Prefetch Forensic

Prefetch files as defined in ForensicWiki is “Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process.” Prefetch files contained metadata of forensic interests are:

• Executable file name (Unicode),
• Last Executed Timestamp,
• Executed Count, abd
• Volume ID.

Notable mentions to Prefetch forensic articles are:

• ForensicWiki & Windows Prefetch File Format
• DFINews: Decoding Prefetch Files For Forensics Purpose
• Windows Incident Reponse: Prefetch Analysis

Further to that, you will probably find many tools and articles on Prefetch file analysis. So I am just going to write only very briefly on it.

Prefetch files can be found at c:\Windows\Prefetch\ folder. For the purpose of this post, I will only focus on the file articles with the ‘pf’ extension.

Windows XP

• OS Version: Offset 00, length of 4 bytes (LE)
  • 0x00000011: Windows XP
• File header: Offset 04, length of 4 bytes
  • SCCA (0x53, 0x43, 0x43, 0x41)
• Unicode filename: Offset 16, length of 30 bytes
• Last executed time: Offset 128, length of 8 bytes (LE), Windows Filetime format
• Executed count: Offset 144, length of 4 bytes (LE)
• VolumeID:
  • Reference to Forensicwiki, Offset 108, length of 4 bytes points to the offset of section D of the prefetch file.
  • Volume ID is located at Offset of section D + 16 bytes, for a length of 4 bytes

Windows Vista

• OS Version: Offset 00, Length of 4 bytes (LE)
  • 00000017: Windows Vista
• File header: Offset 04, Length of 4 bytes
  • SCCA (0x53, 0x43, 0x43, 0x41)
• Unicode filename: Offset 16, Length of 30 bytes
• Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
• Executed count: Offset 152, length of 4 bytes (LE)
• VolumeID:
  • Reference to Forensicwiki, Offset 108, length of 4 bytes points to the offset of section D of the prefetch file.
  • Volume ID is located at Offset of section D + 16 bytes, for a length of 4 bytes

Windows 7

• OS Version: Offset 00, Length of 4 bytes (LE)
  • 00000017: Windows 7
• File header: Offset 04, Length of 4 bytes
  • SCCA (0x53, 0x43, 0x43, 0x41)
• Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
• Executed count: Offset 152 length of 4 bytes (LE)
• VolumeID:
  • Reference to Forensicwiki, Offset 108, length of 4 bytes points to the offset of section D of the prefetch file.
  • Volume ID is located at Offset of section D + 16 bytes, for a length of 4 bytes

Windows 8

• OS Version: Offset 00, Length of 4 bytes (LE)
  • 0000001A: Windows 8
• File header: Offset 04, Length of 4 bytes
  • SCCA (0x53, 0x43, 0x43, 0x41)
• Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
  • According to my colleagues (JS and TB), Prefetch captured the last 8 executed time starting at offset 128. Each record is stored in Windows Filetime format.
• Executed count: Offset 208, length of 4 bytes (LE)
• VolumeID:
  • Reference to Forensicwiki, Offset 108, length of 4 bytes points to the offset of section D of the prefetch file.
  • Volume ID is located at Offset of section D + 16 bytes, for a length of 4 bytes.

I wrote a simple EnScript to parse the Prefetch data and have tested it on limited numbers of prefetch files. This EnScript will parse Prefetch files with the file signature “SCCA”. The mode of operating the EnScript is illustrated in the following image:

Once the EnScript is run successfully, the output will save in the specified output file.

Link for Prefetch Parser 0.2

This EnScript is tested on limited number of Prefetch files. If you have any question or clarification or you find any bug, please contact me at davidkoepi – gm ail

UserAssist Forensic

Recently, I have been spending a little more time on EnScript. I did a simple Enscript to parse UserAssist registry key. There have been many good references on UserAssist. Notable mentioned are:

• UserAssist Forensics (timelines, interpretation, testing, & more) by 4n6K
• SANS Forensic Artifact 6: UserAssist by Sploited
• UserAssist by Didier Stevens
• intotheboxes 0x00 Windows 7 UserAssist Registry Keys

In a statement, UserAssist keep track of the applications ran by the users and stored them in the NTUSER.DAT registry. The data is then used to display the frequently used program in Windows. UserAssist registry key on Windows XP, Vista, 7 and 8 is located at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\[GUID]\Count\. Using a limited set of registry files and references, the respective OS and the UserAssist’s GUID are as follows:

