Posts Tagged ‘SYSTEM’

Mac OS X System Logs


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X System Logs
Artifact Description
Num. 1 is the main folder containing the system logs.

Num. 2 contains the Apple System Logs (ASL). The filename format is YYYY.MM.DD.[UID].[GID].asl.

Num. 4 contains the install date of the system, as well as the dates of system and software updates.
File Locations
1) System Log files main folder
– /var/log/*

2) Apple System Log
– /var/log/asl/*

3) Audit Log
– /var/audit/*

4) Installation log
– /var/log/install.log
Research Links
Any Other Information
These artefacts are collected under the ma4n6 project, which aims to be a single point of collection for OSX artifacts, from where such locations are later shared via:
– yaml library
so that the effort is made only once and the output is reused everywhere.

Mac OS X Autorun Locations


Author Name
Submission Title
  Mac OS X Autorun Locations
Post Category
Submission Tags
  Apple, OSX, System
Artifact Description
  These artifacts refer to autorun programs and daemons that run at system startup.
File Locations
  Launch Agents files
– ‘/Library/LaunchAgents/*’
– ‘/System/Library/LaunchAgents/*’

Launch Daemons files
– ‘/Library/LaunchDaemons/*’
– ‘/System/Library/LaunchDaemons/*’

Startup Items file
– ‘/Library/StartupItems/*’
– ‘/System/Library/StartupItems/*’

Research Links
Any Other Information
  These artefacts are collected under the ma4n6 project, which aims to be a single point of collection for OSX artifacts, from where such locations are later shared via:
– yaml library

so that the effort is made only once and the output is reused everywhere.

System Version (Mac)


Author Name
Douglas Brush

Artifact Name

Artifact/Program Version
OS X 10.x (Client)

When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can either be
in a binary-encoded format (bplist file header) or in XML.

To get the operating system version, the first plist file you will
want to examine is “SystemVersion.plist”, located in the
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.
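The two Mac posts above (autorun locations and SystemVersion.plist) both come down to reading property lists, which may be XML or binary (the “bplist” header). The following is an added example, not code from the ma4n6 project or from the post authors: it builds a constructed SystemVersion.plist in binary form and a constructed launchd agent plist in XML form, loads both with the same loader, pulls out the version string and the autorun program, and applies a simple (assumed, not from the page) heuristic that flags launch items whose program lives outside the usual system prefixes.

```python
import plistlib

# Constructed sample of a SystemVersion.plist, serialized as a binary plist so the
# "bplist" header the post mentions is visible. Values are made up for this example.
SYSTEM_VERSION_BPLIST = plistlib.dumps(
    {"ProductName": "Mac OS X", "ProductVersion": "10.6.8", "ProductBuildVersion": "10K549"},
    fmt=plistlib.FMT_BINARY,
)

# Constructed launchd agent plist of the kind found under /Library/LaunchAgents.
# The label and program path are invented for this example.
LAUNCH_AGENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.updater</string><string>--quiet</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Assumed list of prefixes where Apple- and vendor-installed programs normally live;
# this is a triage heuristic for the example, not a rule stated on the page.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")


def plist_format(data: bytes) -> str:
    """Report whether raw plist bytes carry the binary 'bplist' magic or are XML."""
    return "binary" if data.startswith(b"bplist") else "xml"


def load_plist(data: bytes) -> dict:
    """plistlib.loads autodetects XML versus binary, so one loader serves both layouts."""
    return plistlib.loads(data)


def os_version(data: bytes) -> str:
    """Extract ProductVersion (e.g. 10.6.8) from SystemVersion.plist bytes."""
    return load_plist(data)["ProductVersion"]


def summarize_launch_item(data: bytes) -> dict:
    """Pull the fields an examiner checks first in a launchd plist."""
    d = load_plist(data)
    # launchd accepts either ProgramArguments (argv list) or a bare Program path.
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    program = args[0] if args else None
    return {
        "label": d.get("Label"),
        "program": program,
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "outside_system_prefixes": bool(program) and not program.startswith(SYSTEM_PREFIXES),
    }


if __name__ == "__main__":
    print(plist_format(SYSTEM_VERSION_BPLIST), os_version(SYSTEM_VERSION_BPLIST))
    print(summarize_launch_item(LAUNCH_AGENT_XML))
```

On a real image, replace the constructed bytes with the contents of /System/Library/CoreServices/SystemVersion.plist and each file under the LaunchAgents and LaunchDaemons folders listed in the autorun post; the loader does not care which of the two encodings it receives.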

File Locations

Research Links

Forensic Programs of Use
plist Edit Pro (Mac):

plist Editor Pro (Win):

System Install Date (Linux)


Author Name
Hal Pomeranz

Artifact Name
Linux system install date

Operating System

In general it is rare for any Unix-like operating system to record its
system install date. So you’re left with using other artifacts on the
system as a proxy to deduce the install date.

One of the most popular methods for dating the system install is to
look at the time stamps on the SSH host key files under /etc/ssh.
These files are usually generated via the SSH startup script
(/etc/init.d/sshd or similar) during the first boot of the system,
which typically happens immediately after the system install is

$ ls -l /etc/ssh/ssh_host_*
-rw------- 1 root root 668 Jul 14 2007 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root 590 Jul 14 2007 /etc/ssh/
-rw------- 1 root root 963 Jul 14 2007 /etc/ssh/ssh_host_key
-rw-r--r-- 1 root root 627 Jul 14 2007 /etc/ssh/
-rw------- 1 root root 1675 Jul 14 2007 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Jul 14 2007 /etc/ssh/

In the example above, it appears that the system was installed on Jul
14, 2007.

If you’d like to see a finer-grained time stamp, try the “stat”
command on any one of the above files:

$ stat /etc/ssh/ssh_host_key
File: `/etc/ssh/ssh_host_key'
Size: 963 Blocks: 16 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 1837188 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-11-29 09:49:28.000000000 -0800
Modify: 2007-07-14 11:56:52.000000000 -0700
Change: 2007-07-14 11:56:52.000000000 -0700

The modify and change times generally reflect the file creation date
(on EXT4 file systems, there will be a file creation time stamp). The
access time is the last time the file was read.
Private key files such as /etc/ssh/ssh_host_key are generally only
read by the system SSH daemon, and then only when the daemon is
(re)started. Since the SSH daemon is fairly stable and is rarely
restarted, the last access time often correlates with the last time
the system was booted.

All of the usual caveats about file-based time stamps apply here. It’s
possible, though uncommon, that a site might choose to regenerate
their SSH host keys on a regular basis (doing this causes problems for
users, so it’s not normal practice). Time stamps can be easily
manipulated with programs like “touch”. Certain backup programs may
alter access times on files. Also modern Linux systems generally use
the “relatime” option on file systems by default, making last access
time information untrustworthy.
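The procedure above (list the host keys, take the earliest time stamp as the install-date proxy, then decide whether the access times mean anything given how the file system is mounted) can be scripted. The code below is an added example, not part of Hal Pomeranz's post: it builds a constructed /etc/ssh-style directory with the modification time from the stat output, returns the earliest mtime as the estimate, and parses a constructed /proc/mounts line to apply the relatime/noatime caveat. ctime cannot be set from user space, so only mtime and atime are constructed.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

HOST_KEY_GLOB = "ssh_host_*"

# Constructed /proc/mounts excerpts (not captured from a real system).
MOUNTS_RELATIME = "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n"
MOUNTS_STRICTATIME = "/dev/sda1 / ext4 rw,strictatime 0 0\n"


def host_key_timestamps(ssh_dir: str) -> list:
    """Collect the same three time stamps `stat` prints, for every host key file."""
    rows = []
    for p in sorted(Path(ssh_dir).glob(HOST_KEY_GLOB)):
        st = p.stat()
        rows.append({"path": str(p), "mtime": st.st_mtime,
                     "ctime": st.st_ctime, "atime": st.st_atime})
    return rows


def estimate_install_date(ssh_dir: str):
    """Earliest host-key mtime, as an ISO date (UTC), or None if no keys exist."""
    rows = host_key_timestamps(ssh_dir)
    if not rows:
        return None
    earliest = min(r["mtime"] for r in rows)
    return datetime.fromtimestamp(earliest, tz=timezone.utc).date().isoformat()


def atime_is_trustworthy(mounts_text: str, mount_point: str = "/") -> bool:
    """Read a /proc/mounts-style listing; relatime or noatime make atime unreliable."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mount_point:
            opts = set(parts[3].split(","))
            return not (opts & {"relatime", "noatime"})
    return False  # mount point not found: do not rely on access times


def make_sample_ssh_dir() -> str:
    """Construct a temporary directory that mimics /etc/ssh with the post's 2007 mtime."""
    d = tempfile.mkdtemp()
    # Modify time from the stat output above: 2007-07-14 11:56:52 -0700.
    ts = datetime(2007, 7, 14, 11, 56, 52, tzinfo=timezone(timedelta(hours=-7))).timestamp()
    # Access time from the stat output: 2009-11-29 09:49:28 -0800.
    at = datetime(2009, 11, 29, 9, 49, 28, tzinfo=timezone(timedelta(hours=-8))).timestamp()
    for name in ("ssh_host_key", "ssh_host_dsa_key", "ssh_host_rsa_key"):
        p = Path(d) / name
        p.write_bytes(b"constructed placeholder, not a real key")
        os.utime(p, (at, ts))
    # A later-modified unrelated file must not move the estimate.
    other = Path(d) / "sshd_config"
    other.write_bytes(b"# constructed")
    return d


if __name__ == "__main__":
    sample = make_sample_ssh_dir()
    print("install date estimate:", estimate_install_date(sample))
    print("atime trustworthy (relatime):", atime_is_trustworthy(MOUNTS_RELATIME))
```

Point the functions at a mounted image's etc/ssh directory and at its etc/fstab or a saved /proc/mounts; the install-date estimate is only as good as the caveats in the paragraph above allow.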

File Locations

Forensic Programs of Use
ls, stat

Default System Time Zone (Linux)


Author Name
Hal Pomeranz

Artifact Name
Linux default system time zone

Operating System

If you’re dealing with a live system, the time zone can be observed in
the output of the “date” command:

$ date
Sat May 28 05:07:15 PDT 2011

Look immediately after the time stamp; in this case, the system time
zone is “PDT”.

When investigating a system image, there are two places where the
system time zone is generally recorded. The first is a configuration
file under /etc such as /etc/timezone on Ubuntu (Debian) Linux or
/etc/sysconfig/clock on Red Hat Linux (and derivatives like Fedora and
CentOS). Here’s a sample /etc/sysconfig/clock file:

# The ZONE parameter is only evaluated by system-config-date.
# The timezone of the system is defined by the contents of

The “ZONE” parameter describes the time zone. It is common for Linux
systems to have the administrator configure their time zone by
choosing a well-known city in the given time zone. In this case,
“America/Los_Angeles” is synonymous with the US Pacific time zone, aka

Note the comment at the top of the file. The reason the data in these
configuration files is somewhat untrustworthy is that the applications
on a Linux system generally refer to /etc/localtime for time zone
configuration information. This file need not necessarily match the
setting in the configuration files described above.

The /etc/localtime file itself is in a special binary format that’s
compiled from a text-based configuration file. If you’re doing your
investigation from a Linux system, you can use the “zdump” command to
output the current date in the time zone described by /etc/localtime:

$ zdump /etc/localtime
/etc/localtime Sat May 28 05:16:28 2011 PDT

Again, look immediately after the time stamp for the time zone name.

If you don’t have access to the zdump command for whatever reason, the
analyst can look for matching files in the system time zone directory
under /usr/share/zoneinfo. First compute the MD5 checksum of
/etc/localtime and then look for files matching this checksum under
/usr/share/zoneinfo. Here’s some sample commands for doing this with
the Linux command shell:

$ md5sum /etc/localtime
685e6cae6f7d63e690bf35b955ff4afb /etc/localtime
$ find /usr/share/zoneinfo -type f | xargs md5sum | grep 685e6cae6f7d63e690bf35b955ff4afb
685e6cae6f7d63e690bf35b955ff4afb /usr/share/zoneinfo/posix/US/Pacific
685e6cae6f7d63e690bf35b955ff4afb /usr/share/zoneinfo/US/Pacific

It’s not uncommon for there to be several matching files under
/usr/share/zoneinfo. Typically these files are links to one another.
In this case the files under the “posix” directory are linked to each
other, and the other two copies are also linked to each other, but all
describe the same time zone.
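The checksum-matching technique above, plus the comparison against the ZONE setting in /etc/sysconfig/clock that the post says may disagree with /etc/localtime, as an added example that is not part of the original post. It constructs a small fake zoneinfo tree (the file contents are placeholders, not real TZif data) with duplicated Pacific entries, hashes /etc/localtime, lists every matching path, and reports whether the configured ZONE is among the matches.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed /etc/sysconfig/clock contents, modelled on the post's sample.
SAMPLE_CLOCK = """# The ZONE parameter is only evaluated by system-config-date.
# The timezone of the system is defined by the contents of /etc/localtime.
ZONE="America/Los_Angeles"
"""


def file_md5(path) -> str:
    """Same digest md5sum prints, computed in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matching_zones(localtime_path: str, zoneinfo_dir: str) -> list:
    """Every file under zoneinfo_dir whose content hashes like /etc/localtime."""
    target = file_md5(localtime_path)
    root = Path(zoneinfo_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and file_md5(p) == target)


def zone_from_sysconfig_clock(text: str):
    """Return the ZONE= value from an /etc/sysconfig/clock file, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ZONE="):
            return line[len("ZONE="):].strip().strip('"')
    return None


def config_matches_localtime(clock_text: str, localtime_path: str, zoneinfo_dir: str) -> bool:
    """True when the configured ZONE names one of the files /etc/localtime was copied from."""
    zone = zone_from_sysconfig_clock(clock_text)
    return zone is not None and zone in matching_zones(localtime_path, zoneinfo_dir)


def make_sample_tree():
    """Construct a throwaway /etc/localtime and zoneinfo tree with placeholder bytes."""
    base = Path(tempfile.mkdtemp())
    zi = base / "usr" / "share" / "zoneinfo"
    # Placeholder blobs, distinct per zone; real files are binary TZif data.
    pacific = b"placeholder-tzif PST8PDT"
    eastern = b"placeholder-tzif EST5EDT"
    for rel, blob in (("US/Pacific", pacific), ("posix/US/Pacific", pacific),
                      ("America/Los_Angeles", pacific), ("US/Eastern", eastern)):
        p = zi / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(blob)
    lt = base / "etc" / "localtime"
    lt.parent.mkdir(parents=True)
    lt.write_bytes(pacific)
    return str(lt), str(zi)


if __name__ == "__main__":
    lt, zi = make_sample_tree()
    print(matching_zones(lt, zi))
    print(config_matches_localtime(SAMPLE_CLOCK, lt, zi))
```

Against a mounted image, pass the image's etc/localtime and usr/share/zoneinfo paths; several matches are expected, as the paragraph above explains, and a ZONE value that is not among them is the mismatch the post warns about.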

File Locations

Forensic Programs of Use
find, md5sum, grep

Installed Printers (Mac)


Author Name
Joe Garcia

Artifact Name
Installed Printers (Mac)

Artifact/Program Version
Mac OS X

This property list (plist) on a Mac OS X machine will tell you what types of printers have been installed on that system. Be advised though, that a printer may have been uninstalled/removed by the user and if they have not restarted their computer, that printer’s entry will persist until the computer is rebooted. This plist will then be overwritten to reflect the change.

Property List

File Locations

Research Links
Apple Developer Tools:

Forensic Programs of Use
plist Editor that is provided with XCode

Computer Name


Author Name
Joe Garcia

Artifact Name
Computer Name

Artifact/Program Version

Knowing the name of a computer that you are examining can be important for many reasons.  In a situation where you may need to examine a computer that was removed from a network, it will help you verify that it is indeed the computer in question.  Having the Computer Name is also used to correlate information found in Event Logs.

Also, for Law Enforcement you may have a situation where there is a high rate of laptop thefts in a particular area.  Let us say a suspect is apprehended for a crime while in possession of a laptop in that area.  He/she may claim that the laptop is theirs.  Well, if they offer consent or you are granted a search warrant to examine the laptop, this could help build your case against the suspect.  Is this the be all, end all to determine guilt?  No, but you can use this information to possibly help challenge their alibi and poke holes in their story if the Computer Name is completely off.

First things first though.  Using your favorite Registry Viewer determine the CurrentControlSet for the Windows machine you are examining.  You can follow the instructions for doing that HERE.  Once you have done that, proceed to SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName.  You will see the following:

AccessData’s Registry Viewer:

MiTeC Registry Analyzer:


To find this information in a Non-Forensic fashion, go to Control Panel > System > Computer Name Tab

Thanks to some help from Harlan Carvey (see Comments below), I have added the other Registry Keys of note to obtain a Computer Name from a Windows system.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (Look for the value of Hostname):

SOFTWARE\Microsoft\SchedulingAgent (Look at the value of OldName):

Registry Keys
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (value: Hostname)
SOFTWARE\Microsoft\SchedulingAgent (value: OldName)

Forensic Programs of Use
AccessData Registry Viewer-


MiTeC Windows Registry Analyzer-

Research Links

CurrentControlSet (Windows)


Author Name
Joe Garcia

Artifact Name
CurrentControlSet (Windows Registry)

A Control Set contains system configuration information for a Windows Operating System. Windows maintains two Control Sets and knowing which one to focus on during your examination is critical. Knowing the CurrentControlSet will be important to gather information of evidentiary importance such as Computer Name, Time Zone information, Shutdown Times, and even what USB Devices connected to the system.

Once you have exported out the Registry Hive of the computer that you are examining, you can use MiTeC’s Windows Registry Analyzer or AccessData’s Registry Viewer to determine what the CurrentControlSet is. Use either of those programs to open the SYSTEM Hive. You will see the following once it is open:

Now navigate to the SYSTEM\Select key. It is here you will see 4 entries: Current, Default, Failed and LastKnownGood. Current is the control set used to last boot up the system. Default usually matches Current. Failed denotes the control set that was unable to successfully boot the system, and LastKnownGood is the control set that last successfully booted the system.

Going back to your registry viewer of choice, find the Select key and highlight it:

In the example above, you will see Current has a value of 0x1 or (1). This means that the CurrentControlSet is ControlSet001. That means you must focus on ControlSet001 to gather the information that you are looking for during your examination. As you can see in the above screenshots, the Default value matches the Current value. Looking at the Failed entry, it shows a value of 0x0, which means that there were no failed boot-ups. Finally, the LastKnownGood value shows 0x2 or (2), meaning that ControlSet002 previously booted the system successfully.
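The Select-key logic described here, applied to the Computer Name post above (ComputerName, Tcpip\Parameters Hostname and SchedulingAgent OldName), as an added example that is not part of either post. Registry access is simulated with a constructed dictionary keyed by hive path, since the values are what matter; the Select values mirror the screenshot described in the text (Current 1, Default 1, Failed 0, LastKnownGood 2), and the machine names are invented.

```python
from typing import Optional

# Constructed excerpt of SYSTEM and SOFTWARE hive values (not from a real system).
SAMPLE_HIVES = {
    "SYSTEM\\Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "SYSTEM\\ControlSet001\\Control\\ComputerName\\ComputerName": {"ComputerName": "LAB-WKS01"},
    "SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters": {"Hostname": "lab-wks01"},
    # Stale name in the other control set, to show why resolving Select first matters.
    "SYSTEM\\ControlSet002\\Control\\ComputerName\\ComputerName": {"ComputerName": "OLD-NAME"},
    "SOFTWARE\\Microsoft\\SchedulingAgent": {"OldName": "LAB-WKS01"},
}


def control_set_name(index: int) -> Optional[str]:
    """Map a Select value such as 0x1 to its key name (ControlSet001); 0x0 means none."""
    return f"ControlSet{index:03d}" if index else None


def resolve_select(select_values: dict) -> dict:
    """Translate all four Select entries into control-set key names."""
    return {name: control_set_name(v) for name, v in select_values.items()}


def computer_names(hives: dict) -> dict:
    """Resolve CurrentControlSet, then read the three name locations under it."""
    ccs = control_set_name(hives["SYSTEM\\Select"]["Current"])
    if ccs is None:
        raise ValueError("Select\\Current is 0x0: no current control set recorded")

    def value(key: str, name: str):
        return hives.get(key, {}).get(name)

    computer_name = value(f"SYSTEM\\{ccs}\\Control\\ComputerName\\ComputerName", "ComputerName")
    hostname = value(f"SYSTEM\\{ccs}\\Services\\Tcpip\\Parameters", "Hostname")
    old_name = value("SOFTWARE\\Microsoft\\SchedulingAgent", "OldName")
    # Names are compared case-insensitively; a disagreement is worth a closer look.
    distinct = {n.lower() for n in (computer_name, hostname, old_name) if n}
    return {
        "current_control_set": ccs,
        "computer_name": computer_name,
        "hostname": hostname,
        "scheduling_agent_old_name": old_name,
        "consistent": len(distinct) <= 1,
    }


if __name__ == "__main__":
    print(resolve_select(SAMPLE_HIVES["SYSTEM\\Select"]))
    print(computer_names(SAMPLE_HIVES))
```

With a real SYSTEM hive, the dictionary would be populated by whatever registry parser you use; the point of the example is the ordering, since reading ComputerName from ControlSet002 here would return the stale name.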

Registry Keys

Research Links

Forensic Programs of Use
MiTeC Windows Registry Analyzer (by Michal Mutl)- (found under Registry/INI Tools)

AccessData Registry Viewer-