For the “TL;DR crowd,”: fslogger-yaml project page.
The release of EmPyre caused me to start thinking about the Indicators of Compromise (IOC) associated with it being used to interact with a system. The network artifacts, while they do need to be investigated, seem fairly straight forward to me. I am more interested in the system-based IOCs.
Since I’ve been out of the forensic arena for a while, I quickly realized that I have no idea how to track changes to system running OSX. There are, of course, system logs and Apple System Log (ASL) files. These do provide valuable information but they do not track everything. I wanted something that would provide me with enough detail that would assist in the generation of consistent IOCs.