macOS System Artifacts: macOS Finder, GUI Configurations, Time Changes, Bluetooth, Printing, and Sharing

  • 4 days ago
  • 5 min read

macOS Finder Preferences

Location: ~/Library/Preferences/com.apple.finder.plist

Finder is the macOS equivalent of Windows Explorer, providing access to files, directories, applications, and networks. The Finder sidebar is customizable and includes:


  • Favorites: Displays user directories like Documents, Downloads, Pictures, and Music.

  • Locations: Shows mounted drives such as Macintosh HD, USBs, and disk images (DMGs).


The com.apple.finder.plist file stores various user preferences, such as:


✅ Showing mounted servers and hard drives

✅ Column view preferences

✅ Secure empty trash settings

✅ X and Y coordinates of GUI elements


These settings provide insight into a user's workflow, such as which directories are accessed frequently and how the user organizes them.


-------------------------------------------------------------------------------------------------------------


Saved Application State – Reopen Apps After Restart


Locations:

📌 Legacy macOS: ~/Library/Saved Application State/
📌 Sandboxed Apps: ~/Library/Containers/<Bundle ID>/Data/Library/Application Support/<App Name>/Saved Application State/

Since macOS 10.7, the "resume" feature allows applications to reopen exactly as they were before a system reboot or app exit.


Each app’s saved state is stored in a dedicated folder named <Bundle ID>.savedState, containing:
  • windows.plist (holds window names and positions)

  • data.data (encrypted session data, including opened files, URLs, and commands)


Forensic analysts often examine windows.plist files to uncover recently accessed files, websites visited in Safari, or commands executed in Terminal (e.g., sudo, ssh). Even Microsoft Office keeps a history of opened documents here!

-------------------------------------------------------------------------------------------------------------

Understanding macOS Time & Date Settings

macOS stores time zone and system time preferences in multiple files:

🕒 /etc/localtime – System-wide time settings
🕒 .GlobalPreferences.plist – Stores user-specific time settings
🕒 com.apple.timezone.auto.plist – Automatically detects and sets the time zone

These files help macOS maintain accurate timestamps for file modifications, notifications, and system events.


-------------------------------------------------------------------------------------------------------------

Time Changes & Location-Based Adjustments

Ever wondered how macOS adjusts time zones when you travel?

The system relies on location services and network lookups to update time settings automatically.


How it Works:

  • macOS uses location services (if enabled) and network-based lookups to detect where the system is and adjust the time zone accordingly.

  • The first network connection after traveling triggers a time zone update.


Time zone settings are stored in com.apple.timezone.auto.plist under /Library/Preferences/.

If location services are disabled, macOS relies on timestamps from system logs (/var/log/*) and the symlink at /etc/localtime.

How to Investigate:

  • Look for logs containing "location" (location services daemon) or "timezoned" (time zone daemon).

  • Analyze system log timestamps for sudden jumps.

  • Check /etc/localtime symlink updates, which indicate manual time zone changes.


-------------------------------------------------------------------------------------------------------------


Tracking Bluetooth Devices on macOS

Bluetooth activity can be a goldmine for forensic investigations, revealing which devices were connected and when.


Where macOS Stores Bluetooth Data:

  • User-specific devices: ~/Library/Preferences/ByHost/com.apple.Bluetooth.<HWUUID>.plist

  • System-wide devices: /Library/Preferences/com.apple.Bluetooth.plist

  • Organized by Bluetooth MAC address


Understanding Timestamps:

  • Last Used Time: Found under RecentDevices (user) or LastQueryUpdate & LastServicesUpdate (system).

  • First Used Time: LastNameUpdate (system). However, renaming a device (e.g., AirPods) can reset this timestamp.

  • Logs to Check: bluetoothd logs provide additional details.

Forensic Considerations:

  • Devices can be removed from the cache, making real-time analysis crucial.

  • Apple ecosystem devices (AirPods, iPads, etc.) may connect automatically through Continuity, even if not manually paired.


-------------------------------------------------------------------------------------------------------------


macOS Printing Artifacts: What’s Left Behind?

Every print job leaves digital footprints in multiple locations on a macOS system.


Key Files to Examine:

Printer settings: /Library/Preferences/org.cups.printers.plist
Printer configurations: /etc/cups/printers.conf and /etc/cups/ppd/ (PPD files store printer capabilities)

Print Job Metadata:

  • Stored in /private/var/spool/cups/

  • Print control files (c#####) contain:

    • Printer name

    • User account that printed the job

    • Job name (file/document title)

    • Application used (e.g., Safari, Word)

  • Print data files (d#####-001) store the actual content (usually as PDFs)
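
The c##### control files are IPP messages (an 8-byte header followed by tagged attributes), so the fields listed above can be pulled out with a small parser. The following is an added example written for this post, not CUPS code; the attribute names are the standard IPP ones, and the control file it parses is a constructed sample, not one taken from a real spool directory.

```python
import struct
from datetime import datetime, timezone

INT_TAGS = {0x21, 0x23}                                # IPP integer, enum
STR_TAGS = {0x41, 0x42, 0x44, 0x45, 0x47, 0x48, 0x49}  # text, name, keyword, uri, charset, lang, mime
GROUP_TAGS = {0x01, 0x02, 0x04, 0x05}                  # attribute-group delimiters
END_TAG = 0x03

def parse_ipp(data: bytes) -> dict:
    """Decode an IPP message (RFC 8010): 8-byte header, then tagged attributes until end-tag."""
    attrs, pos, name = {}, 8, None
    while pos < len(data) and data[pos] != END_TAG:
        tag = data[pos]; pos += 1
        if tag in GROUP_TAGS:
            continue
        nlen = struct.unpack_from(">H", data, pos)[0]; pos += 2
        if nlen:  # name-length 0 means another value of the previous attribute
            name = data[pos:pos + nlen].decode(); pos += nlen
        vlen = struct.unpack_from(">H", data, pos)[0]; pos += 2
        raw = data[pos:pos + vlen]; pos += vlen
        if tag in INT_TAGS:
            value = struct.unpack(">i", raw)[0]
        elif tag in STR_TAGS:
            value = raw.decode("utf-8", "replace")
        else:
            value = raw  # dateTime, resolution, etc. are left as raw bytes
        attrs.setdefault(name, []).append(value)
    return attrs

def job_summary(data: bytes) -> dict:
    """Pull the fields an examiner wants out of a c##### control file."""
    a = parse_ipp(data)
    first = lambda key: a.get(key, [None])[0]
    created = first("time-at-creation")
    return {"printer": first("job-printer-uri"),
            "user": first("job-originating-user-name"),
            "job_name": first("job-name"),
            "created_utc": datetime.fromtimestamp(created, timezone.utc).isoformat() if created else None}

def _attr(tag, name, value):  # encoder used only to build the constructed sample below
    raw = struct.pack(">i", value) if isinstance(value, int) else value.encode()
    return bytes([tag]) + struct.pack(">H", len(name)) + name.encode() + struct.pack(">H", len(raw)) + raw

SAMPLE_CONTROL_FILE = (  # constructed sample, not from a real spool directory
    b"\x02\x00\x00\x05\x00\x00\x00\x01"  # IPP 2.0, operation-id 0x0005, request-id 1
    + b"\x01" + _attr(0x45, "job-printer-uri", "ipp://localhost/printers/Office_Printer")
    + b"\x02" + _attr(0x42, "job-originating-user-name", "alice")
    + _attr(0x42, "job-name", "Q3_budget.xlsx")
    + _attr(0x21, "time-at-creation", 1700000000)
    + b"\x03")
```

Run job_summary() over the bytes of a real control file from /private/var/spool/cups/ to get the printer, user, document title and creation time in one dictionary.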


-------------------------------------------------------------------------------------------------------------


macOS Sharing Preferences: What’s Accessible?

Sharing settings determine what resources are accessible on a Mac. Even if features are disabled, historical data can reveal past configurations.


Where to Look:

  • Main settings file: /private/var/db/com.apple.xpc.launchd/disabled.plist

    • 1 = Yes (the service is disabled)
    • 0 = No (the service is not disabled)

  • Important bundle IDs: (If the bundle ID for the service does not appear in this list at all, it was likely not checked ever in the past and therefore never enabled.)

    • com.apple.screensharing → Screen Sharing

    • com.openssh.sshd → Remote Login (SSH)
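
The three states described above (disabled, enabled, never toggled) can be read straight out of disabled.plist. The following is an added example, not part of the original post; the plist it parses is a constructed XML sample, and the path in the __main__ block is the one given above.

```python
import plistlib

# Bundle IDs the post calls out (screen sharing, SSH) plus the file-sharing daemons it names
SERVICES = {
    "com.apple.screensharing": "Screen Sharing",
    "com.openssh.sshd": "Remote Login (SSH)",
    "com.apple.smbd": "SMB file sharing",
    "com.apple.AppleFileServer": "AFP file sharing",
}

def sharing_state(plist_bytes: bytes) -> dict:
    """Classify each service from the contents of disabled.plist.

    plistlib.loads accepts both the binary form found on disk and the XML form.
    """
    disabled = plistlib.loads(plist_bytes)
    state = {}
    for label, name in SERVICES.items():
        if label not in disabled:
            state[name] = "never toggled"   # key absent: the checkbox was never touched
        elif disabled[label]:
            state[name] = "disabled"        # true (1): launchd keeps the service off
        else:
            state[name] = "enabled"         # false (0): switched on at some point and still on
    return state

# Constructed sample disabled.plist (XML form; not taken from a real system)
SAMPLE_DISABLED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.screensharing</key><false/>
    <key>com.openssh.sshd</key><true/>
    <key>com.apple.smbd</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/private/var/db/com.apple.xpc.launchd/disabled.plist"
    with open(path, "rb") as fh:
        for name, status in sharing_state(fh.read()).items():
            print(f"{name:20} {status}")
```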


File Sharing Data:

  • Located in /private/var/db/dslocal/nodes/Default/sharepoints/

    [Screenshot: the shared folder "test" listed under sharepoints]

  • Shows shared folders, permissions, and network access settings.

  • Look for services like com.apple.smbd (SMB file sharing) or com.apple.AppleFileServer (AFP file sharing).


Forensic Takeaways:

  • Even if a service is currently disabled, historical configurations may indicate past activity.

  • Files shared over the network might still be accessible through logs or cached settings.




-------------------------------------------------------------------------------------------------------------


Understanding macOS Screen Sharing

macOS comes with a built-in Screen Sharing application that allows users to remotely access another Mac using the VNC (Virtual Network Computing) protocol.


Unlike regular applications found in /Applications, this utility is tucked away in /System/Library/CoreServices/Applications.

It can be incredibly useful for troubleshooting, remote assistance, or even managing multiple machines.



When a user enables Screen Sharing or Remote Management in the Sharing preferences pane, macOS generates a file called com.apple.RemoteManagement.plist in /Library/Preferences/.

This file stores configuration settings that determine how remote connections are handled.


-------------------------------------------------------------------------------------------------------------


VNC Access and Credentials


If VNC access is enabled, another important file comes into play:

/Library/Preferences/com.apple.VNCSettings.txt

This file contains an XOR-encrypted password used for VNC authentication.

Script to recover password:
cat com.apple.VNCSettings.txt | perl -wne 'BEGIN { @k = unpack "C*", pack "H*", "1734516E8BA8C5E2FF1C39567390ADCA"}; chomp; @p = unpack "C*", pack "H*", $_; foreach (@k) { printf "%c", $_ ^ (shift @p || 0) }; print "\n"'

-------------------------------------------------------------------------------------------------------------


Tracking SSH Connections: known_hosts File

For users who prefer command-line remote access, macOS also supports SSH (Secure Shell).

The system records SSH connections in ~/.ssh/known_hosts (or authorized_hosts).

This file logs previously accessed remote machines using a combination of IP addresses, hostnames, and public keys.


However, if the HashKnownHosts setting is enabled in /etc/ssh/ssh_config, this data is stored in a hashed format, making it difficult to retrieve the original hostname or IP address.
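
Hashed entries are not a dead end for an examiner who already knows the hostnames in the environment: OpenSSH stores HMAC-SHA1(salt, hostname) next to its salt, so a candidate name from an inventory can be checked against each line (the same test `ssh-keygen -F` performs). The following added example, not part of the original post, implements that check; the hostnames, the fixed salt and the key strings are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def hash_host(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|digest' host field OpenSSH writes when HashKnownHosts is yes."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) refers to hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")  # plain entries may list several names/IPs

def resolve_known_hosts(lines, candidates):
    """For each key line return (matching candidate or None, key type)."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field, key_type, *_ = line.split()
        match = next((c for c in candidates if host_field_matches(host_field, c)), None)
        results.append((match, key_type))
    return results

# Constructed sample: a fixed salt keeps the hashed lines reproducible (real salts are random)
_SALT = bytes(range(20))
_FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL"  # placeholder, not a real key
SAMPLE_KNOWN_HOSTS = [
    "# hashed entries, as written when HashKnownHosts is yes",
    f"{hash_host('build.example.internal', _SALT)} ssh-ed25519 {_FAKE_KEY}",
    f"{hash_host('unknown-host.example.internal', _SALT)} ssh-rsa {_FAKE_KEY}",
    "# plain entry, as written when hashing is off",
    f"10.0.0.5,fileserver.example.internal ecdsa-sha2-nistp256 {_FAKE_KEY}",
]
```

Lines whose hash matches none of the candidates stay unresolved, which is itself a finding: the user connected to something outside the known inventory.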

-------------------------------------------------------------------------------------------------------------


Terminal Command History: The Hidden Treasure

macOS keeps track of commands executed in the Terminal through history files stored in each user’s home directory:


  • ~/.bash_history (for older macOS versions and users still using bash)

  • ~/.zsh_history (default shell starting from macOS Catalina 10.15)


These plaintext files log user-entered commands, which can provide valuable insights into:

  • Applications and scripts the user executed

  • Privilege escalation attempts (e.g., sudo usage)

  • Accessed files, directories, and mounted volumes

  • Remote systems or networks the user interacted with


Key Considerations

  • The history file is not updated in real-time—it only writes data upon user logout.

  • Commands lack timestamps.


Live response tip:

You can view an active session’s history using the command:

history

This will display the command history for the currently logged-in user across open Terminal windows.


-------------------------------------------------------------------------------------------------------------


Session-Based History: ~/.zsh_sessions/<GUID>.history

With the introduction of zsh in macOS 10.15, Apple also brought back session-based history under ~/.zsh_sessions/.

Each session gets a unique GUID-based history file, containing executed commands along with timestamps.

Unlike .zsh_history, these session logs include file system timestamps and are only deleted after a few weeks. However, similar to .zsh_history, they are only written when the Terminal session is closed.

-------------------------------------------------------------------------------------------------------------


Final Thoughts


macOS hides a wealth of forensic data in plain sight. Whether you're a security professional, a digital forensic analyst, or just a power user, understanding these artifacts can give you a deeper grasp of what’s happening under the hood. 🚀


--------------------------------------------------Dean------------------------------------------------------
