Mac OS X Forensics Final Update

ewrtfreter

Intro

Mac OS X Yosemite and El Capitan have both been available to Mac users for a while now. As such, many users have updated their systems to at least one of the two versions of the OS X operating system. El Capitan has brought several new updates to OS X especially in terms of the default Apple apps. However, in terms of forensic artifacts it was fairly similar to OS X Yosemite with a few changes noted, but most of the artifacts remained the same.

It has been a while since the last time we reported on our progress. During that time period we finished examining the two operating systems and compiled spreadsheets containing the artifact locations. Then we generated a final report that will be available at “Mac Forensics Report” (Link to the final report). Overall the two versions of OS X were very similar and only had a few minor differences.

Analysis

The last time we update our progress we had just completed data gen and imaging of both the OS X Yosemite and El Capitan machines. We are happy to report that we finished our examination of the two images and were able to compile a list of artifact locations for both Yosemite and El Capitan. The lists contained many different artifacts ranging from application specific artifacts to system configuration files. Most of the artifacts that we located were user specific while a few were machine specific.

Once we had created the spreadsheets of the artifact locations we then compared them to determine what artifacts were different between Yosemite and El Capitan. We determined that the two versions were very similar and only a few artifacts had moved to new locations in El Capitan. However, through our analysis and comparison we were unable to locate some artifacts. We broke theses artifacts into two groups, obsolete and missing. Obsolete artifacts were determined if neither versions of the operating system had that artifact. Missing artifacts were determined if the artifact should have been generated during data gen but was still missing. In the end we created a comprehensive list of artifacts and their locations. This list can be found in our final report.

We created our final report using google docs so that we could all edit it at the same time. This led to a few problems, seeing as Microsoft Word and Google Docs do not keep the same formatting. This led us to have a few headaches further down the line. As a result, we had to type everything in Google Docs and then import it manually into Word in order to obtain the proper formatting that we were seeking. Once that was completed we then had to import all of our spreadsheets containing the artifact locations and format them to fit the theme of the final report as well. In the end we had created a nice report that looks great and has detailed information about the artifact locations for both OS X Yosemite and El Capitan.

With our final report completed we are now officially done with this project, at least for now. Our final report details specifically our methods and outcomes of our research. It goes into depth about what artifacts were determined to be new, obsolete, and what artifacts we expected to find but were unable to. Research into operating systems is never complete and further work can always be completed to enhance the available knowledge base and resources available.

Conclusion

Overall we determined a lot about the artifacts in both OS X Yosemite and El Capitan. We were able to overcome some of the difficulties of using virtual machines by using two separate iMacs to conduct our data gen. In general, Yosemite was very similar to the last project that we conducted at the LCDI. Almost all of the artifacts from last year’s research into Yosemite were exactly the same. The artifact locations in El Capitan were very similar to those in Yosemite. We only found a handful of artifacts in new locations and a few artifacts were unable to be located in El Capitan that we found in Yosemite. The largest change from Yosemite to El Capitan was with the mail application, and many of the artifact paths had changed. The two versions of OS X are very similar, but there is always more research to be done.

Our team made great progress in determining the default locations for artifacts in both OS X Yosemite and El Capitan. We were able to overcome several struggles associated with using a VM that earlier research encountered, but we still missed a few key pieces of software such as Microsoft Office. Further research could be conducted into applications that we missed in our data gen. We were unable to locate a few of the artifacts that should have been generated, and as such, further research could be conducted to determine if those artifacts are obsolete or where they are located in the current versions of the OS. It is also important to stay up to date with the current versions of operating systems. They are always being updated and this research needs to be conducted every time an OS is updated.

We look forward to updating you on our future projects here at the LCDI. Please take a look at our “final report”(Link to final report) on this project to get a more in depth look at the default artifacts in OS X Yosemite and El Capitan. If you have questions or comments about the project, you can leave a comment, or contact the LCDI via Twitter @ChampForensics, or via email at lcdi@champlain.edu.