Artifacts

Posts Tagged ‘Mac OS X’


System Version (Mac)

Posted by:  /  Tags: , , , , , ,

Author Name
Douglas Brush

Artifact Name
SystemVersion.plist

Artifact/Program Version
OS X 10.x (Client)

Description
When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can wither be
in a binary-encoded format (bplist file header) or as XML.

To get the operating system version the first plist files you will
want to examine is the “SystemVersion.plist” located in
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.

File Locations
/System/Library/CoreServices/SystemVersion.plist

Research Links

Forensic Programs of Use
plist Edit Pro (Mac):

plist Editor Pro (Win):

Google Chrome Browser Profile (Mac OS X)

Posted by:  /  Tags: , , , , ,

Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Mac OS X)

Artifact/Program Version
Mac OS X

Description
As part of a lot of Digital Forensics investigations, obtaining information of the user’s browsing habits is an important step.  Safari is the browser de facto on OS X & Firefox has a large user base, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining ground in the browser market share. This post looks to point out where to find the Chrome user’s Profile folder on a Mac hard drive. Most times, the Profile will be saved as “Default”, but be on the look out for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you will need to bring it over to a Windows forensics box so that you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HDD\Users\USERNAME\Library\Application Support\Google\Chrome\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70