Introduction to Mac OS X Forensics


On September 30th, 2015, Apple is set to release their latest version of Mac OS X: El Capitan. While its predecessor Yosemite brought many major updates to commonly used applications, El Capitan promises more subtle changes. With El Capitan, Apple is integrating Metal, iOS’s graphics API, into Mac OS X, along with various performance enhancements and additional features to existing applications.

This blog will document the LCDI’s investigation into the differences between El Capitan and its predecessor, Yosemite, that are significant from a forensic standpoint. A number of El Capitan’s changes are based around user experience, and it is important to look into whether new information is available from these changes and whether any previously available information has been moved. We will be asking questions such as: What are the default locations for user data and artifacts in both OS X Yosemite and OS X El Capitan? What information can be found on a Mac running OS X El Capitan (Apple ID information, etc.)? What artifacts have changed within OS X El Capitan compared to older versions of OS X such as OS X Yosemite? How does the new two-factor authentication in OS X El Capitan affect forensic data collection on OS X El Capitan devices?


The LCDI plans to look in depth at El Capitan and Yosemite to determine the location of various artifacts that were found in earlier versions of OS X and to compare artifact locations between the two versions. We plan on continuing research into additional artifacts that we were previously unable to locate in Yosemite due to the restrictions of using a virtual machine. When looking at artifact locations in Yosemite compared to Mavericks (the version prior to Yosemite), we found that a few of the known artifacts had changed locations. We plan on looking at El Capitan to see whether similar changes have happened again.

We will be utilizing iMacs to conduct data generation on both El Capitan and Yosemite. Using iMacs rather than a virtual machine will hopefully allow us to continue past research that was limited by the virtual machines’ capabilities and functions. We will be looking at Mac-specific services, both older and newly updated ones, as well as general user actions such as web browsing, to determine default locations for items of potential value to a forensic investigator. Some of the services of interest include: Spotlight, Photos, Maps, Notes, Safari, and Mail.


We will be sharing our progress and findings in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at
