The Basic Security Module (BSM) is the native auditing framework in macOS, inherited from Sun's Solaris and BSD. It is designed to log a wide range of system-level events, including file access, process execution, and authentication attempts, for security and forensic purposes. BSM writes these events to a log file in a specific binary format. Each log entry, or record, is composed of a series of structures called "tokens." Each token represents a specific attribute of the event, such as the user ID, process ID, file path, or return value of a system call. This tokenized binary structure provides a detailed and tamper-evident audit trail.

A. Command-line inputs: These are typically stored in plain-text shell history files (e.g., .zshhistory, .bashhistory), not a binary format using tokens.

B. User account: This is a broad category representing user data and settings, not a specific logging mechanism that uses a binary token structure for events.

D. Kexts: Kernel Extensions (Kexts) are modules of code, akin to drivers, that extend the functionality of the macOS kernel. They are executable files, not event logs.

1. Apple, Inc. (2019). audit(4) Mac OS X Manual Page. This official developer documentation describes the BSM audit record format. It states, "The audit trail is a sequence of audit records. Each audit record is composed of one or more tokens..." It further details the binary structure of these tokens. (Available via the man audit command on macOS or online developer archives).

2. Casey, E., & Soules, G. (2011). Leveraging the Basic Security Module for Real-Time Forensics on Mac OS X. Digital Investigation, 8(Supplement), S38-S47. This peer-reviewed paper from the Digital Forensic Research Workshop (DFRWS) explicitly details the BSM's architecture. Section 3, "The Basic Security Module," explains, "BSM audit records are composed of a series of tokens... Each token has a type identifier and contains data specific to that type." (DOI: https://doi.org/10.1016/j.diin.2011.05.006)

3. Champlain College. (n.d.). CFS 410: Mac & Mobile Device Forensics Course Syllabus. University courseware for advanced digital forensics frequently covers BSM. Syllabi and lecture notes from such courses describe BSM as the primary low-level auditing mechanism on macOS, emphasizing its binary and tokenized log structure as a critical source of forensic evidence. (Specific course materials often reference BSM's role in system event logging).