We are not sure about your labs, but ours receives more and more Macs for forensic examination every month. And, of course, some of the cases require us to find forensic artefacts of external USB drive connections and file copying. We know that you guys liked our last article on USB forensics on Windows systems, so we decided to write another hitchhiker’s guide, this time about macOS USB forensics.
Let’s start. In our case, an ex-employee brought in an external USB drive and stole company property. As that employee was involved in design, it was a bunch of AI and PSD files.
If you have dealt with Macs before, you know that you can get a lot of information from plist files, so to do macOS USB forensics you will need a forensic tool with a plist viewer. We are going to use Magnet AXIOM, but you can use a tool of your choice.
A good place to start is the Preferences folder located in /<username>/Library. It’s full of plist files, but let’s start with com.apple.finder.plist:
Open it with a plist viewer of your choice and look at the “RecentMoveAndCopyDestinations” value.
Figure 1. com.apple.finder.plist
Yes, we got the mount point of the external USB drive. Now we are going to use the Keyword Search feature to search for more artefacts using that mount point. In our case, we found a few records showing the user downloaded some JPGs from the Internet to the external USB drive.
Figure 2. Evidence of files downloaded from the Internet to an external USB drive with Google Chrome
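The two steps above, pulling the mount point out of Finder’s plist and then using it as a keyword to find browser downloads that landed on the drive, as an added example that is not part of the original post. The plist contents and the Chrome-style download rows are constructed samples, not data from a real case; the volume name, user name and URLs are made up.

```python
import plistlib
import sqlite3
from urllib.parse import unquote, urlparse

# Constructed stand-in for com.apple.finder.plist (not from a real system). Finder stores
# RecentMoveAndCopyDestinations as file:// URLs; a /Volumes/<name> path is a mounted volume.
SAMPLE_FINDER_PLIST = plistlib.dumps({
    "RecentMoveAndCopyDestinations": [
        "file:///Users/alice/Documents/Designs/",
        "file:///Volumes/WD%20PASSPORT/Backup/",
        "file:///Users/alice/Desktop/",
    ],
})

# Constructed rows shaped like Chrome's History "downloads" table (target_path, tab_url).
SAMPLE_DOWNLOADS = [
    ("/Users/alice/Downloads/invoice.pdf", "https://example.com/invoice"),
    ("/Volumes/WD PASSPORT/Backup/logo.jpg", "https://example.com/gallery"),
    ("/Volumes/WD PASSPORT/Backup/banner.jpg", "https://example.com/gallery"),
]

def recent_destinations(plist_bytes):
    """Decode RecentMoveAndCopyDestinations from Finder's plist into POSIX paths."""
    data = plistlib.loads(plist_bytes)
    paths = []
    for url in data.get("RecentMoveAndCopyDestinations", []):
        parsed = urlparse(url)
        if parsed.scheme == "file":              # skip anything that is not a local file URL
            paths.append(unquote(parsed.path))  # %20 -> space, the name Finder displays
    return paths

def external_mount_points(paths):
    """Reduce /Volumes/<name>/... destinations to unique mount points /Volumes/<name>."""
    mounts = []
    for parts in (p.split("/") for p in paths):
        if len(parts) > 2 and parts[1] == "Volumes" and "/Volumes/" + parts[2] not in mounts:
            mounts.append("/Volumes/" + parts[2])
    return mounts

def downloads_to_volume(rows, mount_point):
    """Keyword search: browser downloads whose target path lies under the mount point."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE downloads (target_path TEXT, tab_url TEXT)")
    con.executemany("INSERT INTO downloads VALUES (?, ?)", rows)
    sql = "SELECT target_path, tab_url FROM downloads WHERE target_path LIKE ? ORDER BY rowid"
    hits = con.execute(sql, (mount_point + "/%",)).fetchall()
    con.close()
    return hits
```

On a real image, point `plistlib.load()` at the exported com.apple.finder.plist and the query at a copy of the browser’s History database instead of the constructed samples.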
During forensic examination of the user’s profile folder we found a very interesting subfolder – .wdc. Inside it there are lots of files with extremely valuable pieces of information from a forensic point of view, especially in the db subfolder.
For example, devices.tingo – you can see the contents of this file in Figure 3.
Figure 3. devices.tingo contents
As you can see, it contains lots of extremely valuable pieces of information: drive model and serial number, its capacity, mount point, name, etc.
Looks amazing, doesn’t it?!
OK, now it would be great to collect information about files copied to this external USB drive. Let’s go back to the Preferences folder. In our case, the most valuable plist was the following:
This plist file contains most recently used (MRU) Illustrator and Photoshop files. And the number is not 10 or 20 as you usually see, but 500 (!). So it was a real gold mine!
Of course, you don’t always need to find AI and PSD files; you may want to find DOC, XLS, etc. The Preferences folder may help you with this too. There are even some tools that can help you automate finding MRUs, for example, macMRU Parser by Sarah Edwards.
Another good technique for finding less common USB artefacts is to index the whole image and search for the mount point or drive name – you can find a lot.
We would be happy if you shared your macOS USB forensic artefacts in the comments to this post.