Mac Evaluation Utility for macOS DFIR and Malware Analysis
- malwr4n6
- Mar 16
- 3 min read
Updated: Mar 17
![Mac Evaluation Utility [MEU]](https://static.wixstatic.com/media/8faeda_0133775fb5cc4b43b1cecd9c50a43005~mv2.png/v1/fill/w_274,h_280,al_c,q_85,enc_avif,quality_auto/8faeda_0133775fb5cc4b43b1cecd9c50a43005~mv2.png)
Background:
During the beta testing phase of macOS Sequoia with AppleSeed for IT, I discovered this intriguing application called "Mac Evaluation Utility". This app, which I had never encountered before, was not only functional but also offered features that seemed to be very useful for DFIR and Malware Analysis.
Overview of Mac Evaluation Utility
According to Apple's official documentation on MEU:
Mac Evaluation Utility evaluates your organization’s ability to deploy Mac computers. The app checks the network to help verify that critical hosts and services are reachable for essential services like Automated Device Enrollment and software updates. It also examines the device’s management configuration to help make sure you're aligned with best practices. The results can be shared with colleagues to help you build a plan to succeed at deploying Mac computers at scale.

Once the test has run, you will see output like Fig 2 and Fig 3 below. There are two tabs: Overview and Results.
The Overview tab shows the results in a clean user interface organised into broad categories.

The Results tab shows a more detailed view of the specific outcome of each test, as shown in Fig 3 and Fig 4.


How can MEU aid in DFIR and Malware Analysis?
- It provides a quick snapshot of the macOS environment.
- Although originally designed for macOS admins, it offers many features useful for DFIR and malware analysis.
DFIR Use cases:
The report can be extremely helpful in a forensic and incident response setting to get a snapshot of the macOS host, as it provides crucial information such as:
- Applications
- Persistence
- System Settings and Preferences
- Network Information
- Bonjour Services
- MDM related details
- Management information, to get an idea of which features are turned on in macOS, such as:
  - Apple Intelligence
  - Security
  - Gatekeeper
  - iPhone Mirroring
  - FileVault status
  - Guest User Config
  - Gatekeeper Status
  - SIP status
Malware Analysis Use Cases:
- Capture/export reports at two points and compare them to identify how the suspicious software changed macOS (think of this as RegShot for registry analysis on Windows):
  - Before execution of the malware
  - After dynamic execution of the malware
- Shows the status of:
  - Applications:
    - Notarized Applications
    - Unsigned Applications
    - Non-universal Binaries
  - Persistence:
    - Launch Agents
    - Launch Daemons
    - Login Items
    - Kernel Extensions
    - Third-Party KEXTs
    - System Extensions
  - Network Information:
    - Public IP
    - Public DNS Domain
    - Private IP
    - Host File Status
[Images: MEU DFIR and Malware Analysis Use Cases]
MEU Pros:
- Provided by Apple
- It is super fast and free!
  - Results in under a minute :)
- Great and easy to use UI
  - Provides a better UI compared to System Information.app
- When you click on a result category, it gives a good description of what the check is about and which command you can run in the macOS Terminal to fetch the same details
  - I absolutely love this!
- Data is exported in a comprehensive manner and in different formats, such as:
  - MEU
    - Can only be imported and opened in the Mac Evaluation Tool (MEU) application
  - JSON
  - CSV
  - PDF
MEU Cons:
- Only available to beta testers! :(
  - You can obtain it by enrolling your Apple Account in the AppleSeed program, or from VirusTotal
- There is no Find/Search functionality
- Lacks essential details available in System Information.app, such as:
  - Installed applications and when each was installed
  - Firewall status
  - Extensions
  - Logs!
  - Printers
  - Profiles
- No integration with Apple Intelligence yet :(
  - This would have been a very cool feature if enabled
- Report comparison not available
  - This would be extremely useful in macOS malware analysis: what changes were seen after a suspicious file/binary was executed on the machine? That question could then be easily answered
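The before/after comparison described under the malware analysis use cases is exactly what the missing report-comparison feature would provide, so here is an added example (not code from the post or from Apple's utility) that diffs two exported snapshots. It assumes each export has been reduced to a JSON object mapping a category to either a list of entries (persistence items, applications) or a key/value map (security settings); that layout and the sample entries are constructed for the demo, not MEU's documented export format.

```python
import json

# Constructed "before" snapshot: category -> list of entries or key/value map.
# This layout is an assumption for the demo, not MEU's documented JSON export.
BEFORE_JSON = """{
  "Launch Agents": ["com.apple.example.agent"],
  "Launch Daemons": ["com.vendor.updater"],
  "Login Items": [],
  "Unsigned Applications": [],
  "Security": {"SIP status": "enabled", "Gatekeeper": "enabled", "FileVault": "on"}
}"""
# Constructed "after" snapshot, taken once the sample has been run.
AFTER_JSON = """{
  "Launch Agents": ["com.apple.example.agent", "com.sample.persist"],
  "Launch Daemons": ["com.vendor.updater"],
  "Login Items": ["Helper.app"],
  "Unsigned Applications": ["/Users/analyst/Downloads/Sample.app"],
  "Security": {"SIP status": "enabled", "Gatekeeper": "disabled", "FileVault": "on"}
}"""

def diff_snapshots(before, after):
    """List categories (persistence, applications) report added/removed entries;
    map categories (security settings) report keys whose value changed.
    Categories with no difference are omitted from the report."""
    report = {}
    for cat in sorted(set(before) | set(after)):
        old, new = before.get(cat), after.get(cat)
        if isinstance(old, dict) or isinstance(new, dict):
            old, new = old or {}, new or {}
            changed = {k: (old.get(k), new.get(k))
                       for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
            if changed:
                report[cat] = {"changed": changed}
        else:
            old_set, new_set = set(old or []), set(new or [])
            added, removed = sorted(new_set - old_set), sorted(old_set - new_set)
            if added or removed:
                report[cat] = {"added": added, "removed": removed}
    return report

def diff_exports(before_text, after_text):
    """Parse two JSON exports and return the per-category change report."""
    return diff_snapshots(json.loads(before_text), json.loads(after_text))

if __name__ == "__main__":
    for category, delta in diff_exports(BEFORE_JSON, AFTER_JSON).items():
        print(f"{category}: {delta}")
```

Unchanged categories drop out of the report, so the output is only the new persistence entries, the new unsigned application and the Gatekeeper setting that flipped.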
Conclusion:
Mac Evaluation Tool is a treasure trove of data for macOS DFIR and Malware Analysis but should be used alongside System Information.app output.
However, I still don't understand why this app has been kept hidden from the general public and is only available to a select group of beta testers.
It raises questions about the decision-making process behind its limited accessibility. Is there a concern regarding its stability or performance that the developers are still addressing? Or perhaps they are looking to gather more feedback from a controlled group of users before launching it to a broader audience?
The secrecy surrounding this application is puzzling, especially considering the potential benefits it could bring to everyday users who are eager for innovative tools. The anticipation builds as I wonder when, or if, this app will finally be unveiled to the wider macOS community, allowing more users to experience its unique functionalities and advantages.