or, Monitoring app installers/activity:
1. Clone entire boot volume with Carbon Copy Cloner 5 (or 6 via Legacy Bootable Copy Assistant)
2. Install or run app
3. Repeat step 1
4. Compare clones with Beyond Compare in a root session: sudo /Applications/Beyond\ Compare.app/Contents/MacOS/BCompare

1. Create a local snapshot [1]: tmutil localsnapshot
2. Install or run app
3. Repeat step 1
4. Find snapshot names: tmutil listlocalsnapshots /
   com.apple.TimeMachine.2023-10-16-184148.local
   com.apple.TimeMachine.2023-10-16-184247.local
5. Create mount points and attach snapshots [2]:
   % mkdir ~/snapshot1 ~/snapshot2
   % mount_apfs -o ro -s com.apple.TimeMachine.2023-10-16-184148.local /System/Volumes/Data ~/snapshot1
   % mount_apfs -o ro -s com.apple.TimeMachine.2023-10-16-184247.local /System/Volumes/Data ~/snapshot2
6. Compare snapshots with Beyond Compare as above
7. Unmount snapshots and optionally delete mount points (~/snapshot1 & ~/snapshot2) and snapshots (e.g., tmutil deletelocalsnapshots 2023-10-16-184247) when done.
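
As a command-line alternative to the Beyond Compare step, the script below (an added example, not part of the original post) walks the two mounted snapshots and reports added, removed and changed paths. The name snapdiff.py and the metadata-only comparison (type, mode, size and mtime, not file contents) are assumptions of this example.

```python
#!/usr/bin/env python3
"""List what changed between two read-only snapshot mounts (added example)."""
import os
import stat
import sys

FIELDS = ("type", "mode", "size", "mtime")

def scan(root):
    """Map each relative path to (type, mode, size, mtime); symlinks are not followed."""
    index = {}

    def unreadable(err):
        # A directory we may not list (e.g. no Full Disk Access): mark it, keep going.
        index[os.path.relpath(err.filename, root)] = ("unreadable",)

    for dirpath, dirnames, filenames in os.walk(root, onerror=unreadable):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                st = os.lstat(full)
            except OSError:
                index[rel] = ("unreadable",)
                continue
            # A directory's size and mtime change whenever a child does, so zero them.
            is_dir = stat.S_ISDIR(st.st_mode)
            index[rel] = (stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode),
                          0 if is_dir else st.st_size,
                          0 if is_dir else int(st.st_mtime))
    return index

def diff_trees(before_root, after_root):
    """Return (added paths, removed paths, {changed path: [changed fields]})."""
    before, after = scan(before_root), scan(after_root)
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = {}
    for path in sorted(before.keys() & after.keys()):
        if before[path] != after[path]:
            changed[path] = [f for f, b, a in zip(FIELDS, before[path], after[path]) if b != a]
    return added, removed, changed

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: snapdiff.py ~/snapshot1 ~/snapshot2")
    added, removed, changed = diff_trees(sys.argv[1], sys.argv[2])
    for path in added:
        print("+", path)
    for path in removed:
        print("-", path)
    for path, fields in changed.items():
        print("~", path, ",".join(fields))
```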
fs_usage, fseventer, etc.)
Suspicious Package (mentioned in ’12, ’17, & ’21): "An application for inspecting macOS installer packages."
How do I know what files are installed by an installer program?
How to Open .pkg Files to View What Will Install on Mac with Suspicious Package: "Longtime Mac users may recall that a package inspection feature used to exist in Mac OS X some time ago via the right-click menu, but that feature has since been removed. More advanced Mac users can still extract pkg files with pkgutil without actually installing them but it requires the use of the command line, and the Show Files method to see what files are going to be installed and where to is not always available or detailed enough."
File Buddy (mentioned in ’05 & ’17): "Create snapshots to track changes to a folder or disk, such as files installed by an installer. Use the results of snapshot comparisons to uninstall applications."
FileControl: "Determine exactly which files have been changed, anywhere on your system."
Virtual machines:
Windows:
[1] Time Machine backups exclude a number of files and folders, and others may be excluded via the com_apple_backup_excludeItem extended attribute (uncover them via sudo mdfind "com_apple_backup_excludeItem = 'com.apple.backupd'").
[2] Grant Terminal Full Disk Access to avoid mount_apfs: volume could not be mounted: Operation not permitted.
/mac | Oct 17, 2023