
MX0 Module Summary

Module 0

What this module established

Section 0.1 defined macOS endpoint investigation as evidence-based reconstruction from stores that differ from Windows in format and in what they record at all. There is no single execution oracle: execution is assembled from provenance, policy assessment, the log, receipts, and usage. You map the question to the store, recognize the formats that decide which tool opens each one, corroborate across independent stores, and reason about the four meanings of a missing artifact. The worked NE-VANCE-MBP finding stood on six stores recording through different mechanisms with no contradiction.

Section 0.2 explained the investigation-question structure. Twelve content modules move through four phases: foundations, acquisition and logging, the investigation questions, then integration and a capstone. Every section follows one rhythm, threat to artifact to baseline to reasoning to method to Fieldcraft, and the ordering rule is evidence before method. The material carries two releases at once, Sequoia 15 and Tahoe 26, and artifact formats and parser behaviour differ between them, so establishing the build first is a habit, not an afterthought: sw_vers on a live host, or ProductVersion and ProductBuildVersion from /System/Library/CoreServices/SystemVersion.plist on an image.

Section 0.3 mapped the toolstack by the job it does. Native binaries come first as ground truth: log, plutil, mdls, codesign, spctl, sfltool. mac_apt runs the breadth pass into a single SQLite database; sqlite3 reads a store directly, such as the TCC privacy grants and their timestamps, always from a working copy and opened read-only so the query itself leaves no trace in the store; APOLLO, iLEAPP, ccl-segb, and FSEventsParser handle the stores with only one parser. When an automated parser lags the release, the native log read settles the disagreement.

Section 0.4 covered where the method is applied: enterprise incident response, insider and intellectual-property cases, targeted malware, compromise assessment, detection engineering, and eDiscovery. One method serves all of them, shown concretely by the external-volume mount that an insider case turns on. The artifacts change with the case; the discipline does not, and the skill is scarce and durable.

Section 0.5 established evidence handling and honest limits. Hash on intake and keep the chain, treat the unlocked FileVault volume as the perishable resource it is, validate the parser against the specific release, and corroborate across stores. State what the platform did not record: measure the Unified Logging retention floor, the earliest timestamp still present in the log, and say so, because an absent entry before that floor means the log rolled over, not that the log was clean. Attach a confidence level that matches the evidence, in language precise enough to defend.

Section 0.6 set up the analysis environment. A Mac analysis host so the native ground-truth commands are available, a case structure that locks the original read-only and keeps working copies and output apart, the native toolchain confirmed on PATH, and the Python parsers isolated in a virtual environment with pinned versions. The evidence stays clean because the only writable thing in the case folder is a copy.
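As an added example covering the intake steps from sections 0.2, 0.5 and 0.6 (illustrative code written for this summary, not the course's tooling), the block below takes a SystemVersion.plist from an image, hashes it on intake, reads ProductVersion and ProductBuildVersion with the standard-library plistlib, names the release family the course tracks (Sequoia 15 or Tahoe 26), marks the original read-only, and appends the record to a chain-of-custody log in the case folder. The plist content is constructed here and its build string is a placeholder, not a real Apple build; on a live host sw_vers gives the same two values.

```python
"""Intake: hash the original, establish the build, log the chain of custody.

Added illustrative code for this module summary; not course tooling.
On an image the file is System/Library/CoreServices/SystemVersion.plist
under the mounted volume root.
"""
import hashlib
import json
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: real SystemVersion.plist keys, placeholder build string.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductName</key><string>macOS</string>
    <key>ProductVersion</key><string>15.3.1</string>
    <key>ProductBuildVersion</key><string>24A000</string>
</dict>
</plist>
"""

# The two releases the course carries; anything else is flagged, not guessed.
RELEASES = {15: "Sequoia", 26: "Tahoe"}


def release_family(product_version: str) -> str:
    """Map a ProductVersion such as '15.3.1' to the release the parsers are validated against."""
    major = int(product_version.split(".")[0])
    return RELEASES.get(major, f"unrecognized major {major}")


def sha256_file(path) -> str:
    """Stream the file so large originals do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_build(plist_path) -> dict:
    """ProductVersion and ProductBuildVersion are the ground truth for the build."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    version = data["ProductVersion"]
    return {
        "product_version": version,
        "build": data["ProductBuildVersion"],
        "release": release_family(version),
    }


def intake(plist_path: Path, chain_log: Path) -> dict:
    """Hash first, then read, then lock the original and append to the chain log."""
    record = {
        "path": str(plist_path),
        "sha256": sha256_file(plist_path),
        "intake_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record.update(read_build(plist_path))
    plist_path.chmod(0o444)  # the original stays read-only; work from copies
    with open(chain_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Lay out a case folder the way section 0.6 describes and run intake on the sample."""
    case = Path(tempfile.mkdtemp(prefix="case-"))
    original = case / "original" / "SystemVersion.plist"
    original.parent.mkdir()
    original.write_bytes(SAMPLE_PLIST)
    (case / "working").mkdir()
    (case / "output").mkdir()
    return intake(original, case / "chain_of_custody.log")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash is computed before anything else touches the file, and the record carries the release name so the parser-validation step knows which build it is validating against. Re-running sha256_file on the original at the end of the engagement, and comparing against the logged value, is the check that the chain held.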

What comes next

Module 1 covers the macOS security model and the threat landscape it is built against. Every artifact you will read downstream is produced by this machinery: Gatekeeper and code signing decide what runs and leave the quarantine and assessment records, TCC governs the privacy grants you read straight from the database, System Integrity Protection sets what you can and cannot reach, and the sandbox shapes where an app can write.

Understanding the model is what turns an artifact from a value on a screen into evidence you can interpret, because you know the rule that produced it and what its presence or absence actually means.
