Evidence Profiling: Key Device Information, User Accounts, and Network Settings on macOS
- Oct 8, 2024
Updated: Feb 24

Updated 24 Feb, 2024
When investigating a macOS system, understanding its device information, user accounts, and network settings is critical.
-------------------------------------------------------------------------------------------------------------
Finding macOS Version and Build Information
Your macOS version and build number are crucial details, often needed for software compatibility, troubleshooting, and security updates.
You can find this information in the SystemVersion.plist file, which is located in:
📂 /System/Library/CoreServices/SystemVersion.plist
For example, if you’re running Big Sur (11.2.3), the file will show something like this:
System Name: macOS
Version: 11.2.3
Build Number: 20D91
Command: Use cat on a live system to view the .plist file contents.
This tells you exactly what version of macOS you're using, which can be helpful when checking for updates or debugging issues.
-------------------------------------------------------------------------------------------------------------
Retrieving Your Mac’s Serial Number
Your Mac’s serial number is unique to your device and can be retrieved in several ways. The easiest method is through the system_profiler command:
system_profiler SPHardwareDataType | grep "Serial Number"

However, on newer versions of macOS, Apple stores the serial number in encrypted databases. One such place is the cache_encryptedA.db file, where the serial number is often stored in a table named TableInfo.
I used the UAC script to collect artifacts. I searched for Serial Number and found

For forensic analysts or tech-savvy users, extracting this information might require additional database query techniques.
-------------------------------------------------------------------------------------------------------------
Finding macOS Installation and Setup Dates
Want to know when your Mac was first set up? Here are some ways to find out:
1️⃣ Original System Setup Date
The file .AppleSetupDone (located in /private/var/db/) is created when you first complete your Mac’s setup process. The access or modification date of this file can give you an idea of when the system was first registered or set up.
2️⃣ macOS Installation Dates
Each time macOS is installed or updated, a record is logged in install.log files located in:
📂 /private/var/log/install.log
If these log files haven’t been overwritten, you can check them to see when different macOS versions were installed.
3️⃣ Software Update History
For more detailed timestamps of software installations and updates, check this file:
📂 /private/var/db/softwareupdate/journal.plist
This file provides detailed logs of when system updates were applied, making it useful for tracking system changes.
-------------------------------------------------------------------------------------------------------------
Checking the System Time Zone Configuration
Your Mac stores its current time zone settings in multiple places. The /etc/localtime file contains the active time zone value.
Command: ls -la /etc/localtime

For example, if the system is set to Eastern Time (New York), that will be reflected in this file.
You can also check the time zone settings in the .GlobalPreferences.plist file, located at:
📂 /Library/Preferences/

Command: plutil -p /Library/Preferences/.GlobalPreferences.plist
However, if you've switched from using location-based time zone settings to a manually set time zone, this plist might not update automatically.
Is Location Services Being Used for Time Zone Updates?
If you’re curious whether your Mac is automatically adjusting the time zone using Wi-Fi or GPS, check this file:
📂 /Library/Preferences/com.apple.timezone.auto.plist
Command: cat /Library/Preferences/com.apple.timezone.auto.plist
or
plutil -p /Library/Preferences/com.apple.timezone.auto.plist

If location services are enabled, macOS will determine your time zone based on nearby Wi-Fi networks, which might explain why your time zone occasionally changes when you travel.

-----------------------------------------------------------------------------------------------------------------------------
When managing a macOS system, knowing the different types of user accounts and their permissions is crucial.
Types of User Accounts in macOS
Every user account in macOS falls into one of these categories:
Administrator: Has full control over the system.
Standard: A regular user account with permission to install apps and change personal settings but without full system control.
Managed with Parental Controls: Allows restrictions on app usage, content access, and screen time.
Sharing Only: Used for network access without a full user account.
Group: Used to organize users for access control in enterprise environments.
Guest: Temporary access without a password. Data is deleted upon logout unless configured otherwise.
If FileVault is enabled, Guest users can only access Safari, and on macOS 10.7 or later, they cannot log in at all.
Where User Data is Stored
User and group account information is stored in the directory:
/private/var/db/dslocal/nodes/Default/users/ (for users)
/private/var/db/dslocal/nodes/Default/groups/ (for groups)


The account details are stored in property list (.plist) files, which can be either:
XML format (macOS 10.6 and earlier)
Binary format (macOS 10.7 and later)
Accessing these files requires root privileges. Note that users managed via Open Directory (similar to Active Directory) do not have a local .plist file in this directory.
Tracking Deleted User Accounts
When a user account is deleted, macOS provides three options:
Save the home folder in a disk image (DMG) – The most common option, saving the user’s files in /Users/Deleted Users/.
Keep the home folder in place – The user is deleted, but their files remain.
Delete the home folder – Removes all associated data permanently.
Deleted user records are stored in the com.apple.preferences.accounts.plist file under the deletedUsers key, located at: /Library/Preferences/
This file contains:
The deleted user’s real name
User ID (UID)
Username
Deletion date
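Listing the deletedUsers records and checking which of them still have a saved home-folder DMG, as an added example that is not part of the original post. The sample plist is constructed, and the per-entry key names and the `<username>.dmg` file name are assumptions to confirm against your own image.

```python
import plistlib
from datetime import datetime
from pathlib import Path

# Constructed sample of com.apple.preferences.accounts.plist (not real evidence).
# Per-entry key names are assumptions; confirm them against your own image.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>deletedUsers</key>
<array>
  <dict>
    <key>date</key><date>2021-03-14T18:22:05Z</date>
    <key>dsAttrTypeStandard:RealName</key><string>Test Analyst</string>
    <key>dsAttrTypeStandard:UniqueID</key><integer>502</integer>
    <key>name</key><string>tanalyst</string>
  </dict>
  <dict>
    <key>date</key><date>2020-11-02T09:10:00Z</date>
    <key>name</key><string>tempuser</string>
  </dict>
</array>
</dict></plist>"""

def deleted_users(raw, image_root=None):
    """Return deleted-account records, oldest deletion first.

    With image_root (mount point of the examined volume), each record notes
    whether Users/Deleted Users/<username>.dmg exists (assumed file name).
    """
    rows = []
    for entry in plistlib.loads(raw).get("deletedUsers", []):
        row = {
            "username": entry.get("name"),
            "real_name": entry.get("dsAttrTypeStandard:RealName"),
            "uid": entry.get("dsAttrTypeStandard:UniqueID"),
            "deleted_at": entry.get("date"),
            "home_dmg": None,
        }
        if image_root and row["username"]:
            dmg = Path(image_root, "Users", "Deleted Users", row["username"] + ".dmg")
            row["home_dmg"] = dmg.is_file()
        rows.append(row)
    # Entries lacking a date sort first instead of raising on None.
    return sorted(rows, key=lambda r: r["deleted_at"] or datetime.min)

if __name__ == "__main__":
    for r in deleted_users(SAMPLE):
        print(r["deleted_at"], r["uid"], r["username"], r["real_name"])
```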
Tracking User Login Activity
Login-related information is stored in the com.apple.loginwindow.plist file, located at: /Library/Preferences/
Command: plutil -p /Library/Preferences/com.apple.loginwindow.plist

Key details include:
lastUser – The currently logged-in user (if the system was imaged live).
autoLoginUser – If automatic login is enabled, this field stores the username.
lastUserName – The last user who logged in.
RetriesUntilHint – Number of failed attempts before a password hint appears.
GuestEnabled – Indicates whether the Guest account is active.
Automatic Login and Password Storage
If a user enables automatic login, macOS stores the password in an encoded format in the file /etc/kcpassword.
The password is XOR-encoded with a multi-byte key.
A Ruby script can decode it if necessary:
sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]
# Stop at the first byte that decodes to 0 (the terminator); the rest is padding.
File.binread("/etc/kcpassword").bytes.each_with_index { |b, i| c = b ^ key[i % key.size]; break if c.zero?; print c.chr }'
However, automatic login is disabled if FileVault is enabled or if the user logs in via iCloud credentials.
Managing macOS and iOS Devices
For macOS and iOS devices managed by enterprises, configurations and restrictions are controlled through Mobile Device Management (MDM).
These devices contain configuration profiles stored in:
/private/var/mobile/Library/ConfigurationProfiles/
/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles
To check installed profiles: Settings → General → Profiles (or Device Management)
Hidden profiles do not appear in the standard GUI. Restrictions on app installations, purchases, content access, and privacy settings are stored in files like:
UserSettings.plist
EffectiveUserSettings.plist
PublicEffectiveUserSettings.plist
These files track device policies, user permissions, and other restrictions.
----------------------------------------------------------------------------------------------
Network Interfaces Information
macOS:
📂 /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Command: cat /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
or
plutil -p /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
This file stores details about network interfaces available on the system. Each interface has an associated Item key:
Item 0: Typically represents the Wi-Fi interface (e.g., en0, IEEE802.11).
Item 7: Could represent a USB-C hub with an Ethernet port.
Each interface entry includes:
Description (e.g., "IEEE802.11" for Wi-Fi, "Ethernet" for wired connections)
Unique MAC Address for the interface
Model Key showing the system’s model
💡 Tip: You can search for the system model on Apple’s support page to find exact hardware details.
Network Services Configuration
Interface number (e.g., en0 for Wi-Fi, en1 for Ethernet).
Network Type (e.g., IEEE802.11 for Wi-Fi, Ethernet for wired connections).
MAC address: This may be displayed in Base64-encoded format on Linux but can be decoded using:
echo "(encoded MAC)" | base64 -d | xxd
Model: Useful for identifying the device's network hardware.
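The MAC address decoding above, applied to every interface in a NetworkInterfaces.plist; this is an added example, not part of the original post. The sample plist and both MAC addresses are constructed, and the key names Interfaces, BSD Name, IOMACAddress and SCNetworkInterfaceType are assumptions about the file layout.

```python
import base64
import plistlib

# Constructed sample of NetworkInterfaces.plist; both MAC addresses are made up.
# Key names not quoted in the article are assumptions about the file layout.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Interfaces</key>
<array>
  <dict>
    <key>BSD Name</key><string>en0</string>
    <key>IOMACAddress</key><data>ABEiM0RV</data>
    <key>SCNetworkInterfaceType</key><string>IEEE80211</string>
  </dict>
  <dict>
    <key>BSD Name</key><string>en7</string>
    <key>IOMACAddress</key><data>3q2+7wAB</data>
    <key>SCNetworkInterfaceType</key><string>Ethernet</string>
  </dict>
</array>
<key>Model</key><string>MacBookPro16,1</string>
</dict></plist>"""

def format_mac(value):
    """Accept plist <data> bytes or the base64 text seen in the raw XML."""
    if isinstance(value, str):
        value = base64.b64decode(value.strip(), validate=True)
    if len(value) != 6:
        raise ValueError(f"expected 6 MAC bytes, got {len(value)}")
    return ":".join(f"{b:02x}" for b in value)

def list_interfaces(raw):
    """Return (model, interfaces) parsed from NetworkInterfaces.plist bytes."""
    plist = plistlib.loads(raw)  # accepts XML and binary plists
    found = []
    for item, iface in enumerate(plist.get("Interfaces", [])):
        mac = iface.get("IOMACAddress")
        found.append({
            "item": item,  # position in the array, shown as "Item N" by viewers
            "bsd_name": iface.get("BSD Name"),
            "type": iface.get("SCNetworkInterfaceType"),
            "mac": format_mac(mac) if mac else None,
        })
    return plist.get("Model"), found

if __name__ == "__main__":
    model, interfaces = list_interfaces(SAMPLE)
    print("Model:", model)
    for i in interfaces:
        print(i["item"], i["bsd_name"], i["type"], i["mac"])
```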
macOS:
📂 /Library/Preferences/SystemConfiguration/preferences.plist


The NetworkServices key inside this file contains configurations for different network interfaces:
Wi-Fi Interface (en0):
Uses DHCP for automatic IP address assignment.
Has a NetBIOS name for system identification.
----------------------------------------------------------------------------------------------
DHCP Lease Records
This directory contains network configurations for DHCP-based connections.
📂 /private/var/db/dhcpclient/leases/
Files are named based on the network interface (e.g., en0.plist, interface.plist, en0-MAC.plist or en0-1,12:12:12:12:12:12.plist).
Where there have been multiple connections on an interface, the files in this folder will contain data relating to the most recent connection, along with other information such as:
Lease Start Date
Router MAC Address
Assigned IP Address
SSID of the Access Point
DHCP Lease Duration
Router IP Address
Packet Data

If you are using the UAC script to collect artifacts, you can get all of this information in the system profiler text file.

------------------------------------------------------------------------------------------------------------
Known Wi-Fi Networks
macOS:
📂 /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

This file stores information about Wi-Fi networks the system previously connected to. Each known network is recorded with:
SSID Name
Captive Portal Status (e.g., login screens at hotels)
Last Connection Time (stored in local system time)
Auto-Connect Preferences
💡 Key Attributes:
AddReason: Determines whether the network was synced via iCloud or manually added.
JoinedByUserAt: The user manually connected to the AP.
JoinedBySystemAt: The system auto-connected to the AP.
Older macOS Versions
Older macOS versions store known networks differently, using a wifi.ssid. format within the KnownNetworks key.
💡 The PreferredOrder key defines the priority of saved networks—Item 0 being the highest priority.
------------------------------------------------------------------------------------------------------------
Wrapping Up
macOS stores a wealth of system information in various locations, and knowing where to look can help you troubleshoot, perform forensic analysis, or simply satisfy your curiosity.
🔍 Now you know how to peek under the hood of macOS! Let me know if you need more insights or step-by-step guides. 🚀
------------------------------------------------------Dean-----------------------------------------------