System
Crash Reports & Diagnostics
Overview
macOS generates detailed diagnostic reports when applications crash, hang, or encounter errors. These reports contain stack traces, memory state, and system information at the time of the crash. For forensic investigators, crash reports can reveal evidence of exploitation attempts, malware behaviour, and system stability issues. System-level logs also record shutdown causes, power events, and hardware failures.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Application crashes | Evidence of unstable or malicious software execution |
| Exploitation indicators | Stack traces showing buffer overflows, null dereferences |
| Kernel panics | System-level instability or rootkit indicators |
| Shutdown causes | Why the system was last shut down or restarted |
| Process information | Full path, PID, UID, parent process of crashed applications |
| Timestamps | Precise timing of crashes for timeline correlation |
File Locations
| Artifact | Path | Format |
|---|---|---|
| User crash reports | ~/Library/Logs/DiagnosticReports/ | .crash, .ips |
| System crash reports | /Library/Logs/DiagnosticReports/ | .crash, .ips |
| Kernel panics | /Library/Logs/DiagnosticReports/ | .panic |
| Shutdown stall logs | /Library/Logs/DiagnosticReports/shutdown_stall_*.log | Text |
| Power diagnostics | /Library/Logs/DiagnosticReports/powerstats_*.diag | Binary |
| System log | /var/log/system.log | Text |
| Install log | /var/log/install.log | Text |
| Daily maintenance | /var/log/daily.out | Text |
Data Format
Crash Report Structure (.crash / .ips)
Modern macOS uses JSON-formatted .ips files:
| Field | Description |
|---|---|
| procName | Process name |
| procPath | Full path to the crashed binary |
| bundleID | Application bundle identifier |
| pid | Process ID |
| ppid | Parent process ID |
| userID | User ID of the process |
| timestamp | Crash timestamp (ISO 8601) |
| exception | Exception type (e.g., EXC_BAD_ACCESS, EXC_CRASH) |
| termination | Termination reason |
| threads | Array of thread states with stack frames |
| usedImages | Loaded libraries and frameworks |
Kernel Panic (.panic)
Contains the full kernel state at the time of the panic, including:
- Panic string and trigger
- Kernel backtrace
- Loaded kernel extensions
- Hardware state
Shutdown Cause
```bash
# Query last shutdown cause from Unified Logs
log show --predicate 'eventMessage contains "Previous shutdown cause"' --last 1d
```
Common shutdown causes:
| Code | Meaning |
|---|---|
| 5 | Normal shutdown |
| 3 | Hard shutdown (power button held) |
| 0 | Power loss |
| -3 | Multiple temperature sensors exceeded limits |
| -60 | Bad master directory block (filesystem corruption) |
| -128 | Unknown |
Key Fields for Analysis
```bash
# List recent crash reports
ls -lt ~/Library/Logs/DiagnosticReports/ | head -20
# List kernel panics
ls -lt /Library/Logs/DiagnosticReports/*.panic 2>/dev/null
# Search for crashes of a specific app
ls ~/Library/Logs/DiagnosticReports/ | grep -i "safari"
# Read a crash report (modern .ips files start with a one-line JSON header
# before the report body; drop it with sed so json.tool can parse the body)
cat ~/Library/Logs/DiagnosticReports/SomeApp_*.ips | sed '1d' | python3 -m json.tool | head -50
```
Analysis Notes
- Exploitation evidence: Crash reports with `EXC_BAD_ACCESS (SIGSEGV)` or `EXC_BAD_ACCESS (SIGBUS)` in unusual contexts may indicate buffer overflow exploitation attempts. Look for crashes in processes that shouldn't normally crash.
- Malware behaviour: Crashes in processes launched from unusual paths (`/tmp/`, `/var/folders/`) or with suspicious parent processes warrant investigation.
- Timeline value: Crash timestamps provide precise evidence of process execution, complementing CoreAnalytics and KnowledgeC data.
- Loaded libraries: The `usedImages` section of crash reports lists all loaded dynamic libraries, which can reveal injected dylibs or suspicious frameworks.
- Kernel panic analysis: Kernel panics caused by third-party kexts may indicate rootkit or kernel-level exploit activity. Check the loaded kext list in panic reports.
- Shutdown forensics: Unexpected shutdown causes (power loss, hard shutdown) combined with other evidence may indicate the system was forcibly powered down to prevent forensic collection.
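The following is an added example (not macfor code) that ties the .ips field table to the analysis notes above: it loads a report, tolerating the one-line header that modern .ips files carry before the JSON body, and flags the launch-path, memory-fault and loaded-image indicators the notes describe. The sample report and the set of trusted image directories are constructed assumptions.

```python
import json

# Constructed sample in the shape of the .ips field table above (not a real report).
# Modern files put a one-line JSON header before the report body.
SAMPLE_IPS = """{"app_name": "SomeApp", "timestamp": "2024-01-15 09:30:00.00 +0000"}
{"procName": "SomeApp", "procPath": "/var/folders/zz/x1/T/SomeApp", "bundleID": "com.example.someapp",
 "pid": 4242, "ppid": 1, "userID": 501, "timestamp": "2024-01-15T09:30:00Z",
 "exception": {"type": "EXC_BAD_ACCESS", "signal": "SIGSEGV"},
 "termination": {"reason": "Segmentation fault: 11"}, "faultingThread": 0,
 "threads": [{"frames": [{"imageIndex": 2, "symbol": "copy_input"}, {"imageIndex": 0, "symbol": "main"}]}],
 "usedImages": [{"path": "/var/folders/zz/x1/T/SomeApp", "name": "SomeApp"},
                {"path": "/usr/lib/libSystem.B.dylib", "name": "libSystem.B.dylib"},
                {"path": "/Users/alice/Library/Caches/libhelper.dylib", "name": "libhelper.dylib"}]}
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/folders/")   # launch paths called out in the notes above
TRUSTED_DIRS = ("/System/", "/usr/lib/")         # assumption: where Apple-shipped images live

def load_ips(text):
    """Return the report body; accept both single-object and header+body files."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        _header, _, body = text.partition("\n")
        return json.loads(body)

def exception_type(report):
    """'exception' may be a plain string or an object carrying a 'type' key."""
    exc = report.get("exception", "")
    return exc.get("type", "") if isinstance(exc, dict) else str(exc)

def triage(report):
    """Apply the analysis notes: unusual path, memory fault, non-Apple images, faulting image."""
    path = report.get("procPath", "")
    images = [img.get("path", "") for img in report.get("usedImages", [])]
    untrusted = [p for p in images if p and p != path and not p.startswith(TRUSTED_DIRS)]
    threads = report.get("threads") or [{}]
    frames = threads[report.get("faultingThread", 0)].get("frames") or [{}]
    idx = frames[0].get("imageIndex")  # top frame of the faulting thread
    faulting_image = images[idx] if isinstance(idx, int) and 0 <= idx < len(images) else None
    return {
        "process": f"{report.get('procName')} pid={report.get('pid')} ppid={report.get('ppid')} uid={report.get('userID')}",
        "timestamp": report.get("timestamp"),
        "suspicious_path": path.startswith(SUSPICIOUS_DIRS),
        "memory_fault": exception_type(report).startswith("EXC_BAD_ACCESS"),
        "untrusted_images": untrusted,
        "faulting_image": faulting_image,
    }
```

Run `triage(load_ips(open(path).read()))` over each file in a DiagnosticReports directory to get a per-crash summary; a non-Apple faulting image together with a suspicious launch path is the combination the notes above single out for follow-up.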
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| Console.app (macOS built-in) | GUI crash report viewer |
| log (macOS built-in) | Query shutdown causes |
| plutil / python3 | Parse .ips JSON reports |