macOS Triage Analysis — SIFT Workstation Runbook

Community

Reconstruct macOS activity fast with artifacts.

Author: rjonhaas
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This runbook reduces the time and uncertainty of macOS DFIR triage by guiding analysts through consistent, artifact-only collection, triage and timeline reconstruction from a macOS triage package.

Core Features & Use Cases

  • Artifact-first parsing with mac_apt: Use mac_apt artifact-only plugins to extract structured evidence such as browser history, downloads, quarantine events, persistence locations, TCC permissions, and application activity from a live-collected triage directory.
  • Unified Log reconstruction: Parse macOS Unified Log archives into JSONL and use targeted searches to determine whether specific app launches succeeded or were blocked by security policy.
  • SQLite/CoreData timestamp normalization: Run focused SQLite queries against macOS databases (including correct CoreData epoch conversion) to produce analyst-ready CSV timelines.
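The CoreData epoch conversion named above is the step most often done wrong in macOS timelines: CoreData and most Apple-framework databases store time as seconds (occasionally nanoseconds) since 2001-01-01 UTC, not since the Unix epoch, so a naive conversion lands 31 years early. The block below is an added example, not code from the runbook or from mac_apt. It builds a constructed in-memory SQLite database loosely modelled on Safari's History.db layout (table names, URLs and timestamp values are all constructed for illustration), converts the timestamps both in SQL and in Python, cross-checks the two, and writes the analyst-ready CSV the runbook describes.

```python
import csv
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# 2001-01-01T00:00:00Z is the CoreData / "Mac Absolute Time" epoch.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the Unix epoch (1970) and the CoreData epoch (2001).
COREDATA_OFFSET = 978307200


def coredata_to_iso(value):
    """Convert a CoreData timestamp (seconds, or nanoseconds for the
    large-integer variant some databases use) to an ISO 8601 UTC string."""
    if value is None:
        return None
    seconds = float(value)
    # Anything above ~1e11 cannot be seconds (that would be >3000 years
    # past 2001); treat it as the nanosecond variant.
    if abs(seconds) > 1e11:
        seconds /= 1e9
    return (COREDATA_EPOCH + timedelta(seconds=seconds)).isoformat(timespec="seconds")


def naive_unix_iso(value):
    """The wrong interpretation (Unix epoch), kept only to show the skew."""
    return datetime.fromtimestamp(float(value), timezone.utc).isoformat(timespec="seconds")


def build_sample_db():
    """Constructed sample data: two visits to one URL, CoreData seconds as REAL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.test/download');
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Example download');
        INSERT INTO history_visits VALUES (2, 1, 700003600.5, 'Example download (again)');
        """
    )
    return conn


# SQL-side conversion: add the 1970->2001 offset, then let SQLite render UTC.
TIMELINE_SQL = """
SELECT i.url, v.title, v.visit_time,
       datetime(v.visit_time + 978307200, 'unixepoch') AS visit_utc
FROM history_visits v
JOIN history_items i ON v.history_item = i.id
ORDER BY v.visit_time
"""


def timeline_rows(conn):
    """Run the query and cross-check SQL and Python conversions row by row."""
    rows = []
    for url, title, raw, sql_utc in conn.execute(TIMELINE_SQL):
        py_utc = coredata_to_iso(raw)
        # Both paths must agree to the second; a mismatch means the column
        # is not in the unit we assumed.
        if py_utc[:19].replace("T", " ") != sql_utc:
            raise ValueError(f"epoch mismatch for raw value {raw!r}: {py_utc} vs {sql_utc}")
        rows.append({"url": url, "title": title, "raw": raw,
                     "visit_utc": py_utc, "sql_utc": sql_utc})
    return rows


def write_timeline_csv(rows, path):
    """Write the normalized rows as a CSV timeline; returns the row count."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["visit_utc", "url", "title", "raw"])
        writer.writeheader()
        for row in rows:
            writer.writerow({k: row[k] for k in writer.fieldnames})
    return len(rows)


if __name__ == "__main__":
    conn = build_sample_db()
    rows = timeline_rows(conn)
    out = tempfile.mktemp(suffix=".csv")
    print(f"wrote {write_timeline_csv(rows, out)} rows to {out}")
    print("correct:", rows[0]["visit_utc"], " naive Unix:", naive_unix_iso(rows[0]["raw"]))
```

On a real triage package, point `sqlite3.connect` at a copy of the database (never the original, and copy any `-wal`/`-shm` sidecars with it) and replace the constructed schema with the table actually being queried; the cross-check in `timeline_rows` is what catches a column that stores Unix seconds rather than CoreData seconds.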

Quick Start

Ask Claude Code to run the macOS triage runbook: open the case directory and invoke the investigation flow for the macOS host. It starts phase 0 log parsing immediately and then extracts high-value artifacts such as Safari history, TCC permissions, quarantine events, and persistence locations.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: macOS Triage Analysis — SIFT Workstation Runbook
Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#macos-triage-analysis-sift-workstation-runbook

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
