According to the CHFI v11 Operating System Forensics curriculum, understanding the macOS boot process is essential for identifying boot-level attacks, rootkits, and system tampering. The Macintosh boot sequence follows a clearly defined order, and each stage plays a critical role in system initialization.
The process begins with BootROM, which performs initial hardware checks and firmware validation. On Intel-based Macs, BootROM invokes EFI (Extensible Firmware Interface), which initializes hardware interfaces and locates a valid boot loader. Once this phase is complete, control is handed over to the boot loader, either BootX (on older PowerPC systems) or boot.efi (on Intel-based systems).
After the boot loader takes control, the next step is loading the pre-linked kernel. The boot loader loads a pre-linked kernel image, which includes the macOS kernel (XNU) along with essential kernel extensions (kexts) required for hardware and system functionality. CHFI v11 highlights this step as crucial because any compromise here can allow attackers to execute malicious code before user-level security controls are enforced.
The other options represent stages that occur earlier in the boot process. EFI initialization and OS selection happen before the boot loader stage, while BootROM activation is the very first step.
Therefore, in strict alignment with CHFI v11 operating system boot sequence documentation, the correct next step after the boot loader is that it loads a pre-linked version of the kernel, making Option B the correct answer.