Every Macintosh examination involves looking at the data in a unique manner that will likely lead the analyst down a new path each time. Yet we can usually say that each examination will have a set of data that is gathered each time for presentation alongside the case at hand. This section presents areas of the OS X structure where you can find data for presentation in your cases that often applies regardless of the circumstances.
Operating System Installation Date
- /private/var/log/OSInstall.custom (10.5)
- /private/var/db/.AppleSetupDone (10.6) - this file also contains the registration info entered by the user during initial setup
Operating System Version
- /System/Library/CoreServices/SystemVersion.plist (OS X Client)
- /System/Library/CoreServices/ServerVersion.plist (OS X Server)
Software Installation
- /Library/Receipts/InstallHistory.plist - History of installed applications and updates
- /Library/Preferences/com.apple.SoftwareUpdate.plist - Last Software Update
Current Time Zone
- /etc/localtime (link file pointing to current time zone) OR
- /Library/Preferences/.GlobalPreferences.plist
Auto-Login and Last Login User Info
- /Library/Preferences/com.apple.loginwindow.plist
Deleted Users
- /Library/Preferences/com.apple.preferences.accounts.plist
Home Folders
- /Users/username
Attached Media
- /Users/username/Library/Preferences/com.apple.sidebarlists.plist - history of attached media, volumes, devices, etc.
- see our page on USB devices
File Sharing
- /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
iPhone/iPod
- see our page on USB devices
- /Users/username/Library/Application Support/MobileSync/Backup - folder where iPhone, iPod Touch and iPad sync their data
- /Users/username/Library/Application Support/MobileSync/Backup/UUID/Info.plist - contains info on the exact device synced (Backup); the modified date of this file is the last time it was synced
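The two MobileSync entries above can be collected in one pass over a mounted image. The following is an added example, not part of the original page: the function names are hypothetical, the Info.plist key names (Device Name, Product Type, Serial Number, Last Backup Date) are assumed from iTunes backups rather than taken from this page, and the sample backup it builds is constructed.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timezone

# Assumed Info.plist keys (not listed on this page); missing keys come back as None.
FIELDS = ("Device Name", "Product Type", "Serial Number", "Last Backup Date")

def summarize_backups(backup_root):
    """Return one dict per <backup_root>/<UUID>/Info.plist, oldest sync first."""
    rows = []
    for uuid in sorted(os.listdir(backup_root)):
        info_path = os.path.join(backup_root, uuid, "Info.plist")
        if not os.path.isfile(info_path):
            continue  # not a backup folder
        try:
            with open(info_path, "rb") as fh:
                info = plistlib.load(fh)  # accepts XML and binary plists
            if not isinstance(info, dict):
                raise ValueError("plist root is not a dictionary")
        except Exception as exc:  # damaged plist: keep the row, record why
            info = {"_error": str(exc) or type(exc).__name__}
        row = {"uuid": uuid, "error": info.get("_error")}
        for key in FIELDS:
            row[key] = info.get(key)
        # The file's modified time is the last sync, as stated in the list above.
        mtime = os.stat(info_path).st_mtime
        row["last_synced_utc"] = datetime.fromtimestamp(mtime, tz=timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["last_synced_utc"])

def build_sample(root):
    """Constructed sample: one backup folder holding a made-up device record."""
    uuid = "0" * 40  # placeholder folder name, not a real device identifier
    os.makedirs(os.path.join(root, uuid))
    path = os.path.join(root, uuid, "Info.plist")
    with open(path, "wb") as fh:
        plistlib.dump({"Device Name": "Sample iPhone", "Product Type": "iPhone3,1",
                       "Serial Number": "CONSTRUCTED01"}, fh)
    os.utime(path, (1300000000, 1300000000))  # 2011-03-13 07:06:40 UTC
    return uuid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in summarize_backups(tmp):
            print(row)
```

Point `summarize_backups` at the Backup folder on a read-only mount of the image; copying the folder with a tool that resets timestamps loses the modified time the last-sync value depends on.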
iTunes Information
- /Users/username/Music/iTunes/ - default location for iTunes Library
User Auto-Launch Items
- /Users/username/Library/Preferences/loginwindow.plist
Network Settings
- /Library/Preferences/com.apple.alf.plist - Firewall Settings
- /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist - Airport (Wireless) Settings
- /Library/Preferences/SystemConfiguration/com.apple.nat.plist - Internet Sharing Settings
- /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist - Historical Network TCP/IP Assignments with Timestamps
- /Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist - Onboard Interfaces
- /Library/Preferences/SystemConfiguration/com.apple.preferences.plist - Network Configuration for each interface
Screen Sharing
- /Users/username/Library/Application Support/Screen Sharing
Bluetooth History
- /Library/Preferences/com.apple.Bluetooth.plist
Instant Messaging
- /Library/Preferences/com.apple.iChat.AIM.plist
- /Library/Preferences/com.apple.iChat.plist
- /Library/Preferences/com.apple.iChat.SubNet.plist
- /Users/username/Library/Preferences/com.aol.aim.plist
- /Users/username/Library/Preferences/com.adiumX.adiumX.plist
- /Users/username/Library/Preferences/com.apple.iChat.AIM.plist
- /Users/username/Library/Preferences/com.apple.iChat.plist
- /Users/username/Library/Preferences/com.apple.SubNet.plist
- /Users/username/Library/Preferences/com.skype.skype.plist
- /Users/username/Library/Preferences/com.yahoo.messenger3.plist
- /Users/username/Library/Preferences/com.yahoo.messenger3.Users.screenname.plist
Peer to Peer
- /Users/username/Library/Preferences/Limewire/*
Safari
- /Users/username/Library/Safari/Bookmarks.plist - User's Bookmarks
- /Users/username/Library/Safari/Downloads.plist - Contents of the user's Downloads window in Safari
- /Users/username/Library/Safari/History.plist - Safari browser history
- /Users/username/Library/Safari/LastSession.plist - defines the last browsing session (window and tabs that were open)
Log Files
- /private/var/log/*
- /Users/username/Library/Logs/*
Sleep File and Virtual Memory
- /private/var/vm/sleepimage
- /private/var/vm/swapfile0





