Basics of the Macintosh OS for Digital Forensics

Instructor: Alexis Kypridemos

Alexis is a technical writer for an IT company and has worked in publishing as a writer, editor and web designer. He has a BA in Communication.

Digital Forensics typically involves gathering digital evidence from a computer. This lesson covers the basics of digital forensics on the Macintosh operating system. We will discuss the types of logs, where they are stored, and how to get information from them, and also discuss some other techniques of digital forensics.

Digital Forensics

Digital forensics typically involves gathering digital evidence from a computer. Evidence can include data, files, logs, images, network history and so on. Let us first look at the log information. We will then look at other techniques for getting information from the Macintosh OS.

Log Types & Their Directories

Among other techniques, digital forensics relies on logs, as these contain useful information about a user's activity on a computer.

Different types of logs are stored in different directories as listed below.

System Logs:

/private/var/log/asl (Mac OS X 10.6 and later)

/var/log/asl.log (Mac OS X 10.4 Tiger)

/var/log/asl.db (Mac OS X 10.5 Leopard)

Audit Logs:

/private/var/audit

User Logs:

~/Library/Logs

Application Specific Logs:

/Library/Application Support/<app>

/Applications/
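Before opening any of these files, an examiner usually inventories them: which of the listed locations exist on this system (or on a mounted image), how large each file is, when it was last modified, and a hash so the copy can be matched to the original later. The script below is an added example, not part of the lesson; it takes the locations listed above, resolves them against a `root` directory (the live system by default, or the mount point of an image) and a `home` directory for the `~/Library/Logs` entry, and returns one record per file. `make_sample_tree` builds a constructed directory tree so the script can be exercised without a Mac.

```python
"""Inventory the Mac OS log locations listed in the lesson and hash every file found.

Added example, not part of the lesson. `root` lets it run against a mounted image
or a test tree instead of the live system; the home-relative entry ("~/Library/Logs")
is expanded against `home`, which defaults to the current user's home directory.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Locations from the lesson: the 10.6+ ASL directory, the single-file 10.4 and
# 10.5 variants, the audit log directory and the per-user log directory.
LOG_LOCATIONS = [
    "/private/var/log/asl",
    "/var/log/asl.log",
    "/var/log/asl.db",
    "/private/var/audit",
    "~/Library/Logs",
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large log directories do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve(location: str, root: Path, home: Path) -> Path:
    """Map a lesson path onto the tree being examined."""
    if location.startswith("~/"):
        return home / location[2:]
    return root / location.lstrip("/")


def inventory_logs(root="/", home=None, locations=LOG_LOCATIONS):
    """Return one dict per file found (size, mtime, sha256) or an 'absent' marker per location."""
    root = Path(root)
    home = Path(home) if home is not None else Path.home()
    manifest = []
    for loc in locations:
        base = resolve(loc, root, home)
        if not base.exists():
            manifest.append({"location": loc, "status": "absent"})
            continue
        files = [base] if base.is_file() else sorted(p for p in base.rglob("*") if p.is_file())
        for f in files:
            st = f.stat()
            manifest.append({
                "location": loc,
                "path": str(f),
                "status": "present",
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(f),
            })
    return manifest


def make_sample_tree() -> Path:
    """Constructed test tree mirroring the lesson's layout; the contents are not real logs."""
    base = Path(tempfile.mkdtemp(prefix="maclogs_"))
    asl_dir = base / "private/var/log/asl"
    asl_dir.mkdir(parents=True)
    (asl_dir / "2024.01.05.U501.asl").write_bytes(b"constructed asl record\n")
    user_logs = base / "home/Library/Logs"
    user_logs.mkdir(parents=True)
    (user_logs / "app.log").write_bytes(b"constructed user log line\n")
    return base


if __name__ == "__main__":
    sample = make_sample_tree()
    for entry in inventory_logs(root=sample, home=sample / "home"):
        print(entry)
```

On a real Mac `/var` is a symbolic link to `/private/var`, so `/var/log/asl.log` and `/private/var/log/asl` refer to the same tree; the manifest records whichever location the file was reached through, which is what you want to note when documenting where evidence was collected from.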

Bear in mind that /var is a hidden folder by default. There are two methods of showing hidden files and folders in Mac OS, as discussed below.

Keystroke (Mac OS 10.12.4 or later)

Press Shift + Cmd + . (the . key). Pressing the same key combination again re-hides files and folders.

Terminal Commands

Mac OS 10.9 and later:

Enter these two commands into the Terminal to show hidden files:

defaults write com.apple.finder AppleShowAllFiles -boolean true

killall Finder

To hide the files again, enter these commands:

defaults write com.apple.finder AppleShowAllFiles -boolean false

killall Finder

Mac OS 10.8 and earlier:

To show files:

defaults write com.apple.finder AppleShowAllFiles TRUE

killall Finder

To hide files:

defaults write com.apple.finder AppleShowAllFiles FALSE

killall Finder

To view the user logs, or anything else in the user library, make a Finder window the active window, click the Go menu and hold down the Alt/Option key on the keyboard. While the Alt/Option key is pressed, the drop-down menu displays the otherwise hidden option 'Library'. Click on that and the current user's library contents will be displayed in the Finder window.

Viewing Logs

Mac logs tend to use the standard Unix log format and are mostly plain text.

The Console app can be used to view the logs. Third-party applications such as FTK Imager, BlackBag BlackLight and X-Ways can also be used to view logs. Search for specific logs in the Console either by entering words to search for in the search bar, or by selecting a specific category of logs from the left-hand column of the Console window.

Other Techniques

Getting Information from .plist Files

In addition to logs, a lot of useful information, in particular user-specific activity, can be gleaned from .plist files found in the user's Library folder. They can also reveal which processes were executed, including malicious ones, and internet history. The .plist file extension stands for 'property list'. The contents of a .plist file can be viewed with a text editor, but there are specialized applications for this task, such as Xcode and Property List Editor.

Finder .plist

Location:

~/Library/Preferences/com.apple.finder.plist

This file can contain records of activities such as whether the user has recently copied or deleted files or folders.

Disk Utility .plist

Location:

~/Library/Preferences/com.apple.DiskUtility.plist

This file can contain records of the user's activities in relation to internal and external drives, for example whether an external drive was recently erased.
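Property lists come in two encodings, XML (readable in a text editor) and binary (which a text editor shows as garbage beginning with `bplist00`); the preference files above are usually binary. The timestamps buried in them are what typically matter in an examination, so a useful first pass is to parse the file and list every date-valued key, wherever it is nested. The script below is an added example, not part of the lesson. It uses Python's standard `plistlib`, which detects the encoding itself, and walks the parsed structure to produce a sorted timeline. The sample plist is constructed here and its key names (`RecentItems`, `LastErase`, `ShowHiddenFiles`) are illustrative only, not the real keys of com.apple.finder.plist or com.apple.DiskUtility.plist; read one of those files as bytes and pass it to `plist_timeline` to see what it actually contains.

```python
"""Walk a .plist (XML or binary) and pull out every date-valued entry as a timeline.

Added example, not from the lesson. The sample plist is constructed below and its
keys are illustrative, not the real keys of com.apple.finder.plist or
com.apple.DiskUtility.plist.
"""
import plistlib
from datetime import datetime, timezone


def walk(node, path=""):
    """Yield (key_path, leaf_value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def load_plist(data: bytes):
    """plistlib inspects the leading bytes and handles XML and binary (bplist00) alike."""
    return plistlib.loads(data)


def plist_timeline(data: bytes):
    """Return [(iso_timestamp, key_path)] for every datetime leaf, oldest first.

    plistlib returns naive datetimes that are UTC by the plist specification, so
    they are tagged as UTC here before being rendered.
    """
    entries = []
    for key_path, value in walk(load_plist(data)):
        if isinstance(value, datetime):
            ts = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
            entries.append((ts.isoformat(), key_path))
    return sorted(entries)


def make_sample_plist(binary: bool = True) -> bytes:
    """Constructed sample (hypothetical keys) in binary or XML form to exercise both paths."""
    sample = {
        "RecentItems": [
            {"Name": "report.docx", "Date": datetime(2024, 1, 5, 9, 30, 0)},
            {"Name": "photos", "Date": datetime(2024, 1, 4, 18, 2, 0)},
        ],
        "LastErase": datetime(2024, 1, 3, 12, 0, 0),
        "ShowHiddenFiles": False,
    }
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(sample, fmt=fmt)


if __name__ == "__main__":
    for stamp, key_path in plist_timeline(make_sample_plist()):
        print(stamp, key_path)
```

Run it against a copy of the file rather than the original: the preference files are rewritten by their applications, and opening the originals on a live system risks changing the very timestamps you are recording.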

Getting Network Information

Information about the network can be found in more than one location in Mac OS. Information about network changes can be found in the system.log file, by searching for 'airportd'.

Network information can also be found in /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist as well as /Library/Preferences/SystemConfiguration/com.apple.network.identification.plist.

Identifying the Home Network

When searching for 'airportd' in the system.log, the network name that appears most often is more than likely the home network.

In the com.apple.airport.preferences.plist, the network that has a 'SecurityType' other than 'Open' is more than likely the home network. Most WiFi networks tend to use the WPA2 Personal security type.
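The two heuristics above can be applied mechanically: count how often each network name appears in airportd entries in system.log, and list the known networks in the airport preferences plist whose 'SecurityType' is not 'Open'. The script below is an added example, not part of the lesson. Both inputs are constructed here: the log lines follow the syslog style of system.log with the SSID quoted in the message, and the plist uses a `KnownNetworks` dictionary with `SSIDString` and `SecurityType` keys; the message wording and the `KnownNetworks`/`SSIDString` layout are assumptions about the format (only 'SecurityType' and 'Open' come from the lesson), so adjust the regular expression and key names to match the files you are actually examining.

```python
"""Identify the likely home network from system.log airportd entries and from
com.apple.airport.preferences.plist, applying the two heuristics in the lesson.

Added example, not from the lesson. The log lines and the plist are constructed
here; the airportd message wording and the KnownNetworks/SSIDString layout are
assumptions about the format.
"""
import plistlib
import re
from collections import Counter

# Constructed sample in syslog style; the SSID is taken from whatever airportd quoted.
SAMPLE_SYSTEM_LOG = """\
Jan  5 08:01:12 MacBook airportd[58]: _doAutoJoin: Already associated to "HomeNet". Bailing on auto-join.
Jan  5 08:02:40 MacBook kernel[0]: AirPort: Link Up on en0
Jan  5 12:15:03 MacBook airportd[58]: _doAutoJoin: Already associated to "HomeNet". Bailing on auto-join.
Jan  6 09:30:55 MacBook airportd[58]: _doAutoJoin: Already associated to "CoffeeShop". Bailing on auto-join.
Jan  6 19:44:10 MacBook airportd[58]: _doAutoJoin: Already associated to "HomeNet". Bailing on auto-join.
"""

# Only airportd lines count; the first quoted string in the message is the SSID.
AIRPORTD_SSID = re.compile(r'airportd\[\d+\]:.*?"([^"]+)"')


def airportd_ssid_counts(log_text: str) -> Counter:
    """Count how often each quoted SSID appears in airportd lines."""
    counts = Counter()
    for line in log_text.splitlines():
        match = AIRPORTD_SSID.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def likely_home_from_log(log_text: str):
    """Heuristic 1: the SSID seen most often in airportd entries, or None if there are none."""
    counts = airportd_ssid_counts(log_text)
    return counts.most_common(1)[0][0] if counts else None


def make_sample_airport_plist() -> bytes:
    """Constructed stand-in for com.apple.airport.preferences.plist (layout assumed)."""
    known = {
        "wifi.ssid.<486f6d654e6574>": {"SSIDString": "HomeNet", "SecurityType": "WPA2 Personal"},
        "wifi.ssid.<436f66666565>": {"SSIDString": "CoffeeShop", "SecurityType": "Open"},
    }
    return plistlib.dumps({"KnownNetworks": known})


def secured_networks(plist_bytes: bytes):
    """Heuristic 2: (SSID, SecurityType) for every known network whose SecurityType is not 'Open'."""
    data = plistlib.loads(plist_bytes)
    found = []
    for entry in data.get("KnownNetworks", {}).values():
        if entry.get("SecurityType", "Open") != "Open":
            found.append((entry.get("SSIDString"), entry["SecurityType"]))
    return sorted(found)


if __name__ == "__main__":
    print("airportd counts:", dict(airportd_ssid_counts(SAMPLE_SYSTEM_LOG)))
    print("likely home (log):", likely_home_from_log(SAMPLE_SYSTEM_LOG))
    print("secured networks (plist):", secured_networks(make_sample_airport_plist()))
```

When the two heuristics disagree, or several secured networks appear, the log counts give you the frequency and the plist gives you the security type, and the candidate that ranks highly on both is the one to document.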

Determining if the computer is encrypted with FileVault 2 encryption

FileVault 2 is an optional security setting on Mac computers, enabled or disabled through System Preferences > Security & Privacy. If enabled, it encrypts the entire disk using XTS-AES-128 encryption with a 256-bit key.
