
Evidence Profiling: Key Device Information, User Accounts, and Network Settings on macOS

When investigating a macOS system, understanding its device information, user accounts, and network settings is critical.


----------------------------------------------------------------------------------------------

1. Device Information

(i) OS Version and Build

The macOS version and build details can be found in the SystemVersion.plist file:


Location: /System/Library/CoreServices/SystemVersion.plist

Command: Use cat on a live system to view the .plist file contents.


(ii) Device Serial Number

The device's serial number is stored in three database files, but access may be restricted while the system is live:

  • Files:

    • consolidated.db

    • cache_encryptedA.db

    • lockCache_encryptedA.db


Location: /root/private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/

Use DB Browser for SQLite to open these databases and find the serial number in the TableInfo table.


(iii) Device Time Zone – Option 1

Run ls -l on /etc/localtime: the file is a symlink, and its target names the time zone set on the device. This works on both live systems and disk images. When working on an image, make sure you are reading the image's copy of /etc/localtime and not the investigation machine's, or you will record the examiner's time zone instead.


(iv) Device Time Zone – Option 2

The time zone is also stored in a .plist file that may be more accurate as it can include latitude and longitude from location services:

Location: /Library/Preferences/.GlobalPreferences.plist

Command (on the live system, or on any Mac with the plist copied over):

plutil -p /Library/Preferences/.GlobalPreferences.plist

Note: If location services are enabled, the automatic time zone update refreshes this plist regularly. When the device is switched to a static time zone, however, the plist may no longer be updated and will still point to the location of the last automatic update.


To check whether location services are enabled:


Location: /Library/Preferences/com.apple.timezone.auto.plist

If location services are enabled, the "active" entry is set to 1 (true).
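As an added illustration of the cross-check described above (not part of the original post), the snippet below reconciles the /etc/localtime symlink target with the zone recorded in .GlobalPreferences.plist and the active flag in com.apple.timezone.auto.plist. The plist key names and all sample values are assumptions, constructed here rather than taken from a real host.

```python
import plistlib

# Constructed sample data, not captured from a real Mac. Assumed layout:
# .GlobalPreferences.plist keeps the last selected city (with coordinates) under
# com.apple.preferences.timezone.selected_city; com.apple.timezone.auto.plist
# carries the "Active" flag the section refers to.
GLOBAL_PREFS = plistlib.dumps({
    "com.apple.preferences.timezone.selected_city": {
        "TimeZoneName": "Europe/London", "Name": "London",
        "Latitude": 51.5074, "Longitude": -0.1278,
    }
})
AUTO_TZ_ON = plistlib.dumps({"Active": True})
AUTO_TZ_OFF = plistlib.dumps({"Active": False})


def zone_from_link_target(target: str) -> str:
    """ls -l /etc/localtime prints a symlink into a zoneinfo tree; keep the zone part."""
    marker = "zoneinfo/"
    return target.split(marker, 1)[1] if marker in target else target


def recorded_location(global_prefs: bytes) -> dict:
    city = plistlib.loads(global_prefs).get(
        "com.apple.preferences.timezone.selected_city", {})
    return {"zone": city.get("TimeZoneName"),
            "lat": city.get("Latitude"), "lon": city.get("Longitude")}


def auto_timezone_active(auto_plist: bytes) -> bool:
    # Accept both spellings: the section quotes "active", other dumps show "Active".
    doc = plistlib.loads(auto_plist)
    return bool(doc.get("Active", doc.get("active", False)))


def reconcile(localtime_target: str, global_prefs: bytes, auto_plist: bytes) -> dict:
    """Decide how much weight the plist location deserves against /etc/localtime."""
    live = zone_from_link_target(localtime_target)
    rec = recorded_location(global_prefs)
    auto = auto_timezone_active(auto_plist)
    if rec["zone"] == live:
        verdict = "consistent"
    elif not auto:
        verdict = "stale: static zone set; plist shows last auto-selected location"
    else:
        verdict = "mismatch: auto update on but plist and symlink disagree"
    return {"localtime": live, "recorded": rec, "auto": auto, "verdict": verdict}
```

Feed reconcile() the symlink target printed by ls -l together with the two plists pulled from the image; a "stale" verdict is the case the note above warns about.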


----------------------------------------------------------------------------------------------


2. User Accounts

Each user account on a macOS system has its own configuration .plist file:

Location: /private/var/db/dslocal/nodes/Default/users/
Location: /private/var/db/dslocal/nodes/Default/groups/

These files contain key details about the user accounts. If investigating malicious activity, check this directory to confirm whether any suspicious accounts have been created or whether an existing account has been added to a privileged group.


Key Points:

  • Accounts managed by Open Directory won’t have a .plist file here.

  • System service accounts (like _ftp) have names beginning with an underscore.

  • Default system accounts include root, daemon, nobody, and Guest.
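The account triage described in this section, as an added example that is not part of the original post: it walks a set of user plists and the admin group plist, applies the three key points above (underscore service accounts, default accounts, group membership) and returns the interactive admin accounts worth verifying with the owner. The sample plists are constructed, and the attribute layout (arrays of strings, a "users" array on the admin group) is an assumption about the dslocal node format.

```python
import plistlib

# Constructed stand-ins for /private/var/db/dslocal/nodes/Default/users/*.plist and
# groups/admin.plist, not copied from a real host. Assumed layout: every attribute is
# an array of strings, and the admin group's "users" array names its members.
SAMPLE_USERS = {
    "root": plistlib.dumps({"name": ["root"], "uid": ["0"], "shell": ["/bin/sh"]}),
    "_ftp": plistlib.dumps({"name": ["_ftp"], "uid": ["98"], "shell": ["/usr/bin/false"]}),
    "alice": plistlib.dumps({"name": ["alice"], "uid": ["501"], "shell": ["/bin/zsh"]}),
    "svcupdate": plistlib.dumps({"name": ["svcupdate"], "uid": ["502"], "shell": ["/bin/zsh"]}),
}
SAMPLE_GROUPS = {
    "admin": plistlib.dumps({"name": ["admin"], "gid": ["80"], "users": ["root", "alice", "svcupdate"]}),
}
DEFAULT_ACCOUNTS = {"root", "daemon", "nobody", "Guest"}


def first(attrs: dict, key: str, default: str = "") -> str:
    """dslocal plists wrap single values in one-element arrays; unwrap safely."""
    vals = attrs.get(key) or []
    return vals[0] if vals else default


def triage_accounts(users: dict, groups: dict) -> list:
    """One record per local user with the flags an examiner checks first, sorted by uid."""
    admin_plist = groups.get("admin")
    admins = set(plistlib.loads(admin_plist).get("users", [])) if admin_plist else set()
    records = []
    for raw in users.values():
        attrs = plistlib.loads(raw)
        name = first(attrs, "name")
        uid = int(first(attrs, "uid", "-1"))
        records.append({
            "name": name, "uid": uid,
            "service": name.startswith("_"),       # _ftp and friends
            "default": name in DEFAULT_ACCOUNTS,   # root, daemon, nobody, Guest
            "admin": name in admins,
            # Interactive accounts (uid >= 500) that are neither default nor service
            # accounts and hold admin rights are the ones to verify with the owner.
            "review": uid >= 500 and name in admins and name not in DEFAULT_ACCOUNTS,
        })
    return sorted(records, key=lambda r: r["uid"])


def accounts_to_review(users: dict, groups: dict) -> list:
    return [r["name"] for r in triage_accounts(users, groups) if r["review"]]
```

On a real image, build the two dictionaries by reading each file under users/ and groups/ into bytes; accounts managed by Open Directory will simply be absent, as the first key point notes.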

----------------------------------------------------------------------------------------------


3. Network Settings

Network Interfaces

Each network interface has its own configuration stored in a .plist file:

Location: /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

  • Key Information:

    • Interface number (e.g., en0 for Wi-Fi, en1 for Ethernet).

    • Network Type (e.g., IEEE802.11 for Wi-Fi, Ethernet for wired connections).

    • MAC address: When the plist is viewed as XML (for example on a Linux examination machine), this appears as a Base64-encoded <data> value; decode it with


    echo "(encoded MAC)" | base64 -d | xxd


    • Model: Useful for identifying the device's network hardware.


Network Configuration – Interfaces

Another important .plist file, preferences.plist, contains detailed configuration for each interface:

Location: /Library/Preferences/SystemConfiguration/preferences.plist

  • Key Elements:

    • Network Services: Details on IPv4/IPv6 settings, proxies, DNS, and more.

    • Local HostName: The machine's local network name.

    • Computer Name: May differ from the hostname.


----------------------------------------------------------------------------------------------

4. DHCP Lease Information

The DHCP lease information provides details about past network connections:

Location: /private/var/db/dhcpclient/leases/

  • Files are named based on the network interface (e.g., en0.plist, interface.plist, en0-MAC.plist or en0-1,12:12:12:12:12:12.plist).

  • Where there have been multiple connections on an interface, the files in this folder contain data relating to the most recent connection only.

  • Key Information:

    • Device IP address

    • Lease start date

    • Router MAC and IP address

    • SSID (if connected to Wi-Fi)
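As an added example covering both the NetworkInterfaces.plist fields and the DHCP lease fields above (not code from the original post), the snippet parses constructed copies of the two plists, formats the Base64 <data> MAC addresses as colon-separated hex and summarises one lease. The key names (Interfaces, BSD Name, SCNetworkInterfaceType, IOMACAddress, IOModel, IPAddress, LeaseStartDate, RouterHardwareAddress, RouterIPAddress, SSID) and the interface type strings are assumptions about what these files carry.

```python
import base64
import plistlib
from datetime import datetime

# Constructed sample data, not captured from a real host. The key names below are
# assumptions about what NetworkInterfaces.plist and a dhcpclient lease carry;
# confirm them against your own image before relying on the output.
SAMPLE_INTERFACES = plistlib.dumps({"Interfaces": [
    {"BSD Name": "en0", "SCNetworkInterfaceType": "IEEE80211",
     "IOMACAddress": bytes.fromhex("dc1400123456"), "IOModel": "AirPort"},
    {"BSD Name": "en1", "SCNetworkInterfaceType": "Ethernet",
     "IOMACAddress": bytes.fromhex("a1b2c3d4e5f6"), "IOModel": "AppleUSBEthernet"},
]})
SAMPLE_LEASE = plistlib.dumps({
    "IPAddress": "192.168.1.23",
    "LeaseStartDate": datetime(2024, 3, 1, 9, 15, 0),
    "RouterHardwareAddress": bytes.fromhex("00112233aabb"),
    "RouterIPAddress": "192.168.1.1",
    "SSID": "CoffeeShopWiFi",
})


def mac_from_bytes(raw: bytes) -> str:
    """Format a 6-byte hardware address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_from_base64(encoded: str) -> str:
    """Decode a <data> value copied out of an XML plist, the Base64 case the text describes."""
    return mac_from_bytes(base64.b64decode(encoded))


def list_interfaces(plist_bytes: bytes) -> list:
    """(BSD name, type, MAC, model) per entry; plistlib already returns <data> as bytes."""
    doc = plistlib.loads(plist_bytes)
    return [(i["BSD Name"], i["SCNetworkInterfaceType"],
             mac_from_bytes(i["IOMACAddress"]), i.get("IOModel", ""))
            for i in doc.get("Interfaces", [])]


def summarize_lease(plist_bytes: bytes) -> dict:
    """Pull the fields an examiner wants from one dhcpclient lease file."""
    doc = plistlib.loads(plist_bytes)
    return {"ip": doc.get("IPAddress"),
            "lease_start": doc["LeaseStartDate"].isoformat(),
            "router_mac": mac_from_bytes(doc["RouterHardwareAddress"]),
            "router_ip": doc.get("RouterIPAddress"), "ssid": doc.get("SSID")}
```

mac_from_base64() is the Python equivalent of the base64 -d | xxd pipeline above; when you load the plist with plistlib instead of reading the XML by eye, the <data> value is already bytes and mac_from_bytes() is enough.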

----------------------------------------------------------------------------------------------


Final Thoughts

Investigating a macOS system, especially with an APFS file system, involves diving deep into system files and .plist configurations. From device profiling to uncovering user activity and network settings, understanding where to find critical data can streamline investigations and ensure thorough evidence collection. Always ensure you have the necessary tools to access and decode these files.


Akash Patel
