Apple Computer Forensics

 

Apple computers are far more common than they were a few years ago, so the interpretation of their artifacts deserves special attention.

Macs carry more dates per file than PCs. One example: every file receives a sequential ID (the HFS+ Catalog Node ID, or the inode number on APFS) as it comes into existence on the volume, which is extremely useful in deciding whether dates have been altered. Plists and Spotlight data also hold a wealth of potential evidentiary information.

We selected a few artifacts of interest that come up time and time again when establishing what might have happened on a device.

** Disclaimer: all explanations below are for informational purposes only. Only a careful and thorough examination of the evidence, correlating all relevant artifacts, by a skilled forensic examiner can establish what might have occurred on a device.


Dates

Often overlooked by examiners, Apple computers carry dates that PCs don't have, and the familiar ones behave differently from their PC counterparts. Let's start with the very helpful "Date Added" (kMDItemDateAdded in the Spotlight metadata). When a file is placed on an Apple computer, or moved into a different folder, its Date Added becomes the time of that placement. When files are transferred from one Mac to another, "Date Created" keeps the original creation date, so a creation date far older than the Date Added is normal for a copied file. "Date Accessed" is changed by many things (Quick Look and Cover Flow among them), so care must be taken before reading it as the user opening the file. "Date Last Opened" (kMDItemLastUsedDate) is Spotlight metadata rather than a file-system timestamp, which is why it is readily available only on a live machine. There is also an "Attribute Modification Date" (the change time, updated when metadata such as permissions or ownership changes rather than content) available to the examiner.

** As a side note: a Time Machine restore to a new computer will have its own pattern of dates and times, which should not be mistaken for the history of the original machine.


Catalogue ID

If all those dates still don't show when a file of interest arrived on the computer, the Catalogue ID number (the HFS+ Catalog Node ID, or CNID; on APFS the inode number plays the same role) will help. Each file, whether generated by the operating system or created by the user, and no matter how small, is given the next sequential number by the file system as it arrives on the volume. Sorting files by this number therefore gives the order in which they came to exist, independent of whatever timestamps they now carry. Two caveats: a file copied from elsewhere keeps its original creation date while receiving a new, higher ID, and moving or renaming a file within the same volume keeps its ID.
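The checks described in the Dates and Catalogue ID sections above, written out in Python as an added example (this is not code from the page). The file listing, its IDs and every timestamp are constructed for illustration; in a real examination they would come from the examiner's HFS+/APFS parser and from the Spotlight Date Added attribute. The rules are heuristics: a creation date later than the last-modified date or later than the Date Added should not occur naturally, and, because IDs are handed out in arrival order, a file whose Date Added predates that of a lower-ID file either had its dates adjusted or the earlier file was later moved, which is why each finding is a lead to correlate rather than a conclusion.

```python
"""Timestamp vs. arrival-order consistency checks for a macOS file listing.

Hypothetical example code written for this page, not a tool from the page.
The listing below is constructed: in practice the CNID (HFS+) or inode
number (APFS) and the timestamps come from the examiner's parser.
"""
from datetime import datetime, timedelta

# Constructed sample: (name, cnid, created, last_modified, date_added), all UTC.
SAMPLE_LISTING = [
    ("report.docx",   10001, "2017-03-01T09:00:00", "2017-03-01T09:30:00", "2017-03-01T09:00:00"),
    # Copied from another Mac: old creation date, new Date Added. Normal.
    ("invoice.pdf",   10002, "2016-12-15T14:00:00", "2016-12-15T14:00:00", "2017-03-02T11:20:00"),
    # Creation date later than last modification: cannot happen naturally.
    ("notes.txt",     10003, "2017-03-03T08:00:00", "2017-03-02T18:00:00", "2017-03-03T08:00:00"),
    # Creation date later than the time it was added to the volume.
    ("contract.pdf",  10004, "2017-03-05T10:00:00", "2017-03-05T10:00:00", "2017-03-04T16:00:00"),
    # Highest ID (arrived last) but every date is years before its neighbours.
    ("old_plan.xlsx", 10005, "2015-06-01T12:00:00", "2015-06-01T12:00:00", "2015-06-01T12:00:00"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def check_listing(records, tolerance=timedelta(seconds=2)):
    """Return [(name, reason), ...] for records whose dates disagree with each
    other or with the arrival order implied by the sequential ID.
    Heuristics, not proof: every finding still needs correlation."""
    findings = []
    # Sequential IDs are assigned as files arrive, so ID order is arrival order.
    latest_added = None
    for name, _cnid, created, modified, added in sorted(records, key=lambda r: r[1]):
        c, m, a = _ts(created), _ts(modified), _ts(added)
        if c - m > tolerance:
            findings.append((name, "created after last modified"))
        if c - a > tolerance:
            findings.append((name, "created after date added"))
        # The Date Added of a later arrival should not predate an earlier
        # arrival's. A lower-ID file moved to another folder later produces
        # the same pattern, so correlate (e.g. with FSEvents) before relying on it.
        if latest_added is not None and latest_added - a > tolerance:
            findings.append((name, "date added predates a file with a lower ID"))
        if latest_added is None or a > latest_added:
            latest_added = a
    return findings


if __name__ == "__main__":
    for name, reason in check_listing(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

Run against a real listing, the tolerance absorbs the sub-second rounding that different parsers apply; raise it if the volume's timestamps were written by a system whose clock was known to be stepped.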

 


Plists

Plist (property list) files, which hold preferences and other application state, contain a wealth of information for the forensic examiner about computer and user configuration, installed applications, recent items and more. They live all over the system (/Library/Preferences for machine-wide settings, ~/Library/Preferences for per-user ones, and inside application bundles and containers) and come in XML or binary form; the examiner can drill down to the exact plist that answers a specific question. Timestamps inside plists are frequently stored as seconds since 2001-01-01 00:00:00 UTC (Mac absolute time) rather than since the Unix epoch, so they must be converted before being placed on a timeline.
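An added example (not code from this page or from Apple) of drilling into a plist: it loads the same constructed preference content in XML and binary form, flattens the nested keys so they can be grepped, and converts a Mac absolute time to ISO 8601. The key names (RecentDocuments, LastUsed and the rest) are made up for the example and belong to no real application; plistlib's parsing, and the 2001-01-01 epoch, are real.

```python
"""Parse a preference plist (XML or binary) and flatten it for review.

Hypothetical example code written for this page, not a tool from the page or
from Apple. The preference content is constructed; the key names are made up.
"""
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed sample preferences. LastUsed is stored the way many plists store
# timestamps: seconds since 2001-01-01 00:00:00 UTC (Mac absolute time).
SAMPLE_PREFS = {
    "RecentDocuments": [
        {"Path": "/Users/alice/Documents/report.docx", "LastUsed": 500000000.0},
    ],
    "LoginItemEnabled": True,
    "WindowFrame": "{{0, 0}, {1280, 720}}",
}
XML_SAMPLE = plistlib.dumps(SAMPLE_PREFS)                              # XML form
BINARY_SAMPLE = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)  # on-disk bplist00 form

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_datetime(seconds):
    """Convert a Mac absolute time (seconds since 2001-01-01 UTC) to a datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def plist_format(data):
    """Binary plists start with the 'bplist00' magic; anything else is treated as XML."""
    return "binary" if data[:8] == b"bplist00" else "xml"


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {'a.b[0].c': value} so keys can be searched."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def summarize(data, cocoa_keys=("LastUsed",)):
    """Load XML or binary plist bytes; convert the named Cocoa-timestamp keys to ISO 8601.
    cocoa_keys is a hypothetical allow-list: convert only keys you know hold Mac absolute time."""
    flat = flatten(plistlib.loads(data))  # plistlib detects the format itself
    for key, value in flat.items():
        if key.rsplit(".", 1)[-1] in cocoa_keys and isinstance(value, (int, float)):
            flat[key] = cocoa_to_datetime(value).isoformat()
    return flat


if __name__ == "__main__":
    for sample in (XML_SAMPLE, BINARY_SAMPLE):
        print(plist_format(sample))
        for key, value in summarize(sample).items():
            print(f"  {key} = {value!r}")
```

Converting only an explicit list of keys is deliberate: a bare float in a plist may be a window size or a version number, and auto-converting every large number would manufacture timestamps that were never there.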



Spotlight

Spotlight was designed with the user experience in mind: quick searches whether the user is after an application, an email or a file. It is gold for the forensic examiner, because Spotlight indexes everything in its path and its metadata store (the hidden .Spotlight-V100 directory at the root of each indexed volume) can retain entries for files after they have been deleted, even securely. The user can override the default settings and exclude selected folders (through the Spotlight Privacy preferences, a .noindex suffix on a folder name, or a .metadata_never_index file at a volume root), so a sparse or missing index is itself worth noting.


iNode hard links

Without going into a very technical discussion of soft links vs. hard links: on HFS+, a file with more than one hard link is stored as an iNodeNNN entry in the hidden "HFS+ Private Data" directory, and directory hard links (dir_NNN entries in the ".HFS+ Private Directory Data" folder) are how Time Machine shares unchanged folders between successive backups. The presence of large numbers of these iNode entries on a Mac volume is most likely an indication of a Time Machine backup.


System log files

As the name suggests, these files (under /var/log and /Library/Logs, with the Unified Logging store alongside them from macOS Sierra onward) record system activity. They help establish system-wide information such as software installations (install.log), time and time-zone changes, usage statistics, error messages, and crash reports (the DiagnosticReports folders).


FSEvents

FSEvents is valuable to a forensic examination because it holds historical information about changes to the file system: which files and folders were created, modified, renamed or removed, and in what order. The records are written by the fseventsd daemon into the hidden .fseventsd directory at the root of each volume as gzip-compressed log files; once a log file has been written it is not updated again, so the archived logs stay unchanged for as long as they exist, although the operating system can purge them. The records carry paths and event flags but no per-record timestamps, so events must be ordered by event ID and correlated with other artifacts (the log file's own dates, the file-system timestamps above) to place them in time.
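An added example (not code from this page or from Apple) that parses an fseventsd log page into ordered events. It assumes the commonly documented DLS layout: a gzip-compressed file of pages, each page a 4-byte magic ('1SLD' or '2SLD'), 4 unknown bytes and a little-endian uint32 page length including the header, followed by records of a NUL-terminated volume-relative path, a uint64 event ID, a uint32 flags word and, for 2SLD pages only, a uint64 node ID. The flag bit names are the ones usually documented and are an assumption to verify against a parser you trust; the sample records (a document created, edited, renamed and deleted) are constructed here, and build_page exists only to produce that input.

```python
"""Parse an fseventsd log page into an ordered list of events.

Hypothetical example code written for this page, not a tool from the page or
from Apple. Page layout and flag bits are assumptions (see FLAG_NAMES).
"""
import gzip
import struct

# Assumed flag bit meanings (subset of the commonly documented values).
FLAG_NAMES = {
    0x00000001: "FolderEvent",
    0x00000020: "EndOfTransaction",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x08000000: "Renamed",
    0x10000000: "Modified",
}


def decode_flags(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def build_page(records, magic=b"2SLD"):
    """Serialise (path, event_id, flags, node_id) tuples into one DLS page.
    Used only to construct sample input; paths are volume-relative, no leading '/'."""
    body = b""
    for path, event_id, flags, node_id in records:
        body += path.encode("utf-8") + b"\0" + struct.pack("<QI", event_id, flags)
        if magic == b"2SLD":
            body += struct.pack("<Q", node_id)
    return magic + b"\0\0\0\0" + struct.pack("<I", 12 + len(body)) + body


def parse_fsevents_log(data):
    """Return events sorted by event ID. Accepts gzip-compressed or raw page data."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    events, offset = [], 0
    while offset < len(data):
        magic = data[offset:offset + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError(f"bad page magic {magic!r} at offset {offset}")
        page_len = struct.unpack_from("<I", data, offset + 8)[0]
        end, pos = offset + page_len, offset + 12
        while pos < end:
            nul = data.index(b"\0", pos, end)
            path = data[pos:nul].decode("utf-8", errors="replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            pos = nul + 1 + 12
            node_id = None
            if magic == b"2SLD":  # DLS2 records carry the node (inode) ID as well
                node_id = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            events.append({"path": path, "event_id": event_id,
                           "flags": decode_flags(flags), "node_id": node_id})
        offset = end
    # No timestamps in the records: event ID order is the only order available.
    return sorted(events, key=lambda e: e["event_id"])


# Constructed sample: a document created, edited, renamed and deleted.
SAMPLE_RECORDS = [
    ("Users/alice/Documents",            1001, 0x00000001, 200),
    ("Users/alice/Documents/draft.docx", 1002, 0x01008000 | 0x10000000, 201),
    ("Users/alice/Documents/draft.docx", 1003, 0x08008000, 201),   # rename: old name
    ("Users/alice/Documents/final.docx", 1003, 0x08008000, 201),   # rename: new name, same ID
    ("Users/alice/Documents/final.docx", 1004, 0x02008000, 201),
    (".fseventsd",                       1005, 0x00000021, 5),
]
SAMPLE_LOG = gzip.compress(build_page(SAMPLE_RECORDS))

if __name__ == "__main__":
    for e in parse_fsevents_log(SAMPLE_LOG):
        print(e["event_id"], e["path"], "+".join(e["flags"]))
```

The two halves of a rename share one event ID and, on DLS2 pages, one node ID, which is how the old and new names are tied together; on DLS1 pages only the shared event ID is available.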