Mac Forensics Part 4 (Mountain Lion 10.8 – System File Artifacts)

OS Version:

  • /System/Library/CoreServices/SystemVersion.plist

Timezone:

  • /Library/Preferences/.GlobalPreferences.plist

Language:

  • /Library/Preferences/.GlobalPreferences.plist

MAC Address:

  • /private/var/log/daily.out

Startup Folders:

  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/
  • /System/Library/LaunchAgents/
  • /System/Library/LaunchDaemons/

System Preferences Apps:

  • /Library/PreferencePanes/

Firewall:

  • /Library/Preferences/com.apple.alf.plist

Bluetooth:

  • /Library/Preferences/com.apple.Bluetooth.plist

Keyboard:

  • /Library/Preferences/com.apple.HIToolbox.plist

Last User Logged In:

  • /Library/Preferences/com.apple.loginwindow.plist

Last Update:

  • /Library/Preferences/com.apple.SoftwareUpdate.plist

Time Machine:

Last backup, oldest backup, number of snapshots

  • /Library/Preferences/com.apple.TimeMachine.plist

Time Machine – Snapshots:

  • /private/var/db/com.apple.TimeMachine.SnapshotDates.plist

Printer:

  • /Library/Preferences/org.cups.printers.plist

Airport – Remembered Network:

  • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

Last Sleep Time:

  • /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist

Network Interface Name:

  • /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

Network Information:

  • /Library/Preferences/SystemConfiguration/preferences.plist

Hostname:

  • /Library/Preferences/SystemConfiguration/preferences.plist

VMware Fusion Network:

  • /Library/Preferences/VMware Fusion/networking

Keychains:

  • /Library/Keychains/
  • /System/Keychains/

Host file:

  • /private/etc/hosts

Path:

  • /private/etc/paths

DNS:

  • /private/etc/resolv.conf

User’s account:

  • /private/var/db/dslocal/nodes/[user].plist

User’s account – picture:

  • /private/var/db/dslocal/nodes/[user].plist

User’s account – password hint:

  • /private/var/db/dslocal/nodes/[user].plist

User’s account:

Realname (full name) – name – UID – GID

  • /private/var/db/dslocal/nodes/[user].plist

Group:

Members and GID

  • /private/var/db/dslocal/nodes/[group].plist

* admin.plist for admin user
* staff.plist for root user

Hibernation file:

  • /private/var/vm/sleepimage

Swap file:

  • /private/var/vm/swapfile[x]

Installed Printers:

  • /Library/Printers/
  • /Library/Printers/InstalledPrinters.plist
