Artifacts

Mac OS X User Preference Settings


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X User Preference Settings
Artifact Description
Num. 1 is the directory containing user preference settings for applications and utilities.

Num. 3 is the plist containing the names of volumes mounted on the desktop that have appeared in the sidebar list.

Num. 4 is the Global Preferences plist.

Num. 5 contains directories, files, and apps that have appeared in the Dock.

Num. 6 contains the list of attached iDevices.

Num. 7 is the SQLite database that keeps track of files that have the quarantine extended attribute, which is given to applications, scripts, and executables downloaded from potentially untrustworthy locations or people. The SQLite database contains URLs, email addresses, email subjects, and other potentially useful information.
File Locations
1) User preferences directory
– %%users.homedir%%/Library/Preferences/*


2) iCloud user preferences
– %%users.homedir%%/Library/Preferences/MobileMeAccounts.plist


3) Sidebar Lists Preferences
– %%users.homedir%%/Preferences/com.apple.sidebarlists.plist


4) Global Preferences
– %%users.homedir%%/Library/Preferences/.GlobalPreferences.plist


5) Dock database
– %%users.homedir%%/Library/Preferences/com.apple.Dock.plist


6) Attached iDevices
– %%users.homedir%%/Library/Preferences/com.apple.iPod.plist


7) Quarantine Event Database
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artifacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once and the output is reused everywhere.

 
