TERMSESSIONS
The TERMSESSIONS plugin collects terminal history and sessions from users. The plugin pulls the .sh_history file for the root and the .bash_history file from every user's profile folder. For macOS El Capitan and higher, it will also parse the bash session contained in the ~/.bash_sessions folder for each user. Read more about how this is interpreted here.
Since macOS Catalina (10.15), the default terminal now uses zsh instead of bash. This plugin will also pull its history files stored at ~/zsh_history . If zsh is set as the default shell, no bash_sessions are recorded. However, if you are using macOS Catalina upgraded from an older macOS, then by default, it will retain the old bash shell, and bash_sessions artifacts will be present.
This plugin does not support standalone mode.
$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 TERMSESSIONS
| Field Name | Notes |
|---|---|
| Source_Type | Bash_Session or Bash_History or Zsh_history |
| Session_Start | Timestamp when session (terminal) windows was launched |
| Session_End | Timestamp when session was closed |
| new_content | Content from this session |
| all_content | All previous session content + this session content |
| User | User who launched terminal |
| Session_GUID | UUID for session |
| Source | Source File |
Output shown above is incomplete.