OS X Folder Layout - Part 1

The Macintosh operating system is a well-organized, multi-user system that contains a wealth of data for administrators troubleshooting problems, as well as for analysts performing digital forensics. Knowing the layout of the file system is one of the first steps in successfully processing data and drawing sound conclusions. In this article we will begin to look at the structure of the file system of the 10.7, Lion, operating system, to better understand where data is kept and how best to reach conclusions on usage.

From a standard installation, the file system can be seen in one of two ways: the Finder or the Terminal. The Finder offers the Graphical User Interface (GUI) version of the file system to the user, while the Terminal offers the command line view of the file system. The Finder has been programmed to hide many aspects of the file system from the user. Further, the Finder comes configured from Apple in the latest 10.7 version of the OS to hide many items from showing on the Desktop. The Terminal offers a much greater view of the file system, showing files that have been marked as hidden or items that might not display on a user’s Desktop due to the Finder preferences set. However, even the Terminal does not show everything. Apple still keeps certain aspects of the file system hidden away, such that even the ‘root’ user, the most powerful user on the system, cannot access and see these areas through normal means.

In this article, we will explore the areas that an analyst should be familiar with when approaching a 10.7, Lion, based Macintosh, and how to access each area.

At the root of each hard drive, a standard installation will include the following directories:
[Figure: 10.7 Lion Standard Directory Structure]

Each of the directories shown in this window capture has been taken from the Terminal. There are two notes to be made here. First, many of the directories seen here will not be visible when displaying with the Finder. Any file or folder that begins with a period, ‘.’, will not be displayed in the Finder by default, as well as any file or folder that has the invisibility extended attribute applied. From the Finder, the same view would look like this:
[Figure: 10.7 Lion Finder Standard Directory Structure]

The second note to be made is for the “opt” directory. The directory is not from the Apple standard installation. However, I choose to include it in this article because I so often find users with “MacPorts” or other forms of the UNIX port system being used which causes this directory to be created. Familiarity with this folder is important.

So, at this point, we have found that the Finder does not display to us several areas of the file system. How many of these areas are important when performing an analysis? One never knows that answer until the analysis is conducted. However, when triaging a case, certain areas may stand out as locations of first interest.

  • System - This folder is normally reserved for Apple, and would contain items that are a part of OS X
  • Library - This folder will contain many third party operating system add-ons. Items in here will affect the global functionality of the system and will apply to all users unless something specific has been done to alter this.
  • Network - This folder relates to domain control, Open Directory or Active Directory. Without this environment in use, it's unlikely to find data of value here.
  • Volumes - This is the mount point for all attached media by default. Mount points are typically dynamic and they will be removed upon disconnect. One can equate this folder to the “/mnt” or “/media” directories in Linux.
  • Users - all home folders for local users are created here. The folders will be named using the “short name” of the user. There will also be a “Shared” user folder for exchange of files since users do not have access to each others’ home folders.
  • Applications - all installed applications will typically be installed here. However, an application can be run from almost any location. It is possible to find applications in a user’s “Downloads” folder and run directly from that location, as an example.
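The two points above (what the Finder hides by default, and which top-level folders are of first interest) can be combined into a small triage helper. This is an added example, not code from the original article; it assumes the "invisibility" marker is either the BSD `UF_HIDDEN` file flag or the `kIsInvisible` bit in a `com.apple.FinderInfo` record, and all sample entries are constructed.

```python
import os
import struct

UF_HIDDEN = 0x8000        # BSD file flag set by `chflags hidden` (sys/stat.h)
K_IS_INVISIBLE = 0x4000   # Finder flag bit inside a com.apple.FinderInfo record
# Top-level folders the article lists as locations of first interest.
TRIAGE_DIRS = {"System", "Library", "Network", "Volumes", "Users", "Applications"}

def finder_hidden_reasons(name, st_flags=0, finder_info=b""):
    """Return the reasons the Finder would hide this entry by default."""
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefix")
    if st_flags & UF_HIDDEN:
        reasons.append("UF_HIDDEN")
    # FinderInfo is 32 bytes; the 16-bit big-endian Finder flags sit at
    # offset 8 for both files and folders.
    if len(finder_info) >= 10:
        (flags,) = struct.unpack_from(">H", finder_info, 8)
        if flags & K_IS_INVISIBLE:
            reasons.append("kIsInvisible")
    return reasons

def classify(entries):
    """entries: iterable of (name, st_flags, finder_info) tuples."""
    return {
        name: {"hidden_by": finder_hidden_reasons(name, st_flags, finder_info),
               "first_interest": name in TRIAGE_DIRS}
        for name, st_flags, finder_info in entries
    }

def scan(root):
    """Yield entries of a mounted volume root. st_flags exists on macOS/BSD
    only; FinderInfo is left empty because reading it is platform-specific."""
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        yield name, getattr(st, "st_flags", 0), b""

# Constructed sample entries, not taken from a real system.
SAMPLE = [
    ("Users", 0, b""),
    (".hidden_item", 0, b""),
    ("flagged_dir", UF_HIDDEN, b""),
    ("finderinfo_dir", 0, bytes(8) + struct.pack(">H", K_IS_INVISIBLE) + bytes(22)),
]

if __name__ == "__main__":
    for name, info in classify(SAMPLE).items():
        print(f"{name:15} hidden_by={info['hidden_by']} first_interest={info['first_interest']}")
```

Pointing `scan()` at the root of a read-only mounted image and passing the result to `classify()` gives a quick list of entries a Finder-only review would miss.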

With those main top-level folders described, we have begun to look at a few of the most important areas to begin any triage. There are still many other directories at this level that require explanation, and those will be shown in Part 2 of this series.

In Part 3 of this series, we will begin to look at the layout of the User’s Home folder from both the Finder GUI and the Terminal.

In Part 4, we will return to the top level of the file system and show data that is not seen from either the Finder or the Terminal, but will be seen during a digital analysis of a Mac system.