Windows XP

• {75048700-EF1F-11D0-9888-006097DEACF9}
• {5E6AB780-7743-11CF-A12B-00AA004AE837\}

Windows Vista

• {75048700-EF1F-11D0-9888-006097DEACF9}
• {5E6AB780-7743-11CF-A12B-00AA004AE837}

Windows 7

• {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
• {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}

Windows 8

• {FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}
• {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
• {F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}
• {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
• {CAA59E3C-4792-41A5-9909-6A6A8D32490E}
• {B267E3AD-A825-4A09-82B9-EEC22AA3B847}
• {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}
• {9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}

Registry Name are encoded using ROT13 algorithm. Registry Value are stored in binary value. The registry value of discussion are the:

• 16 bytes values on Windows XP and Vista,
• 72 bytes values on Windows 7 and 8,
• Other sizes of registry values exists on the system but there is not the point of this discussion.,
• Detailed reference can be referred to http://www.aldeid.com/wiki/Windows-userassist-keys

Registry Values of forensic interest are:

• Last executed time in 8 bytes Filetime value,
• Executed counts

So I using my amateurish programming skill and wrote a simple EnScript. The Enscript work is as follows:

• Ability to parse UserAssist registry key on Windows XP, Vista, 7 and 8,
• Parse all selected registry files (NTUSER.DAT),
• Dialog box to specify destination folder,
• Output file in TSV format, FileID of the selected file is appended to the output file,
• Determine the OS version using the buildnumber registry value (NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and based on the reference http://www.gaijin.at/en/lstwinver.php,
• Based on the OS Version, it will parse the registry value based on the respective OS’s GUID,
• Check the registry value size (16 or 72 bytes) and parse the value for “last executed time” and “executed count”.

The EnScript is coded and test on EnCase version 7.0.7. The EnScript is tested based on a small set of Registry files. The EnScript can be downloaded at Link. If you find any bug, please contact me. Thank You!!

UserAssist Parser 0.1

iPhoto Forensic on Mac OS X (10.8)

According to Wikipedia, iPhoto is a digital image manipulating software application and is installed on all Mac OS X as part of the iLife digital multimedia management applications. iPhoto can import, edit, organize and print digital photos.

The iPhoto preferences and settings named “com.apple.iPhoto.plist” is stored in ~/Library/Preferences/. Notable settings includes:

Recent iPhoto  Library folder path

PublishLastPollTime

Path of album folder

Online account sharing: Username and Service

Another notable Plist file is ~/Library/Preferences/iApps.plist which detailed the last opened iPhoto Library

Default path for iPhoto library is ~/Pictures/iPhoto Library.photolibrary. It is also possible that multiple iPhoto Library may be present on the system. On a Mac, the iPhoto Library appears as a single file but it is a folder containing the photos and metadata files of the library files. To explore the contents, you can right-click on the file and select “Show Package Contents”.

One of the way is to copy the iPhoto library file to your Mac Forensic workstation. Use “Switch” to analyse the images and metadata or information attached to the albums/images.

Version of iPhoto can be found in a file named “info.plist” in the Library folder.

Images imported into iPhoto are placed in 3 of the folders in the iPhoto Library:

• Masters (imported images)
• Previews (edited images)
• Thumbnails (thumbnail of images)

Images are placed in the folders created with respect to YYYY\MM\DD\YYYYMMDD-hhmmss.

Another file of interest is AlbumData.xml which contained metadata pertaining to the photo albums, such as the album name and number of images.

.

Plist View using Plist Viewer Plugin EnScript

Just completed my EnCase training and was playing around in my free time on EnCase 7.07. I must say the training received did help me out in navigating the complicated features in EnCase must better. This post is not about EnCase but I find the “Plist Viewer Plugin” EnScript useful for doing MacForensic using EnCase. You can download the EnScript file on https://store.encase.com/appcentral/Pages/default.aspx. I tried out this EnScript on a handful of Plist files and here is one of the output.

In case you want to know. I am not in anyway associate with Guidance Software or their products. I just want think it is a pretty good EnScript if you are working on MacForensic on a Windows. Do let me know if you find any tools to do it better. And don’t send me any “hate” comments how much you feel about it. Good Day! : ) I am still exploring the 30+ EnScript I had downloaded.

