Sean Cavanaugh – AppleExaminer
OS X Lion Artifacts
Sean Cavanaugh of AppleExaminer.com maintains a Google Spreadsheet at the link listed below. Since this list is community driven and may change, it is not republished here, however, here is a spreadsheet containing the artifacts as of 11-26-11. This list contains artifacts of User Directories, Safari, Mail, iChat, iPhoto, iTunes, Photo Booth, Address Book, Spotlight, RSS, Saved Application State, Preferences, Autorun Locations, Recent Items, browsers, and specific applications.
Google Chrome Browser Profile Folder (Mac OS X)
Mac OS X
As part of a lot of Digital Forensics investigations, obtaining information of the user’s browsing habits is an important step. Safari is the browser de facto on OS X & Firefox has a large user base, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining ground in the browser market share. This post looks to point out where to find the Chrome user’s Profile folder on a Mac hard drive. Most times, the Profile will be saved as “Default”, but be on the look out for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you will need to bring it over to a Windows forensics box so that you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:
History (Web, bookmarks, downloads and search terms)
Archived History (Web History and search terms)
Bookmarks (This is in a non-SQLite format)
Get Google’s Chrome Browser HERE
Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx
ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70
Stickies on Mac OS X
Stickies is a “sticky note” application that is installed by default on Mac OS X. This could be a potential source of information during a digital forensics examination. Think of the information that people leave on physical sticky notes around their desks and on their computers. Why should the digital ones be any different. You can use any Text Editor to parse the data included in this file. Once a new sticky is created or a previous one deleted, the StickiesDatabase file is immediately written to. There is no need for reboot for changes to take effect.
Forensic Programs of Use
TextEdit (Mac Text Editor)
OxED Hex Editor (Mac Application): http://www.suavetech.com/0xed/0xed.html
Check out my SANS Forensics & Incident Response Blog post for more information:
Copyright 2012, ForensicArtifacts.com. All rights reserved.