Snow Leopard - Put Back
Snow Leopard has introduced a feature that is not new in
general, yet is new to Mac OS X. "Put Back" in OS X 10.6
allows a user to delete a file to the Trash and recover the
same file from the Trash to its original location with a
simple Right-Click (Control-Click). Windows users have had
this type of feature for years, and digital investigators
have become very accustomed to looking for the INFO2 records.
On a Mac running OS X 10.6, here is how it all works. A
user's Trash starts out empty. Let's look at that from a
Terminal view since Terminal will allow for a view of hidden
files as well.
Terminal View of User's Trash When Empty
Next, a user places a file into the Trash by either 'Drag
& Drop' in the Finder or a Right-Click (Control-Click) in
the Finder. Notice how "in the Finder" is stressed. The
delete must take place through the Finder and not another
application or the Terminal. Let's look at the contents of
the Trash now with a sample deleted file, "Test FIle.rtf".
Terminal View of User's Trash with 1 deleted file
Notice now how a hidden file has been created automatically,
".DS_Store". This file is not new to OS X users. It has
traditionally kept information about folders such as icon
location or other view settings. In the case of the Trash, it
has now taken on a new role. This file now contains the
information of where the deleted file came from. Let's take a
look at the contents of ".DS_Store" using the great
application 0xED.
".DS_Store" contents after a file has been deleted
From this view, we can see that the user 'moof' deleted the
file from his Desktop by reading the Unicode path. This file
would contain other paths and names of files if others had
been deleted. Unlike a Windows INFO2 file, it contains no
dates or times. If the user goes into the Trash and selects
to 'Put Back' this file, the file goes back to its original
location. The ".DS_Store" file is not deleted, however, as
seen in this next view.
Terminal View of User's Trash after Put Back
However, the contents of the ".DS_Store" file have been
altered and do not contain the path to this file anymore.
".DS_Store" contents after a file has been Put Back
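The Unicode path read by eye in the hex view above can also be carved out programmatically. The following is an added example, not code from the original article: it scans raw ".DS_Store" bytes for put-back records, assuming the record layout and the `ptbL` / `ptbN` record codes described in third-party reverse-engineering notes on the format (neither is shown on this page). The sample bytes are constructed.

```python
import struct
import sys

# Assumed record codes (from third-party format notes, not from this article).
CODES = {b"ptbL": "put_back_location", b"ptbN": "put_back_name"}

def _ustr(buf, off):
    """Read a u32-length-prefixed UTF-16BE string; return (text, end) or None."""
    if off + 4 > len(buf):
        return None
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + 2 * n
    if not 0 < n <= 1024 or end > len(buf):
        return None
    try:
        return buf[off + 4:end].decode("utf-16-be"), end
    except UnicodeDecodeError:
        return None

def carve_put_back(buf):
    """Scan every offset for <name><code>'ustr'<value>; key results by Trash name."""
    found = {}
    for off in range(len(buf) - 16):
        name = _ustr(buf, off)
        if name is None:
            continue
        text, p = name
        code, dtype = buf[p:p + 4], buf[p + 4:p + 8]
        value = _ustr(buf, p + 8) if code in CODES and dtype == b"ustr" else None
        if value:
            found.setdefault(text, {})[CODES[code]] = value[0]
    return found

def _rec(name, code, value):
    """Build one constructed record for the demo input."""
    enc = lambda s: struct.pack(">I", len(s)) + s.encode("utf-16-be")
    return enc(name) + code + b"ustr" + enc(value)

# Constructed sample bytes, not a real .DS_Store.
SAMPLE = (b"\x00\x00\x00\x01Bud1" + b"\x00" * 24
          + _rec("Test FIle.rtf", b"ptbL", "Users/moof/Desktop/")
          + _rec("Test FIle.rtf", b"ptbN", "Test FIle.rtf"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for trash_name, info in carve_put_back(data).items():
        print(trash_name, info)
```

Run it against a working copy of the Trash's ".DS_Store" rather than the original file.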
A few very interesting notes on this article:
- It took quite a bit of testing for what seems to be
such a simple concept. While testing OS X 10.6 (not 10.6.1)
I had varying results with 1 of my Mac test machines. One
Mac would not "forget" the paths of files that had been
deleted or Put Back in the ".DS_Store". This could be great
news for digital analysis. I cannot replicate this error
under OS X 10.6.1.
- I found under 10.6 that even on the Macs that would
"forget" the paths of files that were deleted or Put Back,
it would take a Reboot for this to occur. This leads me to
think it could be EXTREMELY important for you to consider
adding to your Live Analysis procedures, making a copy of
the ".DS_Store". The file contents contained valuable
information prior to Reboot or Shut Down.