Knowing specifically what a user has viewed on their computer is part of what an examiner does. Determining whether or not a user has opened a file points to “knowledge” of the existence of the file. Knowledge is an essential element when attempting to prove possession.
Operating systems track usage on computers in different ways. Forensic examiners try to leverage usage artifacts to determine exactly what has occurred on the system. In the past, OS X saved recent items in one simple file, com.apple.recentitems.plist. Starting with OS X 10.11, Apple began changing this, using a new type of file called LSSharedFileList.
Recent Items Settings
For the user, viewing recent items on a computer running macOS Sierra is easy. Just as on previous versions of OS X, users can access Recent Items by selecting (on the Menu bar) the Apple menu ➔ Recent Items.
Figure 1: Viewing Recent Items on computer running macOS Sierra
Recent Items are shown to the user in alphabetical order.
Users can adjust the number of Recent Items tracked by macOS by changing the setting contained in System Preferences ➔ General ➔ Recent Items.
Figure 2: Recent Items setting found in System Preferences ➔ General
Although the default value is set to 10, users can change the value from none (do not track) to fifty.
Recent items are tracked for each user account on macOS Sierra. macOS Sierra saves Recent Items in the user’s Library (which is hidden by default), at the following path: /Users/<username>/Library/Application Support/com.apple.sharedfilelist/
Figure 3: View of com.apple.sharedfilelist folder containing Recent Items in macOS Sierra
Apple has now divided Recent Items by type into Recent Applications, Recent Documents, and Recent Servers.
Recent Applications are tracked using com.apple.LSSharedFileList.RecentApplications.sfl. Do not let the .sfl extension throw you; this is a binary plist file.
Let’s have a look once again at the Recent Items shown to the user.
Figure 4: Recent Applications as viewed in macOS Sierra
Now, let’s look at the artifact and see what the LSSharedFileList file shows the examiner.
In the artifact shown above (Figure 5), item 7 shows a value of com.apple.LSSharedFileList.MaxAmount, and item 8 lists the value 10. This is the value set for Recent Items in System Preferences ➔ General. Listed below that are the ten (as per the user setting reflected in com.apple.LSSharedFileList.MaxAmount) most recently opened applications, showing their name and full path.
Recent Documents are tracked using com.apple.LSSharedFileList.RecentDocuments.sfl.
Once again, the user will see the Recent Documents listed alphabetically.
Figure 6: Recent Documents as viewed in macOS Sierra
Figure 7: com.apple.LSSharedFileList.RecentDocuments.sfl
Just as with Recent Applications, the maximum number of Recent Documents tracked is listed, along with the name and full path of the document. The word document is being used quite liberally here, as it seems that virtually every file is considered a document.
In the artifact shown above (Figure 7), item 35, “Centennial Classic.m4v”, is actually stored on an external volume called “D@NGER”. This means items accessed on external devices are also tracked within this artifact.
Recent Servers are a little different: macOS Sierra shows the name of the server, not the network address of the server.
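The following Python sketch is an added example, not code from the original article. It reads an .sfl binary plist, reports the com.apple.LSSharedFileList.MaxAmount value, and flags entries stored on a mounted volume. It assumes the entries sit in a flat "$objects" table with paths stored as file:// URL strings; the sample data is constructed.

```python
import plistlib
from urllib.parse import unquote, urlparse

MAX_KEY = "com.apple.LSSharedFileList.MaxAmount"

def parse_sfl(data):
    """Pull the MaxAmount setting and file paths out of an .sfl binary plist."""
    if not data.startswith(b"bplist00"):
        raise ValueError("not a binary plist; the .sfl layout may have changed")
    root = plistlib.loads(data)
    # Assumption: entries live in a flat "$objects" table (keyed-archive style).
    objects = root.get("$objects", []) if isinstance(root, dict) else []
    result = {"max_amount": None, "items": []}
    for i, obj in enumerate(objects):
        if obj == MAX_KEY and i + 1 < len(objects):
            nxt = objects[i + 1]  # the article shows the value in the next entry
            if isinstance(nxt, int) and not isinstance(nxt, bool):
                result["max_amount"] = nxt
        elif isinstance(obj, str) and obj.startswith("file://"):
            path = unquote(urlparse(obj).path)
            parts = path.split("/")
            # Anything under /Volumes/<name>/ was opened from a mounted volume.
            volume = parts[2] if len(parts) > 3 and parts[1] == "Volumes" else None
            result["items"].append({"path": path, "volume": volume})
    return result

def build_sample():
    """Constructed sample for illustration, not a real artifact."""
    objects = ["$null", MAX_KEY, 10,
               "file:///Applications/Safari.app/",
               "file:///Volumes/D@NGER/Centennial%20Classic.m4v"]
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$objects": objects},
                          fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    parsed = parse_sfl(build_sample())
    print("MaxAmount:", parsed["max_amount"])
    for item in parsed["items"]:
        origin = "volume " + item["volume"] if item["volume"] else "boot volume"
        print(item["path"], "-", origin)
```

On a real case, run it against a working copy of the .sfl file exported from the image, never the original evidence.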
Figure 8: Recent Servers as viewed in macOS Sierra
macOS Sierra actually does track both, in separate artifacts: com.apple.LSSharedFileList.RecentServers and com.apple.LSSharedFileList.RecentHosts.
Figure 9: com.apple.LSSharedFileList.RecentServers and com.apple.LSSharedFileList.RecentHosts
Recent Items Tracked by Individual Application
Contained in the /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments subfolder are separate LSSharedFileList files for each application that has been used on the system.
Figure 10: Subfolder com.apple.LSSharedFileList.ApplicationRecentDocuments
In a rather funny twist, Apple appears to have borrowed something from the Windows playbook, as this appears to be similar to Jump Lists on Windows systems (only in that Recent Items are tracked by application).
Again, like Recent Documents, Applications, and Servers, these LSSharedFileList files follow the same structure, showing the maximum number of recent items recorded, the name of the file, and the file’s full path.
Figure 11: LSSharedFileList for com.apple.quicktimeplayerx.sfl
A Few Caveats
As with everything in forensics, there is always a downside.
- There are no dates recorded within the LSSharedFileList items, so while we know that these files are ‘recent’, we don’t know when these files were last opened.
- It does not appear that there is an order to the items contained in the LSSharedFileList. Previously, when Apple gave us recentitems.plist, files were recorded in descending order from 0 ➔ 10 (or whatever the Recent Items value was set to), most recent to oldest.
- While all launched applications are recorded in /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments, it appears that at this time not all applications are actually recording recent items.
- Previous versions of OS X tracked recent items in /Users/<username>/Library/Preferences, and we like to say that Apple does not like to clean up after itself. Examiners should ensure they check this location for previous LSSharedFileList items as well as com.apple.recentitems.plist. Testing has found that on upgraded systems the property list files for recent files from past OS X installs may still exist; however, in some cases they are empty. Nonetheless, it is always advisable to check these artifacts for data.
Examiners need to fully appreciate that, despite the yearly releases of the Mac operating system, not all of the changes made are cosmetic. Some changes are less noticeable, but it’s these changes that have the greatest impact on our forensic examinations.
Surely recent items are going to continue to evolve with macOS. Will all applications begin recording recent items? Of course a lot of this depends on the programmers, and their implementation of LSSharedFileList items.