A Few Mac Artifacts You Should Be Paying Attention To
Since we announced support for macOS with AXIOM 3.0 in March 2019, we have strengthened our support for Mac investigations with every release.
With the release of AXIOM 3.11 around the corner (it adds support for even more Mac artifacts), we thought it was a good opportunity to catch up with Christopher Vance, one of our Magnet AXIOM macOS Examinations (AX350) instructors and a lead developer of the course content, to get his thoughts on his favorite macOS artifacts and why they matter to examiners doing Mac investigations.
File System Events
The File System Events artifact, parsed from the .fseventsd logs, gives examiners evidence of files that may no longer exist on the system. Tracking flags such as “Renamed” lets an examiner reconstruct the path a file lived at before it was moved to the Trash and permanently deleted. Because every mounted volume keeps its own .fseventsd directory, the artifact can also reveal other volumes that were attached to the computer. Keep in mind that individual fsevents records carry no timestamp of their own; timing is inferred from the log file’s name and modification time, so treat it as approximate.
Quarantined Files
The Quarantined Files artifact shows which files were flagged for Gatekeeper inspection when they arrived on the system. The receiving application records the event in the LaunchServices quarantine database, and that record outlives the file itself, so the artifact can include downloads that no longer appear in Safari’s download list as well as files transferred by AirDrop or iMessage.
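As an added example (not code from the article or from Magnet AXIOM), the following Python builds a small in-memory stand-in for the LaunchServices quarantine database and lists its events oldest first. The table and column names follow the com.apple.LaunchServices.QuarantineEventsV2 schema as I know it from real images, not from this page, so verify them against your own evidence; the rows are constructed sample data, and timestamps are converted from Mac absolute time (seconds since 2001-01-01 UTC).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_iso(seconds):
    """Convert a Mac absolute timestamp (float seconds) to an ISO-8601 UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_quarantine_db():
    """Constructed stand-in for QuarantineEventsV2 (sample rows, not from a real image).

    Column names are an assumption based on the real database schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE LSQuarantineEvent (
            LSQuarantineEventIdentifier TEXT PRIMARY KEY,
            LSQuarantineTimeStamp REAL,
            LSQuarantineAgentBundleIdentifier TEXT,
            LSQuarantineAgentName TEXT,
            LSQuarantineDataURLString TEXT,
            LSQuarantineSenderName TEXT,
            LSQuarantineSenderAddress TEXT,
            LSQuarantineTypeNumber INTEGER,
            LSQuarantineOriginTitle TEXT,
            LSQuarantineOriginURLString TEXT,
            LSQuarantineOriginAlias BLOB
        )""")
    rows = [
        # A Safari download: the data URL is what the file was fetched from.
        ("A1", 600000000.0, "com.apple.Safari", "Safari",
         "https://example.test/report.pdf", None, None, 0, None, "https://example.test/", None),
        # An iMessage attachment: no URL, but a sender name and address.
        ("A2", 600003600.0, "com.apple.MobileSMS", "Messages",
         None, "Alice", "alice@example.test", 0, None, None, None),
        # An AirDrop transfer: only the sending device name is recorded.
        ("A3", 600007200.0, "com.apple.sharingd", "AirDrop",
         None, "Bob's iPhone", None, 0, None, None, None),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def quarantine_events(conn):
    """Return every quarantine event, oldest first, with the timestamp converted."""
    cur = conn.execute("""
        SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
               LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier,
               LSQuarantineDataURLString, LSQuarantineSenderName, LSQuarantineSenderAddress
        FROM LSQuarantineEvent
        ORDER BY LSQuarantineTimeStamp""")
    events = []
    for ident, ts, agent, bundle, url, sender, addr in cur:
        events.append({
            "id": ident,
            "time": mac_absolute_to_iso(ts),
            "agent": agent,
            "bundle": bundle,
            # Downloads carry a URL; AirDrop and iMessage transfers carry a sender instead.
            "source": url or sender or addr or "(unknown)",
        })
    return events


if __name__ == "__main__":
    for e in quarantine_events(build_sample_quarantine_db()):
        print(f"{e['time']}  {e['agent']:<10} {e['source']}")
```

On a real image, open the user’s com.apple.LaunchServices.QuarantineEventsV2 file with the same query; the event row remains after the downloaded file and its com.apple.quarantine extended attribute are gone, which is what makes this artifact useful for files that no longer exist.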
Recently Used Items
Recently Used Items collects data from several plist files and presents it in an easy-to-understand view. It is roughly the macOS counterpart of Windows Jump Lists: examiners can see which documents and applications were recently accessed, and also which files were opened by specific applications such as video players or document editors.
KnowledgeC: Application Focus, Activities & Intents
Together, these three KnowledgeC artifacts let an examiner build a timeline of device activity and user pattern of life: which applications were in the foreground, when, and potentially what the user was doing with those applications.
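As an added example (not code from the article or from Magnet AXIOM), the following Python shows the kind of timeline query these artifacts rest on. It builds a constructed stand-in for the ZOBJECT table of knowledgeC.db, keeps only the /app/inFocus, /app/activity and /app/intents streams, orders the records by start time, and sums foreground time per application. The table, column and stream names, and the database locations mentioned afterwards, come from my own knowledge of the real database rather than from this page, so confirm them against your evidence; the sample rows are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# knowledgeC.db stores Mac absolute time: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# The three streams the article singles out (assumed names from the real database).
APP_STREAMS = ("/app/inFocus", "/app/activity", "/app/intents")


def mac_absolute_to_iso(seconds):
    """Convert a Mac absolute timestamp (float seconds) to an ISO-8601 UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_knowledgec_db():
    """Constructed stand-in for the ZOBJECT table (sample rows, not from a real image)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE ZOBJECT (
            Z_PK INTEGER PRIMARY KEY,
            ZSTREAMNAME TEXT,
            ZVALUESTRING TEXT,
            ZSTARTDATE REAL,
            ZENDDATE REAL
        )""")
    rows = [
        (1, "/app/inFocus",  "com.apple.Safari",     600000000.0, 600000300.0),
        (2, "/app/inFocus",  "com.apple.TextEdit",   600000300.0, 600001200.0),
        (3, "/app/activity", "com.apple.TextEdit",   600000320.0, 600000320.0),
        (4, "/app/inFocus",  "com.apple.Safari",     600001200.0, 600001500.0),
        (5, "/app/intents",  "com.apple.mobilemail", 600001510.0, 600001510.0),
        # A stream outside APP_STREAMS; the timeline query must skip it.
        (6, "/display/isBacklit", None,              600001600.0, 600005200.0),
    ]
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?)", rows)
    return conn


def app_timeline(conn):
    """Return focus/activity/intent records in start order with durations in seconds."""
    placeholders = ",".join("?" * len(APP_STREAMS))
    cur = conn.execute(f"""
        SELECT ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE
        FROM ZOBJECT
        WHERE ZSTREAMNAME IN ({placeholders})
        ORDER BY ZSTARTDATE""", APP_STREAMS)
    return [
        {"stream": stream, "bundle": bundle,
         "start": mac_absolute_to_iso(start), "end": mac_absolute_to_iso(end),
         "seconds": int(end - start)}
        for stream, bundle, start, end in cur
    ]


def focus_seconds_by_app(conn):
    """Sum /app/inFocus time per bundle identifier: a quick pattern-of-life summary."""
    totals = {}
    for rec in app_timeline(conn):
        if rec["stream"] == "/app/inFocus":
            totals[rec["bundle"]] = totals.get(rec["bundle"], 0) + rec["seconds"]
    return totals


if __name__ == "__main__":
    db = build_sample_knowledgec_db()
    for rec in app_timeline(db):
        print(f"{rec['start']}  {rec['stream']:<14} {rec['bundle']:<22} {rec['seconds']:>5}s")
    print(focus_seconds_by_app(db))
```

On a real system the per-user copy lives at ~/Library/Application Support/Knowledge/knowledgeC.db and the system copy at /private/var/db/CoreDuet/Knowledge/knowledgeC.db. For /app/intents the bundle identifier alone says little; the intent class, verb and serialized interaction sit in the joined ZSTRUCTUREDMETADATA table, which this example leaves out.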
Dive Deeper in Our Magnet AXIOM macOS Examinations (AX350) Class
If you’re looking to deepen your knowledge of Mac investigations, the AX350 course covers all of these artifacts and more. More importantly, the class teaches you how to use one artifact to make sense of another and chain the data together to tell the whole story in an easy-to-understand way.
Whether you’re a seasoned macOS expert or doing your first Mac investigation, AX350 will benefit your casework. Once you understand AXIOM, the way the data is presented will make you feel as comfortable as if you were examining a Windows, iOS, or Android system.
About Christopher Vance
Before becoming a trainer full-time and Magnet Forensics’ Manager of Curriculum Development, Christopher was a forensic specialist with Marshall University’s Forensic Science Center and the West Virginia State Police’s Digital Forensics Unit. In a joint position between the university and the police agency, he worked active forensic cases for approximately 8 years.
Most of Christopher’s training has been around mobile forensics. Christopher’s current interests in forensics include research into mobile operating systems, macOS, and cloud investigations.
To keep up with Christopher, follow him on Twitter: @cScottVance.