Mac Forensic Part 6 (Mountain Lion 10.8 – Logs)

Application Firewall

• /private/var/log/appfirewall.log
• /private/var/log/appfirewall.log.[x].bz2

System Logs

• /private/var/log/asl/YYYY.MM.DD.U[XX].asl
• /private/var/log/DiagnosticMessages/YYYY.MM.DD.asl
• /private/var/log/install.log
• /private/var/log/install.log.[x].bz2
• /private/var/log/opendirectoryd.log
• /private/var/log/opendirectoryd.log.[x].bz2
• /private/var/log/system.log
• /private/var/log/system.log.[x].bz2
• /private/var/log/vnetlib
• /private/var/log/weekly.out
• /private/var/log/zzz.log

Last shutdown logs

• /private/var/log/com.apple.launchd/launchd-shutdown.system.log
• /private/var/log/com.apple.launchd/launchd-shutdown.system.log

System setup information (if available)

a. wirelessconnection
b. registered country and city
c. firmware version at logged time
d. created username
e. Install apps

• /private/var/log/install.log

Disk status (at logged time)

• /private/var/log/daily.out MAC address/

Network Status (at logged time)

• /private/var/log/daily.out

Connecting USB Device
(Look for “USBMSC”)

• /private/var/log/System.log

Bootup time
(Look for “BOOT_TIME”)

• /private/var/log/System.log

Proper Shutdown time
(Look for “SHUTDOWN_TIME”)

• /private/var/log/System.log

User’s Logs

• ~/Library/Logs/AMRestore.txt
• ~/Library/Logs/appstore.log
• ~/Library/Logs/DiagnosticReports/
• ~Library/Logs/SMSMigrator/SMSMigrator.log
• ~/Library/Logs/sync/syncservices.log
• ~/Library/Logs/Ubiquity/[User]/ubiquity-digest.log
• ~/Library/Logs/Ubiquity/[User]/ubiquity.log

Disc burning log

• ~/Library/Logs/DiskRecording.log

Disk Utility log

• ~/Library/Logs/DiskUtility.log

File system log

• ~/Library/Logs/fsck_hfs.log

VMWare

• ~/Library/Logs/VMWare
• ~/Library/Logs/VMWare Fusion/

.

Mac Forensics Part 5 (Mountain Lion 10.8 – User Profile)

User Default Folder

• Deleted files (Trash bin): ~/.Trash/
• Desktop files: ~/Desktop/
• Document folder (default): ~/Documents/
• Download folder (default): ~/Downloads/
• Library – configurations and settings: ~/Library/
• Movies folder (default): ~/Movies/
• Music folder (default): ~/Music/
• Public – file sharing, if it is enabled: ~/Public

User Profile Artifacts

Bash command history

• ~/bash_history

SSH connection detail:

• ~/.ssh/known_hosts

Settings for Apps to access contacts

• ~/Library/Application Support/com.apple.TCC/TCC.db

CrashReporter – Apps crashed timestamp

• ~/Library/Application Support/CrashReporter/[App]_[GUID].plist

CrashReporter – Crash count

• ~/Library/Application Support/User_Crash_History_[GUID].plist

Dock – Apps appear/Keep in Dock

• ~/Library/Application Support/Dock/[GUID].db

Notification Center

• ~/Library/Application Support/NotificationCenter/[GUID].db

Sandbox container

• ~/Library/Containers/

Keychains (User)

• ~/Library/Keychains/
• ~/Library/Keychains/login.keychain
• ~/Library/Keychains/metadata.keychain
• ~/Library/Keychains/[XXXX].keychain

LaunchAgents (User)

• ~/Library/LaunchAgents/[App].plist

Quicktime – URL to online multimedia

• ~/Library/Caches/Quicktime/downloads/TOC.plist

Recent folders

• ~/Library/Preferences/com.apple.finder.plist

Language

• ~/Library/Preferences/.GlobalPreferences.plist

AppStore – available update

• ~/Library/Preferences/com.apple.appstore.plist

Recent disk image (ISO/DMG)

