macOS related sites

This resources page lists the more technical Mac OS related sites. If you are interested in Mac related technical information, tips and insights, the following list is a good place to start.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.


SecureMac.com

SecureMac was historically one of the best sites for information on Mac security topics. Definitely a recommended read.

Quoted from the SecureMac.com site:

Mac security is a more serious problem than most people think. It’s true that Macintosh computers have lower security risks than the average PC, but running security software for Macs is every bit as essential.
SecureMac has operated at the cutting edge of Apple security for over a decade. We produce some of the best security software for Mac computers on the market. And we’ve won the awards to prove it.
If you’re reading this right now, you’ve probably realized that securing your Mac against malware and privacy threats is important. If you want to keep your Mac secure, you’ve come to the right place.

 


MacUpdate

MacUpdate is an app/software download website that simplifies finding, buying and installing apps for your Macintosh computer.

MacUpdate.com is updated daily and currently carries more than 40,000 Macintosh applications for download.

 


MacForensicsLab for Mac OS X

Click here to visit a page on this site about MacForensicsLab for Mac OS X. The software is a complete forensics suite that is fully cross platform and available on Mac OS X, Microsoft Windows, as well as Linux.

This product is owned and produced by the owners of this website and the page you will be linking to is inside this website.
 


MacSurfer.com

www.MacSurfer.com is a news aggregator for Mac OS X news sites. A handy site for finding links to all things happening in the Mac world.

 


Stuffit Expander

In earlier days the Mac OS stored compressed files using a program called ‘Stuffit’; you may have seen these files around with a suffix of .sit or .sitx. Since OS X version 10.3, zip compression has been built in, but occasionally you will still see legacy files in this format.

The decompression tool is available for free download and runs on Mac and other platforms. You can download the expander by clicking here.

 


 

GraphicConverter

Perhaps the most powerful tool for working with graphic formats. This program can open almost every graphic format ever made, and is well known for its ability to handle “less than perfect” files. Try it for free and see the great features. We recommend this product to all Mac users.

 


Apple Product Specifications

An official and comprehensive list of specifications for all Apple products. Use this list to get details on past and present features for iPods, Mac computers, iPhones, and much more.

 


Apple Computer

An official source for security updates on Mac OS X. Users of Mac OS X can also get all their updates by selecting ‘Software update…’ from the Apple menu on the top left corner of the screen, or simply by waiting for the process to be performed automatically.

Quoted from the Apple site:

This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

 


MacFixIt of Cnet

MacFixIt, now part of CNET, provides the latest news, reviews of software and hardware products, and the latest workarounds and solutions to technical roadblocks and frustrating barriers.

 


MacInTouch

MacInTouch is an independent journal providing timely, reliable news, information and analysis about Apple Macintosh and iPhone/iOS platforms.

 


Mac OS X Hints

The Mac OS X Hints site gives handy tips and tricks for all things Apple.

Quoted from the Mac OS X Hints website:

I should first say that OS X public beta was my first real exposure to UNIX, and that’s probably one of the bigger reasons for this site — a good friend of mine is a UNIX wizard, and I’m sure he was getting tired of my calls! While trying to learn the system, I was getting somewhat frustrated at having to jump all over the web to find answers to OS X questions. There are some excellent sites out there (make sure you check out the links pages here), but none that seemed to focus specifically on providing how-to’s in a quick, easy-to-use format.

So in November of 2000, I launched macosxhints.com … and in the last five-plus, it has grown into a collection of thousands of hints regarding OS X and related applications, with multiple thousands of comments from experienced users providing even more information. It’s truly a one-stop-shop for OS X hints and how-to’s, and I’m amazed at just how intelligent and friendly the macosxhints community is!

Update: Mac OS X Hints is now a read-only site. There is still a wealth of great information there that many will find useful.

General Forensics Tips for Mac Platform

Find the Last Server a User was Connected to in Mac OS X

Mac OS X makes connecting to remote servers very easy. Retrieving information about the servers a suspect has connected to helps an investigator find other resources that should be investigated, or helps prove intent. Mac OS X logs these connections along with other information that may be of interest to an investigator.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.finder.plist. Within that file you will find “FXConnectToLastURL”. This entry shows the last file servers your suspect connected to. The entry “CFURLAliasData” will have the names of file servers accessed, disk images mounted, and sometimes names of DVDs (although they seem to be Apple authored only) that have been mounted within the Finder. The entry “recent-folders” will show the last batch of folders that were accessed.
 


Resetting the Admin Password in Mac OS X

The easiest way to bypass the administrator password is to remove the drive and attach it to another machine or a forensic station, then use MacForensicsLab to image the drive. That said, if for some reason you need to keep the drive inside the machine, you can reset the system administrator password using the Mac OS X installation CD/DVD.

An easy way to reset passwords is to boot from the original OS install CD/DVD and select Password Reset from the Utilities menu.

On Macs without CD/DVD drives, you can reboot the Mac into OS X Utilities mode by restarting the machine and holding down the “command-r” keys. Once OS X Utilities appears on-screen, select Terminal from the Utilities menu. At the prompt enter resetpassword and then press Enter.

A Reset Password window will appear. Select the volume whose admin password you want to reset, then enter a new password for the selected volume.

Doing this will destroy the forensic integrity of the suspect drive, so make sure you do this on a copy of the suspect drive.
 


Finding Recent Google Searches

Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it is very likely that search information can be found if a suspect uses Safari. Knowing what a suspect recently searched for can be helpful to an investigator or help prove intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Safari.plist. This is the main plist that needs to be trashed if Safari crashes upon opening or pages refuse to load. This file contains a section titled "RecentSearchStrings". These are the last 10 items that have been searched for in the Google toolbar of Safari. Clearing the browser history in Safari does not clear this information. The same file also shows the most recent files downloaded from Apple and the last search made on the Apple website.
 


Finding Disk Images that Have Been Burnt to CD/DVD

Disk images (.dmg) are very common on Mac OS X. Disk images allow both compression and password protection, so they are very common for the distribution of software over the internet. When opened, disk images mount as a drive in the Finder.

You can use the MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.DiskUtility.plist Inside this file is a section called “DUSavedDiskImageList” that shows the most recent disk images that have been used and burned by Disk Utility, including pathname locations. It also gives the device name that burned them and serial number of that device.
 


Finding the Last iPod Connected to Mac OS X

iPods are popular devices for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by the system. Being able to prove a specific iPod was connected to a suspect machine can be beneficial to an investigation.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.iPod.plist. This file shows the serial number, firmware, and model of the last Apple iPod connected to the suspect drive. This will allow the investigator to track down the iPod used and see if there may be further evidence contained on it.
 


Finding Recently Viewed Pictures in Mac OS X

The default image browsing application in Mac OS X is Preview. It is a popular program for viewing images as it supports a large number of file formats and provides a simple user interface. Finding recently browsed images can help direct an investigator to files of interest or help prove intent.

Use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.Preview.bookmarks.plist This file shows files recently viewed using Preview (files opened in the program Preview.app with newest on top) including path to file on local drives and network file servers.
 


Recently Accessed Items in Mac OS X

Showing the applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number, but most leave it at the default.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.recentitems.plist. Inside this file you will find recent applications, documents, and servers accessed on the suspect computer. The lists include applications and documents on local and network drives and the user that accessed the file (sometimes the user is different if it was accessed on a remote server). It also shows PC shared files accessed through a Workgroup and the access path used to open the files. Some of the file pathnames could be the most forensically useful, as well as the applications used and documents opened.
 


Recently Opened QuickTime Files

QuickTime is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played using QuickTime Player can help an investigator show intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.quicktimeplayer.plist. This file shows recently viewed movies and audio clips (any files opened in the program QuickTime Player.app). This file also holds “NSNavLastRootDirectory”, the default (last accessed) directory used when opening movies. The pathnames and document names inside this file could be useful for your forensic investigation.
 


Finding Remote Desktop Connections

Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.RemoteDesktop.plist. This file shows all the machines this Mac has controlled or viewed with Apple Remote Desktop. This file also includes information about the connection such as the machine’s MAC address, IP, name, and the time and date. This file also stores information that could be of other forensic interest, including saved tasks for Apple Remote Desktop. You can find more information on stored task data here.
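The preference files in the tips above (Finder, Safari, Disk Utility, iPod, Preview, recent items, QuickTime Player and Remote Desktop) are all property lists, so one reader serves them all. The following is an added example, not MacForensicsLab code: the file-to-key table is taken from the tips, the sample plists and every value in them are constructed, and the scanner is meant to run against a Preferences folder exported from an image, never the evidence volume.

```python
import plistlib
from datetime import datetime
from pathlib import Path

# Preference files named in the tips above and the keys the tips single out.
# An empty list means the tip names the file but no key: report every top-level key.
ARTIFACT_KEYS = {
    "com.apple.finder.plist": ["FXConnectToLastURL", "CFURLAliasData", "recent-folders"],
    "com.apple.Safari.plist": ["RecentSearchStrings"],
    "com.apple.DiskUtility.plist": ["DUSavedDiskImageList"],
    "com.apple.iPod.plist": [],
    "com.apple.Preview.bookmarks.plist": [],
    "com.apple.recentitems.plist": [],
    "com.apple.quicktimeplayer.plist": ["NSNavLastRootDirectory"],
    "com.apple.RemoteDesktop.plist": [],
}


def render(value):
    """Flatten a plist value into a printable form without discarding evidence."""
    if isinstance(value, bytes):
        # Alias blobs such as CFURLAliasData stay as hex so the volume and path
        # strings embedded in them can still be searched in a hex/ASCII view.
        return value.hex()
    if isinstance(value, datetime):
        return value.isoformat()
    if isinstance(value, dict):
        return {k: render(v) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v) for v in value]
    return value


def extract_artifacts(plist_bytes, wanted):
    """Return {key: rendered value} for the wanted keys, or for every top-level
    key when `wanted` is empty.  A wanted key that is absent maps to None, so the
    report also records which artifacts this user profile did not have."""
    try:
        root = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    except Exception as exc:  # salvaged garbage is frequently not a plist at all
        return {"_error": f"not a valid plist ({type(exc).__name__})"}
    if not isinstance(root, dict):
        return {"_error": "plist root is not a dictionary"}
    keys = wanted or sorted(root)
    return {k: render(root[k]) if k in root else None for k in keys}


def scan_preferences(pref_dir):
    """Report every artifact plist in the table for one exported Library/Preferences copy."""
    pref_dir = Path(pref_dir)
    report = {}
    for name, wanted in ARTIFACT_KEYS.items():
        path = pref_dir / name
        if not path.is_file():
            report[name] = {"_error": "file not present"}
            continue
        report[name] = extract_artifacts(path.read_bytes(), wanted)
    return report


# Constructed stand-ins for com.apple.Safari.plist (binary) and com.apple.finder.plist
# (XML); every value below is invented for the demonstration.
SAMPLE_SAFARI = plistlib.dumps(
    {"RecentSearchStrings": ["how to hide files", "dmg password"], "Other": 1},
    fmt=plistlib.FMT_BINARY)
SAMPLE_FINDER = plistlib.dumps(
    {"FXConnectToLastURL": "afp://fileserver.example.invalid/Share",
     "CFURLAliasData": b"\x00\x00\x00\x9aalias",
     "LastModified": datetime(2009, 3, 4, 12, 0, 0)})
```

Missing keys come back as None rather than being dropped, so the report doubles as a record of which artifacts the profile did not contain.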
 


View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce load time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

You can use MacForensicsLab’s Salvage function to salvage the contents of these folders and show the cached information. This will show you websites that have been browsed whose files have not been overwritten, as well as present cache files that have not been flushed.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located at: ~/Library/Caches/Safari
  • The default storage location for Firefox’s web cache is: ~/Users/“USERNAME”/Library/Caches/Firefox/Profiles/”COMPUTERCODE.default”/Cache

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Caches folder that may also be of interest to investigators. They can be viewed using the same process as the web caches.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.
 


Unfreezing A FireWire Bus That Has Hung

On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it.

If you have a hard drive freeze your FireWire bus and hang your machine, you can cause the system to reset the bus by plugging in a second device in the chain. The Mac will immediately rescan the bus and this will sometimes unfreeze the bus. If these steps fail to unfreeze the FireWire bus you will need to shut the machine down and restart the computer. You can resume your drive acquisition in MacForensicsLab after unfreezing the bus by checking the “Resume a previous recover.” box under the Acquire function and selecting the previous image when prompted.
 


Sleepimage in Mac OS X

The sleepimage is a file that Mac OS X uses to store the contents of the active RAM when a machine is put to sleep. This information is stored to allow the OS to restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping.

For an investigator, the sleepimage may contain information that could be valuable to an investigation. This information may show what a suspect was doing before they put their computer to sleep and may include incriminating evidence that could lead to a conviction.
The sleepimage file can be found in the following location in the Mac OS X system:
/private/var/vm/sleepimage

Please note that this is a hidden file that is not normally visible from the Finder. Computer forensics programs such as MacForensicsLab can be used to view the sleepimage location and the contents of the sleepimage file.
 


Finding the system time and date on a Mac


Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction.

Macs sold after March of 2001 will most likely have Mac OS X loaded on them and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).

Determining if a firmware password is set

Before you can boot into Single User Mode, you must first determine if the user has set a firmware password on the system. A firmware password would prevent the investigator from booting into Single User Mode to determine the system’s time and date. The firmware password can be reset, but doing so also resets the system time. To determine if there is a firmware password set, do the following:

  • Power on the Mac while holding down the Option key.
    • If you are presented with a screen showing the bootable partitions on the system, then there is no firmware password set.
    • If you are presented with a password screen, then there is a firmware password and you will not be able to boot into Single User Mode.
  • Once you have determined whether there is a firmware password, power the Mac down by holding the power button until the system powers off.

Finding the system date and time via Single User Mode

  1. Press the Power button and immediately hold down the Command (Apple) and S keys. Doing so will make the Mac boot up in Single User Mode.
  2. Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer’s current date and time along with the user-configured time zone.
  3. You can then power down the computer safely.

Another option for finding the Mac’s system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.

 


Finding the Original Registrant of Mac OS X


When Mac OS X is run for the first time after installation, the user is prompted to enter their registration information such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and also used to populate the administrator’s information within the Address Book and for auto-fill forms within Safari.

When attempting to locate the original registered owner of a Mac OS X installation with MacForensicsLab, look for the file titled “Sendregistration.setup” in ~/Users/“USERNAME”/Library/Assistants/. In certain situations (e.g. when there is no internet connection present at the time of registration) the file “Sendregistration.setup” is still within this directory and can contain the original registration content.

A secondary location for information on the original registrant of a computer running Mac OS X is the file titled AddressBookMe.plist, located in ~/Users/“USERNAME”/Library/Preferences/. Using MacForensicsLab’s Analyze function (ASCII view within that section) on that file will reveal the original owner’s registration.
 


Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles/“PROFILE”/
Windows XP & 2000: C:\Documents and Settings\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\
or
C:\Windows\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows NT 4.x: C:\Winnt\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Unix: ~/.mozilla/firefox/“PROFILE”/

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites for which passwords are never to be saved. The encryption key is contained in the file called key3.db.

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.

Update!

If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.

 


iPhone Artifacts

iPhones and iPod Touches with firmware version 2.0 or later will call home periodically to see if any applications have been blacklisted by Apple. This allows Apple to disable malicious applications on iPhone and iPod Touch users’ devices. The iPhone and iPod Touch will check the following URL for any blacklisted applications:

https://iphone-services.apple.com/clbl/unauthorizedApps

 


Recovering Email from Mac OS X Mail

Since the release of Mac OS X, Mail.app has been the default email application. Mail stored email in .mbox files up until the release of Mac OS X Tiger 10.4, at which point Apple changed the default file type to .emlx. The instructions below outline the process used to recover and investigate the contents of these formats.

When looking for email on a suspect Mac OS X drive, the standard location for the stored email is ~/Users/“USERNAME”/Library/Mail.

You can use either the Analyze or Salvage functions of MacForensicsLab to examine Mail files.

  • To use the Analyze function, use a search query of “.mbox” for systems from Mac OS X 10.0-10.3 and “.emlx” for Mac OS X 10.4 Tiger and higher.
  • When using the Salvage function, direct the search to ~/Users/“USERNAME”/Library/Mail and do a Salvage of that location. Both .mbox and .emlx files will automatically be found.
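Once the Salvage pass has produced a pile of .emlx files, the next step is triaging them. The following is an added example, not MacForensicsLab code: the layout it assumes for an .emlx file (a first line giving the message length in bytes, that many bytes of RFC 822 message, then an XML plist of Mail.app metadata) is my reading of the format and is not stated in the tip above; the sample message, addresses and flag value are constructed.

```python
import email
import plistlib
from email import policy

# Assumed .emlx layout (an assumption of this example, not taken from the tip):
#   line 1        : decimal byte count of the message that follows
#   next N bytes  : the RFC 822 message as received
#   remainder     : XML plist of Mail.app metadata (flags, date-received, ...)


def parse_emlx(blob):
    """Split one .emlx file and return the fields an investigator triages first.
    Raises ValueError on a truncated or corrupt file, which a Salvage pass over
    unallocated space will certainly produce."""
    head, sep, rest = blob.partition(b"\n")
    if not sep or not head.strip().isdigit():
        raise ValueError("no length line: not an .emlx file")
    length = int(head)
    if len(rest) < length:
        raise ValueError(f"truncated: length line says {length} bytes, {len(rest)} present")
    raw_message, trailer = rest[:length], rest[length:].strip()
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    try:
        meta = plistlib.loads(trailer) if trailer else {}
    except Exception:
        meta = {}  # a damaged metadata trailer should not cost us the message itself
    body = msg.get_body(preferencelist=("plain", "html"))
    date_hdr = msg["Date"]
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "date": date_hdr.datetime.isoformat() if date_hdr else None,
        "flags": meta.get("flags"),  # Mail.app bit field, left raw here
        "body_preview": body.get_content()[:80].strip() if body else "",
    }


def triage(blobs):
    """Parse a batch of salvaged .emlx blobs, recording failures instead of aborting."""
    results = []
    for name, blob in blobs.items():
        try:
            results.append({"file": name, **parse_emlx(blob)})
        except ValueError as exc:
            results.append({"file": name, "error": str(exc)})
    return results


# Constructed sample message and metadata; addresses, subject and flag value are invented.
MESSAGE = (b"From: alice@example.invalid\r\n"
           b"To: bob@example.invalid\r\n"
           b"Subject: shipment\r\n"
           b"Date: Tue, 10 Mar 2009 09:15:00 -0700\r\n"
           b"Content-Type: text/plain; charset=us-ascii\r\n"
           b"\r\n"
           b"The package went out this morning.\r\n")
TRAILER = plistlib.dumps({"flags": 8590195713, "date-received": 1236701700})
SAMPLE_EMLX = str(len(MESSAGE)).encode() + b"\n" + MESSAGE + TRAILER
```

Feeding `triage` the whole Salvage output separates intact messages from fragments in one pass, and the fragments still report why they failed.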