Mac OS X 10.9 - Paths of commercial apps and data
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
Autorun Locations
- Launch Agents files
/Library/LaunchAgents/*
/System/Library/LaunchAgents/*
- Launch Daemons files
/Library/LaunchDaemons/*
/System/Library/LaunchDaemons/*
- Startup Items file
/Library/StartupItems/*
/System/Library/StartupItems/*
System Logs
- Apple System Log
/private/var/log/asl/YYYY.MM.DD.[UID].[GID].asl
- Apple System logs per User
/private/var/log/asl/YYYY.MM.DD.[UID].asl
- Audit Log
/private/var/audit/*
- Installation log
It contains the installation date of the system, as well as the dates of system and software updates
/private/var/log/install.log
System Preferences
- System Preferences files
/Library/Preferences/*
- Global Preferences
It contains Global Preferences information such as the local time zone, geographical coordinates, etc.
/Library/Preferences/.GlobalPreferences.plist
- Software Update
Plist describing last attempt and last successful attempt at updating OS X software
/Library/Preferences/com.apple.SoftwareUpdate.plist
System Settings and Information
- OS Installation time
Empty file. Its last modification time represents the date/time the OS was installed
/private/var/db/.AppleSetupDone
- OS name and version
Plist describing the installed Operating System
/System/Library/CoreServices/SystemVersion.plist
Sleep/Hibernate and Swap Image File
- Sleep Image File
Contents of RAM are written to this file when the computer is put to sleep
/private/var/vm/sleepimage
- Swap Files
Numerous swap files may be found in this directory with the naming convention of swapfile# (swapfile0, swapfile1, swapfile2, etc.)
/private/var/vm/swapfile#
Kernel Extension
- Kernel Extension
Kext files are essentially drivers for Mac OS X.
/System/Library/Extensions/*
Software Installation
- Software Installation History
It contains a history of installed applications and updates
/Library/Receipts/InstallHistory.plist
- Software Update
Plist describing last attempt and last successful attempt at updating OS X software
/Library/Preferences/com.apple.SoftwareUpdate.plist
- Applications
/Applications/*
System Info Misc.
- Current Time Zone
Symlink pointing to /usr/share/zoneinfo/XYZ
/etc/localtime
USER ARTIFACTS
Autorun Locations
- Login Items
Plists listing applications that automatically start when the user is logged in
/Users/$USERNAME/Library/Preferences/com.apple.loginitems.plist
Users
- Users directories in /Users
/Users/*
User Directories
- Downloads Directory
/Users/$USERNAME/Downloads/*
- Documents Directory
/Users/$USERNAME/Documents/*
- Music Directory
/Users/$USERNAME/Music/*
- Desktop Directory
/Users/$USERNAME/Desktop/*
- Library Directory
Hidden directory in Lion
/Users/$USERNAME/Library/*
- Movies Directory
/Users/$USERNAME/Movies/*
- Pictures Directory
/Users/$USERNAME/Pictures/*
- Public Directory
/Users/$USERNAME/Public/*
- Applications
/Applications/*
Preferences
- User preferences directory
/Users/$USERNAME/Library/Preferences/*
- iCloud user preferences
/Users/$USERNAME/Library/Preferences/MobileMeAccounts.plist
Logs
- User Log Files
/Users/$USERNAME/Library/Logs/*
iDevice Backup
- iOS device backups directory
/Users/$USERNAME/Library/Application Support/MobileSync/Backup/*
- iOS device backup information
It's a plist file in plain text. It stores data about the backed up device (such as device name, GUID, ICCID, IMEI, Product type, iOS version, serial numbers, UDID etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).
/Users/$USERNAME/Library/Application Support/MobileSync/Backup/$BACKUP_FOLDER/info.plist
- iOS device backup apps information
It's a plist file in plain text and it describes the content of the backup. Inside this file we can find the list of applications installed on the backed up device. For every application there are the name and the particular version. Inside the file there is also the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.
/Users/$USERNAME/Library/Application Support/MobileSync/Backup/$BACKUP_FOLDER/Manifest.plist
- iOS device backup status information
It's a plist file in binary format and it stores information about the completion of the backup
/Users/$USERNAME/Library/Application Support/MobileSync/Backup/$BACKUP_FOLDER/Status.plist
Preferences
- Preferences Directory
Directory containing user preference settings for applications and utilities
/Users/$USERNAME/Library/Preferences/
- Global Preferences
Global Preferences Plist
/Users/$USERNAME/Library/Preferences/.GlobalPreferences.plist
APPLICATIONS ARTIFACTS
iCloud
- iCloud Accounts
/Users/$USERNAME/Library/Application Support/iCloud/Accounts/
Skype
- Skype Directory
Directory containing Skype user artifacts
/Users/$USERNAME/Library/Application Support/Skype/*
- Skype User profile
Directory containing Skype user artifacts
/Users/$USERNAME/Library/Application Support/Skype/$SKYPE_USERNAME/*
- Skype Preferences and Recent Searches
Skype preferences and recent user searches
/Users/$USERNAME/Library/Preferences/com.skype.skype.plist
- Main Skype database
Database of contacts, SMS's, calls, conversations, videos, messages, etc.
