New macOS Tahoe 26 Forensic Artifact Enables Detailed User Activity Reconstruction
Unit 42 researchers have identified a previously unknown macOS Tahoe 26 forensic artefact that records user menu selections system-wide. This discovery is significant for digital forensics and incident response teams seeking to reconstruct user behaviour during investigations.
Unit 42 has identified a new forensic artefact in macOS Tahoe 26 that captures user menu selections across the operating system. This artefact provides forensic analysts with granular visibility into user actions that were previously difficult or impossible to reconstruct from standard system logs. The discovery expands the available evidence pool for incident response teams investigating compromised macOS systems.
From a forensic perspective, menu selection artefacts are valuable because they represent deliberate user actions and can establish timelines of user activity with precision. Unlike generic process execution logs, menu selections can reveal the specific applications and features a user accessed, providing context for suspicious behaviour or data exfiltration. The artefact appears to be stored in a persistent format accessible to forensic tools, making it recoverable even after user sessions end.
The significance of this finding lies in improving macOS incident investigation capabilities. Previous macOS forensic methodologies may have relied on application-specific logs, browser history, or file system metadata to infer user behaviour. This new artefact offers a more direct data source. Incident responders should incorporate this artefact into their collection and analysis playbooks when investigating compromised Tahoe 26 systems.
Defenders should consider this artefact when building detection baselines and forensic response procedures. Threat actors may not yet be aware of this artefact's existence or its evidentiary value, meaning it could preserve evidence of compromise that an attacker did not deliberately sanitise. Forensic tooling vendors should prioritise parsing and visualisation of this artefact to make it accessible to security teams without deep macOS internals expertise.
The broader implication is that macOS forensic visibility continues to improve through targeted research. As organisations adopt macOS at scale for sensitive workloads, having detailed forensic artefacts becomes critical for breach investigations and compliance obligations. This discovery demonstrates the value of persistent forensic research into operating system internals and reinforces why incident response teams should regularly update their collection and analysis toolkits.