Posts Tagged ‘logs’

Mac OS X System Logs


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X System Logs
Artifact Description
Num. 1 is the main folder containing the system logs.

Num. 2 contains the Apple System Logs (ASL). The filename format is YYYY.MM.DD.[UID].[GID].asl.

Num. 4 contains the install date of the system, as well as the dates of system and software updates.
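As an added example (not part of the original submission or of the ma4n6 project), the following Python parses ASL filenames according to the YYYY.MM.DD.[UID].[GID].asl format above and selects the files that cover a date window, which is the first scoping step when pulling logs from /var/log/asl/. It assumes, beyond what the page states, that the optional UID and GID parts may carry a leading U or G on disk (for example U501, G80) and accepts both the prefixed and the bare numeric forms; the directory listing used as input is constructed.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Pattern for the ASL filename format given above: YYYY.MM.DD.[UID].[GID].asl,
# with UID and GID optional. Assumption (not stated on the page): on disk the
# optional parts usually carry a "U"/"G" prefix (2013.03.27.U501.G80.asl), so
# the prefix is accepted but not required.
ASL_NAME = re.compile(
    r"^(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})"
    r"(?:\.U?(?P<uid>\d+))?"
    r"(?:\.G?(?P<gid>\d+))?"
    r"\.asl$"
)

# Constructed directory listing of /var/log/asl/ used as sample input.
SAMPLE_ASL_DIR = [
    "2013.03.26.asl",
    "2013.03.27.U501.G80.asl",
    "2013.03.27.G80.asl",
    "2013.03.28.U0.asl",
    "2013.02.30.asl",      # impossible date: rejected
    "StoreData",           # not a log file
]


def parse_asl_name(name: str) -> Optional[Dict[str, object]]:
    """Return {'date', 'uid', 'gid'} for a valid ASL filename, else None."""
    m = ASL_NAME.match(name)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. month 13, or day 30 in February
        return None
    return {
        "date": day,
        "uid": int(m["uid"]) if m["uid"] is not None else None,
        "gid": int(m["gid"]) if m["gid"] is not None else None,
    }


def select_in_window(names: List[str], start_iso: str, end_iso: str,
                     uid: Optional[int] = None) -> List[str]:
    """Filenames whose date falls in [start, end] (inclusive), optionally
    restricted to one UID, sorted by date so they can be processed in order."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    keep = []
    for n in names:
        info = parse_asl_name(n)
        if info is None or not (start <= info["date"] <= end):
            continue
        if uid is not None and info["uid"] != uid:
            continue
        keep.append((info["date"], n))
    return [n for _, n in sorted(keep)]


if __name__ == "__main__":
    for n in select_in_window(SAMPLE_ASL_DIR, "2013-03-27", "2013-03-28"):
        print(n, parse_asl_name(n))
```

The date check through `datetime.date` matters because a filename that merely looks right (2013.02.30.asl) would otherwise be silently treated as a log for a day that never existed; the UID filter lets an examiner narrow a pull to one account's per-user log files when the incident concerns a single user.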
File Locations
1) System Log files main folder
– /var/log/*

2) Apple System Log
– /var/log/asl/*

3) Audit Log
– /var/audit/*

4) Installation log
– /var/log/install.log
Research Links
Any Other Information
These artefacts are collected under the ma4n6 project, which aims to be a single point of collection for OSX artifacts, from where such locations are later shared via:
– yaml library
so that the effort is made only once and the output is reused everywhere.

Nmap / Zenmap


Author Name
Frank McClain

Artifact Name

Artifact/Program Version
4.6, 5.1

Artifacts remaining on the system after a scan using Nmap/Zenmap (especially Zenmap). This is not from the standpoint of showing that the application was run, or by whom (so no Prefetch, UserAssist, etc.), nor of proving that the application was installed at some point. It is from the standpoint of showing what use (i.e., how) the application was put to, and the timeframe (i.e., when) involved.

In c:\program files\nmap\zenmap\ a file was created when a scan was saved. It had the same user-selected name as the saved scan, with the extension USR. So if the saved scan was “test”, the subsequent file would be “test.usr”. If you find one of these, you can bet the user saved a scan; this file should be identical to it. It is an XML file that holds all the information about the scan.

In %User%\.zenmap (a hidden folder) there are primarily three files of interest: recent_scans.txt, target_list.txt and zenmap.db. Recent_scans.txt is a list of saved scans (or perhaps of the .USR instances; it’s inconclusive at this point); all it holds is a list of files with their paths. Target_list.txt is a list of all target IP addresses, separated by semicolons; it has no other information, not even an associated date. Zenmap.db is the fun one: it’s a SQLite database that contains a history of what scans were run (type of scan, target IP, XML output, i.e. basic scan detail, and time).
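As an added example (not from the post or from the Nmap project), the following Python pulls the three .zenmap artifacts described above into one triage summary: target_list.txt split on semicolons, recent_scans.txt read as one path per line, the user-chosen scan names recovered from the .usr entries, and a schema-agnostic dump of every table in zenmap.db. The sample file contents and the in-memory SQLite database are constructed; in particular the `scans` table and its columns are hypothetical stand-ins, since the post does not document the zenmap.db layout, which is exactly why the dump reads table and column names from the file rather than assuming them.

```python
import ntpath
import sqlite3
from typing import Dict, List

# Constructed sample of %User%\.zenmap\target_list.txt: the post describes it
# as target IP addresses separated by semicolons, with no other information.
SAMPLE_TARGET_LIST = "192.0.2.10;192.0.2.11;198.51.100.0/24;;"

# Constructed sample of recent_scans.txt: a list of saved-scan paths, one per line.
SAMPLE_RECENT_SCANS = (
    "C:\\Program Files\\Nmap\\Zenmap\\test.usr\n"
    "C:\\Users\\analyst\\Documents\\dmz-sweep.usr\n"
    "\n"
)


def parse_target_list(text: str) -> List[str]:
    """Semicolon-separated targets; blanks (trailing separators) are dropped."""
    return [t.strip() for t in text.split(";") if t.strip()]


def parse_recent_scans(text: str) -> List[str]:
    """One saved-scan path per line; empty lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def saved_scan_names(paths: List[str]) -> List[str]:
    """User-chosen scan names, recovered from the .usr filenames."""
    return [ntpath.splitext(ntpath.basename(p))[0]
            for p in paths if p.lower().endswith(".usr")]


def dump_sqlite_tables(conn: sqlite3.Connection) -> Dict[str, Dict[str, list]]:
    """Schema-agnostic dump of every user table (columns and rows). The layout
    of zenmap.db is not documented in the post, so the triage reads whatever
    tables the file actually holds instead of assuming names."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    out = {}
    for name in names:
        quoted = '"' + name.replace('"', '""') + '"'   # identifier quoting
        cur = conn.execute("SELECT * FROM " + quoted)
        out[name] = {"columns": [d[0] for d in cur.description],
                     "rows": cur.fetchall()}
    return out


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for zenmap.db. The table and column
    names are hypothetical; the post only says the db records scan type,
    target IP, XML output and time."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scans (id INTEGER PRIMARY KEY, scan_type TEXT, "
                 "target TEXT, xml_output TEXT, run_time TEXT)")
    conn.executemany("INSERT INTO scans VALUES (?, ?, ?, ?, ?)", [
        (1, "Quick scan", "192.0.2.10", "<nmaprun/>", "2013-03-27T10:15:00"),
        (2, "Intense scan", "198.51.100.0/24", "<nmaprun/>", "2013-03-27T10:40:00"),
    ])
    conn.commit()
    return conn


def triage_zenmap(target_text: str, recent_text: str,
                  conn: sqlite3.Connection) -> Dict[str, object]:
    """Combine the three .zenmap artifacts into one summary for the report."""
    recent = parse_recent_scans(recent_text)
    return {
        "targets": parse_target_list(target_text),
        "recent_scans": recent,
        "saved_scan_names": saved_scan_names(recent),
        "db": dump_sqlite_tables(conn),
    }


if __name__ == "__main__":
    summary = triage_zenmap(SAMPLE_TARGET_LIST, SAMPLE_RECENT_SCANS, build_sample_db())
    print(summary["targets"], summary["saved_scan_names"])
    for table, content in summary["db"].items():
        print(table, content["columns"], len(content["rows"]), "rows")
```

On a real image, open a copy of zenmap.db read-only and pass that connection in place of `build_sample_db()`; the only thing to check first is that the dump's column list actually contains a time field, because target_list.txt carries no dates and the database is the one artifact here that ties a target to a time.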

%User%\%Local%\Temp is another potential treasure trove of evidence. You may find temporary files (with no extension) located at this level. Some contain no data, some contain only a small amount, and others provide a detailed breakdown of the scan, the veritable motherlode, as it shows the time of the scan, each target port, protocol, scan times, and so on. Very good stuff, when present. The temporary files that had only a little content basically mirrored the type of content in the USR files, so if you don’t have one, you might have the other and still have some insight into the scan.

And a slightly tangential question posed on Twitter was how to identify a scan from packets. Fairly simple, right: just start Wireshark, run an Nmap scan, and review the results. It turns out that, across multiple types of scans run, there are 60-byte packets, and all have the following content: 00 0d 60 da b4 e7 00 11 25 d1 04 e0 08 00 45 00. That’s obviously not the entire contents of each packet, but that was consistent across all packets I saw.
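As an added example, not from the post, the following Python decodes the 16 bytes quoted above using the standard Ethernet II frame layout (6-byte destination MAC, 6-byte source MAC, 2-byte EtherType) followed by the first byte of the IPv4 header. It shows why that prefix was constant in the capture: it is the link-layer header of the capturing network, with 08 00 meaning IPv4 and 45 meaning IPv4 with a 20-byte header. The caveat for anyone turning this into a detection is that the two MAC addresses belong to the hosts on the capture segment and will differ elsewhere, so the second function separates the portable fields out; 60 bytes is the minimum Ethernet frame length without the FCS, which is the length captures report for short probes that the sender padded. Nothing here is assumed beyond the quoted bytes and the Ethernet and IPv4 header formats.

```python
from typing import Dict

# The 16 bytes quoted in the post, re-typed as a constant for decoding.
OBSERVED_PREFIX = "00 0d 60 da b4 e7 00 11 25 d1 04 e0 08 00 45 00"

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
# The minimum Ethernet frame is 64 bytes on the wire including the 4-byte FCS,
# which captures normally omit, so short packets show up padded to 60 bytes.
ETH_MIN_FRAME_WITHOUT_FCS = 60
ETH_HEADER_LEN = 14


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame_prefix(hex_bytes: str) -> Dict[str, object]:
    """Decode an Ethernet II header and, for IPv4, the version/IHL byte that
    immediately follows it, from a hex string like the one in the post."""
    data = bytes.fromhex(hex_bytes)
    if len(data) < ETH_HEADER_LEN:
        raise ValueError("need at least 14 bytes for an Ethernet II header")
    ethertype = int.from_bytes(data[12:14], "big")
    out = {
        "dst_mac": _mac(data[0:6]),
        "src_mac": _mac(data[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }
    if ethertype == 0x0800 and len(data) > ETH_HEADER_LEN:
        ver_ihl = data[ETH_HEADER_LEN]        # high nibble: version, low nibble: IHL in 32-bit words
        out["ip_version"] = ver_ihl >> 4
        out["ip_header_len"] = (ver_ihl & 0x0F) * 4
    return out


def portable_fields(decoded: Dict[str, object]) -> Dict[str, object]:
    """The part of the prefix that does not depend on the capture environment.
    The MAC addresses identify the hosts on the segment where the capture was
    taken, so a rule built on them would not match on another network."""
    return {k: v for k, v in decoded.items() if k not in ("dst_mac", "src_mac")}


def is_padded_minimum_frame(captured_len: int) -> bool:
    """True when a captured frame is exactly the minimum Ethernet length,
    i.e. a small packet (such as a TCP SYN with no options, 54 bytes) that
    the sender padded to 60 bytes."""
    return captured_len == ETH_MIN_FRAME_WITHOUT_FCS


if __name__ == "__main__":
    d = decode_frame_prefix(OBSERVED_PREFIX)
    print(d)
    print(portable_fields(d), is_padded_minimum_frame(60))
```

Run against the quoted bytes, the decoder returns dst_mac 00:0d:60:da:b4:e7, src_mac 00:11:25:d1:04:e0, EtherType 0x0800 (IPv4), IP version 4 and a 20-byte IP header; what is left after dropping the MACs is just "IPv4 with a minimal header", which is true of most traffic and so is not, on its own, a useful scan indicator.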

File Locations
c:\program files\nmap\zenmap\*.usr (where * is the user-provided filename)
%User%\.zenmap\zenmap.db (SQLite db)
%User%\%Local%\Temp\tmpf5nhgm (these all start with “tmp” and appear to have 6 more characters following)

Research Links

Forensic Programs of Use
Nmap for Windows (cli) –
Zenmap GUI for Nmap for Windows –
SQLite Database Browser –
Wireshark –




Author Name

Artifact Name

Skype is a desktop application that enables voice and video calls, instant messaging, file transfers, and screen sharing between users.

Registry Keys

File Locations
C:\Documents and Settings\[Profile Name]\Application Data\Skype\[Skype User]

C:\Documents and Settings\[Profile Name]\AppData\Roaming\Skype\[Skype User]

Research Links

Subpoena Contact –

Forensic Programs of Use
Skype Log View –

Skype Parser –

Skype Analyzer –

SkypeAlyzer –