Monitor.app records system activity using a kernel extension (kext). Its focus is on capturing the data that matters, with context. Events are presented in the UI with a rich search capability that lets users hunt through event data for areas of interest.
The goal of Monitor is simplicity. When Monitor is launched, the user is prompted for root credentials; these are used only to start a helper process and load our kext, and the main UI process does not run as root. From there, the user can click the start button and watch the events roll in.
The UI is sparse, with a few key features: a start/stop button, filter buttons, and a search bar. The search bar applies simple filters to the event stream, so the user can narrow the display to the event types or values they are looking for across all captured events. The event table lists the captured events Monitor can present to the user. The filter buttons turn off whole classes of events. For example, if a Time Machine backup kicks off while the user is analyzing a piece of malware, clicking the file system filter button hides the file write events so they do not clutter the display.
- Current Version: Monitor.app 1.0.6
- Release Date: March 31, 2017
- Supported Operating Systems: macOS 10.11, macOS 10.12
- File Size: 5.4 MB
- Integrity Hashes:
  - MD5: 3FDCBB3A8D1186BA95AD6F2628360841
  - SHA-1: A78210140F1563EBD14056F1B10DA9DCAB489166
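The integrity hashes above are only useful if they are actually checked before the download is opened or the kext is loaded. The script below is an added example, not part of the Monitor.app release or this page; it takes the path of the downloaded file as an argument (the archive's filename is not stated on the page, so it is an assumption) and compares its MD5 and SHA-1 against the published values, falling back from GNU coreutils to the BSD tools shipped with macOS to openssl depending on what is installed. The `digest` and `verify_hashes` function names are the example's own. Note that MD5 and SHA-1 are no longer collision resistant, so a match tells you the file is the one the publisher listed, not that the listing itself could not have been altered along with the file; a download served over HTTPS from the publisher's own site is the other half of that check.

```shell
#!/bin/sh
# Added example (not part of the Monitor.app page): verify a downloaded
# release against the MD5 and SHA-1 digests published alongside it.

# Print the hex digest of a file using ALGO (md5 or sha1), with whichever
# tool is present: GNU coreutils (Linux), BSD tools (macOS), or openssl.
digest() {
  d_algo=$1
  d_file=$2
  case $d_algo in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$d_file" | awk '{print $1}'
      elif command -v md5 >/dev/null 2>&1; then md5 -q "$d_file"
      else openssl dgst -md5 "$d_file" | awk '{print $NF}'
      fi ;;
    sha1)
      if command -v sha1sum >/dev/null 2>&1; then sha1sum "$d_file" | awk '{print $1}'
      elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$d_file" | awk '{print $1}'
      else openssl dgst -sha1 "$d_file" | awk '{print $NF}'
      fi ;;
    *) echo "unknown algorithm: $d_algo" >&2; return 2 ;;
  esac
}

# Compare FILE against both published digests (case-insensitive, since
# publishers print them in either case). Returns 0 only when both match
# and reports which digest failed otherwise.
verify_hashes() {
  v_file=$1
  want_md5=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  want_sha1=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  [ -f "$v_file" ] || { echo "no such file: $v_file" >&2; return 1; }
  got_md5=$(digest md5 "$v_file")
  got_sha1=$(digest sha1 "$v_file")
  v_status=0
  if [ "$got_md5" != "$want_md5" ]; then
    echo "MD5 mismatch: got $got_md5, expected $want_md5" >&2
    v_status=1
  fi
  if [ "$got_sha1" != "$want_sha1" ]; then
    echo "SHA-1 mismatch: got $got_sha1, expected $want_sha1" >&2
    v_status=1
  fi
  return $v_status
}

# Published digests for Monitor.app 1.0.6, copied from the release notes.
MONITOR_1_0_6_MD5=3FDCBB3A8D1186BA95AD6F2628360841
MONITOR_1_0_6_SHA1=A78210140F1563EBD14056F1B10DA9DCAB489166

# Usage: sh verify_monitor.sh /path/to/downloaded/file
# (the download's filename is not given on the page, so it is an argument here)
if [ -n "${1:-}" ]; then
  verify_hashes "$1" "$MONITOR_1_0_6_MD5" "$MONITOR_1_0_6_SHA1" \
    && echo "OK: $1 matches the published digests"
fi
```

Run it against the file you actually downloaded, before extracting or launching anything; a non-zero exit with a mismatch message means the file should be discarded and fetched again from the publisher.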