macOS Forensics
Useful commands for macOS analysis
macOS Artifacts
Here is a useful spreadsheet listing many Mac OS X forensic artifacts to inspect, organized by macOS version.
Dump file system
Decrypt Keychain
1. Extract the login keychain file
The keychain file is located at: Users/<username>/Library/Keychains/login.keychain
2. Dump the keychain key from memory
3. Decrypt keychain
Mount encrypted partition
1. Find start sector and size
2. Find the mac key partition
3. Mount the encrypted partition with key
A file named fvde1, corresponding to the HFS+ partition, appears under the mount point. Access to the data of this partition will be possible after mounting the file fvde1 on a new mount point.
4. Mount the HFS+ partition
Inspect database file (.db)
Inspect plist file
A plist file contains critical information about the configuration of an iOS mobile app, such as the iOS versions that are supported and device compatibility, which the operating system uses to interact with the app. This file is automatically created when the mobile app is compiled.
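The following Python sketch is an added example, not a command from the original page. It reads an app's Info.plist in either XML or binary encoding and reports the supported OS version and device compatibility fields described above. The sample plist and the function names are constructed for illustration.

```python
import plistlib

# UIDeviceFamily values defined by Apple: 1 = iPhone/iPod touch, 2 = iPad
DEVICE_FAMILY = {1: "iPhone/iPod touch", 2: "iPad"}

def plist_format(data: bytes) -> str:
    """Identify the on-disk plist encoding from its leading bytes."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip().startswith((b"<?xml", b"<plist")):
        return "xml"
    return "unknown"

def summarize_info_plist(data: bytes) -> dict:
    """Parse an Info.plist and return the fields an examiner checks first."""
    fmt = plist_format(data)
    if fmt == "unknown":
        raise ValueError("not an XML or binary plist")
    info = plistlib.loads(data)  # auto-detects XML vs. binary
    if not isinstance(info, dict):
        raise ValueError("top-level plist object is not a dictionary")
    families = info.get("UIDeviceFamily", [])
    if isinstance(families, int):  # the key may hold one number or an array
        families = [families]
    return {
        "format": fmt,
        "bundle_id": info.get("CFBundleIdentifier"),
        "version": info.get("CFBundleShortVersionString"),
        "minimum_os": info.get("MinimumOSVersion"),
        "devices": [DEVICE_FAMILY.get(f, f"unknown({f})") for f in families],
    }

# Constructed sample standing in for an Info.plist pulled from an app bundle
SAMPLE = {
    "CFBundleIdentifier": "com.example.notes",
    "CFBundleShortVersionString": "2.4.1",
    "MinimumOSVersion": "13.0",
    "UIDeviceFamily": [1, 2],
}
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
SAMPLE_BIN = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for blob in (SAMPLE_XML, SAMPLE_BIN):
        print(summarize_info_plist(blob))
```

To use it on evidence, pass the bytes of the extracted file, for example `summarize_info_plist(open(path, "rb").read())`, working on a copy rather than the original.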