macOS Application Execution

Mac Application Usage & Execution Forensics

Independent forensic reconstruction of every application that ran on a Mac β€” who launched it, when, for how long, with what arguments, whether it was signed and notarized, and whether it was quarantined or blocked.

← Canonical HubThis page is part of the Mac Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Mac Application Usage Forensics answers “did this program run, and by whom” using KnowledgeC.db /app/inFocus and /app/usage streams, LaunchServices (com.apple.LaunchServices.QuarantineEventsV2 and ~/Library/Preferences/com.apple.LaunchServicesPrefs.plist), the UnifiedLog com.apple.launchd and com.apple.xpc.launchd subsystems, Spotlight kMDItemLastUsedDate, XProtect and Gatekeeper decisions, and β€” when available β€” ExecPolicy ES-endpoint events on macOS 11+.

KnowledgeC.db β€” the primary evidence of app usage

Each /app/inFocus row in KnowledgeC.db (~/Library/Application Support/Knowledge/knowledgeC.db) is a start/end interval a specific bundle identifier was frontmost, per user. Because the DB retains ~30 days of data and cannot be edited without root, it is the single most conclusive evidence of interactive app usage.

Related streams: /app/usage (aggregated), /app/activity (with declared document / URL), /app/webUsage (Safari), /app/intents (Siri-suggested).

LaunchServices, quarantine, and first-run

  • ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 β€” SQLite of every quarantined item with origin URL and event date.
  • com.apple.quarantine extended attribute on the binary β€” carries the flag until the user approves the app on first run, at which point the flag changes and the timestamp updates.
  • com.apple.macl extended attribute β€” Mandatory Access Control List entries added when apps are granted TCC permissions.
  • /private/var/db/com.apple.xpc.launchd/disabled.501.plist β€” user-disabled LaunchAgents.

Gatekeeper, XProtect, and code-signing decisions

macOS Gatekeeper decisions are logged under the com.apple.syspolicy subsystem β€” every “verifying ” and “allowed / denied” pair is recorded. spctl --assess -vv <path> reproduces the decision offline. XProtect updates and detections appear under com.apple.XProtectFramework.PluginAPI. Where the ExecPolicy database (/var/db/SystemPolicy) is preserved, it lists every notarized binary that has run on the machine.

Command-line execution β€” Terminal, zsh, and scripts

  • ~/.zsh_history and ~/.zsh_sessions/ β€” default zsh history since macOS 10.15 with timestamps when EXTENDED_HISTORY is enabled.
  • ~/.bash_history β€” legacy.
  • KnowledgeC.db /app/inFocus for com.apple.Terminal and com.googlecode.iterm2 β€” proves an interactive shell was in front.
  • Unified Log com.apple.launchd service invocations from LaunchAgents / Daemons.
  • AppleScript execution β€” osascript invocations recorded in the process lineage.

Ruling programs in or out

A defense-favorable outcome commonly relies on demonstrating a program did not run. We show negative evidence by enumerating: (a) absence of the bundle ID in KnowledgeC.db, (b) absence of a QuarantineEventsV2 row, (c) absence of Spotlight kMDItemLastUsedDate on the binary, and (d) absence of com.apple.launchd invocation. Reports state confidence explicitly and describe the coverage window that supports the conclusion.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.

Related Mac forensics pages

Frequently asked questions

Can you tell how long an app was actually in use?

Yes. KnowledgeC.db /app/inFocus records the start and end of each focus interval to the second. We sum the intervals over the case window to produce a total usage figure per app per day.

What if the program was renamed or moved?

The bundle identifier is stable across renames. LaunchServices tracks apps by bundle ID and inode, so renaming a binary does not hide its execution history from KnowledgeC.db, LaunchServices, or Spotlight.

Does macOS record command-line arguments?

Not by default in a persistent store, but Endpoint Security agents, third-party EDR, and enabled auditd all capture argv. Shell history captures interactive invocations.

Ready to move on your mac application usage & execution matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple: Notarizing macOS software. developer.apple.com
  2. Apple: Endpoint Security. developer.apple.com
  3. Sarah Edwards: KnowledgeC research. www.mac4n6.com

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#MacForensics #Execution #Gatekeeper #KnowledgeC #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder