Mac OS X Forensics: Collecting & Analyzing Artifacts
Changes in technology marked the coming up of the computer era and there are many Operating Systems available such as Windows, Mac, Linux etc. for the operation. The changes have brought a new face to criminal activities and consequently to the investigation as well. For a clean closing of an investigation, it is important to know more about the platforms that come in use. Apple systems are always a unique company for the users because of their performance and security. The scale shows that in crime labs around 5-10 per cent of the systems are Mac OS X. Suppose, if the criminal activities carried out have a great involvement of these OS then, a study of these systems is essential in the way of investigation. This blog presents you with Mac OS X forensics analysis; helps in collecting the pieces of evidence, and makes you aware of the locations of files.
Here, the discussion is done from a very basic itself.
Collecting Artifacts – Mac OS X Forensics Analysis
Before starting the investigation, it is important to know which version of Mac you are working with. Once the version is clear then, it will be easy to identify the locations of other files. It uses plist files and the SystemVersion.plist file is located in;
Chrome Browser Profile
Chrome is one of the browsers that have gained the great attention of the users. People use these to surf the web. So, by analyzing the information stored in the folder, an investigator can collect the evidence. From the folder, agents will get details of
- Web Logins, etc.
The location of the files is;
Safari is the default browser of Mac OS X. Like the other browsers, people also are fond of using this browser as well and from the ‘History’ file maintained, a forensic agent can dig out the evidence. The history recorded can be found from ‘History.plist’.
The information on the last session browsed is provided under the LastSession.plist file located at;
The cookies are present in;
Cache database file can be found from;
The sites that the suspects visited mainly can be found as well from;
Apple Mail is the default desktop mail client of Mac OS X. Below are the path of some of the files.
- Mailboxes are seen in;
- RSS feeds in;
- The configuration file is located at;
- The mail messages are stored in;
The messages stored with the file extension ‘emlx’, as single file.
The location of the log files are;
If the investigator doubts about the data exchange through the Bluetooth then, the information regarding the Bluetooth is available from;
Details of files shared are available from;
This contains the information on the recently opened files, server, applications etc. and it is located in;
- QuickTime Recent Items are located at
- The TextEdit recent items are found in;
Mozilla Firefox is another web browser used commonly, helps in browsing the web and you can find the files corresponding to Firefox located in;
Cookies are located in;
Also, from the history file, the investigator can collect the information on the URLs visited and is located in;
This details the user preference settings for the utilities or applications.
The iDevice details are found in;
iCloud preferences are seen in;
Changes in technology have brought new applications as well. For the proper view of these files, many tools are available in the online market. Once the locations of the files are clear, an investigation will process faster. The information given in this Mac OS X Forensics Analysis blog may help you in the way of evidence collection.