Monitor.app identifies system activities using a kernel extension
(kext). Its focus is on capturing data that matters, with context.
These events are presented in the UI with a rich search capability
allowing users to hunt through event data for areas of interest.
The goal of Monitor is simplicity. When launching Monitor, the user
is prompted for root credentials to launch a process and load our kext
(don’t worry, the main UI process doesn’t run as root). From there,
the user can click on the start button and watch the events roll in!
The UI is sparse with a few key features. There is the start/stop
button, filter buttons, and a search bar. The search bar allows us to
set simple filters on types of data we may want to filter or search
for over all events. The event table is a listing of all the events
Monitor is capable of presenting to the user. The filter buttons allow
the user to turn off some classes of events. For example, if a
TimeMachine backup were to kick off when the user was trying to
analyze a piece of malware, the user can click the file system filter
button and the file write events won’t clutter the display.
Current Version: Monitor.app 1.0.6
Release Date: March 31, 2017
- Supported Operating Systems: macOS 10.11, macOS 10.12
- File Size: 5.4 MB
- Integrity Hashes: