Although macOS now uses APFS rather than HFS+, there may be filesystem anti-forensics techniques analogous to Alternate Data Streams on NTFS volumes (on macOS, extended attributes and resource forks are the obvious candidates), by which an attacker could hide data or hide their presence on the filesystem.
Research and further detail are needed here to determine exactly what should be detected. This might build on issue #23.
The feasibility challenge is that any kind of whole-filesystem activity monitoring is prohibitively expensive in performance terms.
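As a starting point for what such detection could look like, here is an added example (not code from this project) that scans a directory tree for extended attributes, the closest macOS analogue of NTFS Alternate Data Streams, and flags attributes whose name is not one macOS itself writes routinely, or whose payload is large enough to be storage rather than metadata. The allowlist of "known" attribute names and the 4 KiB size threshold are assumptions chosen for illustration, not a vetted baseline. On Linux it uses `os.listxattr`/`os.getxattr`; on macOS, where CPython does not expose those calls, it parses the output of `ls -l@`, whose per-attribute lines are assumed to be an indented attribute name followed by its size.

```python
import os
import subprocess
import sys
from typing import Dict, List, Tuple

# Attribute names macOS writes on its own. Anything else is treated as "unknown".
# Illustrative allowlist for this example; a real deployment would baseline it.
KNOWN_MACOS_XATTRS = {
    "com.apple.FinderInfo",
    "com.apple.quarantine",
    "com.apple.ResourceFork",
    "com.apple.lastuseddate#PS",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:_kMDItemUserTags",
}

# Payload size (bytes) above which even a known attribute looks like hidden
# storage rather than metadata. Arbitrary threshold chosen for this example.
SIZE_THRESHOLD = 4096


def parse_ls_at_output(text: str) -> Dict[str, int]:
    """Parse `ls -l@` output from macOS into {attribute_name: size}.

    Assumed format: the file's own `ls -l` line, then one indented line per
    extended attribute of the form "<name> <size>".
    """
    attrs: Dict[str, int] = {}
    for line in text.splitlines():
        if not line[:1].isspace():
            continue  # the file entry itself, not an attribute line
        parts = line.split()
        if len(parts) >= 2 and parts[-1].isdigit():
            attrs[parts[0]] = int(parts[-1])
    return attrs


def list_xattrs(path: str) -> Dict[str, int]:
    """Return {attribute_name: payload_size} for one file.

    Linux: os.listxattr/os.getxattr. macOS: fall back to parsing `ls -l@`.
    A filesystem without xattr support simply yields an empty mapping.
    """
    if hasattr(os, "listxattr"):
        try:
            return {name: len(os.getxattr(path, name)) for name in os.listxattr(path)}
        except OSError:
            return {}
    out = subprocess.run(["ls", "-l@", path], capture_output=True, text=True, check=True)
    return parse_ls_at_output(out.stdout)


def classify_xattrs(attrs: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (name, size, reason) for every attribute worth a second look."""
    findings: List[Tuple[str, int, str]] = []
    for name, size in attrs.items():
        if name not in KNOWN_MACOS_XATTRS:
            findings.append((name, size, "unknown attribute name"))
        elif size > SIZE_THRESHOLD:
            findings.append((name, size, "known attribute with oversized payload"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, int, str]]:
    """Walk `root` and return (path, attribute, size, reason) for suspicious attributes."""
    results: List[Tuple[str, str, int, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p):
                continue  # don't follow symlinks out of the scanned tree
            for name, size, reason in classify_xattrs(list_xattrs(p)):
                results.append((p, name, size, reason))
    return results


if __name__ == "__main__":
    for path, name, size, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{name}\t{size}\t{reason}")
```

Because this is a periodic scan of a chosen subtree rather than live monitoring, it sidesteps the whole-filesystem performance problem at the cost of only catching what is still present when it runs.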