• ~/Library/Preferences/com.apple.DiskUtility.plist

Dock – Persistent apps

• ~/Library/Preferences/com.apple.dock.plist

Dock – Other persistent items

• ~/Library/Preferences/com.apple.dock.plist

Dashboard – gadget/widget

• ~/Library/Preferences/com.apple.dashboard.plist

Recent Applications * Default is 10

• ~/Library/Preferences/com.apple.recentitems.plist

Recent Documents * Default is 10

• ~/Library/Preferences/com.apple.recentitems.plist

Scheduler

• ~/Library/Preferences/com.apple.scheduler.plist

Screensaver – Password enabled

• ~/Library/Preferences/com.apple.screensaver.plist

Finder Sidebar

• ~/Library/Preferences/com.apple.sidebarlists.plist

Spaces

• ~/Library/Preferences/com.apple.spaces.plist

Printers

• ~/Library/Printers/

Connected iDevices

a) Type of device
b) Last connected timestamp
c) Firmware version
d) Serial number and IMEI

• ~/Library/Preferences/com.apple.iPod.plist Connected storage ~/Library/Preferences/com.apple.sidebarlists.plist

Connected storage

• ~/Library/Preferences/com.apple.sidebarlists.plist

Flash Cookies

• ~/Library/Preferences/Macromedia/Flash Player/

Last Used Printers

• ~/Library/Preferences/org.cups.PrintingPrefs.plist

Preview – Recent Documents

• ~/Library/Preferences/com.apple.Preview.plist

Quicktime – Recent documents

• ~/Library/Preferences/com.apple.QuickTimePlayerX.LSSharedFileList.plist

Console – Recent documents

• ~/Library/Preferences/com.apple.Console.LSSharedFileList

Textedit – Recent documents

• ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList.plist

Saved Application Stated

– folders of application’s saved state

• ~/Library/Saved Application State/

RSS

• ~/Library/PubSub/Database/Database.sqlite3
• ~/Library/PubSub/Clients.plist
• ~/Library/PubSub/Feeds/

Spotlight folder

• ~/.Spotlight-V100/

Download Quarantine Events

• ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

.

Mac Forensics Part 4 (Mountain Lion 10.8 – System File Artifacts)

OS Version:

• /System/Library/CoreServices/SystemVersion.plist

Timezone:

• /Library/Preferences/.GlobalPreferences.plist

Language:

• /Library/Preferences/.GlobalPreferences.plist

MAC Address:

• /private/var/log/daily.out

Startup Folders:

• /Library/LaunchAgents/
• /Library/LaunchDaemons/
• /System/Library/LaunchAgents/
• /System/Library/LaunchDaemons/

System Preferences Apps:

• /Library/PreferencePanes/

Firewall

• /Library/Preferences/com.apple.alf.plist

Bluetooth:

• /Library/Preferences/com.apple.Bluetooth.plist

Keyboard:

• /Library/Preferences/com.apple.HIToolbox.plist

Last User Logged In:

• /Library/Preferences/com.apple.loginwindow.plist

Last Update

• /Library/Preferences/com.apple.SoftwareUpdate.plist

Time Machine:

Last Backup , Oldest Backup, No of snapshot

• /Library/Preferences/com.apple.TimeMachine.plist

Time Machine – Snapshots:

• /private/var/db/com.apple.TimeMAchine.SnapshotDates.plist

Printer:

• /Library/Preferences/org.cups.printers.plist

Airport – Remembered Network:

• /Library/Preferences/SystemConfigurations/com.apple.airport.preferences.plist

Last Sleep Time:

• /Library/Preferences/SystemConfigurations/com.apple.PowerManagement.plist

Network Interface Name:

• /Library/Preferences/SystemConfigurations/NetworkInterfaces.plist

Network Information:

• /Library/Preferences/SystemConfigurations/preferences.plist

Hostname:

• /Library/Preferences/SystemConfigurations/preferences.plist

VMWare Fusion Network:

• /Library/Preferences/VMWare Fusion/networking

Keychains:

• /Library/Keychains/ /System/Keychains/

Host file:

• /private/etc/hosts Path /private/etc/paths

DNS:

• /private/etc/resolv.conf

User’s account:

• /private/var/db/dslocal/nodes/[user].plist

User’s account – picture:

• /private/var/db/dslocal/nodes/[user].plist

User’s account – password hint:

• /private/var/db/dslocal/nodes/[user].plist

User’s account:

Realname (full name) – name – UID – GID

• /private/var/db/dslocal/nodes/[user].plist

Group:

Members and GID

• /private/var/db/dslocal/nodes/[group].plist

* admin.plist for admin user * staff.plist for root user

Hibernation file:

• /private/var/vm/sleepimage

Swap file:

• /private/var/vm/swapfile[x]

Installed Printers:

• /Library/Printers/
• /Library/Printers/InstalledPrinters.plist

.