/Users/$USERNAME/Library/Application Support/Skype/$SKYPE_USERNAME/Main.db
- Chat Sync Directory
Directory containing chat logs
/Users/$USERNAME/Library/Application Support/Skype/$SKYPE_USERNAME/chatsync/*
Safari
- Safari Main Folder
/Users/$USERNAME/Library/Safari/*
- Safari Bookmarks
Plist listing default and user-added Safari bookmarks
/Users/$USERNAME/Library/Safari/Bookmarks.plist
- Safari Downloads
Plist listing files downloaded using Safari Browser
/Users/$USERNAME/Library/Safari/Downloads.plist
- Safari Installed Extensions
Plist describing installed Safari Extensions
/Users/$USERNAME/Library/Safari/Extensions/Extensions.plist
/Users/$USERNAME/Library/Safari/Extensions/*
- Safari History
Plist listing Safari web browsing history
/Users/$USERNAME/Library/Safari/History.plist
- Safari History Index
An index of Safari History allowing a user to perform keyword searches of visited webpages
/Users/$USERNAME/Library/Safari/HistoryIndex.sk
- Safari Last Session
A plist describing the state of Safari when it was last closed
/Users/$USERNAME/Library/Safari/LastSession.plist
- Safari Local Storage Directory
A directory for webpage-specific storage. Each webpage stores data in a SQLite database with the file extension of .localstorage.
/Users/$USERNAME/Library/Safari/LocalStorage/*
- Safari Local Storage Database
A database listing the webpage specific databases
/Users/$USERNAME/Library/Safari/LocalStorage/StorageTracker.db
- Safari Top Sites
A Plist listing the webpages belonging to Safari's Top Sites
/Users/$USERNAME/Library/Safari/TopSites.plist
- Safari Webpage Icons Database
A database containing saved web page icons for webpages visited
/Users/$USERNAME/Library/Safari/WebpageIcons.db
- Safari Cache Directory
A directory containing Safari-specific cache items
/Users/$USERNAME/Library/Caches/com.apple.Safari/*
- Safari Cache
A cache of data from visited webpages
/Users/$USERNAME/Library/Caches/com.apple.Safari/Cache.db
- Safari Extensions Cache
A directory containing cached items for Safari Extensions
/Users/$USERNAME/Library/Caches/com.apple.Safari/Extensions/*
- Safari Webpage Previews
A directory containing images of viewed webpages in .png and .jpg formats. The file name is a hash of the webpage URL.
/Users/$USERNAME/Library/Caches/com.apple.Safari/Webpage Previews/*
- Safari Cookies
Cookies from visited webpages
/Users/$USERNAME/Library/Cookies/Cookies.binarycookies
- Safari Preferences and Search terms
Contains recent Safari search strings and the downloads folder location, in addition to preferences
/Users/$USERNAME/Library/Preferences/com.apple.Safari.plist
- Safari Extension Preferences
Contains preferences of Safari installed extensions
/Users/$USERNAME/Library/Preferences/com.apple.Safari.Extensions.plist
- Safari Bookmark Cache
Each bookmark entry in Bookmarks.plist is stored as an individual file in this directory for more efficient use with Spotlight and to allow the user to select the bookmark entry from Spotlight and have Safari launch the corresponding webpage
/Users/$USERNAME/Library/Caches/Metadata/Safari/Bookmarks/*
- Safari History Cache
Each website entry in History.plist is stored as an individual file in this directory for more efficient use with Spotlight and to allow the user to select the webpage entry from Spotlight and have Safari launch the corresponding webpage
/Users/$USERNAME/Library/Caches/Metadata/Safari/History/*
- Safari Temporary Images
It contains the images present/viewed in the web pages visited by the user
/Users/$USERNAME/Library/Caches/com.apple.Safari/fsCachedData/*
Firefox
- Firefox Directory
Directory containing user artifacts for Mozilla Firefox web browser
/Users/$USERNAME/Library/Application Support/Firefox/*
- Firefox Profiles
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/*
- Firefox Cookies
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/Cookies.sqlite
- Firefox Downloads
Download history. Removed in Firefox 26.0.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/Downloads.sqlite
- Firefox Form History
Text entered into forms including search terms, email addresses, and login information.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/Formhistory.sqlite
- Firefox History
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/Places.sqlite
- Firefox Signon
Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/signons.sqlite
- Firefox Key
It contains a key used to encrypt and decrypt saved passwords.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/key3.db
- Firefox Permissions
Permission database for cookies, pop-up blocking, image loading and add-ons installation.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/permissions.sqlite
- Firefox Add-ons
Stores AMO data for installed add-ons such as screenshots, ratings, homepage, and other details.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/addons.sqlite
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/addons.json
- Firefox Extension
Installed extension information
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/extensions.sqlite
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/extensions.json
- Firefox Pages Settings
Individual settings for pages.
