A Few Mac Artifacts You Should Be Paying Attention To


Since we announced support for macOS with AXIOM 3.0 in March 2019, we have continued to strengthen our support for Mac investigations with every release.

With the release of AXIOM 3.11 around the corner—which will add support for even more Mac artifacts—we thought it was a good opportunity to catch up with Christopher Vance, one of our Magnet AXIOM macOS Examinations (AX350) instructors and one of the lead developers of the course content, to get his thoughts on his favorite macOS artifacts and why they matter for examiners doing Mac investigations.

File System Events

File system events (the logs macOS keeps in the hidden .fseventsd directory at the root of each volume) give examiners a view of files that may no longer exist on the system. Tracking values such as "Renamed" lets you show the path a file occupied before it was moved to the Trash and permanently deleted. The same logs also record other volumes that were attached to the computer.
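To make the "Renamed" chain concrete, here is an added example (written for this article, not AXIOM code) that parses an fseventsd log and pulls out the path history of a file that has since been deleted, plus the volumes that were mounted. The gzip container and the DLS1/DLS2 page layout (magic, page length, NUL-terminated path, event id, flags, node id) and the flag bit names follow what open-source fseventsd parsers document; treat that layout and the bit assignments as an assumption to confirm against a real log. The sample log is constructed in the block, not taken from a real system.

```python
import gzip
import struct

# Flag bits for fseventsd records, as documented by open-source fseventsd
# parsers (assumption: taken from that documentation, not from Apple).
FSEVENT_FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}


def decode_flags(flags):
    """Expand a raw flags word into the names of the bits that are set."""
    return [name for bit, name in sorted(FSEVENT_FLAGS.items()) if flags & bit]


def parse_fsevents(blob):
    """Parse one gzip-compressed fseventsd log file into a list of records.

    Page layout (assumption, per open-source parsers): a 12-byte header of
    magic '1SLD' or '2SLD', 4 unknown bytes and a 4-byte little-endian page
    length that includes the header; then records of NUL-terminated path,
    8-byte LE event id, 4-byte LE flags, plus an 8-byte LE node id in DLS2.
    Paths are relative to the root of the volume the log belongs to.
    """
    data = gzip.decompress(blob)
    records = []
    pos = 0
    while pos + 12 <= len(data):
        magic = data[pos:pos + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError(f"unexpected page magic {magic!r} at offset {pos}")
        version = 2 if magic == b"2SLD" else 1
        page_end = pos + struct.unpack_from("<I", data, pos + 8)[0]
        pos += 12
        while pos < page_end:
            nul = data.index(b"\x00", pos)
            path = data[pos:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            pos = nul + 13
            node_id = None
            if version == 2:
                node_id = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            records.append({"path": path, "event_id": event_id,
                            "flags": decode_flags(flags), "node_id": node_id})
    return records


def file_history(records, filename):
    """Every path and flag set recorded for a file name, in log order, so a
    file that is now gone can still be placed on the volume."""
    return [(r["path"], r["flags"]) for r in records
            if r["path"].rsplit("/", 1)[-1] == filename]


def mounted_volumes(records):
    """Paths carrying a Mount flag: other volumes that were attached."""
    return sorted({r["path"] for r in records if "Mount" in r["flags"]})


def _build_page(entries, version=2):
    """Build one DLS page from (path, event_id, flags, node_id) tuples.
    Used only to construct the sample log below."""
    body = b""
    for path, event_id, flags, node_id in entries:
        body += path.encode() + b"\x00" + struct.pack("<QI", event_id, flags)
        if version == 2:
            body += struct.pack("<Q", node_id)
    magic = b"2SLD" if version == 2 else b"1SLD"
    return magic + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body


# Constructed sample log (not from a real system): a document is created,
# renamed into the Trash, the Trash is emptied, and a USB volume is mounted.
FILE = 0x8000
SAMPLE_LOG = gzip.compress(_build_page([
    ("Users/alice/Documents/plan.docx", 0x1A2B3C, FILE | 0x01000000, 4242),
    ("Users/alice/Documents/plan.docx", 0x1A2B3D, FILE | 0x08000000, 4242),
    ("Users/alice/.Trash/plan.docx",    0x1A2B3E, FILE | 0x08000000, 4242),
    ("Users/alice/.Trash/plan.docx",    0x1A2B3F, FILE | 0x02000000, 4242),
    ("Volumes/EVIDENCE_USB",            0x1A2B40, 0x0001 | 0x0002, 7),
]))

if __name__ == "__main__":
    recs = parse_fsevents(SAMPLE_LOG)
    for path, flags in file_history(recs, "plan.docx"):
        print(f"{path:40s} {', '.join(flags)}")
    print("volumes mounted:", mounted_volumes(recs))
```

Event ids increase monotonically across a volume's logs, so sorting the merged records by event id gives the order in which the rename and removal happened even though the logs carry no timestamps; the file's modification times have to come from elsewhere.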

Quarantined Files

The Quarantined Files artifact shows which files macOS has recently flagged for a Gatekeeper check, that is, files tagged with the com.apple.quarantine attribute when they were downloaded or transferred. This includes items that no longer appear in Safari's download list, as well as files received by other means such as AirDrop or iMessage.
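The on-disk source behind this kind of artifact is the LSQuarantineEvent table in com.apple.LaunchServices.QuarantineEventsV2 (a SQLite database under the user's ~/Library/Preferences), and each quarantined file carries a com.apple.quarantine extended attribute whose last field is the UUID of its row in that table. The following is an added example (not AXIOM's code) that lists the events with their timestamps converted from Mac absolute time and ties a file still on disk back to its origin via the xattr. The table columns are the real ones; the rows, the xattr string, and the agent names used for AirDrop and Messages are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds):
    """LSQuarantineTimeStamp is Mac absolute time: seconds since 2001-01-01 UTC."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def parse_quarantine_xattr(value):
    """Parse the com.apple.quarantine extended attribute of a quarantined file:
    'flags;hex-unix-timestamp;agent-name;event-uuid' (agent and uuid may be
    missing). The UUID is the join key into LSQuarantineEvent."""
    parts = value.split(";")
    return {
        "flags": int(parts[0], 16),
        "timestamp": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 and parts[2] else None,
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


# The LSQuarantineEvent table as it appears in
# com.apple.LaunchServices.QuarantineEventsV2 (real column names).
SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginTitle TEXT,
    LSQuarantineOriginURLString TEXT,
    LSQuarantineOriginAlias BLOB
);
"""

# Constructed rows (not from a real system): a Safari download, an AirDrop
# transfer and an iMessage attachment. Agent names and bundle ids for the
# last two are illustrative assumptions.
SAMPLE_ROWS = [
    ("E1C0A0A1-0000-4000-8000-000000000001", 600000000.0, "com.apple.Safari", "Safari",
     "https://example.invalid/tools/installer.dmg", None, None, 0,
     "Downloads", "https://example.invalid/tools/", None),
    ("E1C0A0A1-0000-4000-8000-000000000002", 600003600.0, "com.apple.sharingd", "sharingd",
     None, "Bob's iPhone", None, 0, None, None, None),
    ("E1C0A0A1-0000-4000-8000-000000000003", 600007200.0, "com.apple.MobileSMS", "Messages",
     None, "Bob", "+15555550100", 0, None, None, None),
]

# Constructed xattr value for the Safari download above (same instant,
# expressed as a hex Unix timestamp, and the matching event UUID).
SAMPLE_XATTR = "0083;5e130e80;Safari;E1C0A0A1-0000-4000-8000-000000000001"


def build_sample_db():
    """In-memory stand-in for QuarantineEventsV2 populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                     SAMPLE_ROWS)
    return conn


def quarantine_events(conn):
    """All quarantine events, oldest first, with timestamps converted to UTC."""
    sql = """SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
                    LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier,
                    LSQuarantineDataURLString, LSQuarantineOriginURLString,
                    LSQuarantineSenderName, LSQuarantineSenderAddress
             FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"""
    return [{"uuid": u, "time": mac_absolute_to_utc(ts), "agent": agent,
             "bundle": bundle, "data_url": durl, "origin_url": ourl,
             "sender": sender, "sender_address": addr}
            for u, ts, agent, bundle, durl, ourl, sender, addr in conn.execute(sql)]


def event_for_file(conn, xattr_value):
    """Tie a file still on disk back to its quarantine event via the UUID in
    its com.apple.quarantine attribute; None if the row is gone or absent."""
    uuid = parse_quarantine_xattr(xattr_value)["uuid"]
    if uuid is None:
        return None
    return next((e for e in quarantine_events(conn) if e["uuid"] == uuid), None)


if __name__ == "__main__":
    db = build_sample_db()
    for e in quarantine_events(db):
        print(e["time"].isoformat(), e["agent"], e["data_url"] or e["sender"])
    print("installer.dmg came from:", event_for_file(db, SAMPLE_XATTR)["data_url"])
```

Note the two different clocks: the database stores Mac absolute time (seconds since 2001), while the xattr stores a hex Unix timestamp (seconds since 1970); converting both to UTC is what lets you confirm they describe the same download. On a live system read the attribute with `xattr -p com.apple.quarantine <file>`.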

Recently Used Items

Recently Used Items collects data from several plist files and presents it in an easy-to-understand view. It is analogous to Jump Lists on Windows: examiners can see which documents and applications were recently accessed, and also which files were opened by specific applications such as video players or document editors.

KnowledgeC: Application Focus, Activities & Intents

Using these three KnowledgeC artifacts lets an examiner timeline device activity and build a pattern of life: which applications were in use, when, and potentially what the user was doing in them.
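All three streams live in knowledgeC.db (a SQLite database; on macOS under /private/var/db/CoreDuet/Knowledge/), in the ZOBJECT table keyed by ZSTREAMNAME ('/app/inFocus', '/app/activity', '/app/intents') with the activity and intent detail in the linked ZSTRUCTUREDMETADATA row. The following added example (written for this article, not AXIOM's code) builds that timeline, totals in-focus time per application, and pairs each activity or intent with the focus window it fell inside, which is what turns "Pages was open" into "the user was editing this document in Pages". The ZSTRUCTUREDMETADATA column names follow published research on knowledgeC.db and should be confirmed against the schema of the database you are examining; all rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_time(seconds):
    """knowledgeC stores Mac absolute time: seconds since 2001-01-01 UTC."""
    return None if seconds is None else MAC_EPOCH + timedelta(seconds=seconds)


# Minimal cut of the knowledgeC.db schema. ZOBJECT has one row per event;
# ZSTRUCTUREDMETADATA carries the per-stream detail. The metadata column
# names are taken from published research (assumption: verify on your copy).
SCHEMA = """
CREATE TABLE ZSTRUCTUREDMETADATA (
    Z_PK INTEGER PRIMARY KEY,
    Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE TEXT,
    Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE TEXT,
    Z_DKINTENTMETADATAKEY__INTENTCLASS TEXT,
    Z_DKINTENTMETADATAKEY__INTENTVERB TEXT
);
CREATE TABLE ZOBJECT (
    Z_PK INTEGER PRIMARY KEY,
    ZSTREAMNAME TEXT,
    ZVALUESTRING TEXT,
    ZSTARTDATE REAL,
    ZENDDATE REAL,
    ZSTRUCTUREDMETADATA INTEGER
);
"""

TIMELINE_SQL = """
SELECT o.ZSTREAMNAME, o.ZVALUESTRING, o.ZSTARTDATE, o.ZENDDATE,
       m.Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE,
       m.Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE,
       m.Z_DKINTENTMETADATAKEY__INTENTCLASS,
       m.Z_DKINTENTMETADATAKEY__INTENTVERB
FROM ZOBJECT o
LEFT JOIN ZSTRUCTUREDMETADATA m ON o.ZSTRUCTUREDMETADATA = m.Z_PK
WHERE o.ZSTREAMNAME IN ('/app/inFocus', '/app/activity', '/app/intents')
ORDER BY o.ZSTARTDATE
"""

# Constructed rows (not from a real system): Safari in front for five
# minutes, then Pages with a document activity, then Messages sending a message.
SAMPLE_METADATA = [
    (1, "com.example.pages.editing", "Quarterly plan.pages", None, None),
    (2, None, None, "INSendMessageIntent", "Send"),
]
SAMPLE_OBJECTS = [
    (1, "/app/inFocus",  "com.apple.Safari",      600000000.0, 600000300.0, None),
    (2, "/app/inFocus",  "com.apple.iWork.Pages", 600000300.0, 600001200.0, None),
    (3, "/app/activity", "com.apple.iWork.Pages", 600000310.0, 600000310.0, 1),
    (4, "/app/inFocus",  "com.apple.MobileSMS",   600001200.0, 600001260.0, None),
    (5, "/app/intents",  "com.apple.MobileSMS",   600001205.0, 600001205.0, 2),
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZSTRUCTUREDMETADATA VALUES (?,?,?,?,?)", SAMPLE_METADATA)
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?,?)", SAMPLE_OBJECTS)
    return conn


def knowledgec_timeline(conn):
    """Chronological list of focus windows, activities and intents."""
    rows = []
    for stream, bundle, start, end, atype, title, iclass, iverb in conn.execute(TIMELINE_SQL):
        detail = title or atype or (f"{iclass}/{iverb}" if iclass else None)
        rows.append({"stream": stream, "bundle": bundle, "start": mac_time(start),
                     "end": mac_time(end), "detail": detail,
                     "duration_s": None if end is None else end - start})
    return rows


def focus_time_by_app(conn):
    """Total seconds each application spent in the foreground."""
    totals = {}
    for r in knowledgec_timeline(conn):
        if r["stream"] == "/app/inFocus" and r["duration_s"] is not None:
            totals[r["bundle"]] = totals.get(r["bundle"], 0.0) + r["duration_s"]
    return totals


def annotate_focus_windows(timeline):
    """Pair each activity/intent with the focus window of the same app it
    occurred inside, i.e. what the user was doing while that app was frontmost."""
    windows = [r for r in timeline if r["stream"] == "/app/inFocus"]
    out = []
    for r in timeline:
        if r["stream"] == "/app/inFocus":
            continue
        during = next((w for w in windows if w["bundle"] == r["bundle"]
                       and w["start"] <= r["start"] < w["end"]), None)
        out.append({"time": r["start"], "bundle": r["bundle"],
                    "detail": r["detail"], "in_focus": during is not None})
    return out


if __name__ == "__main__":
    db = build_sample_db()
    tl = knowledgec_timeline(db)
    for r in tl:
        print(r["start"].isoformat(), r["stream"], r["bundle"], r["detail"] or "")
    print(focus_time_by_app(db))
    print(annotate_focus_windows(tl))
```

An activity or intent that falls outside any focus window for its own application is worth a second look: it usually means the focus stream was pruned (knowledgeC keeps roughly four weeks of data) or the event came from a background process rather than user interaction.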

Dive Deeper in Our Magnet AXIOM macOS Examinations (AX350) Class

If you're looking to deepen your knowledge of Mac investigations, the AX350 course covers all of these artifacts and more. More importantly, the class teaches you how to use one artifact to make sense of another and chain the data together to tell the whole story in an easy-to-understand way.

Whether you're a seasoned macOS expert or doing your first Mac investigation, AX350 will benefit your casework. Once you understand AXIOM, the way the data is presented will make you feel just as comfortable as when examining a Windows, iOS, or Android system.
