ETC Files
Overview
Section titled “Overview”Evidence: ETC Files
Description: Collect all files in etc directories
Category: System
Platform: macos
Short Name: etcf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Section titled “Background”The /private/etc directory on macOS contains system configuration files that define services, networking, authentication, and other OS behavior. Reviewing these files provides visibility into security posture and configuration drift.
Data Collected
Section titled “Data Collected”This collector gathers structured data about etc files.
Collection Method
Section titled “Collection Method”This collector walks the /private/etc directory, captures metadata (times, modes, sizes) and copies regular files into the case content for preservation and review.
Forensic Value
Section titled “Forensic Value”Configuration files reveal service enablement, policy changes, malicious tampering, and indicators of persistence. They are essential for baselining and detecting unauthorized modifications.