Changes in technology marked the coming up of computer era and there are many Operating Systems available such as Windows, Mac, Linux etc. for the operation. The changes have brought new face for criminal activities and consequently to the investigation as well. For a clean closing of an investigation, it is important to know more about the platforms that come in use. Apple systems are always a unique company for the users because of its performance and security. The scale shows that in crime labs around 5-10 percent of the systems are Mac OS X. Suppose, if the criminal activities carried out has a great involvement of these OS then, a study of these systems is essential in the way of investigation. This blog presents you Mac OS X forensics analysis; helps in collecting the pieces of evidence out, make you aware of the locations of files.
Here, the discussion is done from the very basic itself.
Before starting the investigation, it is important to know that which version of Mac you are working with. Once if the version is clear then, it will be easy to identify the locations of other files. It uses plist files and the SystemVersion.plist file is located in;
/System/Library/CoreServices/SystemVersion.plist
Chrome is one of the browsers that have gained a great attention of the users. People use these to surf through the web. By analyzing the information stored in the folder, an investigator can collect the evidence. From the folder, agents will get details of
Location is;
Location of the files is;
Safari is meant to be the default browser of Mac OS X. Like the other browsers, people also are fond of using this browser as well and from the ‘History’ file maintained, a forensic agent can dig out the evidence. The history recorded can be found from ‘History.plist’.
The information on the last session browsed is provided under the LastSession.plist file located at;
/Users/<user>/Library/Safari/ LastSession.plist
The cookies are present in;
/Users/<user>/Library/Cookies/Cookies.plist
Cache database file can be found from;
/Users/<user>/Library/Caches/com.apple.Safari/Cache.db
The sites that the suspects visited mainly can be found as well from;
/Users/<user>/Library/Safari/TopSites.plist
Apple Mail is the default desktop mail client of Mac OS X. Below are the path of some of the files.
Default path;
/Library/Mail
/Library/Mail/[Mail Box]
/Library/Mail/RSS/
/Library/Preferences/com.apple.mail.plist
/Library/Mail/[Mail Box]/Messages
The messages are stored with the file extension ‘emlx’, as single file.
The location of the log files are;
/Users/username/Library/Logs/*
/private/var/log/*
If the investigator doubts about the data exchange through the Bluetooth then, the information regarding the Bluetooth is available from;
Details of file shared are available from;
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
This contains the information on the recently opened files, server, applications etc. and it is located in;
Mozilla Firefox is another web browser used commonly, helps in browsing the web and you can find the files corresponding to Firefox located in;
Cookies are located in;
From the history file, investigator can collect the information of the URLs visited and is located in;
This details the user preference settings for the utilities or applications.
Location;
The iDevice details are found in;
iCloud preferences are seen in;
Changes in the technology have brought new applications as well. For the proper view of these files, many tools are available in the online market. Once if the locations of the files are made clear, an investigation will process faster. The information given in this Mac OS X Forensics Analysis blog may help you in the way of evidence collection.
