '?')}\t{msg.get('processName', '?')}\t{msg.get('launches', 0)} launches")
EOF

Analysis Notes

  • Execution evidence: CoreAnalytics is one of the few macOS artifacts that directly records program execution. Note that addDaily records are per-day aggregates (launch counts and active time), not individual execution events with precise times. The artifact is particularly valuable when the original binary has been deleted.
  • 30-day window: Analytics files are typically retained for approximately 30 days. Older files are automatically purged. Collect these early in an investigation.
  • No path information: CoreAnalytics records the process name but not the full path. Correlate with FSEvents, KnowledgeC, or Unified Logs for path information.
  • Aggregate vs. daily: The /private/var/db/analyticsd/aggregates/ directory contains aggregated metrics that may cover longer time periods than the daily reports.
  • Background processes: CoreAnalytics records both GUI applications and background processes (daemons, agents), making it useful for detecting malicious background execution.
  • CrowdStrike research: CrowdStrike published foundational research on using CoreAnalytics for forensic execution evidence. See references below.
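The following is an added example (not code from the original page or from the macfor project) that parses the addDaily records described under Data Format and collapses them into one row per process: first and last day seen, total launches and active time, and a background-only flag for processes that were launched but never brought to the foreground (launches > 0 with activations == 0), which is a heuristic for the non-GUI execution mentioned above. The embedded sample lines, the non-JSON header line and the process name updater_helper are constructed for the example; the field names come from the record format shown on this page.

```python
import json
import sys

ADD_DAILY = "com.apple.osanalytics.addDaily"

# Constructed sample in the shape of a .core_analytics file (not real data):
# a non-JSON header line, one unrelated record type, and four addDaily records.
SAMPLE = "\n".join([
    "Analytics report header line (constructed; not JSON, must be skipped)",
    '{"name":"com.apple.example.otherEvent","uuid":"0","timestamp":"2026-02-17 12:00:00 +0000","message":{}}',
    '{"name":"com.apple.osanalytics.addDaily","uuid":"1","timestamp":"2026-02-17 12:00:00 +0000",'
    '"message":{"processName":"Calculator","activations":2,"activeTime":90,"launches":2,"activityPeriodDays":1}}',
    '{"name":"com.apple.osanalytics.addDaily","uuid":"2","timestamp":"2026-02-18 12:00:00 +0000",'
    '"message":{"processName":"Calculator","activations":3,"activeTime":142,"launches":3,"activityPeriodDays":1}}',
    '{"name":"com.apple.osanalytics.addDaily","uuid":"3","timestamp":"2026-02-18 12:00:00 +0000",'
    '"message":{"processName":"updater_helper","activations":0,"activeTime":0,"launches":4,"activityPeriodDays":1}}',
    '{"name":"com.apple.osanalytics.addDaily","uuid":"4","timestamp":"2026-02-19 12:00:00 +0000",'
    '"message":{"processName":"updater_helper","activations":0,"activeTime":0,"launches":1,"activityPeriodDays":1}}',
])


def parse_core_analytics(text):
    """Return addDaily records from newline-delimited JSON text.

    Non-JSON lines (headers, truncated lines) and other record types are
    skipped rather than raising, so a batch of report files can be fed in
    as one concatenated stream.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if obj.get("name") != ADD_DAILY:
            continue
        msg = obj.get("message", {})
        if "processName" not in msg:
            continue
        records.append({
            "day": obj.get("timestamp", "")[:10],   # "YYYY-MM-DD" prefix of the timestamp
            "process": msg["processName"],
            "launches": int(msg.get("launches", 0)),
            "activations": int(msg.get("activations", 0)),
            "active_time": int(msg.get("activeTime", 0)),
        })
    return records


def summarize(records):
    """Collapse daily records into one summary per process name."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["process"], {
            "first_seen": r["day"], "last_seen": r["day"],
            "launches": 0, "activations": 0, "active_time": 0, "days": 0,
        })
        s["first_seen"] = min(s["first_seen"], r["day"])   # ISO dates sort lexically
        s["last_seen"] = max(s["last_seen"], r["day"])
        s["launches"] += r["launches"]
        s["activations"] += r["activations"]
        s["active_time"] += r["active_time"]
        s["days"] += 1
    for s in summary.values():
        # Heuristic: launched but never in the foreground -> non-GUI execution.
        s["background_only"] = s["launches"] > 0 and s["activations"] == 0
    return summary


def load_files(paths):
    """Parse one or more .core_analytics files into addDaily records."""
    chunks = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            chunks.append(fh.read())
    return parse_core_analytics("\n".join(chunks))


if __name__ == "__main__":
    # Usage: python3 coreanalytics_summary.py /Library/Logs/DiagnosticReports/Analytics_*.core_analytics
    # With no arguments the constructed SAMPLE above is summarised instead.
    recs = load_files(sys.argv[1:]) if len(sys.argv) > 1 else parse_core_analytics(SAMPLE)
    print("process\tfirst_seen\tlast_seen\tdays\tlaunches\tactivations\tactive_s\tbackground_only")
    for name, s in sorted(summarize(recs).items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{name}\t{s['first_seen']}\t{s['last_seen']}\t{s['days']}\t{s['launches']}\t"
              f"{s['activations']}\t{s['active_time']}\t{s['background_only']}")
```

The background-only flag is a triage hint, not proof of malice: legitimate agents and daemons also show launches without activations. Its value is in surfacing unfamiliar process names for correlation with FSEvents, KnowledgeC or Unified Logs, which supply the path information CoreAnalytics lacks.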

Version Differences

macOS version | Changes
10.13 (High Sierra) | CoreAnalytics introduced
10.15 (Catalina) | Expanded metrics, more process types tracked
12 (Monterey) | Additional aggregate data categories

Tool Support

Tool | Support
macfor | Not yet implemented (planned)
python3 / jq | Parse JSON analytics files
mac_apt | Open-source CoreAnalytics parser
AXIOM (Magnet) | Commercial CoreAnalytics support

References
