Post

MacOS Forensics - Quick Intro & Artifact Gathering

MacOS Forensics - Quick Intro & Artifact Gathering

This is a quick blog I wrote to show macOs type investigations. Not in any means a expert at this but this is a good start if you want to learn some stuff. Follow at your own risk.

File Structure

Heres a quick human readable view of your top level folders in / via Finder app sample_TopLevel

Note: If you want to take a view of everything in root folder, use a terminal and run ls /

  • /Applications: all the applications on the system, all users able to access them
  • /Library: subdirectories and files related to preferences and logs can be found here. this also exists in each /Users directory too
  • /System: system related files, MacOS only
  • /Users: all the users live in this directory.

When I do my investigations, Im looking specifically for either user artifacts or system artifacts. Well, there is application type artifacts that ill take a look at too (done by either a user or a system)

When we look at evidence collection, we typically will be looking for Plists file types, SQLite database files, bash_history or logs like /var/logs. There probably a lot more areas we can dissect but Im going to focus on Plists and SQLite database files.


Property Lists

Plists, aka Property lists, are MacOS’s “Windows Registry” files. It contains preferences information and also persistence like in /Users/iamr00t/Library/LaunchAgents/.

Plists exists for system and user based locations, but for the most part these are files that are located throughout your file system. Good luck.

WHY is this good -> youll be able to see configuration settings applied, user activties like last opened, recenty items, persistences from LaunchAgents, and environment details

User scope

  • ~/Library/Preferences/
  • ~/Library/LaunchAgents/

System scope

  • /Library/Preferences/
  • /Library/LaunchAgents/
  • /Library/LaunchDaemons/

How to open plist files:

1
plutil -p ~/Library/Preferences/com.apple.dock.plist

SQLite Databases

SQLite dbs are great for artifacts. You can find browser history/cookies, messages and saved/ctrl+C type information.

WHY is this good -> you’ll be able to see events with timestamps, historical answers, and

User scope

  • ~/Library/Application Support/<App>/…
  • ~/Library/Containers/<ID>/Data/Library/…
  • ~/Library/Group Containers/…

System scope

  • /Library/Application Support/…

How to open sqlite db files:

  • install DB Browser for SQLite

Important DB Structure NeedToKnow

To get the full set of data, you want to make sure all three file structures below are present. If not, yuo may miss some key data.

  • artifact.db (main database)
  • artifact.db-wal (write-ahead log)
  • artifact.db-shm (shared memory file)

Script collect-artifacts.sh

Without getting too into the weeds, this is a good script you can use to gather quick artifacts. It runs preliminary commands, grab plists and database files. Once its done, itll zip it and you can then start analyzing.

Note: It fetches logs, this may take a long time. If you don’t want them then comment it off in the script

The focus

  • System Information: Hostname, OS version, uptime, hardware details, disk usage
  • Process & Network Data: Running processes, network connections, etc
  • User & Authentication: User accounts, groups, login history, sudo users
  • SSH Data: SSH configs, known_hosts, authorized_keys, SSH key listings
  • Browser Data: History, downloads, bookmarks for Safari, Chrome, and Firefox
  • File System Artifacts: Downloads, Desktop, Documents listings, recent files (last 7 days), temp files, trash contents
  • Installed Applications: Applications list, Homebrew packages, pip/npm/gem packages
  • Logs: System logs, install logs, user logs, console errors, authentication logs
  • Malicious Behavior Indicators: Shell history (bash/zsh), profile scripts, cron jobs, Launch Agents/Daemons, etc

Grab the script here

Before you begin, to run this scipt, you need sudo access to get system files and logs type artifacts. But not necessary, it just wont give you everything you need

1
2
chmod +x /Users/CHANGE/collect-artifacts.sh
sudo ./collect-artifacts.sh 

Output automatically creates and compresses everything into your $HOME as artifacts_YYYY-MM-DD_HH-MM-SS.tar.gz

Sample Look

sampleview

enjoy, happy hunting
This post is licensed under CC BY 4.0 by the author.