Pro plugin

CoreAnalytics

Collects macOS CoreAnalytics program execution evidence, application usage metrics, system telemetry, and DiagnosticMessages from the analyticsd subsystem

system.coreanalyticsPromacOS 10.13+v1.0.0logsconfigmetadata

Run this plugin

Trigger collection for CoreAnalytics on its own with the --plugin flag, or include it in a wider sweep by category.

# Just this plugin
macfor-pro collect --plugin system.coreanalytics --output ./evidence.zip

# Dry run — list what would be collected
macfor-pro collect --plugin system.coreanalytics --dry-run

Compatibility

macOS 10.13+

Licensing: ships in the macfor-pro binary. See Community vs Pro.

Artifacts collected (12)

Each row corresponds to an entry in the plugin's artifacts.yaml manifest. Optional artifacts are skipped unless explicitly enabled.

logs

Artifact	Format	Path	Notes
CoreAnalytics App Usage ca_app_usage	jsonl	`/Library/Logs/DiagnosticReports/Analytics.core_analytics` +1 more /Library/Logs/DiagnosticReports/Retired/Analytics.core_analytics	Per-application usage records showing process name, bundle ID, launch count, uptime, and active time.
CoreAnalytics MAS App Usage ca_mas_app_usage	jsonl	`/Library/Logs/DiagnosticReports/Analytics*.core_analytics`	Mac App Store application usage records with identifier, version, and launch count.
CoreAnalytics System Usage ca_system_usage	jsonl	`/Library/Logs/DiagnosticReports/Analytics*.core_analytics`	System-wide usage records with uptime, active time, activations, and idle timeouts.
CoreAnalytics Events ca_events	jsonl	`/Library/Logs/DiagnosticReports/Analytics*.core_analytics`	Post-Catalina (10.15+) event records with variable schemas including power metrics, TLS events, and service activity.
CoreAnalytics Intervals App ca_intervals_app	binary_plist	`~/Library/Application Support/CrashReporter/Intervals_*.plist`	Cumulative per-application execution records with lifetime launch count, uptime, and active time.
CoreAnalytics Intervals System ca_intervals_system	binary_plist	`~/Library/Application Support/CrashReporter/Intervals_*.plist`	Cumulative system-wide usage record with boot count, uptime, and power time.
CoreAnalytics Aggregates ca_aggregates	json	`/private/var/db/analyticsd/aggregates/*`	In-progress aggregate data from analyticsd staging directory. Requires root access.
CoreAnalytics Crash Metadata ca_crash_metadata	binary_plist	`~/Library/Application Support/CrashReporter/_.plist`	Per-application last crash date and force-quit date from CrashReporter plists.
DiagnosticMessages ca_diagnostic_messages	binary	`/private/var/log/DiagnosticMessages/*.asl`	MessageTracer events from DiagnosticMessages ASL store including TLS, sync, and service activity. Requires root.

metadata

Artifact	Format	Path	Notes
CoreAnalytics Census ca_census	jsonl	`/Library/Logs/DiagnosticReports/Analytics-Census-*.core_analytics`	Weekly device census records with aggregation period, device ID, and opt-in status.

config

Artifact	Format	Path	Notes
CoreAnalytics Report Metadata ca_report_metadata	jsonl	`/Library/Logs/DiagnosticReports/Analytics*.core_analytics`	Report header and metadata with OS version, reporting period, rollover reason, and submission mode.
CoreAnalytics Configuration ca_config	binary_plist	`/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist` +1 more /private/var/db/analyticsd/Library/Preferences/com.apple.analyticsd.plist	Analytics configuration including sharing state, submission status, and device identity.