Channel: Apple – Forensic Artifacts

System Version (Mac)


Author Name
Douglas Brush

Artifact Name
SystemVersion.plist

Artifact/Program Version
OS X 10.x (Client)

Description
When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories
for system and program settings and information. Plist files can be either
in a binary-encoded format (identified by the “bplist” file header) or in XML.

To get the operating system version, the first plist file you will
want to examine is “SystemVersion.plist”, located in the
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.
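As an added example (not part of the original article), the following Python script reads SystemVersion.plist, classifies it as binary or XML by its header, and pulls the fields an examiner needs to steer the rest of the analysis. The sample plist embedded below is constructed for the example; the keys ProductName, ProductVersion and ProductBuildVersion are the ones Apple uses in this file, and the build string is illustrative.

```python
import plistlib

# Constructed sample: an XML SystemVersion.plist as it might look on a 10.6 client.
SAMPLE_SYSTEM_VERSION_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>10K549</string>
    <key>ProductName</key>
    <string>Mac OS X</string>
    <key>ProductVersion</key>
    <string>10.6.8</string>
</dict>
</plist>
"""


def plist_format(raw: bytes) -> str:
    """Classify a plist by its header: binary plists start with the bytes 'bplist'."""
    if raw[:6] == b"bplist":
        return "binary"
    if raw.lstrip().startswith(b"<?xml") or b"<plist" in raw[:512]:
        return "xml"
    return "unknown"


def parse_system_version(raw: bytes) -> dict:
    """Return the fields from SystemVersion.plist that shape the rest of the exam.

    plistlib.loads() auto-detects binary versus XML, so the same call handles both
    encodings; the format is reported separately for the examiner's notes.
    """
    data = plistlib.loads(raw)
    version = data.get("ProductVersion", "")
    parts = version.split(".")
    # "10.6.8" -> "10.6": the major release is what decides artifact locations.
    major = ".".join(parts[:2]) if len(parts) >= 2 else version
    return {
        "format": plist_format(raw),
        "product_name": data.get("ProductName", ""),
        "product_version": version,
        "build": data.get("ProductBuildVersion", ""),
        "major_release": major,
    }


def load_system_version(path="/System/Library/CoreServices/SystemVersion.plist") -> dict:
    """Read the plist from a live system or from a mounted image (adjust the path)."""
    with open(path, "rb") as fh:
        return parse_system_version(fh.read())


def sample_as_binary() -> bytes:
    """Re-encode the constructed sample as a binary plist to exercise the bplist path."""
    return plistlib.dumps(plistlib.loads(SAMPLE_SYSTEM_VERSION_XML), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for blob in (SAMPLE_SYSTEM_VERSION_XML, sample_as_binary()):
        print(parse_system_version(blob))
```

Point load_system_version() at the CoreServices folder of a mounted evidence volume rather than the examination machine, otherwise you will record the examiner's own OS version.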

File Locations
/System/Library/CoreServices/SystemVersion.plist

Research Links

Forensic Programs of Use
plist Edit Pro (Mac):
plist Editor Pro (Win):


OS X Lion Artifacts


Author Name
Sean Cavanaugh – AppleExaminer

Artifact Name
OS X Lion Artifacts

Description
Sean Cavanaugh of AppleExaminer.com maintains a Google Spreadsheet at the link listed below. Since this list is community driven and may change, it is not republished here; however, here is a spreadsheet containing the artifacts as of 11-26-11. This list contains artifacts of User Directories, Safari, Mail, iChat, iPhoto, iTunes, Photo Booth, Address Book, Spotlight, RSS, Saved Application State, Preferences, Autorun Locations, Recent Items, browsers, and specific applications.


Research Links
https://docs.google.com/spreadsheet/ccc?key=0AkBdGlxJhW-ydDlxVUxWUVU0dXVzMzUxRzh2b2ZzaFE&hl=en_US#gid=0



iCloud Service on Windows


John Lukach

iCloud Control Panel for Windows v1.01

Apple artifacts are commonly associated with the iPhone, iPad, iPod, and Mac, but they can also be found on Windows if the iCloud service was enabled. The goal of this post is to provide the application-level artifacts that could potentially determine who, what, and when email, contacts, calendar items, tasks, bookmarks, and photos were transferred between devices. It is important to note that operating system artifacts such as the registry, event logs, and others will be available for correlation and validation of your findings too.

iCloud maintains detailed logs in C:\Users\\AppData\Roaming\Apple Computer\Logs that can be used to determine the timeline of when the features provided by the service were used. The log file naming schema follows this example format: asl.221320_23feb12.log, with a new file created on initial start-up and on system reboots. Photo Stream log entries provide more granular information on when photos are transferred, and the Bookmark log entries even disclose the primary Apple ID.

The preferences defined for each specific user who used the iCloud service can be found in the directory C:\Users\\AppData\Roaming\Apple Computer\Preferences. Specifically, the mobilemeaccounts.plist file contains the account information along with configuration details on each service being used. Additionally, the com.apple.dav.bookmark.msie.plist file is of interest, as it lists which bookmarks are being transferred to Internet Explorer or Safari.

Media Stream artifacts are located in the C:\Users\\AppData\Roaming\Apple Computer\MediaStream folder. The root level contains a SQLite database called local.db that holds the Apple ID plus the locations where pictures are uploaded and downloaded on the system. The same path has a DL and a UL folder with logs indicating the dates and times that a specific number of files were uploaded or downloaded to the locations defined in the database. Each file is assigned a unique asset number in the logs, such as 0142e0bf66ffe3f3ed826c51e6d3cc4f0eaad7db8d. If anyone happens to know the algorithm Apple uses to generate these asset numbers, it would allow the identification of images outside the defined locations.

At this time there do not appear to be any application-specific artifacts for Mail, Calendar, Contacts, and Tasks in the iCloud service, so you should be able to use the forensic tool of your choice to parse Microsoft Outlook information from the system.

A final artifact of interest: when the iCloud Control Panel is opened, you are presented with the option to manage the service storage. Looking at the Backups section may give you some insight into the number of mobile devices, such as iPhones, iPads, and iPods, that are archiving to iCloud, along with the last successful completion date.

Using Apple Time Capsule with Microsoft Windows


John Lukach

AirPort Utility 5.6.1 for Windows

The AirPort Utility for Windows allows Windows computers to access the Apple Time Capsule hard disk over Bonjour. The drive is available as a network share through UNC mapping on your PC. The binary data stored in HKEY_Users\S-1-5-1234567890-1234567890-123456789-1000\Software\AppleInc.\Preferences\com.apple.airport.diskagent will provide confirmation of which volume is associated with your Apple Time Capsule. An external USB connection is available, so you could have two volumes listed.

If the end user set up Windows Backup, you will be able to gain additional insight into the size of the disk and the free space available, which may help in identifying the external USB drive.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\Rules\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\PresentableName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\UniqueName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\TargetDevices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\UserDataExclusions

User defined inclusions are listed as numbered keys under the Rules folder containing specific paths.

Mac OS X Autorun Locations

Author Name
  pstirparo
Submission Title
  Mac OS X Autorun Locations
Post Category
  System
Submission Tags
  Apple, OSX, System
Artifact Description
  These artifacts refer to autorun programs and daemons that run at system startup.
File Locations
  Launch Agents files
– ‘/Library/LaunchAgents/*’
– ‘/System/Library/LaunchAgents/*’

Launch Daemons files
– ‘/Library/LaunchDaemons/*’
– ‘/System/Library/LaunchDaemons/*’

Startup Items file
– ‘/Library/StartupItems/*’
– ‘/System/Library/StartupItems/*’
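As an added example (not part of the mac4n6 submission), this Python script sweeps the LaunchAgents and LaunchDaemons directories listed above on a mounted image and summarises each job's label, program and load behaviour, which is the first pass of a persistence review. The plist keys Label, Program, ProgramArguments, RunAtLoad and KeepAlive are standard launchd keys; the sample job written into a temporary directory is constructed for the example, and the root-path argument is my own convention for pointing the sweep at an image rather than the live system.

```python
import os
import plistlib
import tempfile

# Autorun directories from the submission, relative to the root of the
# examined volume (pass "/" for the live system, or a mount point for an image).
LAUNCH_DIRS = (
    "Library/LaunchAgents",
    "System/Library/LaunchAgents",
    "Library/LaunchDaemons",
    "System/Library/LaunchDaemons",
)


def summarize_launch_plist(path: str) -> dict:
    """Extract what matters for triage from one launchd job plist."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)          # binary or XML, plistlib detects it
    args = data.get("ProgramArguments") or []
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = data.get("Program") or (args[0] if args else "")
    return {
        "path": path,
        "label": data.get("Label", ""),
        "program": program,
        "arguments": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def enumerate_launch_items(root: str) -> list:
    """Walk every autorun directory under root and summarise each job plist."""
    items = []
    for rel in LAUNCH_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(directory, name)
            try:
                items.append(summarize_launch_plist(full))
            except Exception as exc:
                # A malformed plist is itself worth noting; keep sweeping.
                items.append({"path": full, "error": str(exc)})
    return items


def build_sample_root() -> str:
    """Constructed fixture: a fake volume root with one third-party LaunchDaemon."""
    root = tempfile.mkdtemp()
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons)
    job = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/local/bin/example-updater", "--check"],
        "RunAtLoad": True,
    }
    with open(os.path.join(daemons, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(job, fh)
    return root


if __name__ == "__main__":
    for item in enumerate_launch_items(build_sample_root()):
        print(item)
```

Jobs whose program lives outside /System, /usr or /Library, or whose label does not match the file name, are the ones to examine first; the Apple-owned directories under /System/Library should be compared against a known-good install of the same OS version.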

Research Links
  https://github.com/pstirparo/mac4n6
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
  These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com

This way the effort is made only once, and the output is reused everywhere.

Mac OS X Sleep/Hibernate and Swap Image File

Author
Pasquale Stirparo, @pstirparo
Artifact Description
Contents of RAM are written into the sleepimage file when the computer is put to sleep.
Numerous swap files may be found in the /var/vm/ directory with the naming convention of swapfile# (swapfile0, swapfile1, swapfile2, etc.)
File Locations
/var/vm/sleepimage
/var/vm/swapfile#
Research Links
https://github.com/pstirparo/mac4n6
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once, and the output is reused everywhere.


Mac OS X System Logs

Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X System Logs
Artifact Description
Num. 1 is the main folder containing the system logs.

Num. 2 contains the Apple System Logs (asl). The filename format is YYYY.MM.DD.[UID].[GID].asl.

Num. 4 contains the install date of the system, as well as the dates of system and software updates.
File Locations
1) System Log files main folder
– /var/log/*

2) Apple System Log
– /var/log/asl/*

3) Audit Log
– /var/audit/*

4) Installation log
– /var/log/install.log
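Two of the posts above describe log files whose names carry a timestamp: the Windows iCloud Control Panel logs (asl.221320_23feb12.log) and the Mac Apple System Log files in /var/log/asl (YYYY.MM.DD.[UID].[GID].asl). The following Python script, added here as an example and not taken from either post, turns a directory listing in either convention into a sorted timeline. Reading 221320_23feb12 as HHMMSS followed by day, month abbreviation and two-digit year is my interpretation of the example name in the iCloud post, not something the post states; the U/G components of the ASL name are treated as optional because the post shows them in brackets. The file names below are constructed.

```python
import re
from datetime import datetime

# Windows iCloud log, e.g. asl.221320_23feb12.log (assumed HHMMSS_DDmonYY).
ICLOUD_LOG_RE = re.compile(r"^asl\.(\d{6})_(\d{2}[a-z]{3}\d{2})\.log$", re.IGNORECASE)
# Mac ASL file, YYYY.MM.DD.[UID].[GID].asl, where the U and G parts may be absent.
MAC_ASL_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})(?:\.U(\d+))?(?:\.G(\d+))?\.asl$")


def parse_log_name(name: str):
    """Return (timestamp, kind, uid, gid) for a recognised log name, else None."""
    m = ICLOUD_LOG_RE.match(name)
    if m:
        # strptime matches %b case-insensitively, so "feb" is accepted.
        ts = datetime.strptime(f"{m.group(1)}_{m.group(2)}", "%H%M%S_%d%b%y")
        return ts, "icloud-windows", None, None
    m = MAC_ASL_RE.match(name)
    if m:
        ts = datetime(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        uid = int(m.group(4)) if m.group(4) is not None else None
        gid = int(m.group(5)) if m.group(5) is not None else None
        return ts, "mac-asl", uid, gid
    return None


def build_timeline(names) -> list:
    """Sort recognised log files by the time encoded in their names."""
    rows = []
    for name in names:
        parsed = parse_log_name(name)
        if parsed is None:
            continue                      # unrelated files are skipped, not fatal
        ts, kind, uid, gid = parsed
        rows.append({"file": name, "timestamp": ts, "kind": kind, "uid": uid, "gid": gid})
    rows.sort(key=lambda r: r["timestamp"])
    return rows


# Constructed listings: two iCloud logs from a Windows profile and two ASL files.
SAMPLE_NAMES = [
    "asl.221320_23feb12.log",
    "asl.081502_24feb12.log",
    "2012.02.22.U501.G20.asl",
    "2012.02.24.asl",
    "notes.txt",
]


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_NAMES):
        print(row["timestamp"].isoformat(), row["kind"], row["file"], row["uid"], row["gid"])
```

The ASL name only carries a date, so those entries sort at midnight; the file system timestamps and the records inside the file give the finer resolution. On a Windows image, pair the iCloud log times with the event log's boot records, since the post states a new log is created on start-up and reboot.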
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once, and the output is reused everywhere.

Mac OS X “Recent Items”

Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X “Recent Items”
Artifact Description
Num. 1 contains info about the recently opened applications, files, and servers

Num. 2 contains info about the recently opened files specific for each application
File Locations
1) Recent Items
– %%users.homedir%%/Library/Preferences/com.apple.recentitems.plist

2) Recent Items application specific
– %%users.homedir%%/Library/Preferences/*LSSharedFileList.plist
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once, and the output is reused everywhere.



Mac OS X: iOS device backup locations

Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X: iOS device backup locations
Artifact Description
Num. 1 is the main directory inside a Mac containing iOS device backups

Num. 2 is a plist file in plain text. It stores data about the backed up device (such as device name, GUID, ICCID, IMEI, Product type, iOS version, serial numbers, UDID etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).

Num. 3 is a plist file in plain text and it describes the content of the backup. Inside this file we can find the list of applications installed on the backed up device. For every application there are the name and the particular version. Inside the file there is also the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.

Num. 4 is a binary file that stores the descriptions of all the other files in the backup directory. It contains a record for each element in the backup.

Num. 5 is a plist file in binary format that stores information about the completion of the backup.
File Locations
1) iOS device backups directory
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*

2) iOS device backup information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist

3) iOS device backup apps information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist

4) iOS device backup files information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb

5) iOS device backup status information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist
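As an added example (not part of the mac4n6 submission), this Python script walks the MobileSync/Backup directory, reads the Info.plist, Manifest.plist and Status.plist of each backup, and produces the device, encryption and application summary described above, so that an encrypted backup is recognised before any time is spent on its file contents. The key names used (Device Name, Product Version, Serial Number, Unique Identifier, iTunes Version, IsEncrypted, Date, Applications, BackupState, IsFullBackup) are the ones I know from iTunes backups and should be confirmed against the image in hand; the backup written into a temporary directory is constructed for the example.

```python
import os
import plistlib
import tempfile
from datetime import datetime

BACKUP_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def _load_plist(directory: str, name: str) -> dict:
    """Load one plist from a backup directory; missing files yield an empty dict."""
    path = os.path.join(directory, name)
    if not os.path.isfile(path):
        return {}
    with open(path, "rb") as fh:
        return plistlib.load(fh)       # Status.plist is binary, the others XML


def summarize_backup(backup_dir: str) -> dict:
    """Combine the three metadata plists into one record per backup."""
    info = _load_plist(backup_dir, "Info.plist")
    manifest = _load_plist(backup_dir, "Manifest.plist")
    status = _load_plist(backup_dir, "Status.plist")
    return {
        "directory": os.path.basename(backup_dir),
        "device_name": info.get("Device Name"),
        "product_type": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "serial": info.get("Serial Number"),
        "udid": info.get("Unique Identifier"),
        "itunes_version": info.get("iTunes Version"),
        # An encrypted backup needs the backup password before file contents are usable.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "backup_date": manifest.get("Date"),
        "apps": sorted((manifest.get("Applications") or {}).keys()),
        "backup_state": status.get("BackupState"),
        "full_backup": status.get("IsFullBackup"),
    }


def enumerate_backups(root: str = BACKUP_ROOT) -> list:
    """One summary per backup directory under root (empty list if root is absent)."""
    if not os.path.isdir(root):
        return []
    return [summarize_backup(os.path.join(root, d))
            for d in sorted(os.listdir(root))
            if os.path.isdir(os.path.join(root, d))]


def build_sample_backup_root() -> str:
    """Constructed fixture: a Backup folder holding one encrypted backup."""
    root = tempfile.mkdtemp()
    bdir = os.path.join(root, "0123456789abcdef0123456789abcdef01234567")  # constructed UDID-style name
    os.makedirs(bdir)
    info = {"Device Name": "Example iPhone", "Product Type": "iPhone5,1",
            "Product Version": "7.0.4", "Serial Number": "EXAMPLE000001",
            "Unique Identifier": "0123456789ABCDEF0123456789ABCDEF01234567",
            "iTunes Version": "11.1.3"}
    manifest = {"IsEncrypted": True, "Date": datetime(2013, 11, 30, 10, 15, 0),
                "Applications": {"com.example.notes": {"CFBundleVersion": "2.1"},
                                 "com.example.maps": {"CFBundleVersion": "1.0"}}}
    status = {"BackupState": "new", "IsFullBackup": False}
    with open(os.path.join(bdir, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    with open(os.path.join(bdir, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh)
    with open(os.path.join(bdir, "Status.plist"), "wb") as fh:
        plistlib.dump(status, fh, fmt=plistlib.FMT_BINARY)
    return root


if __name__ == "__main__":
    for record in enumerate_backups(build_sample_backup_root()):
        print(record)
```

Run enumerate_backups() against the MobileSync/Backup folder of each user profile on the examined volume; the "encrypted" flag decides whether Manifest.mbdb and the backed-up files can be parsed directly or must wait for the backup password.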
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once, and the output is reused everywhere.


Mac OS X User Preference Settings

Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X User Preference Settings
Artifact Description
Num. 1 is the directory containing user preference settings for applications and utilities

Num. 3 is the plist containing the names of volumes mounted on the desktop that have appeared in the sidebar list

Num. 4 is Global Preferences Plist

Num. 5 contains directories, files, and apps that have appeared in the Dock

Num. 6 contains the list of attached iDevices

Num. 7 is the SQLite database that keeps track of files carrying the quarantine extended attribute, which is given to applications, scripts, and executables downloaded from potentially untrustworthy locations or people. The SQLite database contains URLs, email addresses, email subjects, and other potentially useful information.
File Locations
1) User preferences directory
– %%users.homedir%%/Library/Preferences/*

2) iCloud user preferences
– %%users.homedir%%/Library/Preferences/MobileMeAccounts.plist

3) Sidebar Lists Preferences
– %%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist

4) Global Preferences
– %%users.homedir%%/Library/Preferences/.GlobalPreferences.plist

5) Dock database
– %%users.homedir%%/Library/Preferences/com.apple.Dock.plist

6) Attached iDevices
– %%users.homedir%%/Library/Preferences/com.apple.iPod.plist

7) Quarantine Event Database
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
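As an added example (not part of the mac4n6 submission), this Python script queries the quarantine event database described in item 7 and converts its timestamps, which are stored as seconds since 2001-01-01 UTC (CFAbsoluteTime), into readable dates. The table and column names (LSQuarantineEvent, LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString and so on) are the ones I know from the QuarantineEventsV2 schema and are an assumption of this example, not quoted from the submission; the in-memory database and its two rows are constructed so the script runs without an evidence file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# CFAbsoluteTime epoch used by LaunchServices: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumed schema of com.apple.LaunchServices.QuarantineEventsV2 (confirm on the image).
SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginTitle TEXT,
    LSQuarantineOriginURLString TEXT,
    LSQuarantineOriginAlias BLOB
);
"""


def mac_time(seconds: float) -> datetime:
    """Convert a CFAbsoluteTime value to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def open_quarantine_db(path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only so the query cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def quarantine_events(conn: sqlite3.Connection) -> list:
    """Return every quarantine event, oldest first, with decoded timestamps."""
    rows = conn.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString, "
        "LSQuarantineSenderName, LSQuarantineSenderAddress "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    ).fetchall()
    return [
        {"id": r[0], "timestamp": mac_time(r[1]), "agent": r[2], "url": r[3],
         "origin": r[4], "sender_name": r[5], "sender_address": r[6]}
        for r in rows
    ]


def build_sample_db() -> sqlite3.Connection:
    """Constructed fixture: a browser download and an e-mail attachment event."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        [
            ("EVENT-0001", 375000000.0, "com.apple.Safari", "Safari",
             "http://downloads.example.test/setup.dmg", None, None, 0,
             "Example Downloads", "http://downloads.example.test/", None),
            ("EVENT-0002", 375003600.0, "com.apple.mail", "Mail",
             "file:///Users/alice/Downloads/invoice.zip", "Alice Example",
             "alice@example.test", 0, None, None, None),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for event in quarantine_events(build_sample_db()):
        print(event["timestamp"].isoformat(), event["agent"], event["url"],
              event["sender_address"] or event["origin"])
```

For a real examination, replace build_sample_db() with open_quarantine_db() on a copy of the user's QuarantineEventsV2 file; the agent name tells you which application brought the file in, and the sender columns are only populated for mail-delivered items.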
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OSX artifacts from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once, and the output is reused everywhere.

