Tools

TrueTree is an incident response tool for building a pstree-like output on macOS. It can build a tree based on standard PIDs and PPIDs, or it can build a tree based on the TrueTree concept.

View the TrueTree change log here.

Read more about the TrueTree concept here.

SpriteTree is an application written purely in Swift that can take a capture from Apple’s eslogger command-line tool and let users interact with the data using Apple’s 2D game engine, providing various ways to build the process tree. Users can create their own eslogger captures using “sudo eslogger fork exec rename create”, or download our examples of previously created JSON captures and load one into the app.

ESFPlayground is a tool that lets you print out the notify events of the Apple Endpoint Security Framework as they happen in real time.

Read more about ESFPlayground here.

The change log for ESFPlayground can be found here.

MonitorUI is a tool that can load output from both ESFPlayground and Objective-See’s ProcessMonitor.app. It color-codes different process data, making it easier to track the life of a selected process, and includes a handy process tree display. It can also load file events from Objective-See’s FileMonitor.app.

Read more about MonitorUI here.