Mac Forensic Part 3 (Filesystem)

Supported Filesystem in Mac OS X

HFS Plus or HFS+ is a file system developed by Apple Inc and is the primary file system used in Macintosh computers. Another version of HFS Plus called HFSX is introduced in OS X 10.3.

MAC OS X support the following filesystem:

• Read/Write:
  • Mac OS X Extended (Journaled)
  • Mac OS X Extended (Journaled, Encrypted)
  • Mac OS X Extended (Case-sensitive, Journaled)
  • Mac OS X Extended (Case-sensitive, Journaled, Encrypted)
  • MS-DOS (FAT)
  • ExFat
• Read Only:
  • NTFS

Partition in OS X

There are 3 choices of partitioning in OS X:

• GUID Partition Table (GPT), primarily used in Intel-based Mac. GPT uses Extensible Firmware Interface (EFI) in place of a BIOS
• Apple Partition Map, mainly used in PowerPC based MAC
• Master Boot Record (MBR) for Windows compatibility system

Files in HFS are made up of 2 parts; data fork and resource fork. Data fork contains the actual data of the file. Resource fork contain information of the file. Resource fork may contain icon, metadata, preferences and application code. Volumes in HFS are divided into 512-byte logical blocks. A group of 8 blocks is known as an allocation block.

Like NTFS, HFS also use metadata files to keep track of the volume:

• Volume header: information of the volume; total files, size of allocation table, number of allocation block and write-protected status.
• Catalog File: keep track of folders and files on the volume
• Extents overflow: hold the location of the extents that are greater than 8.
• Allocation File: keep track of the allocation block on a volume
• Attributes File: Used to store extended metadata attributes and additional files’ forks.

Folders in OS X

The key folders are as follows:

• Applications/: Default folder for applications
• Library/: Contained OS X files and supported operating system items for system global functionality and apply to all users. Network/: Network domain, open directory or active directory
• System/: Reserved for OS X System files and contained items such as system setup and functionality of the system
• Users/: Home folders for local users. There will also be a “Public” folder for sharing of files between users.
• .DocumentRevisions/: Contain files of previous versions of documents. (Root access only)
• .fseventsd/: Logging of filesystem events. (Root access only)
• .Trashes (Empty)
• mach_kernel:  OS X Mach kernel
• etc or private/etc/: Configurations and other system files
• private/sbin/: Linux-styled binaries for admin
• var/ or private/var
• Volumes/: Mounted devices such as harddisk, CD, DMG and USB drives.

Mac Forensics Part 2 (Acquisition)

Method 1: Remove harddisk and image harddisk using forensic equipments/software.

• Advantage: This is generally accepted method for all systems. Imaging using this method can be applied using all common forensic equipments/software.
• Drawback: Require to disassemble the system. Apple are using custom screws on some of their models. To add on, Apple is using a different SSD connector for it’s MacBook Air model [Link].

Method 2: Forensic Linux Boot CD.

• Advantage: Many options are available (eg Sumuri’s Paladin). Typically, Read-only are enable on boot for all storage media.
• Drawback: Remember to test (and retest) before using it. Some Linux CDs are not updated frequently or lack drivers supports. One limitation is that some Linux CD do not provide imaging to a NTFS or HFS partition.

Method 3: Target Disk Mode

• Advantage:Allow a Mac to turn into an external harddisk. Quick and easy way to image the harddisk without opening the system. Allow ‘field mode’ or instantly view artifacts on a Mac before imaging.
• Drawback: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives [Link]. Remember to put device into write-block mode!!

Method 4: Commercial Mac Imaging Tool

• Advantage: Most tools are generally work well for most models. Supports and bug-fix are usually promptly.
• Drawback: Remember to test these tools on the latest Mac you can lay your hands on. Usually take awhile before upgrades are available.

