Computer Forensics World :: View topic - OSX user accounts examination
OSX user accounts examination

 
donten
Newbie

Joined: Jul 10, 2016
Posts: 3

Posted: Sun Jul 10, 2016 11:25 pm    Post subject: OSX user accounts examination

Hi,

New to OSX forensics, can someone help me? I'm looking for the following artefacts:

1. Original OS installation date

2. Details of the accounts stored on a Mac running OSX 10. Creation dates, last logged in times etc.

I'd be very grateful for any help.

Don
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Jul 14, 2016 1:09 pm

Clearly your Google-fu is weak.

"http://www.forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location"

"https://docs.google.com/spreadsheets/d/1VobbmKTw8h_wKr0fpNXiyqOc1eCTuqiRkhIguVk_eXA/edit?hl=en_US&pref=2&pli=1#gid=0"
donten
Newbie

Joined: Jul 10, 2016
Posts: 3

Posted: Fri Jul 15, 2016 2:28 am

Thank you for your reply.

The locations you have mentioned are the first places I have looked along with many others.

The spreadsheet, whilst good, hasn't been updated in quite some time and locations of a lot of artifacts have changed for the more modern versions of OSX. The version I'm dealing with is OSX 10.11.2.

The case I'm looking at is not straightforward and there are things missing... for example, the install.log file should contain a good deal of information... but it doesn't, along with the others. AppleSetupDone.log is another file that should have some good info... but this details the last OS update instead of the original installation date of the OS... So do you know any others?

Do you know the location of the login times for different accounts, as I cannot find this anywhere? In fact I can't find a lot of forensic information on the OSX user accounts on the latest operating systems.

If you can't be of further help, I'd love to hear from you.

Thank you

D
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Fri Jul 15, 2016 11:16 am

10.11.2, well that does make a difference. Your original post was so generic and lacking specifics that a general answer was all it merited. I am traveling today, but if you can post some specifics about exactly what you are trying to find I will get you some answers when I get back to the lab.

There are so many students and people with little clue about what they are doing that post questions and never return to follow up that spending a lot of time on questions is just not worth it.
donten
Newbie

Joined: Jul 10, 2016
Posts: 3

Posted: Sat Jul 23, 2016 8:17 pm

Hi,

Sorry for my delay in reply, I have been away on a course.

You're quite right, looking back at my original post maybe it should have had more detail in it. The problem was that when I wrote it I was not at my forensic workstation, so I needed to generalise a little... anyway, to business...

So what I'm actually trying to work out is pretty much the same data you would find on a Windows system in the registry... account login times, last shutdown etc. I cannot find the original OS install time anywhere... the previous places I mentioned do not have reliable info.

On another note, I've just come across something interesting in Unallocated Clusters regarding what I think may be file access of the HDD: 'File:/// <path>'. Do you think this may indicate local file access? I have seen similar in Windows systems that indicates local file access; do you think this is the same here on OSX?

Don
All times are GMT + 10 Hours