
Forensicate Differently!

Mac and iOS Forensic Analysis and Incident Response

digital-forensics.sans.org
DFPS_FOR518_0823

Poster was created by Kathryn Hedley and Sarah Edwards based on many years of research and macOS and iOS knowledge by Sarah Edwards.
©2023 SANS Institute. All Rights Reserved

Program Execution/Application Usage

Terminal History – Executed Commands

Description
Each user account stores a list of commands run in a bash or zsh shell terminal within a hidden file in their home folder.

Location
• ~/.bash_history
macOS 10.15+:
• ~/.zsh_history
macOS 11+:
• ~/.zsh_sessions/<GUID>.history
macOS 10.11–10.14:
• ~/.bash_sessions/<GUID>.history

Interpretation
• These are plaintext files containing up to 1000 (zsh) or 500 (bash) commands, in order of execution.
• The files are created the first time the Terminal application is run.
• History files are not written as each command runs: the history file is updated when the shell exits (for example, when the user logs out), and session files are updated when the Terminal is exited.
• <GUID>.history files contain the commands executed in that session.
• Files can be viewed on a live system using the history command.

[macOS 10.15+, iOS 13+] Screen Time

Description
This tracks time spent in applications, notifications, and device pickups by the user following a notification.

Location
macOS 10.15+:
• /var/folders/<darwin_user_dir>/0/com.apple.ScreenTimeAgent/RMAdminStore-Cloud.sqlite
• /var/folders/<darwin_user_dir>/0/com.apple.ScreenTimeAgent/RMAdminStore-Local.sqlite
iOS 13+:
• /private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Cloud.sqlite
• /private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite

Interpretation
• Data is organized by hour and category.
• Data retention is ~three weeks on iOS, and ~five weeks on macOS.

Recent Application Activity

Description
This tracks recent interactions across various applications on the device.

Location
macOS:
• ~/Library/Containers/com.apple.corerecents.recentsd/Data/Library/Recents/Recents
iOS:
• [/private/var]/mobile/Library/Recents/Recents

Interpretation
• The value field may contain a BLOB that is an embedded plist file containing different information depending on the key type.
• Database timestamps are in Unix Epoch format.

Application Usage – KnowledgeC

Description
Amongst other things, the KnowledgeC database tracks application usage, including start and end times, and how the application was launched and used.

Location
macOS:
• ~/Library/Application Support/Knowledge/knowledgeC.db
iOS physical:
• /private/var/mobile/Library/CoreDuet/knowledgeC.db

Interpretation
• It stores approximately four weeks of data.
• Use APOLLO† knowledge_app_inFocus module to extract application usage times.
• Use APOLLO† knowledge_app_intents module to extract application usage context.
• Use APOLLO† knowledge_audio_media_nowplaying module to extract details of media playback.
† https://github.com/mac4n6/APOLLO

Application Usage – CurrentPowerlog

Description
This tracks application usage, as well as the status of the camera (front or back) and the logging of calls.

Location
macOS:
• /private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.PLSQL
• /private/var/db/powerlog/Library/BatteryLife/Archives/*
iOS physical:
• /private/var/Containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/CurrentPowerlog.PLSQL
• /private/var/Containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/Archives/*

Interpretation
• It stores approximately three days of data.
• Be wary of timestamps in this log – some, but not all, have an offset.
• Use APOLLO† powerlog_app_usage module to extract application usage times.
• Use APOLLO† powerlog_incallservice module to extract call logs.
• Use APOLLO† powerlog_camera_state module to extract camera state information.
† https://github.com/mac4n6/APOLLO

Network Information

Network Interfaces

Description
These are the network interfaces on the system, interface types, and MAC addresses.

Location
macOS:
• /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
• /Library/Preferences/SystemConfiguration/preferences.plist
iOS physical:
• /private/var/preferences/SystemConfiguration/NetworkInterfaces.plist
iOS:
• [/private/var]/preferences/SystemConfiguration/preferences.plist

Interpretation
• Each interface has an Item key in NetworkInterfaces.plist.
- SCNetworkInterfaceType is IEEE802.11 for wireless interfaces, and Ethernet for wired interfaces.
- It also contains the device model.

DHCP Settings

Description
These are the last known network settings for those interfaces using DHCP.

Location
• [/private/var]/db/dhcpclient/leases/

Interpretation
• Each file within this directory includes lease information, router MAC address, IP address, and SSID, for a specified interface.

Wireless Network Connections

Description
This lists connections to access points, including wireless settings. It includes access points added using the WiFi menu and those synced from another device.

Location
macOS 11+/iOS 14+:
• /Library/Preferences/com.apple.wifi.known-networks.plist
Older macOS:
• /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
Older iOS:
• [/private/var]/preferences/SystemConfiguration/com.apple.wifi.plist
Older iCloud Synced WiFi:
• ~/Library/SyncedPreferences/com.apple.wifi.WiFiAgent.plist

Interpretation
com.apple.wifi.known-networks.plist:
• AddReason key shows whether the data has been synced.
• AddedAt timestamp shows when the access point was added.
• JoinedByUserAt provides the timestamp when the user specifically joined the access point.
• JoinedBySystemAt provides the timestamp when the system auto-connected to the access point.
Synced preferences:
• added_by shows the device name that added this access point.
• added_at provides the time this access point was added into the plist file.

Known Networks

Description
Known networks are those that the system has previously established a connection with and has remembered. Each network is stored in its own key, which includes the SSID and last connection time.

Location
macOS 10.15-:
• /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
iOS 13-:
• [/private/var]/preferences/SystemConfiguration/com.apple.wifi.plist

Interpretation
• Data only appears to be purged from this plist via user action.
• CaptiveNetwork set to "YES" refers to the pop-up login screens you get in hotels and restaurants.

Network Usage – Unified Logs

Description
Unified logs include entries for network connections made on the system.

Location
macOS 10.12+, iOS 10+:
• Unified Logs
macOS 10.8+:
• System log

Interpretation
• Search for sender "IPConfiguration" where the log message contains "Lease" or "network changed".
- Use log show --info --predicate 'senderImagePath contains[cd] "IPConfiguration" and (eventMessage contains[cd] "SSID" or eventMessage contains[cd] "Lease" or eventMessage contains[cd] "network changed")'
• Search logs for "configd", "SSID", or "en0" for a more detailed view of wireless activity.
• Search logs for "country code" to show the country codes associated with wireless access point connections.
- The default code is "X0" when one is not available.
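Worked example (added here; it is not part of the SANS poster): the IPConfiguration search above, re-implemented in Python so it can be run offline against exported logs. On a live Mac the same search is `log show --info --predicate '...'`; exporting with `log show --style ndjson` gives one JSON object per entry with the field names used here (timestamp, processImagePath, senderImagePath, eventMessage). The sample entries are constructed for this example, and the interface and country-code extraction are this example's own additions.

```python
"""Offline equivalent of the IPConfiguration search from the Network Usage section.

`log show --style ndjson` prints one JSON object per entry, using field names
such as timestamp, processImagePath, senderImagePath and eventMessage; the
predicate below is the one the poster gives for `log show --info --predicate`.
Everything in SAMPLE_NDJSON is constructed for this example, not captured logs.
"""
import json
import re

IPCONFIG_PREDICATE = (
    'senderImagePath contains[cd] "IPConfiguration" and '
    '(eventMessage contains[cd] "SSID" or eventMessage contains[cd] "Lease" '
    'or eventMessage contains[cd] "network changed")'
)

# contains[cd] is case- and diacritic-insensitive; casefold() gives the
# case-insensitive part, which is all these ASCII keywords need.
MESSAGE_KEYWORDS = ("ssid", "lease", "network changed")
IPCONFIG_SENDER = "/System/Library/PrivateFrameworks/IPConfiguration.framework/IPConfiguration"
INTERFACE_RE = re.compile(r"\b(en\d+)\b")
COUNTRY_CODE_RE = re.compile(r"country code\s+(\w+)", re.IGNORECASE)


def _entry(ts, process, sender, message):
    return json.dumps({"timestamp": ts, "processImagePath": process,
                       "senderImagePath": sender, "eventMessage": message})


# Constructed sample of `log show --style ndjson` output (not real data).
SAMPLE_NDJSON = "\n".join([
    _entry("2023-08-14 09:12:01.123456-0400", "/usr/libexec/configd", IPCONFIG_SENDER,
           "en0: SSID CoffeeShop-Guest"),
    _entry("2023-08-14 09:12:02.000000-0400", "/usr/libexec/configd", IPCONFIG_SENDER,
           "DHCP en0: lease obtained, router 192.168.4.1"),
    _entry("2023-08-14 09:12:02.500000-0400", "/usr/libexec/configd", IPCONFIG_SENDER,
           "en0: link status changed"),                      # no keyword: dropped
    _entry("2023-08-14 09:15:40.000000-0400", "/usr/libexec/airportd", "/usr/libexec/airportd",
           "en0: SSID CoffeeShop-Guest country code X0"),    # wrong sender: dropped
    _entry("2023-08-14 17:02:11.000000-0400", "/usr/libexec/configd", IPCONFIG_SENDER,
           "en1: network changed"),
])


def matches_ipconfig_predicate(entry):
    """Python equivalent of IPCONFIG_PREDICATE for one parsed ndjson entry."""
    sender = entry.get("senderImagePath", "").casefold()
    message = entry.get("eventMessage", "").casefold()
    return "ipconfiguration" in sender and any(k in message for k in MESSAGE_KEYWORDS)


def filter_network_events(ndjson_text):
    """Return the matching entries, with the interface name pulled out of the message."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not matches_ipconfig_predicate(entry):
            continue
        iface = INTERFACE_RE.search(entry["eventMessage"])
        hits.append({
            "timestamp": entry["timestamp"],
            "process": entry.get("processImagePath", "").rsplit("/", 1)[-1],
            "interface": iface.group(1) if iface else None,
            "message": entry["eventMessage"],
        })
    return hits


def country_codes(ndjson_text):
    """The poster's second search: entries mentioning "country code".
    "X0" is the default when no country code is available, so flag it."""
    codes = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        m = COUNTRY_CODE_RE.search(entry.get("eventMessage", ""))
        if m:
            codes.append((entry["timestamp"], m.group(1), m.group(1) == "X0"))
    return codes


if __name__ == "__main__":
    for hit in filter_network_events(SAMPLE_NDJSON):
        print(hit["timestamp"], hit["process"], hit["interface"], hit["message"])
    for ts, code, is_default in country_codes(SAMPLE_NDJSON):
        print(ts, "country code", code, "(default)" if is_default else "")
```

To use it on a real export, replace SAMPLE_NDJSON with the contents of a file produced by `log show --info --style ndjson > net.ndjson` (on macOS 10.12+ this can be run against a logarchive as well as the live system). Note the third sample entry: it comes from IPConfiguration but carries none of the keywords, so the predicate drops it, which is why a broader "configd"/"en0" search is also suggested on the poster.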

iOS: iOS Backup: macOS 11+/iOS 14+: Interpretation


those within the calendar directory. • /Library/Preferences/com.apple.wifi.known-networks.plist Description • If you can analyze both the sending and receiving devices, you can
• /private/var/mobile/Containers/Data/Application/<GUID>/ • /mobile/Applications/com.apple.notes/NoteStore.sqlite
• Calendar Cache (macOS) and Calendar.sqlite (iOS) are sqlite Older macOS: This tracks recent interactions across various applications on the device. tie the activity together using the AirDrop ID (ReceiverID). If only
• [/private/var]/mobile/Library/Mail/ databases that contain calendar information. • Attachments: /mobile/Applications/com.apple.notes/*
• / Library/Preferences/SystemConfiguration/com.apple.airport. one device is available, attribution is much more difficult.
• Envelope Index: [/private/var]/mobile/Library/Mail/Envelope Index • legacy: /mobile/Applications/Notes/notes.sqlite Location
- Table names have changed over time. preferences.plist • Be aware that device hostnames can easily be changed.
macOS:
Interpretation - It includes locations, shared events, notes, contacts, and more. Interpretation Older iOS:
• ~/Library/Containers/com.apple.corerecents.recentsd/Data/
• Log shows whether the connection was “Accepted” or “Declined.”
• Database timestamps are in Unix Epoch format in local time. • E ven with syncing enabled, the user can choose to create local notes • [/private/var]/preferences/SystemConfiguration/com.apple.wifi. Library/Recents/Recents
• O n macOS, the version number differs depending on the OS version:
- V
 5 = macOS 10.13
that are not synced. plist
Older iCloud Synced WiFi:
iOS: [iOS] AirDrop Activity –
- V
 6 = macOS 10.14 [macOS 10.15+, iOS 13+] • Note attachments are stored in the Media folder.
• Note thumbnails are stored in the Preview folder. • ~ /Library/SyncedPreferences/com.apple.wifi.WiFiAgent.plist
• [/private/var]/mobile/Library/Recents/Recents
Aggregate Dictionary
Interpretation
- V
 7 = macOS 10.15
- V
 8 = macOS 11 Reminders – com.apple.reminders • In the sqlite database: Interpretation • The value field may contain a BLOB that is an embedded plist file Description
- ZFILENAME provides the attachment filename, as stored in the com.apple.wifi.known-networks.plist: containing different information depending on key type.
- V
 9 = macOS 12 Description Media folder. The Aggregate Dictionary database tracks activity over the last seven
• A ddReason key shows whether the data has been synced. • Database timestamps are in Unix Epoch format.
- V
 10 = macOS 13 Reminders were moved to their own database on macOS 10.15 and days and includes AirDrop activity.
- PROTECTED = 0 means the note is not encrypted, 1 means it is • A ddedAt timestamp shows when the access point was added.
• The GUID folders can be correlated with the iOS 13. Previously, they were stored in the Calendar database. encrypted. • JoinedByUserAt provides the timestamp when the user specifically Location
Account3.sqlite/Account4.sqlite databases.
• Mailboxes can contain nested mailboxes, messages and attachments. Location - ZDATA stores the note body as a BLOB, which is a protobuf in a joined the access point. Application Usage – KnowledgeC iOS physical:
GZIP archive. • JoinedBySystemAt provides the timestamp when the system auto-
- M
 essages folder contains raw EMLX email messages with an macOS:
- C ryptographic material to decrypt encrypted notes is stored in connected to the access point. Description • /private/var/mobile/Library/AggregateDictionary/ADDataStore.
• ~/Library/Reminders/../../Data-<GUID>.sqlite sqlitedb
appended plist containing message metadata. this database, not the keychain – use Apple Cloud Notes Parser† to Synced preferences: Amongst other things, the KnowledgeC database tracks application
- A
 ttachments folder contains message file attachments. • ~/Library/Reminders/../../Data-local.sqlite decrypt. • a dded_by shows the device name that added this access point. usage, including start and end times, and how the application was Interpretation
iOS: launched and used.
• E nvelope Index sqlite database contains indexed mail data. It includes †
https://github.com/threeplanetssoftware/apple_cloud_notes_parser • a dded_at provides the time this access point was added into the • Timestamps are stored in Unix Epoch format.
flags to show whether the email has been read, flagged, or deleted. • [/private/var]/mobile/Library/Reminders/../../Data-<GUID>.sqlite plist file. Location • Use APOLLO† aggregate_dictionary_scalars module to extract
• Database timestamps are in Unix Epoch format. • [/private/var]/mobile/Library/Reminders/../../Data-local.sqlite
Photos – com.apple.Photos macOS: information from database.

Known Networks https://github.com/mac4n6/APOLLO



• ~/Library/Application Support/Knowledge/knowledgeC.db
Interpretation
Messages – SMS and iMessage • Each sqlite database contains reminders from a certain source Description iOS physical:

Description
(e.g., local, iCloud). Photos is the native photo gallery application, including photos and
videos taken using the camera, screenshots, and synced media files.
Description
Known networks are those that the system has previously established
• /private/var/mobile/Library/CoreDuet/knowedgeC.db [macOS] Shared Folders
This is a native instant messaging application, which can be used with
• Every object in the database has a different Z_ENT value, which a connection with and have been remembered. Each network is stored Interpretation Description
changes for different versions of the database. Location in its own key, which includes the SSID and last connection time. • It stores approximately four weeks of data.
various different protocols. Information and metadata for shared folders on the system
- OBJECT_TYPE shows which type each Z_ENT refers to. macOS: • Use APOLLO† knowledge_app_inFocus module to extract
Location
Location • ~/Pictures/Photos Library.photosLibrary/* macOS 10.15-:
application usage times. Location
macOS:
• ~/Library/Messages/chat.db
Contacts – com.apple.AddressBook • ~/Pictures/Photos Library.photosLibrary/database/photos.db • / Library/Preferences/SystemConfiguration/com.apple.airport.
• Use APOLLO† knowledge_app_intents module to extract
application usage context.
• /private/var/db/com.apple.xpc.launchd/disabled.plist
• /private/var/db/launchd.db/com.apple.launchd/overrides.plist
• Original photos: ~/Pictures/Photos Library.photosLibrary/originals/* preferences.plist
• Use APOLLO† knowledge_audio_media_nowplaying module to
iOS: Description iOS: iOS 13-: • /private/var/db/dslocal/nodes/Default/sharepoints/*.plist
extract details of media playback.
• [/private/var]/mobile/Library/SMS/sms.db Otherwise known as the Address Book, the Contacts application hold • [/private/var]/preferences/SystemConfiguration/com.apple.wifi.plist - List of shared folders and their metadata
• [/private/var]/mobile/Media/PhotoData/* †
https://github.com/mac4n6/APOLLO
• [/private/var]/mobile/Library/SMS/Attachments/* user contact information. It can be populated by the user or by other
applications. • [/private/var]/mobile/Media/PhotoData/Photos.sqlite Interpretation Interpretation
Interpretation
• SMS can only be used on iOS. Location
• [/private/var]/mobile/Media/DCIM/*
• [/private/var]/mobile/Media/PhotoStreamsData/*
• D
 ata only appears to be purged for this plist via user action.
• C
 aptiveNetwork set to “YES” refers to the pop-up screens you get
Application Usage – disabled.plist/overrides.plist:
• By default, none of these settings are enabled.
• Databases are sqlite and include messages and metadata. macOS:
• ~
 /Library/Application Support/AddressBook/AddressBook-v22.
• [/private/var]/mobile/Media/PhotoCloudSharingData/* in hotels and restaurants. CurrentPowerlog • Look for com.apple.smbd and/or com.apple.AppleFileServer as
the bundle IDs for shared folders.
- T imestamps are in Unix Epoch format in local time. Interpretation
abcddb Description
Network Usage – Unified Logs
sharepoints/*.plist:
- A pple Pay transactions are recorded in the attributedBody (BLOB) • Photos Library.photosLibrary on macOS is a package format directory.
and payload_data fields (embedded binary plist). • ~
 /Library/Application Support/AddressBook/Sources/<GUID>/ This tracks application usage, as the status of the camera (front or • Each shared folder has its own plist file.
AddressBook-v22.abcddb • E
 xtended attributes show a file was synced from iCloud, if back), and logging calls.
- filename field shows the path to an attachment. com.apple.quarantine contains cloudphotosd.
Description
- m ime_type shows the type of attachment.
• ~
 /Library/Application Support/AddressBook/Sources/<GUID>/
Metadata/* • Photos application adds the com.apple.assetsd.* extended attribute.
Unified logs include entries for network connections made on the
system.
Location
macOS:
iCloud Documents
iOS: - T his includes the original filename, location, timezone, flags for Description
• /private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.
Call History – Phone and FaceTime • [/private/var]/mobile/Library/AddressBook/AddressBook.sqlite
• P
“hidden” and “favorite,” and quarantine information.
 hotos taken with iOS 11+ use High Efficiency Image Container (HEIC)
Location
macOS 10.12+, iOS 10+:
PLSQL iCloud stores local copies of documents shared using various
• [/private/var]/mobile/Library/AddressBook/Sources/* • /private/var/db/powerlog/Library/BatteryLife/Archives/* applications.
Description format. • U
 nified Logs
iOS physical:
Phone and FaceTime are the native calling applications on macOS and iOS. Interpretation • Database includes metadata for each media file. macOS 10.8+:
• /private/var/Containers/Shared/SystemGroup/<GUID>/Library/
Location
• Each source under the Sources folder could have its own associated - It includes extracted EXIF embedded metadata, annotations, • S
 ystem log BatteryLife/CurrentPowerlog.PLSQL macOS:
Location database file and Metadata folder. location information, and detected faces and objects. • ~/Library/Mobile Documents/
macOS: Interpretation • /private/var/Containers/Shared/SystemGroup/<GUID>/Library/
iOS Full Filesystem:
- Metadata directories contain a binary plist file for each person • E
 ach subfolder of DCIM can contain up to 999 files, which are BatteryLife/Archives/*
• S
 earch for sender “IPConfiguration” and where the log message
• ~/Library/Application Support/CallHistoryDB/CallHistory.storedata (ending with p), subscription (s), or group (g). sequentially named from IMG_0001. contains “Lease” or “network changed”. • /private/var/mobile/Library/Mobile Documents/
iOS: - Rename Metadata files to .plist in order to open with XCode.  ther photos may be stored by third-party applications – use TCC.db
• O Interpretation
• [/private/var]/mobile/Library/CallHistoryDB/CallHistory.storedata • When searching for a person of interest, search for their UID, not just to find those with Camera permissions.
- U
 se log show –info –predicate 'senderImagePath contains[cd] • It stores approximately three days of data. Interpretation
"IPConfiguration" and (eventMessage contains[cd] "SSID"
their name. • B
 e wary of timestamps in this log – some, but not all, have an offset. • Each subdirectory corresponds to an application and is named in
or eventMessage contains[cd] "Lease" or eventMessage
Interpretation • Use APOLLO† powerlog_app_usage module to extract application reverse DNS format but using tildes (~).
• Phone reverse DNS name is com.apple.mobilephone.
• Database timestamps are in Unix Epoch format in local time.
Maps – com.apple.Maps • S
contains[cd] "network changed")'
 earch logs for “configd”, “SSID”, or “en0” for a more detailed view usage times. • Extended attributes for these documents include the iCloud
Person ID in com.apple.ubd.prsid.
• FaceTime reverse DNS name is com.apple.facetime. of wireless activity. • Use APOLLO† powerlog_incallservice module to extract call logs.
• Database is in sqlite format and includes calls made/received and Wallet and Apple Pay Description
This is a native mapping application. Map data can be synced between
• S
 earch logs for “country code” to show the country codes • Use APOLLO† powerlog_camera_state module to extract camera
state information.
• Hidden *.icloud files correspond to files that have not been
downloaded to this device.
metadata. associated with wireless access point connections.
Description devices. - D
 efault code is “X0” when one is not available.

https://github.com/mac4n6/APOLLO - These are binary plist files that contain the file’s name and size.
- Z
 DATE timestamps are in Mac Epoch format in local time.
The Wallet application keeps track of tickets, cards, and passes. The user
- Z
 ADDRESS is the phone number or email address. can add a credit card to the Apple Pay portion of the application to use Location
- Z
 ANSWERED = 0 means No, 1 means Yes. for purchases. macOS:
- Z
 CALLTYPE = 1 means normal telephony call, 8 means FaceTime, • ~/Library/Containers/com.apple.Maps/MapsSync.0.0.1
Location
Application Data
16 means FaceTime Voice call. iOS Full Filesystem:
- Z
 ORIGINATED = 0 means incoming, 1 means outgoing with this user. macOS: • /
 private/var/mobile/Containers/Data/Application/<GUID>/Library/
- Z
 DURATION is the time in seconds for this call. • ~/Library/Passes/passes23.sqlite Maps/MapsSync.0.0.1
- Z
 SERVICE_PROVIDER is the application used for the call. • ~/Library/Passes/Cards/*.pkpass iOS Backup:
• macOS database may store contact information in an encrypted BLOB. • iCloud synced data: ~/Library/Mobile Documents/ • /mobile/Applications/com.apple.Maps/MapsSync.0.0.1
• Some data may be synced across devices. com~apple~shoebox/UbiquitousCards/*.pkpass
Interpretation
Application Data Autorun Applications Third-Party Software Installation
iOS:
• Database timestamps are in Unix Epoch format in local time.
• /private/var/mobile/Library/Passes/passes23.sqlite • iOS backup folder for Maps may be empty. Description
This determines application information, including name and version.
Description
Autorun applications are those that automatically run when a user logs in.
and Updates
• /private/var/mobile/Library/Passes/Cards/*.pkpass • P
 rior to macOS 11 and iOS 14, Maps data was scattered throughout
[iOS] Visual Voicemail • iCloud synced data: /private/var/mobile/Library/Mobile the filesystem as .mapsdata plist files that stored location data as
embedded protobufs.
Location Location
Description
This determines installed applications and updates, including timestamps,
Documents/com~apple~shoebox/UbiquitousCards/*.pkpass macOS: macOS 10.13+: package names, and software used to install an application.
Description - T
 hese files are not included in iTunes backups.
• /Applications/<Bundle ID>/Info.plist • ~
 /Library/Application Support/com.apple.
Some, but not all, cellular carriers provide visual voicemail functionality Interpretation MapsSync.0.0.1: backgroundtaskmanagementagent/backgrounditems.btm Location
on iOS devices, where voicemail audio files are downloaded to the device. • ~/Library/Containers/…/<bundle_id>/…/Preferences/*.plist
passes23.sqlite: • ZMAPITEMSTORAGE stores location data as an embedded protobuf. - NSKeyedArchiver plist file • macOS 10.14: ~/Library/Caches/com.apple.appstoreagent/updates.plist
• ~/Library/Containers/…/<bundle_id>/…/Cache/*
Location • Database timestamps are in Unix Epoch format. • ~/Library/Preferences/*.plist • /Applications/<Application>.app/Contents/Library/LoginItems/ • m
 acOS 10.15+: ~/Library/Caches/com.apple.appstoreagent/storeSystem.db
• [/private/var]/mobile/Library/Voicemail/voicemail.db • UNIQUE_ID in the database will match the .pkpass filename.
• GROUP_ORDER shows the order of passes in the application, as
[iOS] Health • ~/Library/Caches/* macOS 10.4+:
• /System/Library/LaunchAgents/*.plist


/Library/Receipts/InstallHistory.plist
/var/log/install.log
• [/private/var]/mobile/Library/Voicemail/*.amr iOS physical:
shown to the user (0 will be at the top). Description • /Library/LaunchAgents/*.plist - Search the file for “Installed” to find app names and versions.
• [/private/var]/mobile/Library/Voicemail/*.transcript • / private/var/containers/Bundle/Application/<GUID>/iTunesMetadata.plist
• Transactions using saved cards exist in the database. Only Apple Health information about the user is stored in a database, if enabled. • /private/var/mobile/Containers/…/<bundle_id>/*.plist • ~/Library/LaunchAgents/*.plist • /var/db/receipts/
Interpretation Card transactions are synced across devices. This can include steps, distance, and heart rate, which can be collected • /private/var/mobile/Containers/…/<bundle_id>/Library/Caches/* • /System/Library/LaunchDaemons/ •p  list file contains install timestamp, package name, and installer process.
• E ach voicemail audio file is stored as an AMR file and uses the • Transactions specific to Apple Cash are called “peer payments.” using the Apple Watch. • /private/var/mobile/Containers/Bundle/Application/<GUID>/* • /Library/LaunchDaemons/ • bom file contains list of files and metadata for application.
ROWID from the sqlite database as a filename. • Journeys using a stored transit card are recorded, including start and - C ontains application binary file iOS: • iOS 10+: /private/var/installd/Library/Logs/MobileInstallation/
• If a voicemail has an accompanying transcript, this will be stored as end stations. Location mobile_installation.log.#
• /private/var/mobile/Containers/Data/Application/<GUID>/* • /Library/LaunchAgents/*.plist
an NSKeyedArchiver plist. .pkpass files: • [/private/var]/mobile/Library/Health/healthdb_secure.sqlite - Search the file for “Installing” to find app names and versions, for
• /private/var/mobile/Containers/Shared/AppGroup/<GUID>/* • /System/Library/LaunchDaemons/
• Database timestamps are in Unix Epoch format in local time. • Each card is a .pkpass package format directory. approximately one month of app installs.
Interpretation - D ata shared amongst apps with the same developer • /System/Library/NanoLaunchDaemons/
• Search for “Make container live” for app installs.
- pass.json stores the actual pass or card data. • D
 atabase is encrypted in iOS backups, but not in a Full Filesystem dump. • /private/var/mobile/Library/Cache/<bundle_id>/* • /Library/LaunchDaemons/
- Search for “Destroying container” for app uninstalls
• Use APOLLO† health_* modules to extract a user’s health data. • /private/var/mobile/Preferences/*.plist - Requires jailbroken device to acquire
- Search app bundle IDs for specific app activity.

https://github.com/mac4n6/APOLLO iOS backup: Interpretation • iOS: /private/var/mobile/Library/FrontBoard/applicationState.db
• /mobile/Applications/<bundle_id>/*.plist • Login items can be hidden from view of the user. - It contains an embedded plist.
• /mobile/Library/Preferences/*.plist • Launch Daemons are background system processes.
Sandboxed applications: Interpretation
• Launch Agents are background user processes.
• ~
 /Library/[Group] Containers/<Bundle ID>/Data/Library/Application • InstallHistory.plist processName:
• plist files are named in reverse DNS format.

Paired Devices and Backups


Support/<App Name>/ - macOS Installer = System OS installer/updater
• ~/Library/[Group] Containers/<Bundle ID>/Data/Library/Preferences - softwareupdated or “Software Update” = System/security updates
- < TLD>.<Company>.<Application>.plist file contains the user’s
preferences
Saved Application State - storedownloadd = App Store install
- Installer = External installer
• ~/Library/Caches Description • bom file can be viewed using lsbom <bom file> command.
[macOS, Windows] Lockdown Files [macOS, Windows] iOS Backups Bluetooth Devices Non-sandboxed applications (legacy):
• ~/Library/Application Support
State information about an application is stored, to allow it to be returned
to its previous state after a reboot, if the user selects “reopen windows
• install.log file will not include software installed via a drag and drop
method.
when logging back in” on shutdown.
Description Description Description • ~/Library/Preferences
Location
Connecting an iOS device to another system generates a lockdown file
when the user selects “Trust This Computer”.
iOS devices can be backed up to iCloud or to a local macOS or Windows
system, either automatically or manually. Backups can be encrypted if the
This is a list of bluetooth devices that have connected to this device. - < TLD>.<Company>.<Application>.plist file contains the user’s preferences
• ~/Library/Caches Mac OS 10.7+:
Application Permissions – TCC
user chooses to enable this feature and set a backup password. Location
Location macOS 12+: Interpretation
• m
 acOS legacy apps: ~/Library/Saved Application State/<bundle_id>. Description
Location savedState/ This is when applications ask users which permissions they can have for
macOS: • /Library/Preferences/com.apple.MobileBluetooth.devices.plist • E
 ach container is named in reverse DNS format.
macOS: • m
 acOS sandboxed apps: ~/Library/Containers/<Bundle ID>/Data/ different capabilities on the system.
• /private/var/db/lockdown/ - T his keeps track of connected Bluetooth devices. • E
 ach sandbox directory contains a .com.apple.containermanagerd. Library/Application Support/<App Name>/Saved Application
Windows XP: • ~/Library/Application Support/MobileSync/Backup/ - T imestamps are stored in localtime. metadata.plist file with application information. State/<bundle_id>.savedState/ Location
• C:\Documents and Settings\<user>\Application Data\Apple Windows XP: • /Library/Databases/com.apple.MobileBluetooth.ledevices.other.plist • E
 ach directory contains a Data directory. The most interesting iOS: macOS:
Computer\Lockdown\ • C:\Documents and Settings\<user>\Application Data\Apple - This
 keeps track of ‘seen’ Bluetooth low energy devices, that have subdirectories are likely those that are not links. • <
 Application directory>/Library/Saved Application State/<bundle_id>. • ~/Library/Application Support/com.apple.TCC/TCC.db
Windows Vista: Computer\MobileSync\Backup\ not necessarily connected to the system. • Info.plist file contains app name, bundle ID, and version information. savedState/ • /Library/Application Support/com.apple.TCC/TCC.db
Lockdown Records (continued)

Location
• C:\Users\<user>\AppData\Roaming\Apple Computer\Lockdown\
Windows 7+:
• C:\ProgramData\Apple\Lockdown\

Interpretation
• <iDevice UDID>.plist files are created for each iDevice paired with the system. Contains certificates, keybags, and other info used to access a locked device.
• Device PIN/passcode is required for pairing record creation.
iOS 11+:
• Lockdown records expire after 30 days of no use.
iOS 9/10:
• Lockdown records expire after 6 months of no use.

iOS Backups (continued)

Location
Windows Vista+:
• C:\Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup\
Microsoft Store version of iTunes on Windows:
• C:\Users\<user>\Apple\MobileSync\Backup\

Interpretation
• Each subfolder is named for the device's UDID. A11-: 40-character UDID, A12+: [8 digits]-[16 digits] UDID.
• Folders named <UDID>-<timestamp> may also exist, which are created during a restore/update of the iDevice.
• Status.plist includes timestamps of the backup, type, and whether a full backup was performed.
• Info.plist contains device name, serial number, ICCID, MEID, IMEI, UDID, phone number, make, model, iOS and build information, the last backup date, and installed applications.
• Manifest.plist contains the backup date, whether the backup is encrypted, whether a device passcode was set, and the lockdown key, including device info, serial number, and UDID.
• iOS 10+: Manifest.db contains metadata about backup files. Previous versions of iOS stored this same data in Manifest.mbdb.
• A backup needs to be normalized by mapping files back to their original names. This may be shown differently by various tools.

Saved Application State (continued)

Interpretation
• The existence of these directories indicates the user has used these applications.
• Each *.savedState directory contains at least two files: windows.plist and data.data.

Keyboard Dictionary

Description
When a user types words into the device's keyboard, certain words are recorded to help with autocorrection and predictive text features. These words are stored in user dictionary files, which can provide insight into what the user has typed. These files may or may not be included in iOS backups. They should not contain anything typed into sensitive fields, such as passwords, although they may include sensitive data the user has typed into non-secure areas such as notes.

Location
macOS:
• ~/Library/Spelling/*dynamic-*.dat
iOS:
• [/private/var]/mobile/Library/Keyboard/*dynamic-*.dat

Interpretation
• English dictionaries are dynamic-*.dat
• Other languages have their own files and will be preceded by their language abbreviation (e.g., ar for Arabic)

Bluetooth Devices (continued)

Location
macOS 11+:
• /Library/Preferences/com.apple.MobileBluetooth.ledevices.paired.plist
- This keeps track of paired Bluetooth low energy devices.
macOS 11-:
• ~/Library/Preferences/ByHost/com.apple.Bluetooth.<HWUUID>.plist
- It lists devices the user specifically connected to.
• /Library/Preferences/com.apple.Bluetooth.plist
- DeviceCache key contains history of Bluetooth devices connected to the system.
iOS:
• /private/var/containers/Shared/SystemGroup/<GUID>/com.apple.MobileBluetooth.devices.plist
- This keeps track of connected Bluetooth devices.
- Timestamps are stored in localtime.
• /private/var/containers/Shared/SystemGroup/<GUID>/com.apple.MobileBluetooth.ledevices.other.plist
- This keeps track of 'seen' Bluetooth low energy devices, which have not necessarily connected to the system.
• /private/var/containers/Shared/SystemGroup/<GUID>/com.apple.MobileBluetooth.ledevices.paired.plist
- This keeps track of paired Bluetooth low energy devices.

Interpretation
• Some device MAC addresses may be randomized.
• Use timestamps carefully – certain user interactions can change how these timestamps may be interpreted. For example, changing the name of a device might update the first connected timestamp.
• UnlockEnabled = yes – an Apple Watch can be used to unlock this macOS device.
• com.apple.MobileBluetooth.ledevices.paired.plist file can find devices that were nearby.
- Note that this file will not include all nearby Bluetooth-enabled devices.

Application Permissions – TCC (continued)

Location
iOS:
• [/private/var]/mobile/Library/TCC/TCC.db

Interpretation
• Sqlite database gets its name from Transparency, Consent, and Control.
• Apps may have access to permissions such as: Location, Contacts, Calendars, Photos, Bluetooth, Microphone, and Camera.
• It includes last_modified timestamp for each permission for each application.
• auth_value = 0 means not allowed, 2 means allowed.
• kTCCServiceUbiquity permission is associated with iCloud.

Application Notifications

Description
Notifications for various applications are stored by the Graphical User Interface for the operating system. For macOS, this is called Finder; for iOS, it is SpringBoard.

Location
macOS:
• /private/var/folders/<DARWIN_USER_DIR>/com.apple.notificationcenter/db2/db
iOS 12+:
• [/private/var]/mobile/Library/UserNotifications/<app GUID>/*.plist

Interpretation
macOS:
• The user's DARWIN_USER_DIR path will be different for each user on the system.
• Attachments to notifications will be found in the /attachments directory.
• Database tracks notification delivery date, app bundle IDs, presentation, and style.
- NOTIFICATION DATA is a BLOB that contains a binary plist.
iOS:
• plist files are in NSKeyedArchiver format.
• Notifications cleared by the user are removed from plist files.
• Other files in the same folder contain interface-specific items such as background pictures, icon layouts, and widgets.
• Pair app GUIDs with their associated bundle IDs by looking in [/private/var]/mobile/Library/UserNotificationsServer/Library.plist. This file is not included in iOS backups.

Third-Party Kernel Extensions

Description
Kernel modules are often used as device drivers, network filters, or support for filesystems, and can be used maliciously.

Location
• /private/var/db/loadedkextmt.plist
• /Library/Apple/System/Library/Extensions/
• /System/Library/Extensions/
• /Library/Extensions/
• /Library/StagedExtensions/
• /Library/SystemExtensions/
• /Library/<Filesystems/macfuse.fs/Contents>/Extensions/

Interpretation
• On a live system, use the systemextensionsctl list command to list loaded system extensions and the kmutil showloaded command to list loaded kernel extensions.
• Each extension is a bundle containing an Info.plist file.

[macOS] Time Machine Backups

Description
Time Machine is the native backup utility on macOS, which may or may not be enabled.

Location
Time Machine settings:
• /Library/Preferences/com.apple.TimeMachine.plist
- BackupAlias contains details about any backup disks.
- SnapshotDates provide timestamps associated with backups.
- It also includes other info such as filesystem type, encryption status, and backup frequency.
Logs:
macOS 10.12+, iOS 10+:
• Unified logs
- Use log show --info --predicate 'process = "backupd"' to show backup info

Interpretation
Unified logs show when the backup started and finished, network or local location of backup, volume name backed up, amount of data backed up, and deletion of old backups.

[macOS] List of iDevices Attached to the System

Description
All iDevices that have been attached to the system while logged in as that user are recorded in a plist file.

Location
• ~/Library/Preferences/com.apple.iPod.plist

Interpretation
Devices' key contains one subkey per device, which includes the device type, IMEI, MEID, number of connections, time of last connection, and iOS version when last connected.

[iOS] Application Snapshots

Description
When an application is minimized to the background, a screenshot of the current screen is saved to the filesystem, to be used as a preview for the running app and allow for faster app switching. App developers can choose to prevent this functionality, and replace the screenshot with another image. This is commonly done for security reasons, such as in banking applications.

Location
• <Application directory>/Library/Caches/Snapshots/<bundle_id>/*

Interpretation
Snapshots are KTX files, which can be viewed using the macOS Preview application.
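The iOS Backups interpretation above says an iOS 10+ backup "needs to be normalized by mapping files back to their original names" using Manifest.db. The following is an added example of that normalization step; it is not code from the cheat sheet or from SANS. It assumes (as labelled in the comments) that the on-disk backup file name is the SHA-1 of "<domain>-<relativePath>", that the file is stored under a subdirectory named by the first two hex characters of that hash, and that flags 1/2/4 in the Files table mean file/directory/symlink. The Manifest.db here is constructed in memory with only the columns the example needs.

```python
"""Normalize an iOS 10+ backup: map hashed backup file names back to the
original domain/relativePath recorded in Manifest.db.

Added example, not SANS/FOR518 code. Assumptions (see lead-in): fileID is
SHA-1("<domain>-<relativePath>"); files live at <first 2 hex>/<fileID>;
flags 1 = file, 2 = directory, 4 = symlink. Sample rows are constructed.
"""
import hashlib
import sqlite3

FLAG_FILE, FLAG_DIRECTORY, FLAG_SYMLINK = 1, 2, 4  # assumed meanings


def backup_file_id(domain: str, relative_path: str) -> str:
    """The name a backup uses on disk for one file (assumed SHA-1 scheme)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_relative_location(file_id: str) -> str:
    """Backups shard files into two-hex-character subdirectories (assumed)."""
    return f"{file_id[:2]}/{file_id}"


def build_sample_manifest() -> sqlite3.Connection:
    """Constructed Manifest.db with a reduced Files table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER)"
    )
    samples = [
        ("HomeDomain", "Library/SMS/sms.db", FLAG_FILE),
        ("HomeDomain", "Library/Safari/BrowserState.db", FLAG_FILE),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", FLAG_FILE),
        ("HomeDomain", "Library/Safari", FLAG_DIRECTORY),  # no data file on disk
    ]
    for domain, rel, flags in samples:
        con.execute(
            "INSERT INTO Files VALUES (?, ?, ?, ?)",
            (backup_file_id(domain, rel), domain, rel, flags),
        )
    con.commit()
    return con


def normalize_backup(con: sqlite3.Connection) -> dict:
    """Return {path inside the backup folder: original domain/relativePath}.

    Directory and symlink entries carry no data file, so they are skipped;
    a tool that lists them as files would be showing the backup differently,
    which is the caveat the sheet raises.
    """
    mapping = {}
    query = "SELECT fileID, domain, relativePath, flags FROM Files"
    for file_id, domain, rel, flags in con.execute(query):
        if flags != FLAG_FILE:
            continue
        mapping[backup_relative_location(file_id)] = f"{domain}/{rel}"
    return mapping


def find_by_original_path(con: sqlite3.Connection, domain: str, rel: str):
    """Locate the backup file that holds a known artifact (e.g. sms.db)."""
    row = con.execute(
        "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
        (domain, rel),
    ).fetchone()
    return backup_relative_location(row[0]) if row else None


if __name__ == "__main__":
    manifest = build_sample_manifest()
    for backup_path, original in sorted(normalize_backup(manifest).items()):
        print(f"{backup_path}  ->  {original}")
    print("sms.db is at", find_by_original_path(manifest, "HomeDomain", "Library/SMS/sms.db"))
```

Running the script prints the hashed-to-original mapping for the three constructed files; the directory row is left out. The same lookup works on a real Manifest.db opened read-only, provided the backup is unencrypted or has already been decrypted.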
Deleted File or File Knowledge

[macOS 10.4, iOS 3] Search – Spotlight

Description
Spotlight indexes the system to allow the user to search for files quickly. Indexing includes file metadata, extended attributes, and content of some file types.

Location
User shortcuts (searches):
• ~/Library/Application Support/com.apple.spotlight.Shortcuts
• macOS 10.15+: ~/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts.v3
Main Spotlight indexing databases:
• /.Spotlight-V100/Store-V2/<GUID>
- VolumeConfiguration.plist contains indexing exclusions and other configuration data.
- Cache directory contains subdirectories of text-based versions of original documents, each named for the file's inode.
- store.db is the index database.
macOS 10.13+ User database:
• ~/Library/Metadata/CoreSpotlight/index.spotlightV3

Interpretation
• A volume can explicitly be marked to disable indexing by placing a hidden, empty file named .metadata_never_index in the root of the volume.
• Some locations are not indexed by default, including DMG files, CDs, DVDs, hidden files and system directories.
• User shortcut files provide words actually typed in by the user.

File System Events Store Database

Description
This database stores file system changes. It includes events such as file/folder creation, renaming actions, unzipping of files, item deletion, Trash being emptied, and volumes being mounted and unmounted.

Location
• /.fseventsd/

Interpretation
• Directory contains gzipped files that require root privileges to unzip and view.
• It can be wiped during a system crash or a hard power off.
• It only tracks changes on HFS and APFS volumes, although you may see a directory on FAT volumes.
• Events do not have associated timestamps. Approximate times can sometimes be estimated using filenames and paths.

Document Versions

Description
Document versions were introduced in macOS 10.7 to automatically back up certain types of documents or to restore documents after a system crash. Versions are created when a document is saved, opened, every hour a document is open, and when it is frequently being edited. This feature is only supported by certain applications.

Location
macOS 10.15+:
• /System/Volumes/Data/.DocumentRevisions-V100
• /System/Volumes/Data/.DocumentRevisions-V100/db-V1/db.sqlite
- Contains metadata for document versions
• /System/Volumes/Data/.DocumentRevisions-V100/.cs/ChunkStorage/*
macOS 10.7+:
• /private/var/.DocumentRevisions-V100
• /private/var/.DocumentRevisions-V100/db-V1/db.sqlite
- Contains metadata for document versions
• /private/var/.DocumentRevisions-V100/.cs/ChunkStorage/*

Interpretation
• Microsoft Office does not implement Document Versions; it has its own autosave feature.
• Users can access document versions within an application via File → Revert To → Browse All Versions…
• Historical versions of files are saved in Chunk Storage.
• Document Versions are only found on HFS+ and APFS-formatted volumes.
• Hidden .DocumentRevisions-V100 directory contains a folder named PerUID or AllUIDs.
- Subdirectories are named <UID>, which are unique across all UIDs on system volumes.
• <UID> subdirectories contain further subdirectories named in reverse DNS format:
- com.apple.documentVersions contains versions for documents saved on the local volume.
- com.apple.ubiquity contains versions for documents saved on the local volume and iCloud.
- com.apple.thumbnails contains versions for QuickLook thumbnails.
- com.apple.genstore.info contains an embedded binary plist that may include the hostname of the system on which the version was created.
• Each file version or generation has extended attributes associated with "genstore."
- com.apple.genstore.origdisplayname or com.apple.genstore.posixname stores the filename for this generation.
• Note that file versions will be shown as zero bytes in size, because their content is stored in Chunk Storage.

Files Quarantined by XProtect AV

Description
Some applications implement file tagging, so XProtect can automatically quarantine downloaded files that are deemed to be potentially malicious. Files that are quarantined are recorded in a database.

Location
macOS 10.7+:
• ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
macOS 10.11+:
• /Library/Containers/<bundle_id>/Data/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
XProtect signature file:
• /System/Library/CoreServices/[CoreTypes|XProtect].bundle/Contents/Resources/Xprotect.plist
- Xprotect.meta.plist in the same folder contains the date the signature file was last updated.

Interpretation
• If an application is implementing this feature, it will have the LSFileQuarantineEnabled key set to True in its Info.plist file.
• Files copied off a USB or downloaded using an app that does not implement this feature will not be checked by XProtect.
• Database timestamps are stored in Mac Absolute Time/WebKit time.
• LSQuarantineTypeNumber = 0 means web browsers, 1 means XCode, 2 means Apple Mail, 3 means iChat, 6 means AirDrop, and 7 means another app.
• XProtect is only updated when Apple decides to update it, and signatures are limited.

[macOS] Trash

Description
Any files or folders deleted by the user are saved into a hidden Trash folder in the root of that user's home directory.

Location
• ~/.Trash

Interpretation
• Some trashed files can be restored using the "Put Back" option.
- If the file has this option, the data can be found in the .DS_Store file in Trash.
• Safari "Safe" files are sent directly to Trash as they are auto-unzipped on download.
• macOS 10.12+: Option available to remove files from Trash after 30 days.

File/Folder Opening

[macOS] Extended Attributes – DMG File Opened

Description
Double-clicking a DMG file produces two additional extended attributes for that file that are specific to this action and this file type. These extended attributes show that the DMG was opened at least once.

Location
Everywhere! See extended attribute names for files:
• ls -l@
- com.apple.diskimages.fsck provides file system check information.
- com.apple.diskimages.recentcksum provides checksum info and download date (Unix Epoch).
View extended attributes for a file:
• xattr -xl <file>

Interpretation
The first open timestamp from this process is recorded in ~/Library/Logs/fsck_hfs.log.

[macOS] Extended Attributes – File Last Used

Description
This extended attribute is updated when a file is used in the Finder window or if the file is opened using the "open" command in the Terminal.

Location
Everywhere! See extended attribute names for files:
• ls -l@
- com.apple.lastuseddate#PS stores Unix Epoch timestamp of when file was last used, as it pertains to the file system
View extended attributes for a file:
• xattr -xl <file>

Interpretation
Not all file types have this attribute.

[macOS] .DS_Store – Folder Access

Description
Hidden .DS_Store files can exist all over macOS systems, and are created when the Finder application is used to access a directory.

Location
Everywhere!
• .DS_Store

Interpretation
• These files implement a B-tree format.
• For trashed files, .DS_Store contains the original filename and original file path.

[macOS] Most Recently Used (MRU)

Description
Each user account stores a list of commands run in a bash or zsh shell terminal, within a hidden file in their home folder.

Location
• macOS 10.12-: ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
• macOS 10.13+: ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl2
• ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.Recent*.sfl2
Microsoft Office 365:
• ~/Library/Containers/com.microsoft.<app>/Data/Library/Preferences/com.microsoft.<app>.securebookmarks.plist
- Each key includes the last-used timestamp in kLastUsedDateKey.
- kBookmarkDataKey contains a bookmark data BLOB that includes the file path, volume name, and volume GUID.

Interpretation
• SFL files are binary plists that use the NSKeyedArchiver format.
• Most native MRU lists keep the last 10 items by default. Microsoft Office keeps more.
• Parse using macMRU-parser†.
† https://github.com/mac4n6/macMRU-Parser

[macOS] Recent Folders

Description
These are folders recently accessed by the user account.

Location
• ~/Library/Preferences/com.apple.finder.plist
- FXRecentFolders contains a bookmark data BLOB in file-bookmark

Interpretation
• Item 0 is the most recent and item 9 is the least.

[macOS 10.13+] Recent Items

Description
These are items recently accessed by the user account, per application.

Location
• ~/Library/Application Support/com.apple.sharedfilelist/*.sfl2

Interpretation
• The list contains both native and third-party applications.
• Files are named in reverse DNS format.

Account Usage

[macOS] com.apple.loginwindow.plist

Description
Last logged-in user, current logged-in user (on live system), auto-login user (if configured), and other settings are recorded in a plist file.

Location
• /Library/Preferences/com.apple.loginwindow.plist

Interpretation
• The user's (XOR'd) password is stored in /etc/kcpassword.
• Automatic login is not available for user FileVault or iCloud credential logins.

[macOS] User Logins

Description
These are successful and failed user account login and logout events.

Location
• System log
macOS 10.12+, iOS 10+:
• Unified Logs
macOS 10.5.6+:
• ASL

Interpretation
• Login events are marked with USER_PROCESS and the process ID.
• Login type is identified by:
- loginwindow = login via the GUI
- login = login via the Terminal
- sshd = login via SSH
• Logoff events are marked with DEAD_PROCESS and the process ID.

[macOS] Audit Logs – su Logins

Description
These are successful and failed su logins.

Location
• Audit logs

Interpretation
• View su logins: praudit -xn /var/audit/* - su

[macOS] Audit Logs – Account Creation

Description
Entries in the audit log are added when a user account is created.

Location
• Audit logs

Interpretation
• create user event includes the name of the new user and the UID of the user who created it.

[macOS] Screen Lock/Unlock

Description
Events are recorded when the screen is locked or unlocked.

Location
• Unified Logs

Interpretation
• Screen lock events contain com.apple.sessionagent.screenIsLocked
• Screen unlock events contain com.apple.sessionagent.screenIsUnlocked
• This includes unlock actions using a regular password, TouchID, or Apple Watch.

[macOS] Known SSH Hosts

Description
These are hostnames, IP addresses, and public keys for hosts that this system has connected to via SSH, for which the user decided to save the key.

Location
• ~/.ssh/known_hosts
• ~/.ssh/authorized_hosts

Interpretation
• By default, hostnames and IP addresses will be readable.
- This data will be hashed if HashKnownHosts is set to yes in the /etc/ssh/ssh_config file.

[macOS] su Privilege Escalation

Description
Users with su privileges are recorded, as well as a log of commands that have been run as root.

Location
Users with root-level privileges:
• /etc/sudoers
• Unified logs

Interpretation
• Look for the sudo or su process.

User Accounts

Description
Each user and group has their own plist file.

Location
• /private/var/db/dslocal/nodes/Default/users/
• /private/var/db/dslocal/nodes/Default/groups/

Interpretation
• Files may be binary or XML plist files depending on the OS version.
• Access to these directories requires root privileges.
• Each plist file contains the account creation timestamp, last password reset time, username, and potentially the associated email address.
• Timestamps are stored in Unix Epoch format.
• failedLoginCount and failedLoginTimestamp values do not appear to be updated.

User Account Passwords

Description
User account password hashes are stored locally. The format and location of these has changed with different versions of macOS.

Location
• macOS 10.7+: /private/var/db/dslocal/nodes/Default/users/*
- ShadowHashData key in plist files contains the password hash.
• macOS 10.6: /private/var/db/shadow/hash/<GUID>.state

Interpretation
• macOS 10.6 systems use a salted SHA1 hash.
• macOS 10.7 systems use a salted SHA512 hash.
• macOS 10.8+ systems use a salted SHA512 PBKDF2 hash.
• John The Ripper (JTR) and Hashcat include password cracking support for all of these hashes.

Deleted User Accounts

Description
If any user accounts have been deleted on the system, they will be listed in a plist file under the deletedUsers key. This file may not exist if no accounts have been deleted.

Location
• /Library/Preferences/com.apple.preferences.accounts.plist

Interpretation
• Lists user's name, UID, username, and deletion date for each account.
• Three options for the user's data are made available when an account is deleted:
- Save the home folder to a DMG file, which is saved to /Users/Deleted Users/
- Leave the home folder in place.
- Remove the user's home directory.

[macOS] Screen Sharing and Remote Login Preferences

Description
These are settings for items that can be shared, including screen sharing and remote access to the system.

Location
Preferences:
• /private/var/db/com.apple.xpc.launchd/disabled.plist
• /private/var/db/launchd.db/com.apple.launchd/overrides.plist
• /Library/Preferences/com.apple.RemoteManagement.plist
- It is created when screen sharing or remote management options are enabled.
• /Library/Preferences/com.apple.VNCSettings.txt
- It contains the XOR'ed password to access the system via VNC.
Screen sharing events:
• Unified Logs
- Search for "screensharingd"

Interpretation
disabled.plist/overrides.plist:
• By default, none of these settings are enabled.
- com.apple.screensharing = NO (0) – Screen sharing is enabled.
- com.openssh.sshd = NO (0) – Remote Login is enabled.
- If the bundle ID for a service does not appear in the list, it was likely never enabled.

System and User Information

Operating System Version and Serial Number

Description
This determines the operating system version, build version, and serial number.

Location
macOS:
• /System/Library/CoreServices/SystemVersion.plist
- OS version, build version
• /private/var/root/Library/Caches/locations/cache_encryptedA.db
- Serial number
iOS physical:
• /mobile/Library/Logs/AppleSupport/general.log
• /logs/AppleSupport/general.log
- Device model, OS version, serial number
• /private/var/containers/Data/System/<GUID>/Library/activation_records/activation_record.plist
• /private/var/containers/Data/System/<GUID>/Library/activation_records/wildcard_record.plist
- Device UDID, IMEI, model, serial number
iOS file system/backup:
• Info.plist
- Device hostname, model, UDID, iOS version, serial number
iOS:
• [/private/var]/mobile/Library/Preferences/com.apple.springboard.plist
- Device locale, OS version, as well as settings such as erase device after 10 failed passcode attempts

Operating System Installation Date and Updates

Description
This determines the operating system installation date and date of updates.

Location
• /private/var/db/.AppleSetupDone
- Date of last OS update: stat -x /private/var/db/.AppleSetupDone (Change date).
• /private/var/log/install.log
- OS installation date: grep "Installed\ \"macOS" install.log
• /private/var/db/softwareupdate/journal.plist
- InstallDate keys show OS installation timestamps.
• [/private/var]/mobile/Library/Preferences/com.apple.purplebuddy.plist
- Device setup info, original locale, setup time, device model.
• macOS 10.8+: /Library/Preferences/com.apple.SoftwareUpdate.plist
- When updates were last checked for, how many updates were available, recommended updates.

Interpretation
There may be a difference in time zones – the original time zone is Cupertino, before the user sets their own.

[macOS] System Boot, Reboot, and Shutdown

Description
The system log and Unified Logs record when the system boots up and is shut down, depending on the version of macOS.

Location
macOS 10.13.1+:
• System log
- Search for "BOOT_TIME" and "SHUTDOWN_TIME" for the associated Unix Epoch timestamp.
• Unified logs
- Messages associated with SessionAgentNotificationCenter show user-initiated actions relating to system shutdown events.

Interpretation
• Note that shutdown messages are not recorded in either log in macOS 10.12.0 to 10.12.2.
• Search for "halt" for shutdown events and "reboot" for reboot events.
• The system records the reason for the sleep/shutdown as "Sleep Cause" or "Shutdown Cause".
- < 0 = error
- 0 = hibernation (sleep) or battery removal/power plug (shutdown)
- 3 = hard shutdown (power button held)
- 5 = normal sleep/shutdown

Device Locked/Unlocked and Plugged In – KnowledgeC

Description
Amongst other things, the KnowledgeC database tracks when the device is locked or unlocked and when it is plugged in or power is disconnected.

Location
macOS:
• ~/Library/Application Support/Knowledge/knowledgeC.db
iOS physical:
• /private/var/mobile/Library/CoreDuet/knowledgeC.db

Interpretation
• Stores approximately four weeks of data
• Use APOLLO† knowledge_device_locked module to extract lock and unlock events.
• Use APOLLO† knowledge_device_pluggedin module to extract power connection and disconnection events.
† https://github.com/mac4n6/APOLLO

Battery Levels – CurrentPowerlog

Description
CurrentPowerlog keeps track of the device's battery status and whether it is charging.

Location
macOS:
• /private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.PLSQL
• /private/var/db/powerlog/Library/BatteryLife/Archives/*
iOS physical:
• /private/var/Containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/CurrentPowerlog.PLSQL
• /private/var/Containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/Archives/*

Interpretation
• It stores approximately three days of data.
• Be wary of timestamps in this log – some, but not all, have an offset.
• Use APOLLO† powerlog_battery_level module to extract battery information.
† https://github.com/mac4n6/APOLLO

[macOS] Installed Printers and Print Jobs

Description
This shows the printers and scanners that are installed on the system and their configurations.

Location
• /Library/Preferences/org.cups.printers.plist
- Each Item key refers to an installed printer.
• /etc/cups/ppd/*.ppd
- One file per printer; contains capabilities such as page size, resolution, and color.
• /private/var/spool/cups/c#####
- Print job control files containing metadata about a print job, with ID corresponding to the filename.
- Persistent files
• /private/var/spool/cups/d#####
- Print job PDF data files are named in line with the corresponding control file.
- Non-persistent files should be removed immediately after the print job has completed unless the job is cancelled or an error occurred.

Interpretation
• Clues in device-uri such as dnssd or tcp.local indicate a network-connected printer (as opposed to a cable).
• Print job control files include which printer was used, the originating user account, job name, and application used.

Time Zone

Description
This determines the current time zone of the system.

Location
• /etc/localtime
• /Library/Preferences/.GlobalPreferences.plist

Interpretation
• The GlobalPreferences.plist file contains the time zone configuration data. It may not be updated when switching between static location and location services.
• /Library/Preferences/com.apple.timezone.auto.plist shows if location services are enabled.
• Timezone changes are recorded in system.log and Unified Logs.
- Timestamps stored in localtime in system log and UTC in Unified Logs.
- Search for "location" or "timezoned".
- Timestamp jumps may also be visible in /var/log/* as these logs record events in local time.
- Last modified timestamp of /etc/localtime symlink is updated when the timezone is changed.

[macOS] Firewall Configuration

Description
The Application-Level Firewall (ALF) is turned off by default. It is one of two default firewalls on macOS systems. The second is the IP/packet filtering firewall.

Location
ALF configuration:
• /Library/Preferences/com.apple.alf.plist
- globalstate = 1 means the firewall is enabled, 0 means the firewall is disabled.
- allowsignedenabled = 1 means allow signed software to receive incoming connections.
- allowdownloadsignedenabled = 1 means allow downloaded signed software to receive incoming connections.
- stealthenabled = 1 means stealth mode is enabled.
- applications key lists apps configured in the firewall.
• state = 0 means incoming connections are allowed, 2 means they are blocked.
macOS 10.7+ packet filter firewall configuration:

Mounting Images

[macOS 10.13+] Mounting APFS (With or Without FileVault)
Note: macOS 10.13+ users may receive 'Unknown Fuse' error – use xmount method
Create mount point directories:
sudo mkdir /Volumes/apfs_image/
sudo mkdir /Volumes/apfs_mounted/
Create DMG file from E01 image:
sudo xmount --in ewf apfs.E01 --out dmg /Volumes/apfs_image/
Attach the image:
hdiutil attach -nomount /Volumes/apfs_image/apfs.dmg
List the disks to find the correct volume to mount:
(non-FileVault disk) diskutil ap list
(FileVault disk) diskutil ap unlockVolume <Disk GUID> -nomount
Mount volume:
sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_mounted/

Mounting HFS+ Using ewfmount
Note: sudo is required for all commands in macOS 10.12+
Create mount point directories:
sudo mkdir /Volumes/hfs_image/
sudo mkdir /Volumes/hfs_mounted/
Mount the E01 image:
ewfmount hfs.E01 /Volumes/hfs_image/
Create a symbolic link for the ewf1 file:
ln -s /Volumes/hfs_image/ewf1 ~/hfs.dmg
Attach the image:
hdiutil attach -nomount ~/hfs.dmg
Mount volume:
sudo mount_hfs -j -o rdonly,noexec,noowners /dev/disk# /Volumes/hfs_mounted/

Mounting HFS+ Using xmount
Note: sudo is required for all commands in macOS 10.12+
Note: images on systems that use a 4096-byte sector size may cause mounting issues. Use the "-blocksize 4096" option with hdiutil.
Create mount point directories:
sudo mkdir /Volumes/hfs_image/
sudo mkdir /Volumes/hfs_mounted/
Create DMG file from E01 image:
sudo xmount --in ewf hfs.E01 --out dmg /Volumes/hfs_image/
Attach the image:
hdiutil attach -nomount /Volumes/hfs_image/hfs.dmg
Mount volume:
sudo mount_hfs -j -o rdonly,noexec,noowners /dev/disk# /Volumes/hfs_mounted/

Unmounting a Mounted Image
Note: sudo is required in macOS 10.12+
View mounted disks:
diskutil list
Eject mounted disk:
diskutil eject /dev/disk#
Find disk to unmount:
mount
Unmount disk:
sudo umount /Volumes/disk_image/

Physical Location

Applications Requesting Permissions

Description
The system records a list of applications that have requested location services.

Location
macOS:
• ~/Library/Application Support/com.apple.TCC/TCC.db
• /Library/Application Support/com.apple.TCC/TCC.db
• /private/var/db/location/clients.plist
iOS:
• [/private/var]/mobile/Library/TCC/TCC.db
• [/private/var]/root/Library/Caches/locationd/clients.plist

Interpretation
TCC.db:
• Sqlite database that gets its name from Transparency, Consent, and Control.
• It includes last_modified timestamp for each permission for each application.
• auth_value = 0 means not allowed, 2 means allowed.
• kTCCServiceLiverpool permission is generally assumed to be part of location services.
clients.plist:
• List of all apps that have been granted location services permissions.
• Authorization = 1 means Never, 2 means While Using, 4 means Always; no Authorization key means Ask.
• iOS 14+: CorrectiveCompensationEnabled = 1 (or no key) means Precise Location is enabled, 2 means disabled.

[iOS 11+] Frequent and Significant Locations

Description
When enabled, the Significant Locations setting allows the device to store locations that the device has visited.

Location
• /private/var/mobile/Library/Caches/com.apple.routined/Cloud[-V2].sqlite
• /private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
• /private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite

Interpretation
• Setting can be enabled or disabled in Settings → Privacy → Location Services → System Services → Significant Locations.
• Algorithm to establish how the device marks a location as "frequent" is unknown.
• Cloud[-V2].sqlite database shows visits to certain locations.
• Cache.sqlite database contains very granular location data for

Volumes and External Device/USB Usage

[macOS] Finder – Mounted Volumes

Description
The Finder application on macOS stores a list of volumes that have been mounted on the Desktop within a plist file. It includes the volume name with X and Y coordinates of volumes when mounted on the Desktop.

Location
• ~/Library/Preferences/com.apple.finder.plist
- FXDesktopVolumesPositions key

Interpretation
• It does not include a date to show when the volume was mounted.
• The key will not exist if the user does not have Finder preferences configured to show items on the Desktop.
• It includes host volumes, USB drives, and mounted DMG files.

[macOS 10.13+] Favorite Volumes

Description
These are a list of favorite volumes, including the volume name and properties.

Location
• ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2

Interpretation
• NSKeyedArchiver plist file containing Bookmark BLOBs.

[macOS 10.13.1+] Search Logs for Volumes

Description
Logs record what volumes were mounted on the system and can include the device file the volume is using, volume size, name, and mount point.

[iOS] Evidence of Jailbreaking

Description
Some indicators may exist that point to a device being jailbroken. Indicators will differ depending on the device and type of jailbreak used.

Location
• /private/etc/fstab
- Look for System partition mounted as rw.
• /Applications
- Look for unofficial app stores associated with jailbreaks. Common apps: Cydia, Bydia, Zydia, Installer, 25pp, Maiyadi.
- Look for apps associated with jailbreaks. Common apps: Meridian, LiberiOS, mac_portal, Pangu, unc0v3r, rootlessJB, checkra1n.
- Look for unauthorized apps associated with jailbreaks. Common apps: iFile, SBSettings, or SSH, tethering, and configuration apps.
• Files or directories associated with any of the above apps, or forensic utilities (e.g., dumpkeys6 is created by Elcomsoft).

Browser Usage and File Download

Safari Browser Session Restore

Description
Automatic Crash Recovery features are built into the browser.

Location
macOS:
• ~/Library/Safari/LastSession.plist
• ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/TabSnapshots/*
• ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.apple.Safari/TabSnapshots/Metadata.db
- Connects URL to the snapshot filename (UUID) in the TabSnapshots folder.
iOS physical:
• /private/var/mobile/Library/Safari/BrowserState.db
• /private/var/mobile/Containers/Data/Application/<GUID>/Library/Safari/Thumbnails/*.ktx
iOS file system/backup:
• /mobile/Library/Safari/BrowserState.db

Interpretation
LastSession.plist:
• Binary plist contains tab history from the last browsing session.
• If SessionStateIsEncrypted is 0, SessionState will contain an embedded binary plist of tab history.
BrowserState.db:
• Visit timestamps are stored in Mac Epoch format.
• order_index shows the tab order.

Safari Cookies

Description
Cookies provide insight into what websites have been visited and what activities might have taken place there.

[macOS] Extended Attributes – Email Attachment Download

Description
A few extended attributes are created when an email attachment is downloaded.

Location
Everywhere! See extended attribute names for files:
• ls -l@
- com.apple.metadata:com_apple_mail_dateReceived includes when the email was received.
- com.apple.metadata:com_apple_mail_dateSent includes when the email was sent.
- com.apple.metadata:com_apple_mail_isRemoteAttachment provides a binary value to show a local (0) or remote (1) attachment
- com.apple.quarantine provides the download time and application (e.g., Mail).
View extended attributes for a file:
• xattr -xl <file>
Location Location about one week. • /etc/pf.conf
• ~/Library/Cookies/Cookies.binarycookies
• private_browsing shows regular (0) or private browsing (1) mode • /var/log/daily.out • Data is also found on macOS however it is encrypted. iCloud-Synced Accounts
being used.
• session_data contains a BLOB.
Interpretation • System log
• Unified logs
• U
 se APOLLO† routined_cloud_visit_entry module to extract
location visits from the Cloud[-V2] database. and Preferences Keychains
• Cookie files can be parsed using Safari Binary Cookie Parser†
Thumbnail KTX files: †
https://github.com/mdegrazia/Safari-Binary-Cookie-Parser Interpretation • U
 se APOLLO† routined_cache_zrtcllocationmo module to extract Description
• Each screenshot is a preview of a tab, including those in private location visits from the Cache database. Description The keychains on a system are used to store sensitive data such as
• S
 earch for “/Volumes/” to find any volumes mounted under the
browsing mode. †
https://github.com/mac4n6/APOLLO Each iCloud account synced to the system will be recorded as a file usernames, passwords, and encryption keys.
• It only shows those tabs open when Safari was last placed into the Safari Browser Cache default mount point.
• Y
 ou can also search system.log and unified logs for apfs, hfs,
named for the iCloud Person ID in the iCloud Accounts folder. This same
Location
background.
Description mounted, unmounted, or disk#s#. Cellular and WiFi Locations directory contains links named for each email address associated
with an iCloud account that points to the relevant iCloud Person ID macOS:
Files cached by the browser are listed in a database and also stored on • S
 earching on the volume name can find activity relating to that volume. for that account. Preferences are also synced across devices into the
Safari Browser History the device. • D
 aily logs record what volumes were mounted on the system Description • ~/Library/Keychains/login.keychain-db
SyncedPreferences folder.
when the daily maintenance script was run. Locations of various cellular and WiFi access are recorded in a few • iCloud: ~/Library/Keychains/<Hardware UUID>/keychain-2.db
Description Location - In older versions of OS X, daily.out may be named daily.log databases. Location • /Library/Keychains/System.keychain
This is the history of websites a user has visited. Some may be synced macOS:
from iCloud, if this setting has been enabled, with devices and synced • ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.
Location macOS: iOS physical:
URLs listed in the Cloud Tabs database. apple.Safari/Cache.db [macOS 10.12+] Search Logs for macOS: • ~/Library/Application Support/iCloud/Accounts/* • /private/var/Keychains/keychain-2.db
• /private/var/folders/*/<DARWIN_USER_DIR>/cache_encrypted*.db • ~/Library/SyncedPreferences/ iOS backup:
Location • ~/Library/Containers/com.apple.Safari/Data/Library/Caches/com.
apple.Safari/WebkitCache/Version ##/* Connected USB Devices • / private/var/folders/*/<DARWIN_USER_DIR>/lockCache_encrypted*.db • ~/Library/Containers/<bundle_id>/Data/Library/SyncedPreferences/ • Keychains: keychain-backup.plist
macOS: - Records/SubResources folder contains a list of cached items per iOS physical: iOS physical:
• ~/Library/Safari/History.db Description Interpretation
website visit and embedded SHA1 hashes for each file. • /private/var/root/Library/caches/locationd/cache_encrypted*.db • /private/var/mobile/Containers/…
• ~/Library/Safari/CloudTabs.db The USB Mass Storage Class (USBMSC) Identifier can be used to find • login.keychain-db may contain user passwords for access points,
- Records/Resources folder contains cached data and metadata, USBMSC device connections in the System log and in Unified logs, • / private/var/root/Library/caches/locationd/lockCache_encrypted*.db • /private/var/mobile/Library/SyncedPreferences/
iOS: including SHA1 of filename for related file in the Blobs folder. Time Machine, applications, and websites.
including the device serial number, vendor, and product information.
• [/private/var]/mobile/Library/Safari/History.db - Additional cached data may exist in the Blobs folder. Interpretation Interpretation • Default login.keychain-db password is the user’s account password.
• [/private/var]/mobile/Library/Safari/CloudTabs.db iOS: Location • Data is retained for ~one week, but this varies per table.
Each application syncing with iCloud has its own plist in the • System.keychain contains passwords for VPNs, access points, Time
• /private/var/mobile/Containers/Data/Application/<GUID>/Library/ • System log - D
 ata in the WifiLocation table is retained for ~four days. SyncedPreferences folder. Machine, and applications.
Interpretation Caches/Cache.db • Unified logs • Timestamps are stored in Mac Epoch and appear to be accurate. • iCloud keychain-2.db may contain information from other iDevices.
History.db: • Locations are accurate to within the general area.
• On iOS, this data is retained for ~one month, on macOS, it’s retained
• /private/var/mobile/Containers/Data/Application/<GUID>/Library/
Caches/WebKit/Version ##/* Interpretation • MAC addresses are stored in Base10. [iOS] Cellular Information • On iOS backups, the keychain may be stored in a Keychains or
KeychainDomain folder, depending on the acquisition tool used.
for ~one year by default (but can be re-configured). - Records/SubResources folder contains a list of cached items per • Search for USBMSC • < DARWIN_USER_DIR> will be different for each user and
Description • View a keychain file using the Keychain Access.app macOS
• Visit timestamps are stored in Mac Epoch format. website visit and embedded SHA1 hashes for each file - T
 ypical structure of these records: USBMSC Identifier is explained in more detail at: http://www.swiftforensics. application or using the strings or security commands if the keychain
• Origin = 0 means the visit occurred on this device, 1 means this entry - Records/Resources folder contains cached data and metadata, (non-unique): <serial number> <VID> <PID> <version> com/2017/04/the-mystery-of-varfolders-on-osx.html Cellular information is information associated with the device and SIM.
is not encrypted.
was synced from another system via iCloud. including SHA1 of filename for related file in the Blobs folder • Be aware that not all USBMSC entries are user-initiated. • U se APOLLO† locationd_cacheencryptedAB_ltecelllocation It includes the current and historical ICCID, phone numbers, IMSI, and
• Y
 ou can also find network share connections by filtering Unified module to extract location data. carrier information.
- Additional cached data may exist in the Blobs folder
[macOS] Extended Attributes – Logs: process = NetAuthSysAgent AND sender = loginsupport †
https://github.com/mac4n6/APOLLO Location Accounts Configured on the System
Interpretation
• [/private/var]/wireless/Library/Preferences/com.apple. Description
File Download • E
 ach cached file listed in the Cache.db sqlite database has a
corresponding location and download date. commcenter.data.plist A user can configure accounts on the system, such as email, calendar,
Description • C
 ached files can be matched with their metadata using the entry_ID value. • [/private/var]/wireless/Library/Databases/CellularUsage.db and iCloud.
Apple uses file quarantine to check files for malware, and to inform users
where the file was downloaded from. This information is stored in the
file’s extended attributes. Safari Downloads Log Files Interpretation
• Timestamps may not necessarily reflect expected SIM usage.
• CarrierBundleName can be used to map carrier ID to name.
Location
macOS:
• macOS 10.11-: ~/Library/Accounts/Accounts3.sqlite
Location Description
Modern browsers include built-in download manager applications • macOS 10.12+: ~/Library/Accounts/Accounts4.sqlite
Everywhere! See extended attribute names for files:
• ls -l@
capable of keeping a history of every file downloaded by the user. This [macOS 10.5.6+] Apple System Log (ASL) Unified Logs Managed Device Profiles • /Library/Preferences/SystemConfiguration/com.apple.accounts.
browser artifact can provide excellent information about websites visited exists.plist
- com.apple.quarantine provides quarantine data for downloaded and corresponding items downloaded. Location Location Description iOS:
files, including download time (Unix Epoch hex) and application • /private/var/log/asl/ macOS 10.13.1+:
used to download the file. Location Devices can be managed through enterprise Mobile Device • [/private/var]/mobile/Library/Accounts/Accounts3.sqlite
- Y YYY.MM.DD.[UID].[GID].asl • /
 private/var/db/diagnostics/*.tracev3
- com.apple.metadata:kMDItemDownloadedDate provides the • ~/Library/Safari/Downloads.plist
Management systems or settings pushed to the device by an • [/private/var]/Preferences/SystemConfiguration/com.apple.
- L ogin records (utmp, wtmp, lastlog): BB.YYYY.MM.DD.[UID].[GID].asl • /
 private/var/db/uuidtext/* organization or carrier. These devices have a configuration profile
download date in NSDate format (8-byte BE). accounts.exists.plist
Interpretation [macOS 10.8+] Additional syslog data directories: - M
 essages associated with SessionAgentNotificationCenter show installed, which outlines allowed actions and limitations. Provisioning
- com.apple.metadata:kMDItemWhereFroms provides the URL the user-initiated actions relating to system shutdown events.
item was downloaded from, and referring URL. • B y default, items are removed from this list after one day. • AUX.YYYY.MM.DD profiles allow apps to run without being downloaded from the App Interpretation
- This can be changed by the user to “When Safari Quits”, “Upon Interpretation Store (sideloading). • ZACCOUNT table in the sqlite databases contains account information.
View extended attributes for a file: Interpretation
Successful Download”, or “Manually”. • T
 imestamps are stored in UTC. - Z
 USERNAME is the account username.
• xattr -xl <file> • V
 iew using Console.app or syslog command. Location
• DownloadEntryURL (macOS) and sourceURL (iOS) show where the • C
 reate logarchive bundle for offline analysis: - Z
 ACCOUNTTYPEDESCRIPTION is the account type description.
Interpretation • M
 essages logged by syslog: TTL is seven days. macOS:
download originated. - C reate logarchive folder: sudo mkdir logs.logarchive - Z
 DATE is the account setup date in Mac Epoch format.
Not all browsers will create all of the above extended attributes; • DownloadEntryPath (macOS) is the file path to show where the item
• M
 essages logged by utmp, wtmp, and lastlog: TTL is 366 days. • /private/var/db/ConfigurationProfiles/
• T
 imestamps are stored in UTC. - C opy log files: - Z
 KEY is the configuration key name.
attributes produced depend on the app developer. was downloaded to. cp -R /private/var/db/uuidtext/ /private/var/db/diagnostics/ iOS:
• DownloadEntryDateAddedKey (macOS) and DateAdded (iOS) indicate • C
 ollate logs: syslog -F raw -T utc -d /private/var/log/asl/ > asl.log • Configuration profiles: - Z
 VALUE is the configuration value, as a BLOB that contains a
logs.logarchive
when the download started. - O pen in Console: open -a Console asl.log binary plist.
- M ake logarchive format: - / private/var/mobile/Library/ConfigurationProfiles/
• DownloadEntryDateFinishedKey (macOS) and DateFinished (iOS) /usr/libexec/PlistBuddy -c "Add :OSArchiveVersion integer 4" • com.apple.accounts.exists.plist file has two associated keys per
- / private/var/mobile/Library/UserConfigurationProfiles/ account:
indicate when the download finished.
[macOS] Audit logs • A
logs.logarchive/Info.plist
 nalysis:
- / private/var/containers/Shared/SystemGroup/systemgroup.com. - E
 xists shows if the account is in use.
apple.configurationprofiles
Location - G et USBMSC entries:
- ./containers/Shared/SystemGroup/systemgroup.com.apple.
- C
 ount shows how many of this account type there are.
• /
 private/var/audit/<start_time YYYYMMDDHHMMSS>.<end_time log show logs.logarchive/ --timezone UTC --info --predicate
'eventMessage contains "USBMSC"' configurationprofiles
macOS vs. Windows Artifacts* macOS Artifacts on Non-Mac Systems YYYYMMDDHHMMSS>
Audit log configuration files: - S earch for a device’s volume name: Provisioning profiles: [iOS] Apple Watch Data
log show logs.logarchive/ --timezone UTC --info --predicate • /private/var/MobileDevice/ProvisioningProfiles/
plist files Registry Copying data from a macOS system to a non-Mac system does • /
 etc/security/audit_* 'eventMessage contains "VOL_NAME"' Description
not always copy everything. Interpretation - E xport unified logs to text file: Interpretation If an Apple Watch is paired with an iPhone (it cannot be paired with any
fsevents USNJrnl log show logs.logarchive/ --timezone UTC --info > galaga_logs.txt • Use “profiles” command to extract detailed configuration. other iOS devices), some data will be synced with that iPhone.
• T imestamps are stored in UTC.
HFS+/APFS FAT/exFAT - L ist shutdowns/reboots: • M
 alware and jailbreaks can use provisioning profiles, as well as
DS_Store Shellbags • praudit command may output timestamps in local time. Location
log show logs.logarchive/ --timezone UTC --info --predicate legitimate MDM solutions. Look for app names, timestamps, and
Document Versions 4 8 - U
 se TZ=UTC command to temporarily change terminal timezone to UTC. • [/private/var]/mobile/Library/DeviceRegistry/<GUID>/
Trash Recycle Bin 'eventMessage contains "com.apple.system.loginwindow" and developer certificates.
Spotlight 4 4 • C ollate logs: praudit -xn /private/var/audit/*.* > audit.log eventMessage contains "SessionAgentNotificationCenter'" DeviceRegistry.state/historySecureProperties.plist
Spotlight Windows Search • P
 rovisioning profile plist:
- O
 pen collected log in Console: open -a Console audit.log - L ist shutdown cause: - It includes device serial number, IMEI, Bluetooth MAC address, and
Trash 4 4 log show logs.logarchive/ --timezone UTC --info --predicate - C
 reationDate key is when the app was sideloaded. WiFi MAC address.
Extended attributes ADS - E
 xpirationDate will show to expire after seven days for a free
LoginItems & Launch
File System Events 4 8 System.log 'eventMessage contains[c] "shutdown cause'"
- G et backup logs: developer account or 365 days for a paid account.
• [/private/var]/mobile/Library/DeviceRegistry/<GUID>/*
Autoruns (empty dir) log show logs.logarchive/ --timezone UTC --info --predicate - P
 rovisioningDevices key shows UDIDs for all devices that also have Interpretation
Agents/Daemons Location 'process = "backupd" and category = "general"' this application installed. • Data in this directory is mostly redundant.
Extended Attributes 4 4 macOS 10.13.1+:
MRU MRU (stored as separate file) • /private/var/log/system.log
- G et network logs:
log show logs.logarchive/ --timezone UTC --info --predicate
Spotlight Prefetch .DS_store files 'senderImagePath contains[cd] "IPConfiguration" and
4 4 Interpretation (eventMessage contains[cd] "SSID" or eventMessage contains[cd]
knowledgeC.db SRUM • Timestamps are stored in localtime. "Lease" or eventMessage contains[cd] "network changed")' Poster was created by Kathryn Hedley and Sarah Edwards based on many years of research and macOS and iOS knowledge by Sarah Edwards.
©2023 SANS Institute. All Rights Reserved DFPS_FOR518_0823
*NOTE: These are not exact like-for-like comparable artifacts, but do contain similar types of data.
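As an added example that is not part of the SANS poster, the following Python decodes the timestamp formats the poster lists under Extended Attributes – File Download, Safari Browser History, and Accounts Configured on the System (Unix Epoch hex in com.apple.quarantine, 8-byte big-endian NSDate in kMDItemDownloadedDate, Mac Epoch in History.db and ZDATE). The quarantine layout 'flags;hex-epoch;agent;uuid' and all sample values are assumptions constructed for the example.

```python
"""Added example (not from the SANS poster): decode the timestamp formats the
poster lists for download, history and account artifacts.

Assumptions: the com.apple.quarantine value follows the commonly observed
layout 'flags;hex-unix-epoch;agent-name;uuid'; kMDItemDownloadedDate is read
as an 8-byte big-endian double of seconds since the Mac Epoch; every sample
value below is constructed, not taken from a real system."""
from datetime import datetime, timedelta, timezone
import struct

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac Epoch base date


def mac_epoch_to_utc(seconds: float) -> datetime:
    """Convert a Mac Epoch value (seconds since 2001-01-01 UTC) to UTC."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def unix_epoch_to_utc(seconds: float) -> datetime:
    """Convert a Unix Epoch value (seconds since 1970-01-01 UTC) to UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine string into its fields.
    The second field is the download time as a hexadecimal Unix Epoch."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine layout: %r" % value)
    return {
        "flags": parts[0],
        "downloaded_utc": unix_epoch_to_utc(int(parts[1], 16)),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else None,
    }


def parse_downloaded_date(raw: bytes) -> datetime:
    """Decode an 8-byte big-endian double holding a Mac Epoch timestamp."""
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    (seconds,) = struct.unpack(">d", raw)
    return mac_epoch_to_utc(seconds)


def describe_history_row(visit_time: float, origin: int) -> str:
    """Interpret a History.db visit: Mac Epoch time plus the origin flag
    (0 = this device, 1 = synced from another system via iCloud)."""
    where = "this device" if origin == 0 else "synced via iCloud"
    return "%s (%s)" % (mac_epoch_to_utc(visit_time).isoformat(), where)


if __name__ == "__main__":
    # Constructed sample: a quarantine string as 'xattr -p' would print it.
    print(parse_quarantine("0083;64f1d2a0;Safari;CONSTRUCTED-UUID"))
    print(parse_downloaded_date(b"\x40\xf5\x18\x00\x00\x00\x00\x00"))
    print(describe_history_row(0, 1))
```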
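The Application-Level Firewall keys listed above can be checked programmatically from an acquired com.apple.alf.plist. This added example (not the poster's own code) builds two constructed plists in memory, one with the weak defaults and one hardened, and reports what the keys mean; the "bundleid" key used for application entries is an assumption.

```python
"""Added example (not from the SANS poster): interpret com.apple.alf.plist keys.
The plists below are constructed in memory; on a real system the file is
/Library/Preferences/com.apple.alf.plist. The 'bundleid' key inside each
'applications' entry is an assumption about the entry layout."""
import plistlib

# Constructed weak configuration: ALF off, stealth off, one app blocked.
WEAK_ALF = plistlib.dumps({
    "globalstate": 0,
    "allowsignedenabled": 1,
    "allowdownloadsignedenabled": 1,
    "stealthenabled": 0,
    "applications": [
        {"bundleid": "com.example.constructed.app", "state": 2},
        {"bundleid": "com.example.constructed.tool", "state": 0},
    ],
})

# Constructed hardened configuration: ALF on, stealth on, no auto-allow.
HARDENED_ALF = plistlib.dumps({
    "globalstate": 1,
    "allowsignedenabled": 0,
    "allowdownloadsignedenabled": 0,
    "stealthenabled": 1,
    "applications": [],
})


def assess_alf(plist_bytes: bytes) -> dict:
    """Decode the ALF keys the poster describes into readable findings."""
    cfg = plistlib.loads(plist_bytes)
    findings = {
        "firewall_enabled": cfg.get("globalstate", 0) == 1,
        "stealth_mode": cfg.get("stealthenabled", 0) == 1,
        "signed_auto_allowed": cfg.get("allowsignedenabled", 0) == 1,
        "downloaded_signed_auto_allowed":
            cfg.get("allowdownloadsignedenabled", 0) == 1,
        "apps": {},
    }
    for app in cfg.get("applications", []):
        # state = 0 allows incoming connections, 2 blocks them.
        label = {0: "allowed", 2: "blocked"}.get(app.get("state"), "unknown")
        findings["apps"][app.get("bundleid", "?")] = label
    return findings


def weak_settings(findings: dict) -> list:
    """List the settings an analyst would flag as exposing the host."""
    issues = []
    if not findings["firewall_enabled"]:
        issues.append("ALF disabled (globalstate != 1)")
    if not findings["stealth_mode"]:
        issues.append("stealth mode off (stealthenabled != 1)")
    if findings["signed_auto_allowed"] or findings["downloaded_signed_auto_allowed"]:
        issues.append("signed software may accept incoming connections automatically")
    return issues
```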
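For the Search Logs for Connected USB Devices section, this added example (not from the poster) extracts USBMSC identifier records from system.log style lines using the record layout the poster gives and groups them per device so first/last seen and connection counts can be read off. The log lines and host name are constructed.

```python
"""Added example (not from the SANS poster): parse USBMSC identifier lines.
Record layout assumed is the one the poster gives:
  USBMSC Identifier (non-unique): <serial number> <VID> <PID> <version>
The sample log text below is constructed, not from a real system."""
import re
from typing import Dict, List, Tuple

USBMSC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"USBMSC Identifier \(non-unique\): "
    r"(?P<serial>\S+) (?P<vid>0x[0-9a-fA-F]+) "
    r"(?P<pid>0x[0-9a-fA-F]+) (?P<ver>0x[0-9a-fA-F]+)"
)

# Constructed sample lines (host name and identifiers are made up).
SAMPLE_LOG = """\
Sep  1 12:01:36 lab-mac kernel[0]: USBMSC Identifier (non-unique): 4C530001AABBCCDD 0x781 0x5581 0x100
Sep  1 12:02:10 lab-mac kernel[0]: unrelated kernel message
Sep  1 13:15:02 lab-mac kernel[0]: USBMSC Identifier (non-unique): 0000000000000001 0x5ac 0x8406 0x820
Sep  2 08:40:11 lab-mac kernel[0]: USBMSC Identifier (non-unique): 4C530001AABBCCDD 0x781 0x5581 0x100
"""


def parse_usbmsc(log_text: str) -> List[Dict[str, str]]:
    """Return one record per USBMSC line, keeping the syslog timestamp."""
    records = []
    for line in log_text.splitlines():
        m = USBMSC_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_devices(records: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], dict]:
    """Group records by (serial, VID, PID) with first/last seen and a count.
    The identifier is non-unique and not every entry is user-initiated
    (built-in readers log too), so treat each group as a lead to confirm."""
    seen: Dict[Tuple[str, str, str], dict] = {}
    for r in records:
        key = (r["serial"], r["vid"], r["pid"])
        entry = seen.setdefault(key, {"first": r["ts"], "last": r["ts"], "count": 0})
        entry["last"] = r["ts"]
        entry["count"] += 1
    return seen


if __name__ == "__main__":
    for key, info in summarize_devices(parse_usbmsc(SAMPLE_LOG)).items():
        print(key, info)
```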