Home » Updates » Mac OS X Forensics: Collecting & Analyzing Artifacts

Mac OS X Forensics: Collecting & Analyzing Artifacts

author
Published By Raj Kumar
Aswin Vijayan
Approved By Aswin Vijayan
Published On April 19th, 2022
Reading Time 4 Minutes Reading
Category Updates

Changes in technology marked the coming up of the computer era and there are many Operating Systems available such as Windows, Mac, Linux etc. for the operation. The changes have brought a new face to criminal activities and consequently to the investigation as well. For a clean closing of an investigation, it is important to know more about the platforms that come in use. Apple systems are always a unique company for the users because of their performance and security. The scale shows that in crime labs around 5-10 per cent of the systems are Mac OS X. Suppose, if the criminal activities carried out have a great involvement of these OS then, a study of these systems is essential in the way of investigation. This blog presents you with Mac OS X forensics analysis; helps in collecting the pieces of evidence, and makes you aware of the locations of files.

Here, the discussion is done from a very basic itself.

Collecting Artifacts – Mac OS X Forensics Analysis

System Version

Before starting the investigation, it is important to know which version of Mac you are working with. Once the version is clear then, it will be easy to identify the locations of other files. It uses plist files and the SystemVersion.plist file is located in;

/System/Library/CoreServices/SystemVersion.plist

Chrome Browser Profile

Chrome is one of the browsers that have gained the great attention of the users. People use these to surf the web. So, by analyzing the information stored in the folder, an investigator can collect the evidence. From the folder, agents will get details of

  • Cookies
  • History
  • Bookmarks
  • Web Logins, etc.

Location is;

mac os x forensics

Safari

The location of the files is;

analysis mac os x forensics

Safari is the default browser of Mac OS X. Like the other browsers, people also are fond of using this browser as well and from the ‘History’ file maintained, a forensic agent can dig out the evidence. The history recorded can be found from ‘History.plist’.

The information on the last session browsed is provided under the LastSession.plist file located at;

/Users/<user>/Library/Safari/ LastSession.plist

The cookies are present in;

/Users/<user>/Library/Cookies/Cookies.plist

Cache database file can be found from;

/Users/<user>/Library/Caches/com.apple.Safari/Cache.db

The sites that the suspects visited mainly can be found as well from;

/Users/<user>/Library/Safari/TopSites.plist

Apple Mail

Apple Mail is the default desktop mail client of Mac OS X. Below are the path of some of the files.

Default path;

/Library/Mail

  • Mailboxes are seen in;

/Library/Mail/[Mail Box]

  • RSS feeds in;

/Library/Mail/RSS/

  • The configuration file is located at;

/Library/Preferences/com.apple.mail.plist

  • The mail messages are stored in;

/Library/Mail/[Mail Box]/Messages

The messages stored with the file extension ‘emlx’, as single file.

Log files

The location of the log files are;

/Users/username/Library/Logs/*

/private/var/log/*

Bluetooth History

If the investigator doubts about the data exchange through the Bluetooth then, the information regarding the Bluetooth is available from;

mac os forensic artifacts

File sharing

Details of files shared are available from;

/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist

Recent Items

This contains the information on the recently opened files, server, applications etc. and it is located in;

browser history

  • QuickTime Recent Items are located at

mac os x forensics

  • The TextEdit recent items are found in;

text-edit-items

Firefox

Mozilla Firefox is another web browser used commonly, helps in browsing the web and you can find the files corresponding to Firefox located in;

analysis mac os x forensics

Cookies are located in;

mac os forensic artifacts

Also, from the history file, the investigator can collect the information on the URLs visited and is located in;

MAC OS X places.sqlite forensics

User Preference

This details the user preference settings for the utilities or applications.

Location;

preferences

The iDevice details are found in;

apple

iCloud preferences are seen in;

meAccounts

Bottom Line

Changes in technology have brought new applications as well. For the proper view of these files, many tools are available in the online market. Once the locations of the files are clear, an investigation will process faster. The information given in this Mac OS X Forensics Analysis blog may help you in the way of evidence collection.