Mac OS X Forensics

Never give up, the answer is right in front of you...

Our Sponsors
Custom Search

only MacOSXForensics.com

Amazon Macintosh Deals

Initial Data Gathering

Every Macintosh examination involves looking at the data in a unique manner that likely leads the analyst down a new path each time. Yet, we can usually say that each examination will have a set of data that gathered each time for presentation to go along with the case at hand. This section is meant to present areas of the OS X structure where you can find data for presentation in your cases that many times apply in all circumstances.

Sponsored Advertisement

Operating System Installation Date

/var/log/OSInstall.custom

Operating System Version

/System/Library/CoreServices/SystemVersion.plist (OS X Client)
/System/Library/CoreServices/ServerVersion.plist (OS X Server)

Last Software Update

/Library/Preferences/com.apple.SoftwareUpdate.plist

Registation Information during Operating System Installation

/var/db/.AppleSetupDone

Current Time Zone

/etc/localtime (link file pointing to current time zone) OR
/Library/Preferences/.GlobalPreferences.plist

Auto-Login and Last Login User Info

/Library/Preferences/com.apple.loginwindow.plist

Deleted Users

/Library/Preferences/com.apple.preferences.accounts.plist

Home Folders

/Users/username

Attached Media

/Users/username/Library/Preferences/com.apple.sidebarlists.plist - history of attached media, volumes devices, etc.

iPhone/iPod

/Library/Preferences/com.apple.iPod.plist - history of iPhone and iPod connectivity

User Auto-Launch Items

/Users/username/Library/Preferences/loginwindow.plist

Network Settings

/Library/Preferences/com.apple.alf.plist - Firewall Settings
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist - Airport (Wireless) Settings
/Library/Preferences/SystemConfiguration/com.apple.nat.plist - Internet Sharing Settings
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist - Historical Network TCP/IP Assignments with Timestamps
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist - Onboard Interfaces
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist - Network Configuration for each interface

Screen Sharing

~/Library/Application Support/Screen Sharing

Bluetooth History

/Library/Preferences/com.apple.Bluetooth.plist

Instant Messaging

/Library/Preferences/com.apple.iChat.AIM.plist
/Library/Preferences/com.apple.iChat.plist
/Library/Preferences/com.apple.iChat.SubNet.plist
/Users/username/Library/Preferences/com.aol.aim.plist
/Users/username/Library/Preferences/com.adiumX.adiumX.plist
/Users/username/Library/Preferences/com.apple.iChat.AIM.plist
/Users/username/Library/Preferences/com.apple.iChat.plist
/Users/username/Library/Preferences/com.apple.SubNet.plist
/Users/username/Library/Preferences/com.skype.skype.plist
/Users/username/Library/Preferences/com.yahoo.messenger3.plist
/Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist

Peer to Peer

/Users//Library/Preferences/Limewire/*

Safari

/Users/username/Library/Safari/Bookmarks.plist - User's Bookmarks
/Users/username/Library/Safari/Downloads.plist - Contents of the user's Downloads window in Safari
/Users/username/Library/Safari/History.plist - Safari browser history
/Users/username/Library/Safari/LastSession.plist - defines the last browsing session (window and tabs that were open)

Log Files

/var/log/*
/Users/username/Library/Logs/*

Sleep File and Virtual Memory

/var/vm/sleepimage
/var/vm/swapfile0