Apple Computer Forensics
Apple computers are more widely used today than a few years ago. Special attention needs to be given to the interpretation of their artifacts.
Macs have more dates associated with files than PC’s. One example is that all files have sequential ID’s which are assigned as they come to exist on the computer. This is extremely useful in determining if dates have been altered. Plists and SpotLight files also contain a wealth of potential evidentiary information.
We selected a few artifacts of interest that seem to come up time and time again to establish what might have happened on a device.
** Disclaimer: all explanation below is for informational purposes only. Only careful and thorough examination of the evidence through correlation of all relevant artifacts by a skilled forensic examiner can establish what might have occurred on a device.
Often overlooked by examiners (and not presented by all forensic tools), Apple computers have additional dates that PC's don't have and they behave differently from their PC counterparts. Date created, modified and accessed are familiar terms to most. On Mac computers we also have “date added” and “attribute modification date”. “Date Last Opened” can also be viewed on a live machine. When copying files from one system to another the dates behave differently depending on the operating systems and care must be taken when interpreting the data. Additionally a TimeMachine restore will have its own pattern of dates and times.
If all those dates still didn’t shed light when a file of interest got on the computer, the Catalogue ID number is going to be helpful. Each file whether it is generated by the operating system or is a user-created file – no matter how small - is given a sequential number by the operating system as they arrive on the Mac. This allows us to determine if the dates and times have been changed.
Plist files (preference files) contain a wealth of information for the forensic examiner that can help in establishing computer and user configurations, applications, among others. They reside all over the computer and the examiner can drill down to the exact plist to answer a specific question.
Spotlight was designed with user experience in mind for quick searches whether the user is after an application, email, or a file. It is gold for the forensic examiner, as Spotlight will index everything in its path and leave artifacts behind even after files have been securely deleted. The user can override the default settings and exclude selected folders.