Mac Forensic Artifacts

Below are a list of forensic artifacts for Mac devices, categorized by file location

*This is a running list of notes gathered based on experience investigating devices. This is very much an incomplete collection of artifacts*

Epoch Time = seconds since 1/1/1970

Mac Epoch Time = seconds since 1/1/2001

Difference = 978307200 seconds

mac time + 978307200 = epoch time

  • ~/System/Library/CoreServices/
    • SystemVersion.plist
      • ProductVersion: Operating System version.
        • 10.10.x  = Yosemite
        • 10.9.x = Mavericks
        • 10.8.x = Mountain Lion
        • 10.7.x = Lion
        • 10.6.x = Snow Leopard
  •  ~/Users/user/Library/Preferences
    • com.apple.finder.plist
      • FXDesktopVolumePositions – list of volume names
      • FXRecentFolders – string name for 10 most recent folders
    • com.apple.recentitems.plist
      • RecentApplications: CustomListItems contains 10 most recent applications
        • Application names
      • RecentDocuments: CustomListItems contains 10 most recent Documents
        • File names
      • RecentServers: CustomListItems contains 10 most recent connected servers
        • Server names
    • com.apple.sidebarlists.plist
      • FavoriteItems: Shares/Folders/Drives listed in “Favorites” in Finder
        • Names of items
      • FinderProjects: Tag colors
        • Red, Orange, Yellow, Green, Blue, Purple, Gray, Work, Home, Important
      • SystemItems > VolumesList: Mounted volumes
        • Volume names
    • com.apple.Safari.plist
      • DownloadsPath: Default location of downloaded files
      • HomePage: Default homepage settings
      • LastOSVersionSafariWasLaunchedOn: Version number
      • RecentSearchedStrings: recent strings searched in Address Bar
      • SuccessfulLaunchTimestamp: Last time Safari was launched successfully in Epoch time
  • ~/Users/user/Library/Safari
    • Browsing History
      • History.plist (10.9 and below)
      • History.db (10.10 and later)
        • Opened in a SQLite browser
        • History_items: Each URL visited, domain, and its associated ID #
        • History_Visits: Mac Epoch time associated with with history_item ID #
          • Need to associate history_item ID number in this table with the entry in History_items table to determine timestamps of visits
  • ~/.fseventsd
    • File system events daemon
    • System process that is responsible for handling changes to the file system
    • Writes file system event log files and monitors file system changes
    • /.fseventsd is a staging or buffer area
    • http://techblog.willshouse.com/2011/05/05/what-is-fseventsd/
  • ~/private/var/log
    • system.log
      • Logs all kernel related messages
      • Archives to compressed folders – .bx2 extensions
      • Old system log archived 12:30am local time if machine is left on at that time
      • Not comprehensive log
    • fsck_hfs.log
      • Shows disks/partitions mounted (no volume names)
      • Timestamps available (not Epoch in Plist Editor Pro)
      • i.e. /dev/rdisk3s2
    • hdieject.log
      • Limited eject notices for drives
      • can tie disks/partitions to volume names, but not for all instances
      • Timestamps available
  • ~/Library/Logs
    • DiskUtility.log
      • Individual user records for Disk Utility
      • Does not show every mount
      • Times of drives erased/renamed etc. in Disk Utility
      • Occasionally shows Volume names if logging the drive being renamed

Leave a Reply

Your email address will not be published. Required fields are marked *