/Users/$USERNAME/Library/Application Support/Firefox/Profiles/$PROFILE/content-prefs.sqlite
Google Chrome
- Chrome Main Folder
Directory containing user artifacts for Google Chrome web browser
/Users/$USERNAME/Library/Application Support/Google/Chrome/*
- Chrome Default profile
Directory containing user artifacts for Google Chrome web browser
/Users/$USERNAME/Library/Application Support/Google/Chrome/default/*
- Chrome History
It contains the URLs visited, a list of searched keywords/terms, and a list of downloaded items
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/History
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Archived History
- Chrome Bookmarks
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Bookmarks
- Chrome Cookies
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Cookies
- Chrome Local Storage
Local Storage is a common name for part of HTML5 Web Storage. It is the newest version of cookies, and it serves the same purpose as "normal" cookies: enabling websites to store persistent data locally.
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Local Storage/*.localstorage
- Chrome Login Data
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Login Data
- Chrome Top Sites
Rank of the most visited websites
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Top Sites
- Chrome Web Data
The Web Data database records text a user enters into web forms so that Chrome can automatically fill in similar future forms.
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/Web Data
- Chrome Extensions
It contains the databases of Chrome extensions, filled with the related usage data
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/databases/*
/Users/$USERNAME/Library/Application Support/Google/Chrome/$PROFILE/databases/Databases.db
- Chrome Cache
Google Chrome cache
/Users/$USERNAME/Library/Caches/com.google.Chrome/Cache.db
- Chrome Preferences Files
/Users/$USERNAME/Library/Preferences/com.google.Chrome.plist
Apple Mail
- Mail Main Folder
Apple Mail main directory
/Users/$USERNAME/Library/Mail/V2/*
- Mail Mailbox Directory
Apple Mail Mailboxes
/Users/$USERNAME/Library/Mail/V2/Mailboxes/*
- Mail IMAP Synched Mailboxes
Synched IMAP Account(s)
/Users/$USERNAME/Library/Mail/V2/IMAP-<name@address>/*
- Mail POP Synched Mailboxes
Synched POP Account(s)
/Users/$USERNAME/Library/Mail/V2/POP-<name@address>/*
- Mail BackupTOC
Backup Plist that defines the mailbox structure
/Users/$USERNAME/Library/Mail/V2/MailData/BackupTOC.plist
- Mail Envelope Index
Keeps track of the location of Mail messages - the content of some messages is present as well
/Users/$USERNAME/Library/Mail/V2/MailData/Envelope Index
- Mail Opened Attachments
Plist listing opened Mail attachments (although often empty; more to do here)
/Users/$USERNAME/Library/Mail/V2/MailData/OpenedAttachmentsV2.plist
- Mail Signatures by Account
Plist containing Mail signatures
/Users/$USERNAME/Library/Mail/V2/MailData/Signatures/*
- Mail Downloads Directory
Directory containing files downloaded from email messages
/Users/$USERNAME/Library/Containers/com.apple.mail/Data/Library/Mail Downloads/*
- Mail Preferences
Mail preferences
/Users/$USERNAME/Library/Preferences/com.apple.Mail.plist
- Mail Recent Contacts
SQLite database stored in Address Book's support directory containing recent Mail contacts
/Users/$USERNAME/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
- Mail Accounts
Accounts configured in Mail.app
/Users/$USERNAME/Library/Mail/V2/MailData/Accounts.plist
Misc.
- Misc. Logs
/private/var/log/
- Dock database
It contains directories, files, and apps that have appeared in the Dock
/Users/$USERNAME/Library/Preferences/com.apple.Dock.plist
- Mac OS X Quarantine Event DB
SQLite database that keeps track of files carrying the quarantine extended attribute, which is given to applications, scripts, and executables downloaded from potentially untrustworthy locations/people. The SQLite database contains URLs, email addresses, email subjects, and other potentially useful information.
/Users/$USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
/Users/$USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
- Keychain Directory
Directory containing user keychain files
/Users/$USERNAME/Library/Keychains/
- User Setup Plist
Plist listing the information entered by the user at the time of the OS setup
/private/var/db/.AppleSetupDone
- Time Machine Info
Time Machine backup info
/Library/Preferences/com.apple.TimeMachine.plist
Networking
- Hosts file
/etc/hosts
- Remembered Wireless Networks
Remembered wireless networks
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist