System Artifacts

System-level artifacts on macOS provide evidence of system configuration, security state, service management, credential storage, user authentication, and system stability. These are essential for understanding the overall state of a system, detecting persistence mechanisms, and establishing user activity timelines.

Categories

• System Info — OS version, hardware, security state
• Unified Logs — Comprehensive system logging (tracev3)
• Keychain — Credential metadata and certificate storage
• Launch Agents and Daemons — launchd persistence mechanisms
• User Accounts — Local accounts, login history, SSH configuration
• Login Items & Persistence — Login items, cron jobs, hooks, kernel extensions
• Audit Trail (BSM) — OpenBSM audit logs for process and file access
• Crash Reports — Application crashes, kernel panics, shutdown causes