
Understanding macOS App Preference Files, Most Recently Used (MRU) Files, Shared File Lists and Account Artifacts for Digital Forensics


When analyzing applications on macOS, understanding where configuration files, databases, and caches are stored is crucial. These files can provide insights into user activity, preferences, and even location data.


Application Configuration Files

Application configuration files store essential settings, preferences, and permissions. They are typically .plist files named in reverse-DNS format (e.g., net.whatsapp.WhatsApp.plist).


Locations for configuration files (~ means the user's home directory):

macOS:

  • ~/Library/Preferences/

  • ~/Library/Containers/.../<bundle_id>/.../Preferences/


These files store user-defined settings for applications, making them an essential resource in forensic investigations.

------------------------------------------------------------------------------------------------------------

App Databases and Other Files

Many applications store user-generated data, logs, and proprietary files in SQLite databases or other structured file formats.


Locations for App Databases:

macOS:

  • ~/Library/

  • ~/Library/Application Support/

  • ~/Library/Containers/...


These databases often contain crucial data such as messages, login details, and activity logs, depending on the application.

------------------------------------------------------------------------------------------------------------

Application Cache Files

Caches store temporary data to improve app performance. Although they are less persistent, they can sometimes hold valuable forensic evidence.


Locations for Cache Files:

macOS:

  • ~/Library/Caches/

  • ~/Library/Containers/.../<bundle_id>/.../Cache/


------------------------------------------------------------------------------------------------------------

Some applications use caches to store location-related data; a good example is the Cache.db file used by the Spotlight app.

-------------------------------------------------------------------------------------------------------------


Application Transparency, Consent, and Control (TCC)

Applications on macOS require user permission to access system resources like the camera, microphone, and location. These permissions are stored in the TCC.db SQLite database.



TCC Database Locations:

macOS:

  • User-Level: ~/Library/Application Support/com.apple.TCC/TCC.db

  • System-Level: /Library/Application Support/com.apple.TCC/TCC.db


macOS Privacy Settings: TCC.db Analysis

For macOS 11 and later, the auth_value column replaces the older allowed column:


  • 0 = Not allowed (denied)

  • 2 = Allowed


Querying this database shows which applications have been granted access to system files and other protected resources.
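The following is an added example, not code from the original post: it decodes the auth_value column exactly as described above over a constructed, in-memory copy of a TCC.db-style access table (the service and client values are sample data; the real database has many more columns).

```python
import sqlite3

# Decoding from the text: on macOS 11+ TCC.db the auth_value column replaces allowed.
AUTH_VALUE = {0: "denied", 2: "allowed"}

# Constructed sample rows shaped like the TCC.db `access` table (service, client, auth_value).
# A real TCC.db has many more columns (client_type, auth_reason, csreq, last_modified, ...).
SAMPLE_ROWS = [
    ("kTCCServiceCamera", "com.example.videochat", 2),
    ("kTCCServiceMicrophone", "com.example.videochat", 2),
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 2),  # Full Disk Access
    ("kTCCServiceAddressBook", "com.example.crm", 0),
]


def build_sample_db():
    """Create an in-memory SQLite DB with a minimal `access` table (constructed, not a real TCC.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_grants(conn, service=None):
    """Return (client, service, decoded auth_value) tuples, optionally filtered by service name.
    Values other than 0 and 2 are reported verbatim so nothing is silently mislabelled."""
    sql = "SELECT client, service, auth_value FROM access"
    params = ()
    if service is not None:
        sql += " WHERE service = ?"
        params = (service,)
    rows = conn.execute(sql + " ORDER BY client, service", params).fetchall()
    return [(c, s, AUTH_VALUE.get(v, f"other({v})")) for c, s, v in rows]


def allowed_clients(conn, service):
    """Clients granted a service (auth_value = 2), e.g. which bundles hold Full Disk Access."""
    return [c for c, _, state in list_grants(conn, service) if state == "allowed"]


if __name__ == "__main__":
    # Point sqlite3.connect at a copied TCC.db to run this against real data.
    db = build_sample_db()
    for client, svc, state in list_grants(db):
        print(f"{client:25} {svc:35} {state}")
```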


Location Services Authorization (clients.plist)

Location permissions for applications are stored in clients.plist. On macOS, this file is found at:


  • /private/var/db/locationd/clients.plist


This file tracks which apps have requested location access, making it useful in forensic investigations involving location data.



-------------------------------------------------------------------------------------------------------------


Most Recently Used (MRU) Files

When investigating macOS forensics, understanding the Most Recently Used (MRU) files and Shared File Lists (SFL) is essential. These artifacts provide valuable insights into user activity, such as recently opened documents, accessed folders, and used applications.


1. Microsoft Office 365 MRU Storage

Microsoft Office 365 applications maintain their own MRU lists in a specific location:

  • Location: ~/Library/Containers/com.microsoft.<app>/Data/Library/Preferences/com.microsoft.<app>.securebookmarks.plist

  • Structure: Each Office application has a separate plist file containing MRUs.

  • Data Stored:

    • Document paths

    • Bookmark data (BLOBs)

    • Unique identifiers (UUIDs)

    • Last accessed timestamps


Unlike native macOS MRUs that typically retain only the last 10 items, Microsoft Office applications store significantly more historical data.

2. macOS Finder Recent Folders

Finder keeps track of recently accessed folders within a specific plist file:


  • Location: ~/Library/Preferences/com.apple.finder.plist


  • Key: FXRecentFolders

  • Structure:

    • The plist contains folder names and bookmark BLOBs.

    • The first entry (Item 0) is the most recent, while Item 9 is the oldest.

    • The GUI order may differ from the plist contents, making direct plist analysis more accurate.
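An added example (not from the original post) that reads FXRecentFolders in plist order so that Item 0 is reported as the most recent entry; the key names name and file-bookmark and the tiny bookmark blobs are constructed stand-ins for a real com.apple.finder.plist.

```python
import plistlib

BOOK_MAGIC = b"book"  # 0x626F6F6B, the header at the start of macOS bookmark data


def make_sample_finder_plist():
    """Constructed stand-in for com.apple.finder.plist as a binary plist.
    Key names ('FXRecentFolders', 'name', 'file-bookmark') are assumed; item 0 is the most recent.
    Real bookmark BLOBs are hundreds of bytes; these are truncated stubs."""
    folders = [
        {"name": "Projects", "file-bookmark": BOOK_MAGIC + b"\x00" * 12},
        {"name": "Downloads", "file-bookmark": BOOK_MAGIC + b"\x00" * 12},
        {"name": "Desktop", "file-bookmark": b"junk"},  # constructed: damaged entry
    ]
    return plistlib.dumps({"FXRecentFolders": folders}, fmt=plistlib.FMT_BINARY)


def recent_folders(plist_bytes):
    """Return [(index, name, bookmark_has_book_header)] in plist order, 0 = most recent.
    plistlib.loads accepts both binary and XML plists, so the same call works on a
    file already converted with plutil."""
    data = plistlib.loads(plist_bytes)
    result = []
    for idx, entry in enumerate(data.get("FXRecentFolders", [])):
        bookmark = entry.get("file-bookmark", b"")
        result.append((idx, entry.get("name"), bookmark[:4] == BOOK_MAGIC))
    return result


if __name__ == "__main__":
    # Replace make_sample_finder_plist() with open(path, "rb").read() for a real file.
    for idx, name, ok in recent_folders(make_sample_finder_plist()):
        print(f"Item {idx}: {name} ({'valid bookmark' if ok else 'no book header'})")
```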


3. Application-Specific Recent Documents

macOS applications store recent document lists using the Shared File List (SFL) format.


  • Location: ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/

  • File Format: <bundle_id>.sfl2

  • Data Stored: Recently accessed documents per application


Examples:

  • com.apple.LSSharedFileList.RecentApplications.sfl2

  • com.apple.LSSharedFileList.RecentDocuments.sfl2

  • com.apple.LSSharedFileList.RecentHosts.sfl2

  • com.apple.LSSharedFileList.RecentServers.sfl2

All of these share the *.sfl2 extension and the same underlying format.


4. Understanding NSKeyedArchiver Binary Plist Files

Shared File List (SFL) files use the NSKeyedArchiver format, which is a binary plist structure. These files store serialized data, making them slightly more complex to parse.


Key Characteristics:

  • File Extension: .sfl or .sfl2 (since macOS High Sierra 10.13)

  • Stored Data:

    • $version

    • $objects

    • $archiver (value: NSKeyedArchiver)

    • $top (root of the plist structure)


Parsing Binary Plists:

Forensic analysts can use the plutil command:

plutil -p <file>

This prints the binary plist as readable, JSON-like output.



5. Extracting Bookmark Data

Bookmarks in macOS serve as references to files or directories, similar to Windows LNK files.

The bookmark data starts with the book header (bytes 0x626F6F6B, ASCII "book") and contains:
  • File path information

  • Volume name (e.g., Macintosh HD)

  • Volume GUID (Globally Unique Identifier)
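To show how the NSKeyedArchiver layout from the previous section ($top, $objects, UID references) is walked, and how the book header check above is applied to each item's bookmark, here is an added example that is not part of the original post. The four top-level keys are the real ones; the SFLListItem layout with Name and Bookmark fields, and the sample archive itself, are constructed assumptions.

```python
import plistlib
from plistlib import UID

BOOK_MAGIC = b"book"  # 0x626F6F6B header of macOS bookmark data


def make_sample_sfl2():
    """Constructed NSKeyedArchiver-style binary plist shaped like a recent-documents .sfl2.
    The four top-level keys ($version, $archiver, $top, $objects) are the real ones; the
    item layout (Name/Bookmark in an SFLListItem) is a simplified assumption."""
    objects = [
        "$null",                                                        # UID 0
        {"$class": UID(6), "items": UID(2)},                            # UID 1: root NSDictionary
        {"$class": UID(5), "NS.objects": [UID(3), UID(4)]},             # UID 2: NSArray of items
        {"$class": UID(7), "Name": "report.docx",
         "Bookmark": BOOK_MAGIC + b"\x00" * 8},                         # UID 3: valid bookmark stub
        {"$class": UID(7), "Name": "notes.txt", "Bookmark": b"\x00\x00"},  # UID 4: damaged blob
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
        {"$classname": "SFLListItem", "$classes": ["SFLListItem", "NSObject"]},
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def resolve(objects, value):
    """Follow plistlib.UID references into $objects until plain Python values remain.
    Assumes an acyclic archive; real archives can contain cycles, so add a seen-set for those."""
    if isinstance(value, UID):
        return resolve(objects, objects[value.data])
    if isinstance(value, dict):
        if "$classname" in value:          # class descriptor: keep only the class name
            return value["$classname"]
        if "NS.objects" in value:          # NSArray / NSSet container
            return [resolve(objects, v) for v in value["NS.objects"]]
        return {k: resolve(objects, v) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(objects, v) for v in value]
    return value


def list_recent_items(sfl_bytes):
    """Return [(name, bookmark_has_book_header)] from an NSKeyedArchiver .sfl2-style archive."""
    archive = plistlib.loads(sfl_bytes)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    root = resolve(archive["$objects"], archive["$top"]["root"])
    return [(item["Name"], item["Bookmark"][:4] == BOOK_MAGIC) for item in root["items"]]
```

On a real .sfl2 the item dictionaries carry additional fields, so inspect the resolved root with plutil -p first and adjust the field names.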


MacMRU Python Script (To Run on Live System/Mounted Image)

-------------------------------------------------------------------------------------------------------

Account Artifacts

Where macOS Stores Account Information

macOS stores account configurations in SQLite databases and plist (property list) files. These files hold details about email, calendar, and other connected services.


Account Databases

  • macOS 10.11: ~/Library/Accounts/Accounts3.sqlite

  • macOS 10.12+: ~/Library/Accounts/Accounts4.sqlite


Quick Triage with Plist Files

For a quick analysis, investigators can check the com.apple.accounts.exists.plist file located at:


  • /preferences/SystemConfiguration/ (accessible via backups, file system extractions, or physical images).


This plist file provides an overview of the types of accounts configured on a device. It contains two key values:
  • Exists: Indicates whether an account type (e.g., Google, Exchange, iCloud) is present.

  • Count: Shows the number of accounts for a particular type.


-------------------------------------------------------------------------------------------------------------


Exploring Accounts3.sqlite & Accounts4.sqlite Databases

These SQLite databases track user-configured accounts and store credentials, descriptions, and identifiers. Investigators can extract useful information from the following tables:


1. ZACCOUNTTYPE Table

This table contains the types of accounts configured on the device. Important fields include:

  • Z_PK: Primary key (identification number for each account type)

  • ZACCOUNTTYPEDESCRIPTION: Description of the account type (e.g., Google, Exchange, iCloud)

2. ZACCOUNT Table

This table stores details for individual user accounts. Key fields include:

  • Z_PK: Primary Key

  • ZUSERNAME: Account username

  • ZACCOUNTDESCRIPTION: More specific account description

  • ZPARENTACCOUNT: Parent account type (if applicable)

  • ZDATE: Timestamp of account creation (Mac Epoch format)

  • ZIDENTIFIER: Globally unique identifier (GUID) for the account

  • ZKEY & ZVALUE: Configuration key-value pairs (e.g., email servers, ports, authentication settings)
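An added example (not from the original post) that joins ZACCOUNT to ZACCOUNTTYPE and decodes ZDATE over a constructed in-memory stand-in for Accounts4.sqlite. It assumes ZACCOUNT links to its type through a ZACCOUNTTYPE column, and that ZDATE follows the Core Data convention of seconds since 2001-01-01 00:00:00 UTC (the "Mac epoch" named above); usernames and GUIDs are sample values.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC (the "Mac epoch").
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_time_to_utc(seconds):
    """Convert a Core Data ZDATE value (float seconds since the Mac epoch) to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def build_sample_accounts_db():
    """Constructed stand-in for Accounts4.sqlite with the columns listed in the text.
    The ZACCOUNT.ZACCOUNTTYPE foreign key to ZACCOUNTTYPE.Z_PK is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZACCOUNTTYPE (Z_PK INTEGER PRIMARY KEY, ZACCOUNTTYPEDESCRIPTION TEXT);
        CREATE TABLE ZACCOUNT (Z_PK INTEGER PRIMARY KEY, ZACCOUNTTYPE INTEGER,
            ZUSERNAME TEXT, ZACCOUNTDESCRIPTION TEXT, ZDATE REAL, ZIDENTIFIER TEXT);
        INSERT INTO ZACCOUNTTYPE VALUES (1, 'iCloud'), (2, 'Google'), (3, 'Exchange');
        INSERT INTO ZACCOUNT VALUES
            (10, 1, 'dean@icloud.com', 'iCloud', 700000000.0, 'CONSTRUCTED-GUID-0001'),
            (11, 2, 'dean.work@gmail.com', 'Gmail', 712345678.5, 'CONSTRUCTED-GUID-0002');
    """)
    return conn


def configured_accounts(conn):
    """Join each account to its type and decode ZDATE; returns dicts ordered by creation time."""
    sql = """SELECT a.Z_PK, t.ZACCOUNTTYPEDESCRIPTION, a.ZUSERNAME, a.ZACCOUNTDESCRIPTION,
                    a.ZDATE, a.ZIDENTIFIER
             FROM ZACCOUNT a JOIN ZACCOUNTTYPE t ON a.ZACCOUNTTYPE = t.Z_PK
             ORDER BY a.ZDATE"""
    return [{"pk": pk, "type": typ, "username": user, "description": desc,
             "created_utc": mac_time_to_utc(zdate).strftime("%Y-%m-%d %H:%M:%S"),
             "guid": guid}
            for pk, typ, user, desc, zdate, guid in conn.execute(sql)]


if __name__ == "__main__":
    # Swap build_sample_accounts_db() for sqlite3.connect("<copy of Accounts4.sqlite>") on real data.
    for acct in configured_accounts(build_sample_accounts_db()):
        print(f"{acct['created_utc']}  {acct['type']:9} {acct['username']:22} {acct['guid']}")
```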


-------------------------------------------------------------------------------------------------------------

Forensic Tools for Analyzing macOS

On a macOS Analysis Host

For analyzing extracted artifacts, forensic examiners can use:


  • sqlite3 / SQLite Viewer – Database inspection

  • Xcode – Viewing plist files

  • Virtual Machines – Controlled analysis environments


-------------------------------------------------------------------------------------------------------------

Conclusion

Understanding how macOS stores data is crucial for digital forensic investigations. By analyzing SQLite databases and plist files, investigators can uncover valuable details about user accounts, authentication methods, and linked services.


With the right tools and techniques, forensic professionals can extract and interpret this information effectively, aiding in cybercrime investigations and incident response.

----------------------------------------------Dean--------------------------------------------------