CH12: macOS Forensics

12.1 Introduction: The Apple Ecosystem in Forensics

For decades, the world of digital forensics was dominated by Windows. However, as Apple’s market share in the corporate enterprise and creative industries has skyrocketed, the "Mac" has become a frequent flyer in forensic labs. Whether it is an executive's MacBook Pro involved in intellectual property theft or a graphic designer's iMac containing contraband, the modern forensic examiner must be bilingual: speaking both Windows and macOS.

Investigating macOS presents a unique challenge compared to Windows. While Windows is often criticized for being "noisy"—leaving artifacts everywhere—macOS is designed with privacy and efficiency as core tenets. Apple’s transition to its own silicon (M-series chips) and the implementation of the Apple File System (APFS) have fundamentally changed how data is stored and secured.

In this chapter, we will move away from the Master File Table (MFT) and Registry Hives of Windows and enter the world of Nodes, Property Lists (Plists), and SQLite databases. We will explore how to reconstruct user activity on an operating system that tries very hard to keep secrets.

Learning Objectives

By the end of this chapter, you will be able to:

  • Summarize the evolution of macOS and its impact on forensic acquisition.
  • Differentiate between the legacy HFS+ file system and the modern APFS architecture.
  • Analyze Property Lists (.plist) to determine system configuration and user preferences.
  • Reconstruct file system activity using FSEvents and Spotlight data.
  • Trace the origin of downloaded files using Quarantine Events.
  • Develop a "Pattern of Life" for a user using the KnowledgeC database and Unified Logs.

12.2 A Brief Forensic History of macOS

To understand why modern Mac forensics is difficult, we must look at how the architecture has shifted. Unlike Windows, which strives for backward compatibility, Apple aggressively deprecates old technologies. This means the tools and techniques that worked on a Mac five years ago may fail completely today.

12.2.1 The HFS+ Era (Classic Mac OS X)

For years, Macs ran on the HFS+ (Hierarchical File System Plus). This was a straightforward journaling file system.

  • Forensic State: Hard drives were removable. An investigator could unscrew the back of a laptop, remove the SATA drive, plug it into a write-blocker, and image it easily.
  • Encryption: FileVault 1 (home folder encryption) was common but optional.

12.2.2 The Intel Transition & The T2 Chip

When Apple moved to Intel processors, Macs became very similar to PCs hardware-wise. However, in 2018, Apple introduced the T2 Security Chip.

  • The T2 Chip: This co-processor handles encryption keys.
  • Forensic Impact: The storage drive became cryptographically tied to the logic board. You could no longer remove the SSD to image it; even if you did, the data would be encrypted gibberish without the T2 chip to unlock it. This killed "chip-off" forensics for Apple devices.

12.2.3 The Modern Era: Apple Silicon & APFS

Starting with macOS High Sierra (10.13), Apple replaced HFS+ with APFS (Apple File System), and later introduced their own M-Series Processors (M1, M2, M3).

  • System Integrity: Modern Macs lock the operating system in a "Signed System Volume" (SSV). It is cryptographically sealed. If malware tries to modify a system file, the Mac simply refuses to boot.
  • Acquisition Challenges: On Apple Silicon Macs, traditional "Target Disk Mode" was replaced by "Mac Sharing Mode." Accessing the data now almost always requires the user's password to authorize the pairing with a forensic workstation.

12.3 The Apple File System (APFS)

To understand where evidence lives, you must understand the house it lives in. Introduced in macOS High Sierra (10.13), the Apple File System (APFS) replaced the aging HFS+. APFS is optimized for Flash/SSD storage and features strong encryption at its core.

12.3.1 The Container Structure

Unlike the rigid partitioning of Windows (C: drive, D: drive), APFS uses a flexible container system.

  1. Physical Disk: The actual hardware (SSD).
  2. Container: A pool of storage space.
  3. Volumes: Logical drives inside the container (System, Data, Preboot, Recovery).

Forensic Implication: In APFS, volumes share free space. If you have a 1TB drive with a "System" volume and a "Data" volume, they both report having the total available free space of the container. This dynamic resizing complicates data carving because the physical location of data is fluid.

Starting with macOS Catalina (10.15), Apple split the operating system into two distinct volumes to prevent malware from modifying core system files:

  • System Volume: Read-only. Contains the OS binaries.
  • Data Volume: Read-write. Contains user data (Home folders, Applications, Logs).

To the user, this looks like a single volume (e.g., "Macintosh HD"). Apple achieves this illusion using Firmlinks. A firmlink is a "bi-directional wormhole" between the two volumes. When a user navigates to /Users, they are transparently redirected to the Data Volume. When they look at /System, they are looking at the System Volume.

Key Takeaway: When analyzing a forensic image of a modern Mac, you will often see two distinct volumes. Your investigation will almost exclusively focus on the Data Volume, as the System Volume is immutable (unchangeable) during normal operation.

12.3.3 Clones and Copy-on-Write

APFS utilizes a feature called "Copy-on-Write." When a file is duplicated, APFS does not actually write new data to the disk. Instead, it creates a new pointer to the existing data. New data is only written when one of the copies is modified.

Forensic Implication: This makes file carving (recovering deleted files based on raw headers) significantly more difficult than in NTFS, because a clone shares its data blocks with the original until one of them is modified, so the on-disk layout of a file is fragmented by design and can only be reconstructed from the file system metadata.


12.4 System Configuration: The Property List (.plist)

If the Registry is the nervous system of Windows, Property Lists (Plists) are the nervous system of macOS. Almost every configuration setting, from the time zone to the last time an application was opened, is stored in a .plist file.

12.4.1 Structure and Format

Plists come in two flavors:

  1. XML Plist: Human-readable text files (older, but still used).
  2. Binary Plist (bplist): Compiled, not human-readable. Requires tools to parse.

Tool Tip: On a live Mac, you can view these with Xcode or the terminal command plutil -p filename.plist. In a forensic lab, tools like dedicated Plist Editors or forensic suites (Magnet AXIOM, Cellebrite Inspector) will decode them automatically.

12.4.2 Key System Plists

While there are thousands of plists, a few are critical for establishing the baseline of the system:

  • /Library/Preferences/SystemConfiguration/preferences.plist: Contains network interface configurations (IP addresses, last connected networks).
  • /private/var/db/SystemKeyChain/System.keychain: Stores Wi-Fi passwords and system secrets (requires cracking).
  • /Users/<username>/Library/Preferences/com.apple.finder.plist: Shows Finder settings and potentially recently viewed folders.
  • /Users/<username>/Library/Preferences/com.apple.dock.plist: Lists what applications are pinned to the user's Dock (a good indicator of frequently used software).

12.4.3 Safari-Specific Property Lists

While modern web browsers (including Safari) store their massive history logs in SQLite databases (e.g., History.db), Safari uniquely utilizes .plist files for critical "state" and "intent" data. These are often easier to parse than full databases and provide a snapshot of what the user deemed important.

  • ~/Library/Safari/Bookmarks.plist

    • What it is: The master list of the user's saved sites.
    • Forensic Value: This file proves User Intent. Unlike a history entry, which could be accidental or automated (pop-ups), a bookmark requires active user interaction to save.
    • Key Data:
      • URIDictionary: The URL of the bookmark.
      • ReadingList: This plist also contains the "Reading List" items. This is often where users save articles or pages they want to read offline later—a common hiding spot for illicit material that they don't want in their main bookmarks bar.
  • ~/Library/Safari/LastSession.plist

    • What it is: A snapshot of the browser exactly as it was when it was last closed.
    • Forensic Value: This is the digital equivalent of freezing the crime scene. If a suspect slams their laptop shut when law enforcement arrives, this plist records exactly which tabs were open at that moment.
    • Key Data:
      • TabStates: A dictionary containing the Title, URL, and even the "Scroll Position" (how far down the page they were reading) for every open tab.
  • ~/Library/Preferences/com.apple.Safari.plist

    • What it is: The configuration file for the browser.
    • Forensic Value:
      • HomePage: Shows the default page set by the user (or hijacked by malware).
      • DownloadsPath: Tells you exactly where the user saves their files. If this is changed from ~/Downloads to a hidden folder like ~/Library/Hidden, it indicates an attempt to conceal downloaded evidence.
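As an added example (not part of the chapter), the following Python parses a Safari-style Bookmarks.plist with the standard plistlib module, detecting the XML or binary flavour from the leading bytes and walking the bookmark tree to separate ordinary bookmarks from Reading List items. The sample plist is constructed here; the key names (WebBookmarkType, Children, URIDictionary, URLString, ReadingList) are assumed to match what Safari writes.

```python
import plistlib

# Constructed sample in the layout of Safari's Bookmarks.plist (assumption: the
# WebBookmarkType, Children, URIDictionary and URLString keys used here are the
# ones Safari writes; titles and URLs are made up for this example).
SAMPLE_BOOKMARKS = {
    "WebBookmarkType": "WebBookmarkTypeList", "Title": "",
    "Children": [
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksBar",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URIDictionary": {"title": "Example site"},
              "URLString": "https://example.com/"}]},
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "com.apple.ReadingList",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URIDictionary": {"title": "Saved article"},
              "URLString": "https://example.org/article",
              "ReadingList": {"PreviewText": "constructed preview"}}]},
    ],
}

def sample_blob(fmt: str = "binary") -> bytes:
    """Serialize the sample as a bplist (the on-disk form) or as XML."""
    kind = plistlib.FMT_BINARY if fmt == "binary" else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE_BOOKMARKS, fmt=kind)

def plist_format(data: bytes) -> str:
    """Identify the flavour from the leading bytes: 'bplist00' magic vs. XML."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip().startswith((b"<?xml", b"<plist")):
        return "xml"
    raise ValueError("not a property list")

def walk_bookmarks(node: dict, folder: str = ""):
    """Depth-first walk of the bookmark tree, yielding one record per leaf."""
    if node.get("WebBookmarkType") == "WebBookmarkTypeLeaf":
        yield {"folder": folder,
               "title": node.get("URIDictionary", {}).get("title", ""),
               "url": node.get("URLString", ""),
               "reading_list": "ReadingList" in node
                               or folder.endswith("com.apple.ReadingList")}
    title = node.get("Title", "")
    for child in node.get("Children", []):
        yield from walk_bookmarks(child, f"{folder}/{title}" if title else folder)

def extract_bookmarks(data: bytes) -> list:
    """plistlib.loads accepts both flavours; the detected format is kept for the report."""
    fmt = plist_format(data)
    return [dict(rec, source_format=fmt) for rec in walk_bookmarks(plistlib.loads(data))]

if __name__ == "__main__":
    for rec in extract_bookmarks(sample_blob()):
        print(rec)
```

To run it against a real file, replace sample_blob() with the bytes read from ~/Library/Safari/Bookmarks.plist on the forensic image.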

12.5 Core Artifacts: Tracking User Activity

When investigating data theft or malware execution, we rely on three primary artifacts: FSEvents, Spotlight, and Quarantine Data.

12.5.1 FSEvents (File System Events)

In Windows, we use the $LogFile or $UsnJrnl to track file creation and deletion. In macOS, we use FSEvents.

The FSEvents daemon records changes to the file system to help Time Machine (backup software) know what files need to be backed up. Fortunately for forensics, these logs persist for a long time.

  • Location: /.fseventsd/ (on the root of the volume).
  • Content: The files are GZIP compressed archives containing "pages" of log data.
  • What it proves: It shows if a file was Created, Modified, Renamed, or Deleted.
  • The Artifact ID: Each event is assigned a sequential ID. By analyzing the gap in IDs, an examiner can determine if logs have been purged (anti-forensics).

Real-World Scenario: A suspect plugs in a USB drive named "STEAL_DATA". FSEvents will record the mounting of the volume /Volumes/STEAL_DATA and subsequent file copy operations to that path, even if the USB drive is currently unplugged.

12.5.2 Spotlight Indexing

Spotlight is the internal search engine of macOS. To make searching fast, macOS constantly indexes the metadata of every file on the system.

  • Location: /.Spotlight-V100/Store-V2/
  • Forensic Value: The Spotlight database allows you to search for metadata of files that may no longer exist. If a user downloads a manual on "How to Build a Bomb" and then deletes it, the file system entry might be gone, but the Spotlight index might still contain the text content or the file name of that PDF.

12.5.3 Quarantine Events (The "Mark of the Web")

When a user downloads a file from the internet using a browser (Safari, Chrome, etc.) or receives it via AirDrop, macOS tags it with a "Quarantine" attribute. This is to warn the user: "You downloaded this application from the internet. Are you sure you want to open it?"

  • Location: ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (This is a SQLite database).
  • Data Stored:
    • LSQuarantineDataURL: The exact URL the file was downloaded from.
    • LSQuarantineOriginURL: The referring website.
    • LSQuarantineAgentName: The app used to download it (e.g., "Google Chrome").
    • LSQuarantineTimeStamp: When the download occurred.

Why this matters: In a malware investigation, this artifact connects the malicious binary on the disk directly to the malicious URL on the web. In a CSAM (Child Sexual Abuse Material) investigation, it proves the user actively downloaded the content rather than it being placed there by a system process.
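As an added example (not from the chapter), this Python builds a constructed copy of the QuarantineEventsV2 table in an in-memory SQLite database, converts LSQuarantineTimeStamp from its Cocoa epoch (seconds since 2001-01-01 UTC) to a readable UTC time, and joins a file's com.apple.quarantine extended attribute back to the database row that records its download and referrer URLs. Assumptions: the URL columns carry a "String" suffix as in the real schema, and the xattr value has the four-field layout flags;hex Unix time;agent;event UUID; all UUIDs, times and URLs are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed rows in the shape of the LSQuarantineEvent table (assumption: the
# real schema names the URL columns with a "String" suffix; every UUID, time and
# URL below is made up for this example).
SAMPLE_EVENTS = [
    ("F3A1C2B4-0000-4000-8000-000000000001", 756000000.0, "Safari",
     "https://example.com/downloads/installer.dmg", "https://example.com/"),
    ("F3A1C2B4-0000-4000-8000-000000000002", 756003600.0, "Google Chrome",
     "https://example.org/tool.zip", "https://search.example.org/?q=tool"),
]

def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?)", SAMPLE_EVENTS)
    return conn

def cocoa_to_utc(ts: float) -> datetime:
    """LSQuarantineTimeStamp counts seconds since 2001-01-01 UTC, not the Unix epoch."""
    return COCOA_EPOCH + timedelta(seconds=ts)

def download_timeline(conn) -> list:
    """Every quarantine event, oldest first, with the timestamp rendered as UTC."""
    rows = conn.execute("""SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
        LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString
        FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp""")
    return [{"id": r[0], "when": cocoa_to_utc(r[1]).isoformat(), "agent": r[2],
             "data_url": r[3], "origin_url": r[4]} for r in rows]

def parse_quarantine_xattr(value: str) -> dict:
    """Split a com.apple.quarantine xattr value: flags;hex Unix time;agent;event UUID
    (assumption: this four-field layout is what macOS writes on the file)."""
    flags, hex_ts, agent, event_id = value.split(";", 3)
    return {"flags": int(flags, 16),
            "when": datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc).isoformat(),
            "agent": agent, "event_id": event_id}

def attribute_file(conn, xattr_value: str):
    """Join the file's xattr UUID to the database row holding its download and referrer URLs."""
    event_id = parse_quarantine_xattr(xattr_value)["event_id"].upper()
    return next((ev for ev in download_timeline(conn) if ev["id"].upper() == event_id), None)

if __name__ == "__main__":
    db = build_sample_db()
    print(attribute_file(db, "0083;675f6d80;Safari;F3A1C2B4-0000-4000-8000-000000000001"))
```

On a live Mac the xattr value is read with xattr -p com.apple.quarantine <file>; note that the xattr stores Unix seconds while the database stores Cocoa seconds, so the two clocks only agree after conversion.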


12.6 Pattern of Life: KnowledgeC and Unified Logs

"Pattern of Life" analysis aims to reconstruct the user's day-to-day habits. When were they active? What apps were they focused on? Did they lock their screen?

12.6.1 KnowledgeC.db

Perhaps the most powerful database in modern macOS forensics is KnowledgeC.db. It is part of the CoreDuet framework, which manages system resources based on user behavior.

  • Location: /private/var/db/CoreDuet/Knowledge/knowledgeC.db
  • Format: SQLite Database.

This database tracks "Streams" of data. Some of the most valuable streams include:

Stream Name         | Forensic Description
--------------------|------------------------------------------------------------------------
/app/inFocus        | Logs which application window was in the foreground (active) and for how long. Used to prove the user was actively looking at a specific program.
/app/usage          | Tracks how many times an app has been launched and the total usage time.
/device/isPluggedIn | Logs when the MacBook was connected to AC power.
/display/isBacklit  | Logs when the screen was on or off.
/safari/history     | Can contain web history even if the user cleared their browser cache, as this is a system-level log.

Example: If a suspect claims, "I wasn't at my computer at 2:00 PM," but the /app/inFocus stream shows they were actively switching between Microsoft Outlook and Excel at 2:03 PM, their alibi is disproven.
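As an added example (not from the chapter), the Python below reproduces the alibi check above against a constructed copy of knowledgeC.db's ZOBJECT table: it converts the Cocoa-epoch ZSTARTDATE/ZENDDATE values, lists the /app/inFocus intervals in the suspect's local time zone, and answers "which app was in focus at 2:03 PM local?" by comparing in UTC. Assumptions: the ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE and ZENDDATE column names match the real table, the Mac's local zone is UTC-5, and all bundle IDs and times are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumed local zone of the suspect's Mac for this example (knowledgeC stores UTC).
LOCAL_TZ = timezone(timedelta(hours=-5))

def to_cocoa(dt: datetime) -> float:
    """Aware datetime -> seconds since 2001-01-01 UTC, the unit ZSTARTDATE/ZENDDATE use."""
    return (dt - COCOA_EPOCH).total_seconds()

def from_cocoa(ts: float) -> datetime:
    return COCOA_EPOCH + timedelta(seconds=ts)

def local_time(hour: int, minute: int) -> datetime:
    """Constructed Tuesday (2024-12-17) in the assumed local zone."""
    return datetime(2024, 12, 17, hour, minute, tzinfo=LOCAL_TZ)

# Constructed rows in the shape of knowledgeC.db's ZOBJECT table (assumption: the
# ZSTREAMNAME / ZVALUESTRING / ZSTARTDATE / ZENDDATE column names are the real
# ones; bundle IDs and times are made up to mirror the alibi example in the text).
SAMPLE_ROWS = [
    ("/app/inFocus", "com.microsoft.Outlook", to_cocoa(local_time(13, 58)), to_cocoa(local_time(14, 2))),
    ("/app/inFocus", "com.microsoft.Excel", to_cocoa(local_time(14, 2)), to_cocoa(local_time(14, 5))),
    ("/app/inFocus", "com.microsoft.Outlook", to_cocoa(local_time(14, 5)), to_cocoa(local_time(14, 9))),
    ("/display/isBacklit", None, to_cocoa(local_time(13, 0)), to_cocoa(local_time(15, 0))),
]

def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (ZSTREAMNAME TEXT, ZVALUESTRING TEXT, "
                 "ZSTARTDATE REAL, ZENDDATE REAL)")
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn

def focus_sessions(conn, tz=LOCAL_TZ) -> list:
    """Every /app/inFocus interval as (bundle id, start, end) in the chosen zone."""
    rows = conn.execute("""SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT
        WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE""")
    return [(app, from_cocoa(s).astimezone(tz).strftime("%H:%M"),
             from_cocoa(e).astimezone(tz).strftime("%H:%M")) for app, s, e in rows]

def app_in_focus_at(conn, moment: datetime):
    """Bundle ID whose focus interval covers `moment` (timezone-aware), else None.
    The comparison is done in Cocoa seconds so local-time claims are tested in UTC."""
    ts = to_cocoa(moment)
    row = conn.execute("""SELECT ZVALUESTRING FROM ZOBJECT
        WHERE ZSTREAMNAME = '/app/inFocus' AND ZSTARTDATE <= ? AND ? < ZENDDATE""",
        (ts, ts)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_sample_db()
    print("14:03 local:", app_in_focus_at(db, local_time(14, 3)))
```

Getting the time zone wrong by a few hours is the most common way this check produces a false alibi result, which is why the query takes an aware datetime rather than a bare clock time.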

12.6.2 Unified Logging (.tracev3)

Prior to macOS Sierra, logs were simple text files (system.log). Now, Apple uses Unified Logging. These logs are stored in a binary, compressed format (.tracev3) and are kept in memory until they are persisted to disk.

  • Location: /private/var/db/uuidtext/ and /private/var/db/diagnostics/
  • The Challenge: You cannot simply open these files in a text editor. They require the log command-line tool on a Mac or specialized parsing tools to "rehydrate" the logs using localized strings.
  • The Value: These logs are incredibly verbose. They capture USB connection events (USBMSC), sudo commands, login attempts, and AirDrop transfers.

USB Investigation via Unified Logs: Unlike the Windows Registry (USBSTOR), macOS does not keep a neat list of every USB device ever connected in a single plist. Instead, examiners must query the Unified Logs for the IOUSBHostDevice process to see historical connections.


12.7 System Integrity and Backups

12.7.1 Time Machine

Time Machine is Apple’s built-in backup utility. If a suspect uses Time Machine, the external backup drive becomes a snapshot of the system at various points in the past.

  • Local Snapshots: Even without an external drive, macOS creates "Local Snapshots" on the main drive. These can allow a forensic examiner to recover deleted files that haven't been overwritten yet, effectively letting you browse the file system as it existed 24 hours ago.

12.7.2 SIP (System Integrity Protection)

While not a forensic artifact, SIP is a hurdle for forensic acquisition. SIP prevents the "root" user from modifying system files.

  • Impact on Live Forensics: If you are performing a live collection on a running Mac, SIP may prevent your forensic tools from accessing certain protected directories (like parts of the user's library or system logs). You may need to ask the user to grant "Full Disk Access" to your forensic agent, or boot into Recovery Mode to disable SIP (though this alters the system).

12.8 A Comparison: Windows vs. macOS Artifacts

For students transitioning from our Windows modules, here is a "Rosetta Stone" to map your knowledge:

Windows Artifact        | macOS Equivalent                | Purpose
------------------------|---------------------------------|---------------------------------
Registry                | Property Lists (.plist)         | Configuration and settings.
$LogFile / $UsnJrnl     | FSEvents                        | File system change tracking.
Prefetch / Shimcache    | KnowledgeC.db / Recent Items    | Proof of execution.
Zone.Identifier (ADS)   | Quarantine Events               | Source of downloaded files.
LNK Files / Jump Lists  | Dock Plist / Recent Items Plist | Shortcut and recent file access.
Event Logs (.evtx)      | Unified Logs (.tracev3)         | System and security logging.
Pagefile.sys            | Swapfile(s)                     | Virtual memory.

12.9 Real-World Case Study: The "Airdropped" Secrets

Scenario: You are investigating an insider threat at a design firm. An employee, "User A," is suspected of leaking confidential schematics to a competitor. User A uses a corporate MacBook Pro. They deny sending any emails or using USB drives.

Investigation Workflow:

  1. Acquisition: You perform a physical image of the Data Volume.
  2. File System Analysis (FSEvents): You analyze .fseventsd and see that a file named Secret_Project_X.pdf was accessed at 14:00 hours on Tuesday.
  3. Pattern of Life (KnowledgeC): Checking /app/inFocus in KnowledgeC.db, you see that the "Finder" window was active, followed immediately by the "AirDrop" interface.
  4. Unified Logs: You query the logs for "sharingd" (the Sharing Daemon). You find an entry at 14:02 hours: “Sending transfer to device: ‘Competitor’s iPhone’”.
  5. Conclusion: The user did not use email or USB. They used AirDrop (Bluetooth/Wi-Fi direct) to beam the file to a nearby device. The combination of FSEvents (file access) and Unified Logs (transfer mechanism) proves the theft.

12.10 Summary

macOS forensics requires a shift in mindset. We are moving away from centralized databases like the Registry and toward decentralized, file-based artifacts like Plists and SQLite databases.

The introduction of APFS, with its separation of System and Data volumes, dictates where we look for evidence. While Apple encrypts and protects data aggressively, they also log user behavior meticulously in KnowledgeC.db and Unified Logs to improve user experience. These "convenience" features are the forensic examiner's greatest asset.

In the next chapter, we will leave the desktop environment entirely and look at the computers we carry in our pockets: Mobile Forensics.