Daily Blog #629: Coreanalytics Update

Coreanalytics Update by David Cowen - Hacking Exposed Blog


Hello Reader,
Back in July of 2018, Crowdstrike wrote a very interesting post about Core Analytics, a service that runs by default on OSX and tracks aggregate daily data about the executables run on the system, keeping about a month of history. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/

I've noticed that most of the writeups I've seen about OSX artifacts don't list Core Analytics, which seems strange to me. Outside of KnowledgeC, there aren't many other execution artifacts on OSX that I'm aware of. So, after checking Mojave on a couple of systems, I can report that Core Analytics is still alive and kicking, in one of two directories.

If the user opted to send data to Apple when setting up their Mac, the month's worth of data will be found under:
/Library/Logs/DiagnosticReports/Retired

If the user opted out of sending data to Apple, the data will be found under:
/Library/Logs/DiagnosticReports/

Otherwise the data is unchanged, and Crowdstrike's script still works.
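As an added example (my own triage helper, not part of the original post and not Crowdstrike's script), here is a small POSIX shell function that checks both locations on a live system or under a mounted image root and prints which of the two holds the files. It assumes the `.core_analytics` file extension described in Crowdstrike's post, and the image path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Locate Core Analytics files in either of the two Mojave locations.
# Assumption: the files carry the .core_analytics extension (from Crowdstrike's post).
# Usage: core_analytics_locate [ROOT]
#   ROOT is empty for the live system, or the mount point of an evidence image,
#   e.g. core_analytics_locate /Volumes/evidence_image   (placeholder path)
# Output: one line per file, "<location>\t<path>", where <location> is
#   retired  -> /Library/Logs/DiagnosticReports/Retired (user opted in to sending data)
#   active   -> /Library/Logs/DiagnosticReports         (user opted out)
# Exit status: 0 if at least one file was found, 1 otherwise.
core_analytics_locate() {
    root="${1:-}"
    found=0
    for dir in "$root/Library/Logs/DiagnosticReports/Retired" \
               "$root/Library/Logs/DiagnosticReports"; do
        [ -d "$dir" ] || continue
        case "$dir" in
            */Retired) label="retired" ;;
            *)         label="active"  ;;
        esac
        # Only look at the directory itself, so the two locations stay distinct
        for f in "$dir"/*.core_analytics; do
            [ -f "$f" ] || continue
            printf '%s\t%s\n' "$label" "$f"
            found=$((found + 1))
        done
    done
    [ "$found" -gt 0 ]
}

# Convenience wrapper: report which of the two locations is in use on this system.
# Prints "retired", "active", "both" or "none".
core_analytics_mode() {
    out=$(core_analytics_locate "${1:-}") || { echo "none"; return 1; }
    r=$(printf '%s\n' "$out" | grep -c '^retired')
    a=$(printf '%s\n' "$out" | grep -c '^active')
    if [ "$r" -gt 0 ] && [ "$a" -gt 0 ]; then echo "both"
    elif [ "$r" -gt 0 ]; then echo "retired"
    else echo "active"
    fi
}
```

Run it against the root of a mounted image rather than the live system when possible, and treat the location as corroborating evidence of the opt-in choice rather than proof of it, since the directory layout is all this check observes.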

