This 1+ minute video introduces the concept of provenance chains, tracking how one instance of the GoogleUpdater program got started.

Audio transcript:

Software updates and software builds produce wonderfully long provenance chains, where process A creates process B, process B creates process C, and so on.

I’ve selected an execution of the GoogleUpdater program with its many arguments.

Down below is the provenance chain that eventually created this execution.

It begins at the top with the first process, launchd, forking itself, followed by this new process executing the program xpcproxy.

At the bottom, the 18th event in the provenance chain, is the execution of the GoogleUpdater program, the one selected in the list above.

Whether you are a student learning about computers, a system administrator responsible for keeping a computer running smoothly, a cybersecurity investigator needing to know what is running on a computer and how any suspicious process got started, or just a person curious to know how computers work, discovering these provenance chains can provide you with valuable knowledge of what is happening behind the scenes on your computer.

Download the program:

The Mac app used for this video is Ennetix xTend with then endpoint system extension added. Both Ennetix xTend and Ennetix Endpoint are free.

Download Ennetix xTend from the Apple App Store.

Download Ennetix Endpoint from the Ennetix web site (in Section 2.1).