Archive for the ‘OSX’ Category


Mac OS X User Preference Settings


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X User Preference Settings
Artifact Description
Num. 1 is the directory containing user preference settings for applications and utilities.

Num. 3 is the plist containing the names of volumes mounted on the desktop that have appeared in the sidebar list.

Num. 4 is the Global Preferences plist.

Num. 5 contains directories, files, and apps that have appeared in the Dock.

Num. 6 contains the list of attached iDevices.

Num. 7 is the SQLite database that keeps track of files carrying the quarantine extended attribute, which is set on applications, scripts, and executables downloaded from potentially untrustworthy locations/people. The SQLite database contains URLs, email addresses, email subjects, and other potentially useful information.
File Locations
1) User preferences directory
– %%users.homedir%%/Library/Preferences/*


2) iCloud user preferences
– %%users.homedir%%/Library/Preferences/MobileMeAccounts.plist


3) Sidebar Lists Preferences
– %%users.homedir%%/Preferences/com.apple.sidebarlists.plist


4) Global Preferences
– %%users.homedir%%/Library/Preferences/.GlobalPreferences.plist


5) Dock database
– %%users.homedir%%/Library/Preferences/com.apple.Dock.plist


6) Attached iDevices
– %%users.homedir%%/Library/Preferences/com.apple.iPod.plist


7) Quarantine Event Database
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
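The quarantine database described in Num. 7 is plain SQLite, so it can be examined offline without Apple tooling. The script below is an added example, not code from this post or from the mac4n6 project. It assumes the table and column names `LSQuarantineEvent` / `LSQuarantine*` (stated here as an assumption; real databases may carry additional columns) and that `LSQuarantineTimeStamp` is a CFAbsoluteTime value, i.e. seconds since 2001-01-01 UTC rather than since the Unix epoch, which is the usual mistake when converting these timestamps. The rows are constructed sample data.

```python
"""Read a LaunchServices QuarantineEventsV2 database (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# CFAbsoluteTime counts seconds from 2001-01-01 00:00:00 UTC, not from 1970.
CF_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed approximation of the LSQuarantineEvent table layout (assumption:
# real databases may have more columns depending on the OS version).
SAMPLE_SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineOriginURLString TEXT
);
"""

# Constructed sample rows; none of these values come from a real system.
SAMPLE_ROWS = [
    ("11111111-AAAA-BBBB-CCCC-000000000001", 0.0,
     "com.apple.Safari", "Safari",
     "https://downloads.example.test/tool.dmg", None, None,
     "https://www.example.test/page.html"),
    ("11111111-AAAA-BBBB-CCCC-000000000002", 400000000.0,
     "com.apple.mail", "Mail",
     "file:///Users/alice/Library/Mail/attachment.zip",
     "Bob Example", "bob@example.test", None),
]


def cf_absolute_to_utc(seconds):
    """Convert a CFAbsoluteTime value to an aware UTC datetime."""
    return CF_ABSOLUTE_EPOCH + timedelta(seconds=seconds)


def build_sample_db():
    """Return an in-memory SQLite connection holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany(
        "INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def read_quarantine_events(conn):
    """Return quarantine events ordered by time, timestamps as UTC ISO 8601."""
    conn.row_factory = sqlite3.Row
    cur = conn.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, "
        "LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineSenderName, LSQuarantineSenderAddress, "
        "LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp")
    events = []
    for row in cur:
        events.append({
            "id": row["LSQuarantineEventIdentifier"],
            "time_utc": cf_absolute_to_utc(row["LSQuarantineTimeStamp"]).isoformat(),
            "agent": row["LSQuarantineAgentName"],
            "data_url": row["LSQuarantineDataURLString"],
            "sender": row["LSQuarantineSenderName"],
            "sender_address": row["LSQuarantineSenderAddress"],
            "origin_url": row["LSQuarantineOriginURLString"],
        })
    return events


if __name__ == "__main__":
    for event in read_quarantine_events(build_sample_db()):
        print(event["time_utc"], event["agent"], event["data_url"], event["sender_address"])
```

To run this against a database copied out of an image, replace `build_sample_db()` with `sqlite3.connect("file:/path/to/QuarantineEventsV2?mode=ro", uri=True)` so the evidence copy is opened read-only; work from a copy, never the original file.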
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere.

Mac OS X: iOS device backup locations


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X: iOS device backup locations
Artifact Description
Num. 1 is the main directory inside a Mac containing iOS device backups


Num. 2 is a plist file in plain text. It stores data about the backed-up device (such as device name, GUID, ICCID, IMEI, product type, iOS version, serial numbers, UDID, etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).

Num. 3 is a plist file in plain text that describes the content of the backup. Inside this file we can find the list of applications installed on the backed-up device; for every application, the name and the exact version are recorded. The file also holds the date the backup was made, the backup type (encrypted vs. unencrypted), and some information about the iDevice and the iTunes software used.

Num. 4 is a binary file that stores the descriptions of all the other files in the backup directory. It contains a record for each element in the backup.

Num. 5 is a plist file in binary format that stores information about the completion of the backup.
File Locations
1) iOS device backups directory
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*


2) iOS device backup information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist


3) iOS device backup apps information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist


4) iOS device backup files information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb


5) iOS device backup status information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist
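Info.plist, Manifest.plist and Status.plist (Nums. 2, 3 and 5) can all be read with Python's standard `plistlib`, which detects XML and binary plists by itself, so the plain-text/binary split noted above needs no special handling. The script below is an added example, not code from this post or from the mac4n6 project; the key names (`Device Name`, `Product Type`, `Installed Applications`, `IsEncrypted`, `Applications`, `SnapshotState`, ...) follow the fields the description mentions but are stated here as assumptions, and every value is constructed. The binary Manifest.mbdb (Num. 4) is not parsed here.

```python
"""Summarize an iOS backup folder from its three plists (added example)."""
import plistlib
from datetime import datetime

# Constructed Info.plist in XML form (the artifact says this file is plain text).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Device Name</key><string>Example iPhone</string>
    <key>Product Type</key><string>iPhone5,2</string>
    <key>Product Version</key><string>7.0.4</string>
    <key>Serial Number</key><string>EXAMPLESERIAL</string>
    <key>Unique Identifier</key><string>0123456789ABCDEF0123456789ABCDEF01234567</string>
    <key>IMEI</key><string>000000000000000</string>
    <key>iTunes Version</key><string>11.1.3</string>
    <key>Last Backup Date</key><date>2013-11-20T10:15:00Z</date>
    <key>Installed Applications</key>
    <array>
        <string>com.example.notes</string>
    </array>
</dict>
</plist>
"""

# Constructed Manifest.plist and Status.plist, serialized as binary plists
# to show that plistlib reads both encodings with the same call.
SAMPLE_MANIFEST = plistlib.dumps({
    "IsEncrypted": False,
    "Date": datetime(2013, 11, 20, 10, 15, 0),
    "Applications": {
        "com.example.notes": {"CFBundleIdentifier": "com.example.notes",
                              "CFBundleVersion": "2.1"},
        "com.example.messenger": {"CFBundleIdentifier": "com.example.messenger",
                                  "CFBundleVersion": "5.0.3"},
    },
}, fmt=plistlib.FMT_BINARY)

SAMPLE_STATUS = plistlib.dumps({
    "SnapshotState": "finished",
    "IsFullBackup": True,
    "Date": datetime(2013, 11, 20, 10, 20, 0),
}, fmt=plistlib.FMT_BINARY)


def summarize_backup(info_bytes, manifest_bytes, status_bytes):
    """Combine the three plists into one dictionary an examiner can report on."""
    info = plistlib.loads(info_bytes)          # format is auto-detected
    manifest = plistlib.loads(manifest_bytes)
    status = plistlib.loads(status_bytes)

    apps = sorted((bundle, entry.get("CFBundleVersion"))
                  for bundle, entry in manifest.get("Applications", {}).items())
    listed_in_info = set(info.get("Installed Applications", []))
    return {
        "device": {key: info.get(key) for key in (
            "Device Name", "Product Type", "Product Version",
            "Serial Number", "Unique Identifier", "IMEI")},
        "itunes_version": info.get("iTunes Version"),
        "backup_date": info["Last Backup Date"].isoformat(),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "apps": apps,
        # Apps present in Manifest.plist but absent from Info.plist: worth a
        # second look, since the two lists normally agree.
        "apps_missing_from_info": sorted(
            bundle for bundle, _ in apps if bundle not in listed_in_info),
        "status": {"state": status.get("SnapshotState"),
                   "full_backup": bool(status.get("IsFullBackup", False))},
    }


if __name__ == "__main__":
    summary = summarize_backup(SAMPLE_INFO_PLIST, SAMPLE_MANIFEST, SAMPLE_STATUS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real backup folder, read the three files with `open(path, "rb").read()` and pass the bytes in; the per-device folder name under `MobileSync/Backup/` is the UDID, which should match the `Unique Identifier` value in Info.plist.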
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere.

Mac OS X “Recent Items”


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X “Recent Items”
Artifact Description
Num. 1 contains info about the recently opened applications, files, and servers.

Num. 2 contains info about the recently opened files specific to each application.
File Locations
1) Recent Items
– %%users.homedir%%/Library/Preferences/com.apple.recentitems.plist


2) Recent Items application specific
– %%users.homedir%%/Library/Preferences/*LSSharedFileList.plist
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere.

Mac OS X System Logs


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X System Logs
Artifact Description
Num. 1 is the main folder containing the system logs.

Num. 2 contains the Apple System Logs (ASL). The filename format is YYYY.MM.DD.[UID].[GID].asl.

Num. 4 contains the install date of the system, as well as the dates of system and software updates.
File Locations
1) System Log files main folder
– /var/log/*


2) Apple System Log
– /var/log/asl/*


3) Audit Log
– /var/audit/*


4) Installation log
– /var/log/install.log
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere.

Mac OS X Sleep/Hibernate and Swap Image File


Author
Pasquale Stirparo, @pstirparo
Artifact Description
Contents of RAM are written into the sleepimage file when the computer is put to sleep.
Numerous swap files may be found in the /var/vm/ directory with the naming convention of swapfile# (swapfile0, swapfile1, swapfile2, etc.)
File Locations
/var/vm/sleepimage
/var/vm/swapfile#
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere.

Mac OS X Autorun Locations


Author Name
pstirparo
Submission Title
Mac OS X Autorun Locations
Post Category
System
Submission Tags
Apple, OSX, System
Artifact Description
These artifacts refer to autorun programs and daemons that run at system startup.
File Locations
Launch Agents files
– /Library/LaunchAgents/*
– /System/Library/LaunchAgents/*

Launch Daemons files
– /Library/LaunchDaemons/*
– /System/Library/LaunchDaemons/*

Startup Items files
– /Library/StartupItems/*
– /System/Library/StartupItems/*

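The LaunchAgents and LaunchDaemons directories listed above hold one plist per launchd job, and the fields that matter for triage (`Label`, `Program`/`ProgramArguments`, `RunAtLoad`, `KeepAlive`, `Disabled`) are standard launchd keys. The script below is an added example, not code from this post or from the mac4n6 project: it walks a set of launch directories, extracts those fields, and flags jobs whose executable lives outside the usual system paths or references user-writable locations. The "trusted prefix" list and the `demo()` tree it builds in a temporary directory are assumptions and constructed data, not a vetted allow-list.

```python
"""Enumerate launchd job plists and triage them (added example)."""
import os
import plistlib
import shutil
import tempfile

# The system-wide directories the artifact lists.
SYSTEM_LAUNCH_DIRS = [
    "/Library/LaunchAgents", "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons", "/System/Library/LaunchDaemons",
]

# Assumption: executables under these prefixes are treated as expected locations.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/", "/var/tmp/")


def parse_launch_item(path):
    """Extract the launchd keys relevant to persistence review from one plist."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "file": path,
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either keeps the job alive.
        "keep_alive": plist.get("KeepAlive", False) not in (False, None),
        "disabled": bool(plist.get("Disabled", False)),
    }


def enumerate_launch_items(directories):
    """Parse every .plist in the given directories; unreadable files are kept as errors."""
    items = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                items.append(parse_launch_item(path))
            except Exception as exc:  # malformed plist: still worth reporting
                items.append({"file": path, "error": str(exc)})
    return items


def is_suspicious(item):
    """Heuristic: unparsable job, program outside trusted paths, or user-writable arguments."""
    if "error" in item:
        return True
    program = item.get("program") or ""
    if not program.startswith(TRUSTED_PREFIXES):
        return True
    return any(arg.startswith(USER_WRITABLE_PREFIXES) for arg in item["arguments"])


def demo():
    """Build a constructed launch-directory tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="launch_demo_")
    try:
        agents = os.path.join(root, "Library", "LaunchAgents")
        daemons = os.path.join(root, "Library", "LaunchDaemons")
        os.makedirs(agents)
        os.makedirs(daemons)
        with open(os.path.join(daemons, "com.example.updater.plist"), "wb") as fh:
            plistlib.dump({"Label": "com.example.updater",
                           "ProgramArguments": ["/usr/libexec/example-updater", "--daemon"],
                           "RunAtLoad": True}, fh)
        with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
            plistlib.dump({"Label": "com.example.helper",
                           "ProgramArguments": ["/Users/alice/.helper/helper", "-s"],
                           "RunAtLoad": True, "KeepAlive": True}, fh)
        return [(item["label"], is_suspicious(item))
                for item in enumerate_launch_items([agents, daemons])]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, flagged in demo():
        print(f"{label}: {'REVIEW' if flagged else 'ok'}")
```

On a mounted image, call `enumerate_launch_items` with the listed directories prefixed by the mount point (and, for per-user jobs, each user's `Library/LaunchAgents`); the flag is a starting point for review, not a verdict.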
Research Links
https://github.com/pstirparo/mac4n6
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com

So that the effort is made only once, and the output reused everywhere.

OS X Lion Artifacts


Author Name
Sean Cavanaugh – AppleExaminer

Artifact Name
OS X Lion Artifacts

Description
Sean Cavanaugh of AppleExaminer.com maintains a Google Spreadsheet at the link listed below. Since this list is community driven and may change, it is not republished here; however, a spreadsheet containing the artifacts as of 11-26-11 is included. This list covers artifacts from User Directories, Safari, Mail, iChat, iPhoto, iTunes, Photo Booth, Address Book, Spotlight, RSS, Saved Application State, Preferences, Autorun Locations, Recent Items, browsers, and specific applications.

Research Links
https://docs.google.com/spreadsheet/ccc?key=0AkBdGlxJhW-ydDlxVUxWUVU0dXVzMzUxRzh2b2ZzaFE&hl=en_US#gid=0

System Version (Mac)


Author Name
Douglas Brush

Artifact Name
SystemVersion.plist

Artifact/Program Version
OS X 10.x (Client)

Description
When you start your Macintosh investigation it is important to know what version of the operating system is installed on the computer. The version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis, as each version has certain unique characteristics for other artifacts as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories for system and program settings/information. Plist files can be either binary-encoded (identified by a bplist file header) or XML.

To get the operating system version, the first plist file you will want to examine is “SystemVersion.plist”, located in the “/System/Library/CoreServices/” folder. With this knowledge you can be aware of other plists and system artifacts that are unique to the OS under inspection.

File Locations
/System/Library/CoreServices/SystemVersion.plist
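Because SystemVersion.plist may arrive in either encoding, an examiner's parser should identify the format from the file header and then read the version keys the same way in both cases. The script below is an added example, not from this post or its author: it sniffs the `bplist00` header versus an XML prologue, reads `ProductName`, `ProductVersion` and `ProductBuildVersion` (standard keys in this file), and derives the 10.x family that drives the rest of the analysis. The XML sample is constructed; the binary sample is produced from it with `plistlib` so both paths can be compared.

```python
"""Read SystemVersion.plist in XML or binary form (added example)."""
import plistlib

# Constructed XML SystemVersion.plist; the key names are Apple's, the values are sample data.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key><string>10K549</string>
    <key>ProductName</key><string>Mac OS X</string>
    <key>ProductUserVisibleVersion</key><string>10.6.8</string>
    <key>ProductVersion</key><string>10.6.8</string>
</dict>
</plist>
"""

# The same content re-encoded as a binary plist (starts with the bplist00 header).
SAMPLE_BINARY = plistlib.dumps(plistlib.loads(SAMPLE_XML), fmt=plistlib.FMT_BINARY)


def plist_format(data):
    """Classify raw plist bytes by header: 'binary', 'xml' or 'unknown'."""
    if data[:8] == b"bplist00":
        return "binary"
    head = data.lstrip()[:512]
    if head.startswith(b"<?xml") or b"<plist" in head:
        return "xml"
    return "unknown"


def read_system_version(data):
    """Return the OS version fields plus the 10.x family used to pick artifact locations."""
    fmt = plist_format(data)
    if fmt == "unknown":
        raise ValueError("not a recognizable plist")
    info = plistlib.loads(data)        # plistlib handles both encodings
    version = info["ProductVersion"]
    family = ".".join(version.split(".")[:2])
    return {
        "format": fmt,
        "product": info.get("ProductName"),
        "version": version,
        "build": info.get("ProductBuildVersion"),
        "family": family,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_XML, SAMPLE_BINARY):
        print(read_system_version(sample))
```

Against an image, read `/System/Library/CoreServices/SystemVersion.plist` under the mount point as bytes and pass them in; the `family` value ("10.6" here) is what selects the version-specific artifact locations discussed elsewhere on this page.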

Research Links

Forensic Programs of Use
PlistEdit Pro (Mac):

plist Editor Pro (Win):

Google Chrome Browser Profile (Mac OS X)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Mac OS X)

Artifact/Program Version
Mac OS X

Description
In many Digital Forensics investigations, obtaining information about the user’s browsing habits is an important step. Safari is the de facto browser on OS X and Firefox has a large user base, but what about Google’s Chrome browser? Like Firefox before it, Chrome is steadily gaining ground in browser market share. This post points out where to find the Chrome user’s Profile folder on a Mac hard drive. Most of the time the profile will be saved as “Default”, but be on the lookout for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you will need to bring it over to a Windows forensics box so that you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HDD\Users\USERNAME\Library\Application Support\Google\Chrome\Default
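The History file in that profile folder is ordinary SQLite, so the Windows-only tools named above are a convenience rather than a requirement. The script below is an added example, not code from this post or from either tool: it queries a constructed subset of Chrome's `urls` and `keyword_search_terms` tables and converts Chrome's timestamps, which are microseconds since 1601-01-01 UTC (the WebKit epoch) rather than Unix seconds. The schema subset and rows are constructed; the real file has more tables, and the `downloads` layout in particular varies between Chrome versions.

```python
"""Query a Chrome History database and convert WebKit timestamps (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(micros):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime (None if unset)."""
    if not micros:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(micros))


def utc_to_webkit(dt):
    """Inverse conversion; used here only to build the constructed sample rows."""
    delta = dt - WEBKIT_EPOCH
    return int(delta.total_seconds()) * 1_000_000 + delta.microseconds


# Constructed subset of the History schema (the real file has more tables/columns).
SAMPLE_SCHEMA = """
CREATE TABLE urls (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
    typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE keyword_search_terms (
    keyword_id INTEGER, url_id INTEGER, lower_term TEXT, term TEXT);
"""

# Constructed sample rows; not taken from a real profile.
T_PAGE = utc_to_webkit(datetime(2013, 11, 20, 10, 15, tzinfo=timezone.utc))
T_SEARCH = utc_to_webkit(datetime(2013, 11, 20, 10, 12, 30, tzinfo=timezone.utc))
SAMPLE_URLS = [
    (1, "https://www.example.test/report.html", "Quarterly report", 3, 1, T_PAGE, 0),
    (2, "https://search.example.test/?q=mac+forensics", "mac forensics - Search", 1, 0, T_SEARCH, 0),
]
SAMPLE_TERMS = [(2, 2, "mac forensics", "mac forensics")]


def build_sample_db():
    """Return an in-memory SQLite connection holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO keyword_search_terms VALUES (?,?,?,?)", SAMPLE_TERMS)
    conn.commit()
    return conn


def history(conn):
    """Visited URLs, most recent first, with last_visit_time as UTC ISO 8601."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE hidden = 0 ORDER BY last_visit_time DESC").fetchall()
    return [(url, title, count, webkit_to_utc(t).isoformat())
            for url, title, count, t in rows]


def search_terms(conn):
    """Search terms joined to the results page they produced, oldest first."""
    rows = conn.execute(
        "SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k "
        "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time").fetchall()
    return [(term, url, webkit_to_utc(t).isoformat()) for term, url, t in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for row in history(db):
        print("visit ", *row)
    for row in search_terms(db):
        print("search", *row)
```

For an extracted profile, open the copied `History` file with `sqlite3.connect("file:/path/to/History?mode=ro", uri=True)`; Chrome keeps the database locked while running, which is another reason to work from the copy taken out of the image.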

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70

Stickies (Mac)


Author Name
Joe Garcia

Artifact Name
StickiesDatabase

Artifact/Program Version
Stickies on Mac OS X

Description
Stickies is a “sticky note” application that is installed by default on Mac OS X. This could be a potential source of information during a digital forensics examination. Think of the information that people leave on physical sticky notes around their desks and on their computers; why should the digital ones be any different? You can use any text editor to parse the data included in this file. As soon as a new sticky is created or a previous one deleted, the StickiesDatabase file is written to; there is no need for a reboot for changes to take effect.

Directory/File Location
Macintosh HDD\Users\username\Library\StickiesDatabase

Forensic Programs of Use
TextEdit (Mac Text Editor)
0xED Hex Editor (Mac Application): http://www.suavetech.com/0xed/0xed.html

Other Info
Check out my SANS Forensics & Incident Response Blog post for more information: