
# Review Running Processes

A computer infected with spyware will usually have one or more malicious processes running at all times, monitoring the system and collecting data to be transmitted to the attackers' [Command & Control server](https://securitywithoutborders.org/resources/digital-security-glossary.html#cnc). Another required step in triaging a suspected macOS computer is therefore to extract the list of running processes and check whether any of them display suspicious characteristics.

The best tool for this is [TaskExplorer](https://objective-see.com/products/taskexplorer.html), developed by Objective-See. First download the program from [its official page](https://objective-see.com/products/taskexplorer.html), unzip the archive containing it (double-clicking the archive should work in most cases) and double-click the TaskExplorer program to launch it. On startup it asks for your password in order to obtain administrator privileges, which it needs to list all running processes, including those owned by other users and by the system.

![](/files/1f8l4S3ZkrDHbHEE0sKV)

Before proceeding with this check, it is advisable to close all visible running applications, so that the output of the tools you run is reduced to the bare minimum and the processes left are those that start on their own.

### 1. Verify Image Signature

As with KnockKnock, TaskExplorer verifies the code signature of each running application. This information is shown as a lock icon next to the application name: a green closed lock ![](/files/mtxBCxr7hWCCFJ1XHsR5) means the application is signed by Apple, a black closed lock ![](/files/ikLLlMphzOvihzsePyWL) means it is signed by a non-Apple developer, and an open orange lock ![](/files/ECif02DohHwic2vsAlSX) means the application is not signed. Keep in mind that a black lock only tells you that the binary was signed with a certificate Apple issued to some developer, not that the developer is trustworthy: malware is regularly distributed with valid Developer ID signatures, so a closed black lock does not by itself clear a process.

You can filter the list to show only unsigned applications by typing `#unsigned` in the filter bar and pressing Enter:

![](/files/qvC5HQxFsY8Fh2ynMju6)

### 2. Check for Suspicious Application Name and Path

As in the startup items section, it is worth checking for any application with a suspicious name or path. The name of an application can be faked, but in some cases malware uses either a spoofed name with a typo (such as `Crhome` instead of `Chrome`) or a random string.

The path shows where the application is running from. Third-party applications normally run from `/Applications` or `/Library`; any non-Apple application running from another location (for example from a user's home directory or a temporary directory) should be investigated further. Apple's own system processes legitimately run from `/System` and `/usr`, which is why the filter below is useful.

To avoid checking legitimate applications signed by Apple, filter the tasks with the hashtag `#nonapple` in the filter bar:

![](/files/ehgqyAGt1pmYsvZGTq4m)

### 3. Looking up Programs on VirusTotal

As in the [Autoruns](/mobile-forensics/mac/autoruns.md) section, TaskExplorer also looks up each file's hash on VirusTotal. To the right of each running task you will see two numbers: first the number of antivirus engines that flagged the file as malicious, then the total number of engines that scanned it. A question mark appears if the file is unknown to VirusTotal.

![](/files/6HRoU9EH5X7qxCOTmi8k)

You should investigate further any task that at least one antivirus engine flagged as malicious, and any task that is unknown to VirusTotal. An unknown file is not necessarily malicious (rare or internally built software is often unknown too), but it is exactly what targeted spyware looks like, so it deserves a closer look at its path, signature and behaviour rather than being dismissed.

**Please note:** the same considerations and warnings explained in the [previous section](/mobile-forensics/mac/autoruns.md) apply here too. Make sure to read them before proceeding.
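The three checks above can also be scripted, which is handy when a host cannot run TaskExplorer or when you want a reproducible record of the triage. The script below is an added example, not code from the page or from Objective-See's tools. It assumes (the page does not say this) that the process list is taken from `ps -axo pid=,user=,comm=`, where on macOS `comm` is the executable path, and that signature status comes from `codesign -dv --verbose=2 <path>`, whose `Authority=` chain is printed on stderr. The sample `ps` output and the `KNOWN_NAMES` list are constructed for the example; on a host without `codesign` the signature check is skipped and the path and name heuristics still run.

```python
"""Command-line counterpart to the three TaskExplorer checks above (added example,
not code from the page or from Objective-See). Assumed, not stated on the page:
processes come from `ps -axo pid=,user=,comm=` (on macOS `comm` is the executable
path) and signing data from `codesign -dv --verbose=2 <path>`, whose `Authority=`
chain is printed on stderr. Without codesign the signature check is skipped."""
import hashlib, os, re, shutil, subprocess, sys
from dataclasses import dataclass

# Apple system processes legitimately run from these locations; the page treats
# /Applications and /Library as the normal homes of third-party software.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
THIRD_PARTY_PREFIXES = ("/Applications/", "/Library/")
KNOWN_NAMES = ("Chrome", "Safari", "Finder", "Dropbox", "Slack", "Terminal")

# Constructed sample of `ps -axo pid=,user=,comm=` output, not a real capture.
SAMPLE_PS = """\
    1 root   /sbin/launchd
  412 alice  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  913 alice  /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 2210 alice  /Users/alice/Library/Application Support/.cache/Crhome
 2377 alice  /private/tmp/xk3j9qz7
"""

@dataclass
class Task:
    pid: int
    user: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]

def parse_ps(output: str) -> list:
    """Parse ps lines; the path (third field) may itself contain spaces."""
    tasks = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            tasks.append(Task(int(parts[0]), parts[1], parts[2].strip()))
    return tasks

def classify_codesign(stderr_text: str) -> str:
    """Map codesign's Authority chain to TaskExplorer's lock colours: 'apple'
    (green), 'non-apple' (black), 'adhoc' or 'unsigned' (orange open lock)."""
    if "Signature=adhoc" in stderr_text:
        return "adhoc"
    chain = re.findall(r"^Authority=(.*)$", stderr_text, re.M)
    if not chain:
        return "unsigned"
    if chain[0] == "Software Signing" and chain[-1] == "Apple Root CA":
        return "apple"
    return "non-apple"

def signer_of(task: Task):
    """Run codesign on the executable; None when codesign is not available."""
    if shutil.which("codesign") is None:
        return None
    res = subprocess.run(["codesign", "-dv", "--verbose=2", task.path],
                         capture_output=True, text=True)
    return "unsigned" if res.returncode != 0 else classify_codesign(res.stderr)

def path_class(task: Task) -> str:
    if task.path.startswith(SYSTEM_PREFIXES):
        return "system"
    return "third-party" if task.path.startswith(THIRD_PARTY_PREFIXES) else "unusual"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str):
    """Well-known name this one imitates within two edits ('Crhome' -> 'Chrome')."""
    base = name.lower()
    for known in KNOWN_NAMES:
        if base != known.lower() and len(base) >= 5 and edit_distance(base, known.lower()) <= 2:
            return known
    return None

def looks_random(name: str) -> bool:
    """Generated-name heuristic: digits wedged between letters, or no vowels at all."""
    if re.search(r"[A-Za-z]\d+[A-Za-z]", name):
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not any(c in "aeiouAEIOU" for c in letters)

def sha256_file(path: str) -> str:
    """SHA-256 of the executable: the fingerprint VirusTotal indexes files by."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def virustotal_url(sha256_hex: str) -> str:
    return "https://www.virustotal.com/gui/file/" + sha256_hex

def triage(tasks, signer=signer_of) -> dict:
    """Apply the page's checks; returns {pid: [reasons]} for the flagged tasks."""
    findings = {}
    for t in tasks:
        sig, reasons = signer(t), []
        if sig in ("unsigned", "adhoc"):
            reasons.append("signature: " + sig)
        if sig != "apple":  # the '#nonapple' filter: skip Apple-signed tasks
            if path_class(t) == "unusual":
                reasons.append("unusual path: " + t.path)
            if lookalike(t.name):
                reasons.append("name imitates " + lookalike(t.name))
            if looks_random(t.name):
                reasons.append("random-looking name")
        if reasons:
            findings[t.pid] = reasons
    return findings

if __name__ == "__main__":
    ps = subprocess.run(["ps", "-axo", "pid=,user=,comm="], capture_output=True,
                        text=True).stdout if sys.platform == "darwin" else SAMPLE_PS
    tasks = parse_ps(ps)
    for pid, why in triage(tasks).items():
        t = next(x for x in tasks if x.pid == pid)
        print(pid, t.name, "|", "; ".join(why))
        if os.path.isfile(t.path):  # only real files can be hashed for VirusTotal
            print("    ", virustotal_url(sha256_file(t.path)))
```

Run it as root on the suspect Mac so that `codesign` can read every executable; on the constructed sample it flags `Crhome` (unusual path, imitates `Chrome`) and `xk3j9qz7` (unusual path, random-looking name) while leaving `launchd`, `Finder` and `Google Chrome` alone. The name heuristics are deliberately coarse: they are there to surface candidates for the manual review described above, not to replace it, and the printed VirusTotal URL is only a hash lookup, so the same privacy considerations about submitting samples apply.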
