Blog

Mac OS X Forensics: Collecting & Analyzing Artifacts

Eva Mendis | October 17th, 2017 | Updates

Changes in technology marked the coming up of computer era and there are many Operating Systems available such as Windows, Mac, Linux etc. for the operation. The changes have brought new face for criminal activities and consequently to the investigation as well. For a clean closing of an investigation, it is important to know more about the platforms that come in use. Apple systems are always a unique company for the users because of its performance and security. The scale shows that in crime labs around 5-10 percent of the systems are Mac OS X. Suppose, if the criminal activities carried out has a great involvement of these OS then, a study of these systems is essential in the way of investigation. This blog presents you Mac OS X forensics analysis; helps in collecting the pieces of evidence out, make you aware of the locations of files.

Here, the discussion is done from the very basic itself.

Collecting Artifacts – Mac OS X Forensics Analysis

  1. System Version

Before starting the investigation, it is important to know that which version of Mac you are working with. Once if the version is clear then, it will be easy to identify the locations of other files. It uses plist files and the SystemVersion.plist file is located in;

/System/Library/CoreServices/SystemVersion.plist

  1. Chrome Browser Profile

Chrome is one of the browsers that have gained a great attention of the users. People use these to surf through the web. By analyzing the information stored in the folder, an investigator can collect the evidence. From the folder, agents will get details of

  • Cookies
  • History
  • Bookmarks
  • Web Logins, etc.

Location is;

mac os x forensics

  1. Safari

Location of the files is;

analysis mac os x forensics

Safari is meant to be the default browser of Mac OS X. Like the other browsers, people also are fond of using this browser as well and from the ‘History’ file maintained, a forensic agent can dig out the evidence. The history recorded can be found from ‘History.plist’.

The information on the last session browsed is provided under the LastSession.plist file located at;

/Users/<user>/Library/Safari/ LastSession.plist

The cookies are present in;

/Users/<user>/Library/Cookies/Cookies.plist

Cache database file can be found from;

/Users/<user>/Library/Caches/com.apple.Safari/Cache.db

The sites that the suspects visited mainly can be found as well from;

/Users/<user>/Library/Safari/TopSites.plist

  1. Apple Mail

Apple Mail is the default desktop mail client of Mac OS X. Below are the path of some of the files.

Default path;

/Library/Mail

  • Mailboxes seen in;

/Library/Mail/[Mail Box]

  • RSS feeds in;

/Library/Mail/RSS/

  • The configuration file is located at;

/Library/Preferences/com.apple.mail.plist

  • The mail messages are stored in;

/Library/Mail/[Mail Box]/Messages

The messages are stored with the file extension ‘emlx’, as single file.

  1. Log files

The location of the log files are;

/Users/username/Library/Logs/*

/private/var/log/*

  1. Bluetooth History

If the investigator doubts about the data exchange through the Bluetooth then, the information regarding the Bluetooth is available from;

mac os forensic artifacts

  1. File sharing

Details of file shared are available from;

/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist

  1. Recent Items

This contains the information on the recently opened files, server, applications etc. and it is located in;

browser history

  • QuickTime Recent Items are located at

mac os x forensics

  • The TextEdit recent items are found in;

text-edit-items

  1. Firefox

Mozilla Firefox is another web browser used commonly, helps in browsing the web and you can find the files corresponding to Firefox located in;

analysis mac os x forensics

Cookies are located in;

mac os forensic artifacts

From the history file, investigator can collect the information of the URLs visited and is located in;

MAC OS X places.sqlite forensics

  1. User Preference

This details the user preference settings for the utilities or applications.

Location;

preferences

The iDevice details are found in;

apple

iCloud preferences are seen in;

meAccounts

Bottom Line

Changes in the technology have brought new applications as well. For the proper view of these files, many tools are available in the online market. Once if the locations of the files are made clear, an investigation will process faster. The information given in this Mac OS X Forensics Analysis blog may help you in the way of evidence collection.