惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cisco Talos Blog
Cisco Talos Blog
V
V2EX
C
Check Point Blog
GbyAI
GbyAI
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
博客园 - Franky
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Security Blog
Microsoft Security Blog
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
The Cloudflare Blog
S
SegmentFault 最新的问题
Latest news
Latest news
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
I
InfoQ
博客园 - 【当耐特】
NISL@THU
NISL@THU
A
About on SuperTechFans
T
Tailwind CSS Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Scott Helme
Scott Helme
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
Security Latest
Security Latest
V
Vulnerabilities – Threatpost
Security Archives - TechRepublic
Security Archives - TechRepublic
A
Arctic Wolf
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
IT之家
IT之家
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
SecWiki News
SecWiki News
大猫的无限游戏
大猫的无限游戏
S
Security Affairs
The Register - Security
The Register - Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
L
LINUX DO - 热门话题
T
Tor Project blog

Unit 42

TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development No Manners Here: The Ruthless Rise of The Gentlemen Ransomware Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation How We Added WebAuthn to a Browser-Based RDP Client Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration Threat Brief: Mitigating Large-Scale Credential Attacks Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE Inside the Modern SOC: The 72-Minute Race Trust No Skill: Integrity Verification for AI Agent Supply Chains Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility When “Hi, This Is IT” Comes Through Microsoft Teams Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface Out of the Crypt: The Evolving Cyber Extortion Economy Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Paved With Intent: ROADtools and Nation-State Tactics in the Cloud Tracking TamperedChef Clusters via Certificate and Code Reuse Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years Essential Data Sources for Detection Beyond the Endpoint That AI Extension Helping You Write Emails? It’s Reading Them First TGR-STA-1030: New Activity in Central and South America Frontier AI and the Future of Defense: Your Top Questions Answered Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
Chip Riley · 2026-06-13 · via Unit 42

Surfacing a New Artifact

Forensic examiners are constantly hunting for data that reveals not just what happened on a system, but the user's intent behind it. With the release of macOS Tahoe 26, a new artifact has surfaced that provides exactly this level of granularity. We have identified a new Biome stream, App.MenuItem, which logs specific menu selections made by users across the operating system.

This artifact offers a step-by-step record of user actions — from compressing files to emptying the trash — providing critical context for user activity across the operating system. This blog outlines where to find this artifact, how to process it and what stories the data can tell.

Apple Biome – A Gold Mine for Forensic Investigators

The Apple Biome system has long been a gold mine for forensic investigators, tracking everything from app usage to media consumption. In macOS Tahoe 26.x, Apple appears to have introduced a new stream specifically designed to track menu selections, likely to facilitate user suggestions or learning behavior.

Location and Structure

The artifact is located at ~/Library/Biome/streams/restricted/App.MenuItem/local. Unlike simple logs, this file contains SEGB-encapsulated protobuf entries. SEGB is the file format used by the Biome. While this format requires specific tooling to parse, the payoff is significant. The stream captures the exact text of menu items selected by the user, along with the timestamp of the activity, providing a narrative of their interaction with the interface.

Parsing the Artifact

Because standard forensic tools may not yet parse this specific stream, examiners can utilize open-source tools like ccl-segb to extract the raw data. In our testing, this artifact is not parsed by the most common commercially available digital forensic tools available.

To process the file:

  1. Export the file(s) from the directory ~/Library/Biome/streams/restricted/App.MenuItem/local.
  2. Run the ccl-segb Python script: python ccl_segb_cli.py <exportedfilename> > outputfilename.txt.
  3. Convert the resulting text output into a CSV format for easier filtering and analysis using a Python script.

Analyzing User Intent

The true value of App.MenuItem lies in its ability to reconstruct a user's workflow. Where a file system event might simply show a file was deleted, this artifact can show the deliberate action of selecting "Move to Trash" followed by "Empty Trash.”

Consider the following sequence of events observed in our sample analysis:

  • 18:32:37: The user navigates using Go > Go to Folder… in Finder.
  • 18:36:59: In TextEdit, the user selects File > Save…, followed by typing "u42validation".
  • 18:37:54: The user highlights a folder named "stolendata" and selects Compress “stolendata”.
  • 18:38:19: The user selects Move to Trash.
  • 18:38:41: The user interacts with the Dock to select Empty Trash.

In this scenario, we see a clear pattern: data creation, compression (likely for exfiltration) and subsequent cleanup. We even see interaction with specific UI elements, such as Copy and Paste Item later in the timeline.

Limitations

While powerful, this artifact is not without limitations. It relies on the menu item text itself. If a menu option does not explicitly contain the file or folder name (e.g., a generic "Open" command vs. "Compress 'Report'"), the specific target of the action might not be visible in this stream alone. However, when correlated with file system logs, App.MenuItem provides the "human" context that technical logs often miss.

Final Thoughts

The discovery of the App.MenuItem artifact in MacOS Tahoe 26 adds a powerful new layer to forensic investigations. By capturing the specific menu choices a user makes, examiners can reconstruct digital intent with greater precision than before. Whether you are investigating data exfiltration or trying to understand a sequence of events, this Biome stream provides a narrative view of user behavior.

As macOS continues to evolve, so must our forensic methodologies. We encourage all examiners working with Tahoe images to verify if this artifact is present and incorporate it into their standard analysis workflows.