As a rule of thumb, a good forensic examiner must be armed with more than one method to image a system, especially when you are on the field. This is also important to monitor upgrades, test (retest) and keep on open mind to try out new methods/tools. Do let me know if you have new methods. Thanks!!

Mac OS X Start up command

• Available Startup Option: (Hold) Option
• Boot from CD: (Hold) C
• Target Disk Mode: (Hold) T
• Start in Hardware Test Mode: (Hold) D
• Force Mac to startup: (Hold) X
• Safe Boot Mode: (Hold) Shift
• Network Boot: (Hold) N
• Bypass primary startup volume: Option + Command + Shift + Delete
• Reset PRAM and NVRAM: Option + Command + P + R
• Verbose Boot: (Hold) Command + V
• Single User Mode: (Hold) Command + S
• Start in Recovery: (Hold) Command + R
• Eject CD: Hold mouse button, or Fn + F12, Eject button

Common Shortcut in Mac OS X system

• Right Click: Control + Mouse Click
• Switch applications: Command + Tab
• Screen Capture (Full): Command + Shift + 3
• Screen Capture (Selective): Command + Shift + 4
• Screen Capture (Windows): Command + Shift + 4 + spacebar
• Close Window: Command + W
• Hide Finder: Command + H
• Save: Command + S
• Print: Command + P
• Show Info: Command + I
• Connect to Server: Command + K
• Copy: Command + C
• Paste: Command + V
• Quit Application: Command + Q

Mac Forensics Part 1

Just completed my work on Mac Forensic. I decided to remove the previous “mini-series” and re-post my work.

OS X is a series of Unix-based graphical interface operating systems developed, marketed, and sold by Apple Inc. It is designed to run exclusively on Mac computers. Version of OS X releases:

• Rhapsody Developer Release – 31 Aug 1997
• Mac OS X Server 1.0 (Hera) – 16 Mar 1999
• Mac OS X Developer Preview – 16 Mar 1999
• Public Beta (Kodiak) – 13 Sep 2000
• Mac OS X 10.0 (Cheetah) – 24 Mar 2001
• Mac OS X 10.1 (Puma) – 18 Jul 2001
• Mac OS X 10.2 (Jaguar) – 6 May 2002
• Mac OS X 10.3 (Panther) – 23 Jun 2003
• Mac OS X 10.4 (Tiger) – 4 May 2004
• Mac OS X 10.5 (Leopard) – 26 Jun 2006
• Mac OS X 10.6 (Snow Leopard) – 9 Jun 2008
• Mac OS X 10.7 (Lion) – 20 Oct 2010
• Mac OS X 10.8 (Mountain Lion) – 16 Feb 2012

* source from http://en.wikipedia.org/wiki/OS_X

OS X originally was developed and ran on PowerPC-based Macs. In 2006, Macs developed a version of OS X 10.4 for ‘Intel’ system. In 2007, 10.5 “Leopard” was first to run on both PowerPC and Intel Macs. OS X 10.6 (Snow Leopard) was the first version of OS X to replace PowerPC Macs with Intel Macs. Mac OS X 10.7 “Lion” was the first version of OS X to drop support for 32-bit Intel processors and run on 64-bit Intel CPUs.

Mac Products (as of Mar 2013)

• MacBook Air 11 inch (default with 64 GB /128GB SSD)
• MacBook Air 13 inch (default with 128GB/ 256GB SSD)
• MacBook Pro 13 inch (default with 500GB/ 750GB HDD)
• MacBook Pro 15 inch (default with 500GB HDD)
• MacBook Pro 13 inch Retina Display (default with 128GB/ 256GB SSD)
• MacBook Pro 15 inch Retina Display (default with 256GB/ 512GB SSD)
• Mac Mini (default with 500GB/1TB HDD, or 2X1TB HDD)
• iMac 21.5 inch (default with 1TB HDD)
• iMac 27 inch (default with 1TB HDD)

** for more details, please refer to apple.com.

Apple products also includes “Mac Pro” computers and a variant of “Mac Mini” running OS X server operating system. There is also a hacking project to run OS X on non-apple computer computers and these computers are known as “Hackintosh”. However this is not licensed by Apple and may be illegal in some countries.