Tag Archives: Mac

Mac Forensic Artifacts

Below is a list of forensic artifacts for Mac devices, categorized by file location.

*This is a running list of notes gathered based on experience investigating devices. This is very much an incomplete collection of artifacts*

Epoch Time = seconds since 1/1/1970

Mac Epoch Time = seconds since 1/1/2001

Difference = 978307200 seconds

mac time + 978307200 = epoch time

  • ~/System/Library/CoreServices/
    • SystemVersion.plist
      • ProductVersion: Operating System version.
        • 10.10.x  = Yosemite
        • 10.9.x = Mavericks
        • 10.8.x = Mountain Lion
        • 10.7.x = Lion
        • 10.6.x = Snow Leopard
  • ~/Users/user/Library/Preferences
    • com.apple.finder.plist
      • FXDesktopVolumePositions – list of volume names
      • FXRecentFolders – string name for 10 most recent folders
    • com.apple.recentitems.plist
      • RecentApplications: CustomListItems contains 10 most recent applications
        • Application names
      • RecentDocuments: CustomListItems contains 10 most recent Documents
        • File names
      • RecentServers: CustomListItems contains 10 most recent connected servers
        • Server names
    • com.apple.sidebarlists.plist
      • FavoriteItems: Shares/Folders/Drives listed in “Favorites” in Finder
        • Names of items
      • FinderProjects: Tag colors
        • Red, Orange, Yellow, Green, Blue, Purple, Gray, Work, Home, Important
      • SystemItems > VolumesList: Mounted volumes
        • Volume names
    • com.apple.Safari.plist
      • DownloadsPath: Default location of downloaded files
      • HomePage: Default homepage settings
      • LastOSVersionSafariWasLaunchedOn: Version number
      • RecentSearchedStrings: recent strings searched in Address Bar
      • SuccessfulLaunchTimestamp: Last time Safari was launched successfully in Epoch time
  • ~/Users/user/Library/Safari
    • Browsing History
      • History.plist (10.9 and below)
      • History.db (10.10 and later)
        • Opened in a SQLite browser
        • History_items: Each URL visited, domain, and its associated ID #
        • History_Visits: Mac Epoch time associated with a history_item ID #
          • Need to associate history_item ID number in this table with the entry in History_items table to determine timestamps of visits
  • ~/.fseventsd
    • File system events daemon
    • System process that is responsible for handling changes to the file system
    • Writes file system event log files and monitors file system changes
    • /.fseventsd is a staging or buffer area
    • http://techblog.willshouse.com/2011/05/05/what-is-fseventsd/
  • ~/private/var/log
    • system.log
      • Logs all kernel related messages
      • Archives to compressed files – .bz2 extension
      • Old system log archived 12:30am local time if machine is left on at that time
      • Not comprehensive log
    • fsck_hfs.log
      • Shows disks/partitions mounted (no volume names)
      • Timestamps available (not Epoch in Plist Editor Pro)
      • e.g. /dev/rdisk3s2
    • hdieject.log
      • Limited eject notices for drives
      • can tie disks/partitions to volume names, but not for all instances
      • Timestamps available
  • ~/Library/Logs
    • DiskUtility.log
      • Individual user records for Disk Utility
      • Does not show every mount
      • Times of drives erased/renamed etc. in Disk Utility
      • Occasionally shows Volume names if logging the drive being renamed
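The History.db join described above (history_visits back to history_items) together with the Mac Epoch conversion from the top of these notes, as an added example that is not part of the original notes. The table and column names (history_items.url, history_visits.history_item, history_visits.visit_time) are assumptions based on the common Safari layout; confirm them with `.schema` against the real file. The database here is constructed in memory.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the Mac absolute epoch (2001-01-01) and the Unix epoch (1970-01-01)
MAC_EPOCH_OFFSET = 978307200


def mac_time_to_utc(mac_seconds: float) -> datetime:
    """mac time + 978307200 = epoch time; return it as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(mac_seconds + MAC_EPOCH_OFFSET, tz=timezone.utc)


def build_sample_history_db() -> sqlite3.Connection:
    """Constructed stand-in for ~/Library/Safari/History.db (10.10 and later).

    Column names are assumptions modelled on the usual Safari schema, not copied
    from a real device. visit_time is stored as Mac-epoch seconds (REAL).
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT,
                                    domain_expansion TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.com/', 'example', 2);
        INSERT INTO history_items VALUES (2, 'https://example.org/login', 'example', 1);
        INSERT INTO history_visits VALUES (1, 1, 386000000.5, 'Example');
        INSERT INTO history_visits VALUES (2, 2, 386003600.0, 'Login');
        INSERT INTO history_visits VALUES (3, 1, 386007200.0, 'Example');
    """)
    return con


def visits_with_timestamps(con: sqlite3.Connection):
    """Associate each visit with its URL via history_visits.history_item = history_items.id
    and convert the Mac-epoch visit_time to UTC. Returns (url, title, datetime) tuples,
    oldest first."""
    rows = con.execute("""
        SELECT i.url, v.title, v.visit_time
        FROM history_visits AS v
        JOIN history_items AS i ON v.history_item = i.id
        ORDER BY v.visit_time
    """).fetchall()
    return [(url, title, mac_time_to_utc(t)) for url, title, t in rows]


if __name__ == "__main__":
    for url, title, when in visits_with_timestamps(build_sample_history_db()):
        print(when.isoformat(), url, title)
```

To run it against an evidence copy, replace `sqlite3.connect(":memory:")` with the path to the copied History.db (never the live file) and drop the constructed inserts.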

Mac OS X Internet History

As most forensicators would agree, index.dat files are an extremely valuable Windows artifact in an investigation. These files store all sorts of internet browsing history from Internet Explorer, as well as where a user browsed within directories on the device using Windows Explorer. Even after clearing the internet history, emptying the cache, and removing cookies in Internet Explorer, the records of where a user surfed on the internet remain stored within the file.

Even though Windows operating systems are still the most prevalent, what is the equivalent on Mac operating systems, which are quickly becoming just as popular? The sad revelation (in my mind) is that there is no exact equivalent of an index.dat file on a Mac. For Safari, internet browsing history is stored in a plist (a property list file that stores application information) within the user's library. This plist is located at:

/username/Library/Safari/History.plist

*One commonality between index.dat files and history.plist is that they are both stored locally under the user's profile.*

To view plist files, I use a program called PlistEditor Pro, which is a standalone version of the tool that is integrated with the Xcode 4 developer application.

Once Xcode 4 is installed, navigating to the history.plist file and double-clicking it will automatically open the file in the PlistEditor. Under "WebHistoryDates" will be each entry in the browser history.

The history.plist files are read in chronological order from the bottom to the top, meaning that the top entry (Item 0) is the most recently visited website.

Expanding each item in the history will show its contents.

As you can see, the browsing history is displayed. By default, though, the LastVisitedDate is displayed as a string. This can be changed by clicking "String" next to the value and selecting "Date".


Doing this for each entry converts the timestamps into date/time format.
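The same conversion done programmatically over a History.plist, as an added example that is not part of the original post: the constructed sample below assumes the layout the post describes, a WebHistoryDates array of per-site dictionaries in which the URL sits under an empty-string key and lastVisitedDate is a string of Mac-epoch seconds (that empty key and the title/visitCount fields are assumptions to verify against a real file).

```python
import plistlib
from datetime import datetime, timezone

# Seconds between the Mac absolute epoch (2001-01-01) and the Unix epoch (1970-01-01)
MAC_EPOCH_OFFSET = 978307200

# Constructed stand-in for /username/Library/Safari/History.plist (10.9 and below).
# Item 0 is the most recently visited site, as the post notes.
SAMPLE_HISTORY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>WebHistoryDates</key>
  <array>
    <dict><key></key><string>https://example.org/login</string>
          <key>lastVisitedDate</key><string>386007200.0</string>
          <key>title</key><string>Login</string>
          <key>visitCount</key><integer>1</integer></dict>
    <dict><key></key><string>https://example.com/</string>
          <key>lastVisitedDate</key><string>386000000.5</string>
          <key>title</key><string>Example</string>
          <key>visitCount</key><integer>3</integer></dict>
  </array>
</dict></plist>"""


def mac_time_to_utc(mac_seconds: float) -> datetime:
    """Mac-epoch seconds + 978307200 = Unix epoch seconds; return a UTC datetime."""
    return datetime.fromtimestamp(mac_seconds + MAC_EPOCH_OFFSET, tz=timezone.utc)


def parse_history_plist(data: bytes) -> list:
    """Return one dict per WebHistoryDates entry with lastVisitedDate converted to UTC.
    Entries keep plist order, so index 0 is the most recent visit."""
    root = plistlib.loads(data)
    entries = []
    for item in root.get("WebHistoryDates", []):
        entries.append({
            "url": item.get(""),                # URL lives under the empty-string key
            "title": item.get("title"),
            "visit_count": item.get("visitCount"),
            "last_visited": mac_time_to_utc(float(item["lastVisitedDate"])),
        })
    return entries


def is_most_recent_first(entries: list) -> bool:
    """Check the post's ordering claim: timestamps never increase down the list."""
    times = [e["last_visited"] for e in entries]
    return all(a >= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for e in parse_history_plist(SAMPLE_HISTORY_PLIST):
        print(e["last_visited"].isoformat(), e["url"], e["title"], e["visit_count"])
```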

One flaw (forensically speaking) of this plist file is that, unlike the index.dat files, the history.plist file gets cleared when the browsing history is cleared from Safari. Because of this, a lot of valuable data can be lost. When a user is in Safari and goes to History > Clear History (the easy way to clear browsing history), there are still some artifacts left behind that investigators can use to determine other sites that were browsed before the history was cleared. One of these artifacts is the Cache.

One method is to carve deleted browsing history from unallocated space. More details on this methodology can be found on Richard Drinkwater's blog.

Cached entries are located at /username/Library/Caches/com.apple.Safari, where there is a Cache.db (SQLite database file) and a folder called "Webpage Previews". The Webpage Previews folder will contain snapshots of webpages that were previewed even before the browser history was cleared.

Opening the Cache.db file is a bit different. The program I like best for opening these on a Mac is called File Juicer, which will parse this database file and display its contents, including a range of image files, HTML files, JavaScript files, and text files.


In my opinion, analyzing the web browsing history on a Mac operating system can be much more work-intensive than analyzing an index.dat file, seeing as an investigator has to look in multiple places on a Mac device to find the same information that can be found in the index.dat. Having learned forensics on Windows devices, I was surprised to find that deleted browsing history is not normally kept on the device. On the other hand, when I mentioned this topic to a coworker, he was surprised that Windows actually kept that information.

If anyone has any further guidance or comments, please feel free to post. Mac analysis is extremely new to me, but what I've found so far is extremely interesting.