History of macOS and macOS File Structure

Early Apple Days

Apple was established on April 1, 1976, and quickly made its mark with the Lisa in the early 1980s, the first public computer featuring a graphical user interface (GUI). Fast forward to 1984, and Apple released the Macintosh, their first affordable personal computer with a GUI, revolutionizing personal computing.

Big Moves in the 1990s and Beyond

By the late 1990s, Apple was well-established. In 1998, they introduced the HFS+ file system, which helped users manage larger storage devices and improved overall file organization. But things really got interesting in 2001 with the launch of macOS X—a Unix-based operating system that gave the Mac the robustness and reliability it needed.

The Evolution of macOS

• 2012: With OS X 10.8 (Mountain Lion), Apple started to unify its desktop and mobile platforms, borrowing elements from iOS.

• 2016: Apple rebranded OS X to macOS, beginning with macOS 10.12 (Sierra).

• 2017: The APFS file system (Apple File System) was introduced to replace HFS+, designed to be faster and more efficient, especially for SSDs.

APFS: Apple's Modern File System

When Apple introduced APFS in 2017, it addressed many limitations of its predecessor, HFS+. Here’s what makes APFS special and why it matters for modern Macs:

• Optimized for SSDs: APFS is designed to work seamlessly with solid-state drives (SSDs) and flash storage, making your Mac much faster when it comes to file operations.

• Atomic Safe Save: Ever worried about losing data if your Mac crashes while saving a file? APFS uses a technique called Atomic Safe Save. Instead of overwriting files (which can corrupt data during a crash), it creates a new file and updates pointers—meaning your data is much safer.

• Full Disk Encryption: APFS builds encryption right into the file system, giving you multiple ways to secure your data using different recovery keys, including your password or even iCloud.

• Snapshots: One of the coolest features is snapshots, which create a read-only copy of your system at a specific point in time. If something goes wrong, you can roll back to a previous state—perfect for troubleshooting!

• Large File Capacity: APFS supports filenames with up to 255 characters and file sizes up to a theoretical limit of 8 exabytes (that’s 8 billion gigabytes!). So, you probably won’t run out of space anytime soon.

• Accurate Timestamps: With nanosecond accuracy, APFS records changes precisely—useful for backups, file versioning, and tracking down when exactly something was altered.

macOS organizes files and folders into four main domains, each serving different purposes:

1. User Domain (/Users) or User Library

This is where all the files related to your user account live. It includes the home directory, which stores personal documents, downloads, music, and more. Each user on the system has their own isolated space here. There’s also a hidden Library folder within each user account, where your apps store personal preferences and data.

Key folders in the User Domain:

• Home Directory: Your personal space, with folders like Documents, Downloads, and Desktop.

• Public Directory: A space where you can share files with others who use the same Mac.

• User Library: Hidden by default, but this folder is a treasure trove for advanced users and app developers. It contains your preferences, app data, and cached files. If you ever need to dig in, you can reveal it using a simple Terminal command:

chflags nohidden /Users/<username>/Library

2. Local Domain (/Library) or Local Library

This domain contains files and apps that are shared across all users on the Mac.

Apps installed via the Mac App Store will be located in the /Applications folder. There’s also a /Developer folder here if you’ve installed Xcode or developer tools.

/Library – Library files shared across all users.

3. Network Domain (/Network)

The Network Domain is for shared resources like network drives or printers. In an office setting, this is where you’d find shared servers or Windows file shares. It’s managed by network administrators and isn’t something the average user interacts with often.

4. System Domain (/System) System Library

This is where Apple stores the critical components that make macOS run smoothly. It’s locked down so that regular users can’t accidentally delete something important. You’ll find OS-level libraries and apps here, safely tucked away from tampering.

/System/Library/

Every user account on macOS has its own Library directory (~/Library/), which contains various subdirectories packed with forensic gold.

The tilde (~) is a shortcut that represents the user’s home directory, so if you’re examining a user named Dean, her Library path would be /Users/Dean/Library/.

1. Containers Directory (Introduced in macOS 10.7)

Apple introduced sandboxing to enhance security, and the Containers directory plays a crucial role here.

Applications that are sandboxed store their data inside

 ~/Library/Containers/ 

rather than the traditional Application Support directory. This means that if you don’t find what you’re looking for in Application Support, you should check Containers as well.

Each container is named in reverse DNS format, such as com.apple.Safari. Inside, you’ll often find a metadata.plist file that provides information about the app’s sandbox environment.

2. Application Support Directory

Think of this as the macOS equivalent of AppData on Windows.

Located at

~/Library/Application Support/

this directory stores configuration files, databases, and other application-specific data. The way each application stores its data varies, so you might find SQLite databases, property list files (.plist), or even proprietary formats.

3. Caches Directory

Applications generate a lot of temporary files, and macOS keeps them organized inside

~/Library/Caches/

These cached files may be named using reverse DNS format (e.g., com.google.Chrome), or simply follow a company’s folder structure (e.g., Adobe/Photoshop/). Cached data can sometimes reveal user activities, recently accessed files, or browsing history.

4. Preferences Directory (.plist Files)

User preferences for applications are stored in property list files (.plist), usually found in

~/Library/Preferences/

These files follow the reverse DNS format, such as com.apple.TextEdit.plist. By examining these files, forensic analysts can uncover user settings, saved states, and even recent application interactions.

-------------------------------------------------------------------------------------------------------

Data Directory and Symbolic Links

In sandboxed applications, the Data directory within Containers mimics a user’s home directory but with strict access controls. Some directories inside it are symbolic links, meaning they redirect to actual files elsewhere on the system. The ones that are not links often contain the most valuable forensic data, such as app-specific databases and usage logs.

For example, Apple Maps stores its primary database here, which can be crucial for location-based investigations.

-------------------------------------------------------------------------------------------------------

Wrapping Up

Forensic analysis on macOS can be tricky due to Apple’s unique approach to data storage and security. However, once you know where to look, the Library directory and core system directories hold a wealth of useful artifacts. Whether you’re investigating user preferences, app data, cached files, or system logs, each directory has its own forensic story to tell.

-----------------------------------------Dean---------------------------------------------