Digital Forensics

Mac Device Forensics

Mac device forensics involves analyzing Mac systems to recover evidence, including system logs, user activity, and deleted files. It focuses on understanding macOS-specific artifacts such as plist files, keychains, and Time Machine backups. Investigators use specialized tools to extract and interpret data unique to Apple's operating system.

How to Perform Forensics on a Mac Device

Analysis

  1. MacOS logs.
  2. Browser history.
  3. OS update history.
  4. Downloaded files.
  5. Installed applications.
  6. .plist files.
  7. Browser extensions.


TCC DB Analysis

  1. /Library/Application Support/com.apple.TCC/TCC.db
  2. ~/Library/Application Support/com.apple.TCC/TCC.db
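Both databases above share the same layout. As an added example (not code from the original page), the following Python reads the `access` table from a copy of TCC.db and flags allowed entries where a sensitive service was granted to a bare binary path rather than a bundle identifier. The schema here is a constructed subset of the real table, and the sample rows are made up.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed, trimmed-down "access" table of TCC.db (the real one has more
# columns). auth_value follows the macOS 11+ schema: 0 = denied, 2 = allowed.
SCHEMA = """
CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""
# Services whose grant gives a client broad control over the user's session.
SENSITIVE = {"kTCCServiceAccessibility", "kTCCServiceScreenCapture",
             "kTCCServiceSystemPolicyAllFiles", "kTCCServiceMicrophone",
             "kTCCServiceCamera"}

def open_readonly(db_path):
    """Open a copied TCC.db read-only (the live files need Full Disk Access)."""
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

def load_grants(conn):
    """Return allowed entries from an open TCC.db connection, newest first."""
    rows = conn.execute(
        "SELECT service, client, client_type, last_modified FROM access "
        "WHERE auth_value = 2 ORDER BY last_modified DESC").fetchall()
    grants = []
    for service, client, ctype, ts in rows:
        grants.append({
            "service": service,
            "client": client,
            # client_type 0 = bundle identifier, 1 = absolute path to a binary
            "client_type": "bundle" if ctype == 0 else "path",
            "when": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            # A bare path (e.g. an unsigned helper in a home directory) holding a
            # sensitive grant is the pattern to examine first.
            "review": service in SENSITIVE and ctype != 0,
        })
    return grants

def build_sample_db():
    """Constructed in-memory TCC.db stand-in; the rows are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceCamera", "com.example.videochat", 0, 2, 2, 1700000000),
        ("kTCCServiceAccessibility", "/Users/alice/Library/.helper", 1, 2, 2, 1700050000),
        ("kTCCServiceMicrophone", "com.apple.Terminal", 0, 0, 2, 1700010000),
    ])
    return conn
```

Run `load_grants(open_readonly("/path/to/copy/of/TCC.db"))` against a copy taken from the image; `load_grants(build_sample_db())` shows the output shape on the constructed rows.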

Plist files Analysis

  • ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist

Installed Applications

  • ~/Applications
  • /Applications

Persistence through cron:

  • /etc/crontab
  • /usr/lib/cron/tabs
  • /private/etc/crontab

Persistence through launchd:

  • $HOME/Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /System/Library/LaunchAgents
  • /Library/StartupItems
  • /Library/Preferences/com.apple.loginwindow.plist
  • /Library/Preferences/loginwindow.plist
  • /Library/Preferences/ByHost
  • /Library/PrivilegedHelperTools
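As an added example (not from the page), here is a Python triage of the launchd directories listed above: it parses every plist, extracts the command each job runs and whether it starts at login, and flags binaries that live outside OS locations. The `SYSTEM_PREFIXES` list and the sample job are assumptions made for illustration.

```python
import os
import plistlib
import tempfile

# launchd locations from the list above (user agents resolved for the current user).
LAUNCHD_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                "/Library/LaunchAgents", "/Library/LaunchDaemons",
                "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"]
# Binaries under these prefixes ship with the OS; anything elsewhere is flagged.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")

def triage_plist(path):
    """Summarise one launchd job: what it runs and whether it auto-starts."""
    with open(path, "rb") as f:
        job = plistlib.load(f)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    return {
        "file": path,
        "label": job.get("Label", "<no Label>"),
        "command": " ".join(str(a) for a in args),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # may be a dict of conditions
        "non_system_binary": not str(args[0]).startswith(SYSTEM_PREFIXES),
    }

def scan(dirs=LAUNCHD_DIRS):
    """Triage every .plist in dirs; unreadable files are recorded, not skipped."""
    found = []
    for d in (d for d in dirs if os.path.isdir(d)):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            path = os.path.join(d, name)
            try:
                found.append(triage_plist(path))
            except Exception as exc:  # a malformed plist is itself a finding
                found.append({"file": path, "error": str(exc)})
    return found

SAMPLE_JOB = {  # constructed: relaunches a hidden helper at every login
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/.helper", "-q"],
    "RunAtLoad": True, "KeepAlive": True,
}

def demo():
    """Write the constructed job to a temporary directory and scan only that."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "com.example.updater.plist"), "wb") as f:
            plistlib.dump(SAMPLE_JOB, f)
        return scan([d])
```

`scan()` with no arguments walks the real directories on the machine it runs on; `demo()` shows the result shape on the constructed job.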

Persistence through Unix startup stuff:

  • /etc/rc.*
  • /etc/profile
  • .bashrc
  • .profile
  • .login
  • /etc/launchd.conf

Kernel extensions:

  • /System/Library/Extensions
  • /Library/Extensions

Browser artifacts

Chrome

The data you are interested in is located under the following folders:

  • ~/Library/Application\ Support/Google/Chrome/Default
  • ~/Library/Application\ Support/Google/Chrome/Profile N, where N is a number

Most of the interesting and valuable files are saved as SQLite 3 databases. There are dozens of tools that can help you read these. I personally used Liya, which offers a nice UI and is available in the App Store.
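One detail a generic SQLite viewer will not handle for you: Chrome's History database stores `last_visit_time` as microseconds since 1601-01-01 UTC (the WebKit epoch), while Safari's History.db uses seconds since 2001-01-01 UTC (the Cocoa epoch). The added Python below (not the page's code) converts both epochs and lists a constructed `urls` table newest first; the column subset of `urls` is an assumption for the demo.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History db stores times as microseconds since 1601-01-01 UTC (the
# WebKit epoch); Safari's History.db uses seconds since 2001-01-01 UTC (the
# Cocoa epoch). Neither is Unix time, which is the usual cause of timestamps
# that land centuries off in a report.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def cocoa_to_datetime(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)

def open_readonly(db_path):
    """Open a *copy* of the History file read-only; the live one is locked by Chrome."""
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

def chrome_history(conn):
    """Rows of (url, title, visit_count, last_visit_utc_iso), most recent first."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time > 0 ORDER BY last_visit_time DESC").fetchall()
    return [(u, t, n, webkit_to_datetime(ts).isoformat()) for u, t, n, ts in rows]

def build_sample_history():
    """Constructed in-memory stand-in for Chrome's urls table (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, "
                 "last_visit_time INTEGER, hidden INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/login", "Sign in", 3, 1, 13300000000000000, 0),
        (2, "https://example.org/download/tool.dmg", "tool.dmg", 1, 0, 13299990000000000, 0),
    ])
    return conn

if __name__ == "__main__":
    for row in chrome_history(build_sample_history()):
        print(*row)
```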

It is true that a user can install malware through Chrome extensions, so it is absolutely worth it to look into them. All extensions are located in the Extensions folder of the Chrome base directory mentioned above. When you cd into this folder, you will see something like this:


Safari

Relevant Safari files can be found in the directory below:

  • /Users//Library/Safari

Email artifacts

If a user was using Apple Mail, you can find all emails and attachments under these folders:

  • /Library/Mail
  • ~/Library/Mail

VirusTotal

https://www.virustotal.com/gui/home

Find all encrypted archives:

#!/bin/bash

root_dir="/path/to/folder"

# For every .zip under root_dir, print its path and the per-entry "Encrypted"
# field from 7z's technical listing ("Encrypted = +" marks a protected entry).
find "$root_dir" -name "*.zip" | while read -r x
do
    echo "$x"
    7z l -slt "$x" | grep "Encrypted"
done

Find files with macros:

#!/bin/bash

root_dir="/path/to/folder"
i=0

# Office 2007+ workbooks (.xlsx/.xlsm) are zip containers; unpack each one
# into its own numbered directory so the parts can be searched.
find "$root_dir" -name "*.xls*" | while read -r x
do
    echo "$x"
    unzip -q "$x" -d "out_dir/dir_$i"
    ((i++))
done

  1. Then run find out_dir -name "vbaProject.bin" to locate the workbooks that carry a VBA project.

  2. You can then extract the macro with sigtool --vba vbaProject.bin, which comes with ClamAV (brew install clamav).
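Both shell scripts above can be done in one pass without extracting anything: the added Python below (not from the page) reads each archive's central directory, checks the general-purpose flag for encrypted entries and looks for a `vbaProject.bin` part. The sample archives are constructed; the encrypted one is built by patching header flag bytes, because `zipfile` cannot write encrypted entries.

```python
import io
import os
import zipfile

OFFICE_ZIP_EXT = (".zip", ".xlsx", ".xlsm", ".xltm", ".docx", ".docm", ".pptx", ".pptm")

def inspect_zip(data):
    """Inspect a zip container held in memory: encrypted entries and VBA parts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # General-purpose flag bit 0 marks an entry as encrypted (zip spec 4.4.4).
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    # Office macros live in a vbaProject.bin part (under xl/, word/ or ppt/).
    vba = [i.filename for i in infos if i.filename.lower().endswith("vbaproject.bin")]
    return {"encrypted": encrypted, "vba_parts": vba}

def scan_tree(root):
    """Walk root and return findings for every zip-based file under it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(OFFICE_ZIP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    results[path] = inspect_zip(f.read())
            except zipfile.BadZipFile:  # e.g. a legacy OLE .xls is not a zip
                results[path] = {"error": "not a zip container"}
    return results

def build_macro_workbook():
    """Constructed .xlsm-like archive with a VBA part (OLE magic, dummy body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()

def build_encrypted_zip():
    """Constructed one-entry archive; zipfile cannot write encrypted entries, so
    the encryption flag is set by patching the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"x" * 12)
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x1                             # local file header: flags at offset 6
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1   # central directory: flags at offset 8
    return bytes(raw)
```

`scan_tree("/path/to/folder")` gives the same coverage as both scripts; `inspect_zip(build_macro_workbook())` and `inspect_zip(build_encrypted_zip())` show the two findings on the constructed samples.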

Miscellaneous artifacts

Mac OS logs:

  • /Users/username/Library/Logs/
  • /private/var/log/

Users with Activity Monitor in Mac OS

  • Launch “Activity Monitor” in Mac OS X, found within /Applications/Utilities/
  • Click on “Users” to sort and group the list by users logged in


List Connected Users & Log Ins to the Mac with “last”

Launch the Terminal app, found within /Applications/Utilities/, and enter the following command to see a full list of user logins:

last

To search for a specific user login, send the output of last through grep like so:

last |grep USERNAME

For example, to search last output for the user “OSXDaily” you would use the following command:

last |grep OSXDaily

This is case sensitive, so the user ‘osxdaily’ would be unidentified while “OSXDaily” will return positive results, thus be sure to use proper casing.

This will produce output looking something like the following, including all login dates, and when possible, the IP source of the connecting machine if the user was logged in through a network connection (in this screenshot example, the origin IP was identified as 192.168.1.4):


If no IP or network origin is shown, this indicates the user is logged in directly on the Mac, either through the standard Mac OS X login process, Fast User Switching, su / sudo, or something similar.

To see who is currently logged in you can also use the following last command syntax:

last |grep "logged in"

See Logged In SSH / Telnet Users with ‘who’

Finally, you can see who is currently connected to a Mac through an active SSH connection or the antiquated Telnet protocol by using the classic ‘who’ command from the terminal:

who

users

Currently logged-in user in OS X

GUI:

  • Open the Accounts preference pane in System Preferences. The pre-selected user account will be the active user account.
  • If fast user switching is active its menu extra (the menu on the right side of the menu bar) can be configured to show the name of the active user.

Command Line:

  • Check the owner of /dev/console

    stat -f '%u %Su' /dev/console

Malware Blocking DNS

Change your router DNS to:

  • 1.1.1.2
  • 1.0.0.2

Malware and Adult Content Blocking Together

Change your router DNS to:

  • 1.1.1.3
  • 1.0.0.3

Forensics Tools


Remove / Uninstall by Forensics

Uninstall Visual Studio

sudo rm -rf "/Applications/Visual Studio.app"
rm -rf ~/Library/Caches/VisualStudio
rm -rf ~/Library/Preferences/VisualStudio
rm -rf ~/Library/Preferences/"Visual Studio"
rm -rf ~/Library/Logs/VisualStudio
rm -rf ~/Library/VisualLodStudio

Uninstall Xamarin.Android

sudo rm -rf /Developer/MonoDroid
rm -rf ~/Library/MonoAndroid
sudo pkgutil --forget com.xamarin.android.pkg
sudo rm -rf /Library/Frameworks/Xamarin.Android.framework 

Uninstall Xamarin.iOS

rm -rf ~/Library/MonoTouch
sudo rm -rf /Library/Frameworks/Xamarin.iOS.framework
sudo rm -rf /Developer/MonoTouch
sudo pkgutil --forget com.xamarin.monotouch.pkg
sudo pkgutil --forget com.xamarin.xamarin-ios-build-host.pkg

Uninstall Xamarin.Mac

sudo rm -rf /Library/Frameworks/Xamarin.Mac.framework
rm -rf ~/Library/Xamarin.Mac

Uninstall Workbooks and Inspector

sudo /Library/Frameworks/Xamarin.Interactive.framework/Versions/Current/uninstall

Uninstall the Visual Studio Installer

rm -rf ~/Library/Caches/XamarinInstaller/
rm -rf ~/Library/Caches/VisualStudioInstaller/
rm -rf ~/Library/Logs/XamarinInstaller/
rm -rf ~/Library/Logs/VisualStudioInstaller/
rm -rf ~/Library/Preferences/Xamarin/
rm -rf ~/Library/Preferences/"Visual Studio/"

Force Kill VSCode

  1. Kill all node processes.
  2. Delete VSCode and all related files.
  3. Use an app like AppCleaner.
