Home Articles The Hitchhiker’s Guide to macOS USB Forensics

The Hitchhiker’s Guide to macOS USB Forensics


We are not sure about your labs, but our receives more and more Macs for forensic examination every month. And, of course, some of the cases require us to find forensic artefacts of external USB drives connections and files copying. We know that you guys liked our last article regarding USB forensics on Windows systems, so we decided to write another hitchhiker’s guide, this time about macOS USB forensics.

Let’s start. In our case ex-employee brought an external USB drive and stole company’s property. As that employee was involved in design, it was a bunch of AI and PSD files.

If you dealt with Macs before, you should know that you can get a lot of information from plist files, so to do macOS USB forensics, you will need a forensic tool with plists viewer. We are going to use Magnet AXIOM, but you can use a tool of your choice.

A good place to start is the Preferences folder located in /<username>/Library. It’s full of plist files, but let’s start from the following:

  • com.apple.finder.plist

Open it with a plist viewer of you choice and look at “RecentMoveAndCopyestinations” value.

Figure 1. com.apple.finder.plist

Yes, we got the mount point of the external USB drive. Now we are going to use the Keyword Search feature to search for more artefacts using the mount point. In our case, we have found a few records showing the user downloaded some JPGs to the external USB drive from the Internet.

Figure 2. Evidence of files downloaded from the Internet to an external USB drive with Google Chrome

During forensic examination of the user’s profile folder we have found a very interesting subfolder – .wdc. Inside of it there are lots of files with extremely valuable pieces of information from a forensic point of view, especially inside the db subfolder.

For example, devices.tingo – you can see the contents of this file on figure 3.

Figure 3. devices.tingo contents

As you can see, it contains lots of extremely valuable pieces of information: drive model and serial number, its capacity, mount point, name, etc.

Looks amazing, isn’t it?!

Ok, now it would be great to collect information about files copied to this external USB drive. Let’s go back to the Preferences folder. In our case the most valuable plist was the following:

  • com.adobe.mediabrowser.plist

This plist file contains most recently used (MRU) Illustrator and Photoshop files. And the number is not 10 or 20 as you usually see, but 500 (!). So it was a real gold mine!

Of course, you don’t always need to find AI and PSD files, you may want to find DOC, XLS, etc. The Preferences folder may help you with this too. There are even some tools that can help you to automate MRU finding, for example, macMRU Parser by Sarah Edwards.

Also a good technique to find not common USB artefacts is to index the whole image and search for mount point or drive name – you can find a lot.

We would be happy if you share your macOS USB forensic artefacts in the comments to this post.

Happy forensicating!

About the authors

Oleg Skulkin, MCFE, ACE, is a DFIR enthusional (enthusiast + professional) and Windows Forensics Cookbook co-author.

Igor Mikhaylov, MCFE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Load More Related Articles
Load More In Articles


  1. 1systematically

    December 30, 2021 at 11:02 pm


  2. gay crossdresser dating

    January 2, 2022 at 12:28 pm

    gay dating madison wi https://gaypridee.com

  3. gay free dating 4 older uk

    January 2, 2022 at 1:29 pm

    gay nsa dating ratings https://gay-buddies.com

  4. gay roulette chat

    January 14, 2022 at 7:16 pm

    first gay chat https://gaytgpost.com/

  5. gay bi texy chat

    January 14, 2022 at 7:42 pm

    free gay bi male text chat https://gay-buddies.com/