This resources page contains a list of more technical Mac OS related sites. If you are interested in Mac-related technical information, tips and insights, you may want to start with the following list.
Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.
SecureMac was historically one of the best sites for information on Mac security topics. Definitely a recommended read.
Quoted from the SecureMac.com site:
Mac security is a more serious problem than most people think. It’s true that Macintosh computers have lower security risks than the average PC, but running security software for Macs is every bit as essential. SecureMac has operated at the cutting edge of Apple security for over a decade. We produce some of the best security software for Mac computers on the market. And we’ve won the awards to prove it. If you’re reading this right now, you’ve probably realized that securing your Mac against malware and privacy threats is important. If you want to keep your Mac secure, you’ve come to the right place.
MacUpdate is an app/software download website that simplifies finding, buying and installing apps for your Macintosh computer.
MacUpdate.com is updated daily and currently carries more than 40,000 Macintosh applications for download.
This product is owned and produced by the owners of this website and the page you will be linking to is inside this website.
www.MacSurfer.com is a news aggregator for Mac OS X news sites. A handy site for finding links to all things happening in the Mac world.
In earlier days the Mac OS stored compressed files using a program called ‘StuffIt’; you may have seen these files around with a suffix of .sit or .sitx. Since OS X version 10.3, zip compression has been built in, but occasionally you will still see legacy files in this format.
The decompression tool is available for free download and runs on the Mac and other platforms. You can download the expander by clicking here.
An official source for security updates on Mac OS X. Users of Mac OS X can also get all their updates by selecting ‘Software update…’ from the Apple menu on the top left corner of the screen, or simply by waiting for the process to be performed automatically.
Quoted from the Apple site:
This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
MacFixIt, now part of CNET, provides the latest news, reviews of software and hardware products, and the latest workarounds and solutions to technical roadblocks and frustrating barriers.
MacInTouch is an independent journal providing timely, reliable news, information and analysis about Apple Macintosh and iPhone/iOS platforms.
I should first say that OS X public beta was my first real exposure to UNIX, and that’s probably one of the bigger reasons for this site — a good friend of mine is a UNIX wizard, and I’m sure he was getting tired of my calls! While trying to learn the system, I was getting somewhat frustrated at having to jump all over the web to find answers to OS X questions. There are some excellent sites out there (make sure you check out the links pages here), but none that seemed to focus specifically on providing how-to’s in a quick, easy-to-use format.
So in November of 2000, I launched macosxhints.com … and in the last five-plus, it has grown into a collection of thousands of hints regarding OS X and related applications, with multiple thousands of comments from experienced users providing even more information. It’s truly a one-stop-shop for OS X hints and how-to’s, and I’m amazed at just how intelligent and friendly the macosxhints community is!
Update — Mac OS X Hints is now a read-only site. There’s still a wealth of great information there that many will find useful.
Find the Last Server a User was Connected to in Mac OS X
Mac OS X makes connecting to remote servers very easy. Retrieving information about servers a suspect has connected to will help an investigator find other resources they should be investigating or to prove intent. Mac OS X logs these connections along with other information that may be of interest to an investigator.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.finder.plist. Within that file you will find “FXConnectToLastURL”. This entry shows the last file servers your suspect connected to. The entry “CFURLAliasData” will hold the names of file servers accessed, disk images mounted, and sometimes names of DVDs (although these seem to be Apple-authored only) that have been mounted within the Finder. The entry “recent-folders” will show the last batch of folders that were accessed.
An easy way to reset passwords is to boot from the original OS install CD/DVD and then select Password Reset from the Utilities menu.
On Macs without CD/DVD drives, you can reboot the Mac into OS X Utilities mode by restarting the machine and holding down the “command-r” keys. Once OS X Utilities appears on-screen, select Terminal from the Utilities menu. At the prompt enter resetpassword and then hit enter.
A Reset Password window will appear. You can select the volume you would like to have the Admin password reset, and then enter a new password for the selected volume.
Doing this will destroy the forensic integrity of the suspect drive so make sure you do this on a copy of the suspect drive.
Finding Recent Google Searches
Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it’s very likely that search information can be found if a suspect uses Safari. Knowing what a suspect recently searched for can be helpful to an investigator or help prove intent.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Safari.plist. This is the main plist that needs to be trashed if Safari crashes upon opening or pages refuse to load. This file contains a section titled "RecentSearchStrings". These are the last 10 items that have been searched for in the Google toolbar of Safari. Clearing the browser history in Safari does not clear this information. The same file also shows the most recent files downloaded from Apple and the last search made on the Apple website.
Finding Disk Images that Have Been Burnt to CD/DVD
Disk Images (.dmg) are very common on Mac OS X. Disk images allow both compression and password protection, so they are very common for the distribution of software over the internet. When opened, disk images mount as a drive in the Finder.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.DiskUtility.plist. Inside this file is a section called “DUSavedDiskImageList” that shows the most recent disk images that have been used and burned by Disk Utility, including pathname locations. It also gives the device name that burned them and the serial number of that device.
Finding the Last iPod Connected to Mac OS X
iPods are popular devices for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by the system. Being able to prove a specific iPod was connected to a suspect machine can be beneficial to an investigation.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.iPod.plist. This file shows the serial number, firmware, and model of the last Apple iPod connected to the suspect drive. This will allow the investigator to track down the iPod used and see if there may be further evidence contained on it.
Finding Recently Viewed Pictures in Mac OS X
The default image browsing application in Mac OS X is Preview. It is a popular program for viewing images as it supports a large number of file formats and provides a simple user interface. Finding recently browsed images can help direct an investigator to files of interest or help prove intent.
Use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Preview.bookmarks.plist. This file shows files recently viewed using Preview (files opened in the program Preview.app, with the newest on top), including the path to each file on local drives and network file servers.
Recently Accessed Items in Mac OS X
Showing applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number, but most leave it set to the default.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.recentitems.plist. Inside this file you will find recent applications, documents, and servers accessed on the suspect computer. The list includes applications and documents on local and network drives and includes the user that accessed the file (sometimes the user is different if it was accessed on a remote server). It also shows PC shared files accessed through a Workgroup and the access path used to open the files. Some of the file pathnames could be the most forensically useful, as well as the applications used and documents opened.
Recently Opened QuickTime Files
QuickTime is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played using QuickTime Player can help an investigator show intent.
You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.quicktimeplayer.plist. This file shows recently viewed movies and audio clips (any files opened in the program QuickTime Player.app). This file also shows “NSNavLastRootDirectory”, the default (last accessed) directory that was used for opening each movie. The pathnames and document names inside this file could be useful for your forensic investigation.
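Added example (not MacForensicsLab's own code): a small Python scanner for the preference keys named in the Finder, Safari, Disk Utility and QuickTime passages above. It reads XML or binary plists with the standard plistlib module and walks nested dictionaries, so it finds a key wherever a given OS release nests it; the sample plists below are constructed for illustration, not copied from a real system.

```python
import plistlib

# Keys the page identifies as forensically interesting, by preference file.
# Key names come from the page; everything fed to them below is sample data.
ARTIFACT_KEYS = {
    "com.apple.finder.plist": ("FXConnectToLastURL", "recent-folders"),
    "com.apple.Safari.plist": ("RecentSearchStrings",),
    "com.apple.DiskUtility.plist": ("DUSavedDiskImageList",),
    "com.apple.quicktimeplayer.plist": ("NSNavLastRootDirectory",),
}


def walk(node, wanted, path=""):
    """Yield (path, value) for every wanted key at any depth, so the scan does
    not depend on where a particular OS release nests the key."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in wanted:
                yield here, value
            yield from walk(value, wanted, here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, wanted, f"{path}[{index}]")


def scan_plist(filename, raw):
    """Parse one preference plist (XML or binary; plistlib detects the format)
    and return {path: value} for the keys the page lists for that file."""
    wanted = ARTIFACT_KEYS.get(filename, ())
    return dict(walk(plistlib.loads(raw), wanted))


# Constructed stand-ins for plists copied from a suspect image. One is written
# in binary form and one in XML form to show that both parse the same way.
SAMPLE_SAFARI = plistlib.dumps(
    {"RecentSearchStrings": ["stuffit expander", "firewire hub"],
     "DownloadsPath": "/Users/example/Downloads"},
    fmt=plistlib.FMT_BINARY)
SAMPLE_DISKUTIL = plistlib.dumps(
    {"DiskUtility": {"DUSavedDiskImageList": [{"path": "/Users/example/Desktop/backup.dmg"}]},
     "Version": 2},
    fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for name, raw in (("com.apple.Safari.plist", SAMPLE_SAFARI),
                      ("com.apple.DiskUtility.plist", SAMPLE_DISKUTIL)):
        for path, value in scan_plist(name, raw).items():
            print(f"{name}{path}: {value!r}")
```

Point scan_plist at the bytes of a real ~/Library/Preferences file read from an image copy to get the same path/value listing.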
Finding Remote Desktop Connections
Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection.
Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.
The default web browser in Mac OS X is Safari. The Safari web cache is located: ~/Library/Caches/Safari
The default storage location for Firefox’s web cache is: ~/Users/“USERNAME”/Library/Caches/Firefox/Profiles/”COMPUTERCODE.default”/Cache
There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Caches folder that may also be of interest to investigators. They can be viewed using the same process as the web caches.
SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.
Unfreezing A FireWire Bus That Has Hung
On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it.
If a hard drive freezes your FireWire bus and hangs your machine, you can cause the system to reset the bus by plugging a second device into the chain. The Mac will immediately rescan the bus, and this will sometimes unfreeze it. If this fails to unfreeze the FireWire bus you will need to shut the machine down and restart the computer. You can resume your drive acquisition in MacForensicsLab after unfreezing the bus by checking the “Resume a previous recover.” box under the Acquire function and selecting the previous image when prompted.
Sleepimage in Mac OS X
The sleepimage is a file that Mac OS X uses to store the contents of the active RAM when a machine is put to sleep. This information is stored to allow the OS to restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping.
For an investigator, the sleepimage may contain information that could be valuable to an investigation. This information may show what a suspect was doing before they put their computer to sleep and may include incriminating evidence that could lead to a conviction. The sleepimage file can be found in the following location on a Mac OS X system: /private/var/vm/sleepimage
Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction.
Macs sold after March of 2001 will most likely have Mac OS X loaded on them and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).
Determining if a firmware password is set
Before you can boot into Single User Mode, you must first determine if the user has set a firmware password on the system. A firmware password would prevent the investigator from booting into Single User Mode to determine the system’s time and date. The firmware password can be reset, but doing so also resets the system time. To determine if there is a firmware password set, do the following:
Power on the Mac while holding down the Option key.
If you are presented with a screen showing the bootable partitions on the system then there is no firmware password set.
If you are presented with a password screen then there is a firmware password and you will not be able to boot into Single User Mode.
Once you have determined whether there is a firmware password, power the Mac down by holding the power button until the system powers off.
Finding the system date and time via Single User Mode
Press the Power button and immediately hold down the Command (Apple) and S key. Doing so will make the Mac boot up in Single User Mode.
Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer’s current date and time along with the user configured time zone.
You can then power down the computer safely.
Another option for finding the Mac’s system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.
Finding the Original Registrant of Mac OS X
When Mac OS X is run for the first time after installation, the user is prompted to enter their registration information such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and is also used to populate the administrator’s information within the Address Book and for auto-fill forms within Safari.
When attempting to locate the original registered owner of a Mac OS X installation with MacForensicsLab, look for the file titled “Sendregistration.setup” in ~Users/“USERNAME”/Library/Assistants/. In certain situations (e.g. when there is no internet connection present at the time of registration) the file “Sendregistration.setup” is still within this directory and can contain the original registered content.
Firefox stores the user data in the following places (backslashes in the Windows paths were lost in extraction; “USERNAME” and “PROFILE” stand for the user’s account name and profile folder):
Mac OS X: ~/Library/Application Support/Firefox/Profiles/“PROFILE”/
Windows XP & 2000: C:\Documents and Settings\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\ or C:\Windows\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows NT 4.x: C:\Winnt\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Unix: ~/.mozilla/firefox/“PROFILE”/
Since the release of Mac OS X, Mail.app has been the default email application. Mail stored email in .mbox files up until the release of Mac OS X Tiger 10.4, at which point Apple changed the default file type to .emlx. The instructions below outline the process used to recover and investigate the contents of these formats.
When looking for email on a suspect Mac OS X drive, the standard location for the stored email is ~/Users/“USERNAME”/Library/Mail
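Added example (not MacForensicsLab's code): a minimal Python parser for the .emlx layout the page names. Each .emlx file holds a first line with the decimal byte count of the message, the RFC 822 message itself, then an XML plist of Mail's metadata; the sample file below is constructed rather than taken from a real mailbox.

```python
import plistlib
from email import message_from_bytes


def parse_emlx(raw):
    """Split one Apple Mail .emlx file into (message, metadata).
    Layout: first line = decimal byte count of the message, then that many
    bytes of RFC 822 message, then an XML plist holding Mail's flags."""
    count_line, _, rest = raw.partition(b"\n")
    length = int(count_line.strip())
    if length > len(rest):
        raise ValueError("truncated .emlx: message shorter than declared")
    message = message_from_bytes(rest[:length])
    trailer = rest[length:].strip()
    metadata = plistlib.loads(trailer) if trailer else {}
    return message, metadata


def summarize_emlx(raw):
    """Pull the header fields an investigator usually triages first."""
    message, metadata = parse_emlx(raw)
    return {
        "from": message["From"],
        "to": message["To"],
        "subject": message["Subject"],
        "date": message["Date"],
        "date-received": metadata.get("date-received"),
        "flags": metadata.get("flags"),
    }


# Constructed sample: a small message plus a metadata plist, assembled the way
# Mail lays them out on disk (byte-count line, message, plist trailer).
SAMPLE_MESSAGE = (b"From: alice@example.com\r\n"
                  b"To: bob@example.com\r\n"
                  b"Subject: case notes\r\n"
                  b"Date: Mon, 01 Jan 2007 09:00:00 +0000\r\n"
                  b"\r\n"
                  b"Meet at the usual place.\r\n")
SAMPLE_META = plistlib.dumps({"date-received": 1167642000, "flags": 1},
                             fmt=plistlib.FMT_XML)
SAMPLE_EMLX = b"%d\n%s%s" % (len(SAMPLE_MESSAGE), SAMPLE_MESSAGE, SAMPLE_META)

if __name__ == "__main__":
    for field, value in summarize_emlx(SAMPLE_EMLX).items():
        print(f"{field}: {value}")
```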