Crashes
Overview
Evidence: Crashes
Description: Collect Crashes
Category: System
Platform: macos
Short Name: crsh
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
macOS automatically writes a crash report when an application or system process terminates abnormally. Per-user reports land in ~/Library/Logs/DiagnosticReports and reports for system processes in /Library/Logs/DiagnosticReports. Since macOS 12 (Monterey) the reports are JSON-structured .ips files; earlier releases wrote plain-text .crash files. Either way a report records the crashed process and its parent and responsible process, the exception type and codes, the crashed thread with its stack trace, and the register state at the time of the fault. This makes crash reports useful evidence for judging system stability, spotting malicious or unstable software, and detecting failed exploitation attempts.
Data Collected
This collector gathers one structured record per crash report found on the host.
Crashes Data
| Field | Description | Example |
|---|---|---|
| Type | Type of crash log (application, system or mobile app) | Application |
| PID | Process ID of the crashed process | 123 |
| Path | Path of the crashed executable | /Applications/Example.app/Contents/MacOS/Example |
| CrashPath | Path of the crash report file that was parsed | ~/Library/Logs/DiagnosticReports/Example-2023-10-15-143025.ips |
| Identifier | Identifier (normally the bundle ID) of the crashed process | com.example.app |
| Version | Version of the crashed process as recorded in the report | 123 |
| Parent | PID of the parent process | 123 |
| Responsible | Process recorded as responsible for the crashed process | Example |
| UID | User ID the crashed process ran as | 123 |
| DateTime | Date and time of the crash, with UTC offset | 2023-10-15 14:30:25+03:00 |
| CrashedThread | Index of the thread that crashed | 123 |
| StackTrace | Most recent frames of the crashed thread | 0 libsystem_kernel.dylib 0x00007fff6b0ba2c6 __pthread_kill + 10 |
| ExceptionType | Mach exception type, with the signal in parentheses | EXC_BAD_ACCESS (SIGSEGV) |
| ExceptionCodes | Exception codes, including the faulting address for access violations | KERN_INVALID_ADDRESS at 0x0000000000000000 |
| ExceptionNotes | Additional notes recorded with the exception | EXC_CORPSE_NOTIFY |
| Registers | Register values captured at the time of the crash | rax: 0x0000000000000000 rbx: 0x0000000000000001 ... |
Collection Method
This collector uses osquery to query the crashes table, which parses the report files in each user's ~/Library/Logs/DiagnosticReports directory and in /Library/Logs/DiagnosticReports. The crash rows are joined with the users table on the UID so that each record carries the owning account alongside the process details, report path, timestamp, exception type and codes, stack trace and registers. Both user-level and system-level crashes are captured.
Forensic Value
Crash reports help detect exploitation attempts, identify unstable or malicious software, explain reliability problems, and reconstruct incident timelines. The exception type and codes separate memory-safety faults (EXC_BAD_ACCESS, EXC_BAD_INSTRUCTION) from ordinary aborts, and the faulting address together with the register state shows whether a fault was a null dereference or a pointer overwritten with controlled data. The stack trace shows which code path was executing, which is useful both for triaging a suspected exploit and for analysing malware that crashes on the victim. Two caveats apply: a successful exploit usually leaves no crash report, so the absence of reports is not evidence of absence, and an attacker with the user's privileges can simply delete the files under DiagnosticReports, so missing or unusually sparse reports on an otherwise busy host are themselves worth noting.
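As an added example (not the collector's or osquery's own code), the Python below shows the shape of the query this collector runs against osquery's crashes table joined to users, and then applies the kind of triage the forensic notes above describe to the returned rows: flagging memory-safety exception types, fault addresses that look like attacker-controlled filler, binaries running from outside standard locations, and one identifier crashing repeatedly in a short window. The sample rows, bundle identifiers, paths, thresholds and trusted-prefix list are all constructed assumptions for illustration.

```python
"""Triage rows from the osquery `crashes` table for exploitation indicators.

Added example, not the collector's own code.  The query is the shape of the
collection described above (crashes joined to users on uid); the rows are
constructed sample data in the form `osqueryi --json` returns; the thresholds
and path list are illustrative assumptions, not published detection rules."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Column names are the real osquery `crashes` / `users` columns.
CRASHES_QUERY = """
SELECT c.type, c.pid, c.path, c.crash_path, c.identifier, c.version,
       c.parent, c.responsible, c.uid, u.username, c.datetime,
       c.crashed_thread, c.exception_type, c.exception_codes,
       c.exception_notes, c.stack_trace, c.registers
FROM crashes c LEFT JOIN users u ON c.uid = u.uid;
"""

MEMORY_SAFETY_EXCEPTIONS = {"EXC_BAD_ACCESS", "EXC_BAD_INSTRUCTION"}  # assumption
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/")  # assumption
_DT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(?:\.\d+)?\s*([+-]\d{2}):?(\d{2})$")
_ADDR_RE = re.compile(r"at (0x[0-9a-fA-F]+)")


def parse_datetime(value):
    """Accept '2023-10-15 14:30:25+03:00' (as in the field table) and the
    '2023-10-15 14:30:25.123 -0400' form that .crash files use."""
    m = _DT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised crash datetime: {value!r}")
    date, time, hh, mm = m.groups()
    return datetime.strptime(f"{date} {time} {hh}{mm}", "%Y-%m-%d %H:%M:%S %z")


def controlled_looking_address(exception_codes):
    """Heuristic: a fault address made of one repeated byte (0x41414141...)
    means filler data overwrote a pointer, not an ordinary stale pointer.
    Returns the address text, or None."""
    m = _ADDR_RE.search(exception_codes or "")
    if not m:
        return None
    raw = int(m.group(1), 16).to_bytes(8, "big").lstrip(b"\x00")
    return m.group(1) if len(raw) >= 4 and len(set(raw)) == 1 else None


def crash_storms(rows, threshold=3, window=timedelta(minutes=10)):
    """Identifiers with `threshold` or more crashes inside one `window`:
    consistent with an exploit being retried (ASLR brute force) or with
    malware that keeps dying and being relaunched."""
    by_ident = defaultdict(list)
    for r in rows:
        by_ident[r["identifier"]].append(parse_datetime(r["datetime"]))
    storms = set()
    for ident, times in by_ident.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                storms.add(ident)
                break
    return storms


def triage(rows):
    """Return {crash_path: [reasons]} for every row worth an analyst's time."""
    storms = crash_storms(rows)
    findings = defaultdict(list)
    for r in rows:
        reasons = findings[r["crash_path"]]
        if (r.get("exception_type") or "").split(" ", 1)[0] in MEMORY_SAFETY_EXCEPTIONS:
            reasons.append(f"memory-safety fault: {r['exception_type']}")
        addr = controlled_looking_address(r.get("exception_codes"))
        if addr:
            reasons.append(f"controlled-looking fault address {addr}")
        if not r["path"].startswith(TRUSTED_PREFIXES):
            reasons.append(f"binary outside trusted locations: {r['path']}")
        if r["identifier"] in storms:
            reasons.append("repeated crashes of this identifier in a short window")
    return {path: why for path, why in findings.items() if why}


def _row(ident, path, report, when, exc_type, exc_codes):
    """Constructed sample row with the columns CRASHES_QUERY selects."""
    return {"type": "Application", "pid": "4242", "path": path, "crash_path": report,
            "identifier": ident, "version": "1.0", "parent": "1",
            "responsible": path.rsplit("/", 1)[-1], "uid": "501", "username": "alice",
            "datetime": when, "crashed_thread": "0", "exception_type": exc_type,
            "exception_codes": exc_codes, "exception_notes": "", "stack_trace": "",
            "registers": ""}


REPORTS = "/Users/alice/Library/Logs/DiagnosticReports/"
UPDATER = "/Users/alice/Library/Caches/.updater/updater"  # constructed, not a real path
SAMPLE_ROWS = [
    _row("com.example.viewer", "/Applications/Viewer.app/Contents/MacOS/Viewer",
         REPORTS + "Viewer-2023-10-15-143025.ips", "2023-10-15 14:30:25+03:00",
         "EXC_BAD_ACCESS (SIGSEGV)", "KERN_INVALID_ADDRESS at 0x0000000041414141"),
    _row("com.example.ledger", "/Applications/Ledger.app/Contents/MacOS/Ledger",
         REPORTS + "Ledger-2023-10-14-201102.ips", "2023-10-14 20:11:02+03:00",
         "EXC_CRASH (SIGABRT)", "0x0000000000000000, 0x0000000000000000"),
] + [
    _row("com.example.updater", UPDATER, REPORTS + f"updater-2023-10-15-{t}.ips",
         f"2023-10-15 09:{t[2:4]}:{t[4:]}+03:00", "EXC_BAD_ACCESS (SIGSEGV)",
         "KERN_INVALID_ADDRESS at 0x0000000000000000")
    for t in ("090000", "090310", "090745")
]
```

Calling `triage(SAMPLE_ROWS)` flags the viewer crash for its memory-safety fault at a repeated-byte address, and each of the three updater crashes for the fault type, the binary living under a hidden cache directory, and the three crashes landing inside ten minutes; the SIGABRT in a normally installed application produces no finding. Against a live host, replace SAMPLE_ROWS with the rows returned by running CRASHES_QUERY through osquery and tune the thresholds to the environment.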