Artifacts

Archive for the ‘OSX’ Category


OS X Lion Artifacts

Posted by:  /  Tags: , , ,

Author Name
Sean Cavanaugh – AppleExaminer

Artifact Name
OS X Lion Artifacts

Description
Sean Cavanaugh of AppleExaminer.com maintains a Google Spreadsheet at the link listed below. Since this list is community driven and may change, it is not republished here, however, here is a spreadsheet containing the artifacts as of 11-26-11. This list contains artifacts of User Directories, Safari, Mail, iChat, iPhoto, iTunes, Photo Booth, Address Book, Spotlight, RSS, Saved Application State, Preferences, Autorun Locations, Recent Items, browsers, and specific applications.

 

Research Links
https://docs.google.com/spreadsheet/ccc?key=0AkBdGlxJhW-ydDlxVUxWUVU0dXVzMzUxRzh2b2ZzaFE&hl=en_US#gid=0

 

Related Posts:

System Version (Mac)

Posted by:  /  Tags: , , , , , ,

Author Name
Douglas Brush

Artifact Name
SystemVersion.plist

Artifact/Program Version
OS X 10.x (Client)

Description
When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can wither be
in a binary-encoded format (bplist file header) or as XML.

To get the operating system version the first plist files you will
want to examine is the “SystemVersion.plist” located in
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.

File Locations
/System/Library/CoreServices/SystemVersion.plist

Research Links

Forensic Programs of Use
plist Edit Pro (Mac):

plist Editor Pro (Win):

Google Chrome Browser Profile (Mac OS X)

Posted by:  /  Tags: , , , , ,

Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Mac OS X)

Artifact/Program Version
Mac OS X

Description
As part of a lot of Digital Forensics investigations, obtaining information of the user’s browsing habits is an important step.  Safari is the browser de facto on OS X & Firefox has a large user base, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining ground in the browser market share. This post looks to point out where to find the Chrome user’s Profile folder on a Mac hard drive. Most times, the Profile will be saved as “Default”, but be on the look out for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you will need to bring it over to a Windows forensics box so that you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HDD\Users\USERNAME\Library\Application Support\Google\Chrome\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70

Stickies (Mac)

Posted by:  /  Tags: , , ,  /  Comments: 1

Author Name
Joe Garcia

Artifact Name
StickiesDatabase

Artifact/Program Version
Stickies on Mac OS X

Description
Stickies is a “sticky note” application that is installed by default on Mac OS X. This could be a potential source of information during a digital forensics examination. Think of the information that people leave on physical sticky notes around their desks and on their computers. Why should the digital ones be any different. You can use any Text Editor to parse the data included in this file. Once a new sticky is created or a previous one deleted, the StickiesDatabase file is immediately written to. There is no need for reboot for changes to take effect.









Directory/File Location
Macintosh HDD\Users\username\Library\StickiesDatabase

Forensic Programs of Use
TextEdit (Mac Text Editor)
OxED Hex Editor (Mac Application): http://www.suavetech.com/0xed/0xed.html

Other Info
Check out my SANS Forensics & Incident Response Blog post for more information:

Installed Printers (Mac)

Posted by:  /  Tags: , , , , ,

Author Name
Joe Garcia

Artifact Name
Installed Printers (Mac)

Artifact/Program Version
Mac OS X

Description
This property list (plist) on a Mac OS X machine will tell you what types of printers have been installed on that system. Be advised though, that a printer may have been uninstalled/removed by the user and if they have not restarted their computer, that printer’s entry will persist until the computer is rebooted. This plist will then be overwritten to reflect the change.





Property List
org.cups.printers.plist

File Locations
HDD/Library/Preferences

Research Links
Apple Developer Tools: http://developer.apple.com/technologies/tools/xcode.html

Forensic Programs of Use
plist Editor that is provided with XCode

Safari Browsing History (Mac)

Posted by:  /  Tags: , , , , , , ,  /  Comments: 2

Author Name

Joe Garcia

Artifact Name

Safari Browsing History (Mac)

Description

Safari is the default browser on the Mac OS X Operating System.  As with most browsers, there is a plethora of information to be found and Browsing History is one of them.  If you are looking into the Safari Browsing History on an Apple computer, you will have to find the History.plist to get that information.  For those that don’t know, a plist is a Preference file for an application on an Apple computer.  They usually contain user settings for that particular application.  They also hold information regarding that application.  The default setting for Browsing History in Safari 4 and 5 is one month.

Now, locate the Safari History plist by navigating to /username/Library/Safari/History.plist on the suspect machine.  Then export it out of your case.  If you are working in a Windows based forensics lab, you can download a copy of WOWSoft’s free plist Editor and install it.  Once installed, find the exported copy of the History.plist file and open it.  You will see the following screen:


If you are using a Mac as your forensics platform, I would suggest heading over to the Apple Developers site and register there to get a free copy of XCode 3.  XCode comes with a plist Editor included.  Once installed, it becomes your default viewer for plists.  Locate the History.plist file that you wish to view and double click on it.  It will open in the plist Editor and here is what you will see:



Now let’s say I want to find out the Last Visit Date & Time to a particular site.  I would locate the site in the History and look for the lastVisitedDate row and look across to the right to the third column:

In the XCode plist Editor:


In the WOWSoft plist Editor:


Now the value that you see recorded there is Mac Absolute Time. You are going to want to decode that into a readable format. In Windows, you can download a copy of R. Craig Wilson’s DCode to do that. For example, you would take the number shown in the lastVisitedDate row and enter all of the numbers in up to the period into DCode, choose Mac Absolute Time and make sure to adjust for the suspect machine’s Time Zone Settings and click on Decode. I have used the lastVisitedDate string from the example screenshots I have provided above and received the following results:



AUTHOR NOTE– As of this post, I am unfamiliar with a tool/utility that works in Mac OS X that has the same functionality. If someone can point me in the right direction, I will be more than happy to edit this post and give full credit.

File Location

/username/Library/Safari/History.plist

Forensic Tools of Use

Apple Developer Tools (XCode): http://developer.apple.com/programs/mac/

WOWSoft’s Free plist editor of Windows: http://www.icopybot.com/blog/free-plist-editor-for-windows-10-released.htm

DCode by R. Craig Wilson (Digital Detective UK): http://www.digital-detective.co.uk/freetools/decode.asp

First Post

Posted by:

This is a temporary placeholder.