Abstract

This chapter introduces the file system used by OS X, explains the layout of files and directories on the file system, and analyzes artifacts related to user and system activity. The file system used by OS X is called HFS Plus or Mac OS Extended. The chapter details the extraction of binary property list files, which are used to store the bulk of OS X's configuration details and subsequently contain many artifacts of interest. The bulk of the structures that an HFS+ volume relies on for proper function are stored in the volume as hidden files. Each user on the system will have a plist stored under /private/var/db/dslocal/nodes/Default/users/ that corresponds to their short username. This contains basic user information similar to /etc/passwd entries on Linux systems, including the path to the user's default shell, the user's long displayed name, and the user's UID. As Mac OS X systems continue to gain popularity, the ability to process these systems will become increasingly important. Additionally, many of the artifacts generated by OS X on desktops and laptops are also found on the iOS used in Apple's line of mobile products: the iPod Touch, the iPhone, and the iPad.
