Recent Items in MacOS Sierra

Knowing specifically what a user has viewed on their computer is part of what an examiner does.  Determining whether or not a user has opened a file points to “knowledge” of the existence of the file.  Knowledge is an essential element when attempting to prove possession.

Operating systems track usage on computers in different ways.  Forensic examiners try to leverage usage artifacts to determine exactly what has occurred on the system. In the past, OS X has saved recent items in one simple file, com.apple.recentitems.plist.  Learn more about .plist files here. Starting with OS X 10.11, Apple began changing this using a new type of file called LSSharedFileList.

Recent Items Settings

For the user, viewing recent items on a computer running macOS Sierra is easy.  Just as on previous versions of OS X, users can access Recent Items by selecting (on the Menu bar) the Apple menu ➔ Recent Items.

Figure 1: Viewing Recent Items on computer running macOS Sierra

Recent Items are shown to the user in alphabetical order.

Users can adjust the number of Recent Items tracked by macOS by changing the setting contained in System Preferences ➔ General ➔ Recent Items.

Figure 2: Recent Items setting found in System Preferences ➔ General

Although the default value is set to 10, users can change the value from none (do not track) to fifty.

Analysis

SharedFileList

Recent items are tracked for each user account on macOS Sierra.  macOS Sierra saves Recent Items in the user’s Library (which is hidden by default) at the following path:

/Users/<username>/Library/Application Support/com.apple.sharedfilelist

Figure 3: View of com.apple.sharedfilelist folder containing Recent Items in macOS Sierra

Apple has now divided Recent Items by type into Recent Applications, Recent Documents, and Recent Servers.

Recent Applications

Recent Applications are tracked using com.apple.LSSharedFileList.RecentApplications.sfl.  Do not let the .sfl extension throw you; this is a binary plist file.

Let’s have a look once again at the Recent Items shown to the user.

Figure 4:  Recent Applications as viewed in macOS Sierra

Now, let’s look at the artifact and see what the LSSharedFileList file shows the examiner.

Figure 5:  LSSharedFileList.RecentApplications.sfl

In the artifact shown above (Figure 5), item 7 shows a value of com.apple.LSSharedFileList.MaxAmount and item 8 lists the value 10.  This is the value set for Recent Items in System Preferences ➔ General.  Listed below are the ten (as per the user setting reflected in com.apple.LSSharedFileList.MaxAmount) most recently opened applications, showing their name and full path.

Recent Documents

Recent Documents are tracked using com.apple.LSSharedFileList.RecentDocuments.sfl.

Once again, the user will see the Recent Documents listed alphabetically.

Figure 6:  Recent Documents as viewed in macOS Sierra  

Figure 7:  com.apple.LSSharedFileList.RecentDocuments.sfl

Just as with Recent Applications, the maximum number of Recent Documents tracked is listed, along with the name and full path of the document.  The word document is being used quite liberally here, as it seems that virtually every file is considered a document.

In the artifact shown above (Figure 7), item 35, “Centennial Classic.m4v”, is actually contained on an external volume called “D@NGER”.  This means items accessed on external devices are also tracked within this artifact.

Recent Servers

Recent Servers are a little different: macOS Sierra shows the user the name of the server, not the network address of the server.

Figure 8:  Recent Servers as viewed in macOS Sierra

macOS Sierra actually does track both, in separate artifacts: com.apple.LSSharedFileList.RecentServers and com.apple.LSSharedFileListRecentHosts.

Figure 9:  com.apple.LSSharedFileList.RecentServers and com.apple.LSSharedFileListRecentHosts

Recent Items Tracked by Individual Application

Contained in the /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments subfolder are separate LSSharedFileList files for each application that has been used on the system.

Figure 10: Subfolder com.apple.LSSharedFileList.ApplicationRecentDocuments

In a rather funny twist, Apple appears to have borrowed something from the Windows playbook, as this appears to be similar to Jump Lists on Windows systems (only in that Recent Items are tracked by application).

Again, like Recent Documents, Applications, and Servers, these LSSharedFileList files follow the same structure, showing the maximum number of recent items recorded, the name of the file, and the file’s full path.

Figure 11: LSSharedFileList for com.apple.quicktimeplayerx.sfl

A Few Caveats

As with everything in forensics, there is always a downside.

  • There are no dates recorded within the LSSharedFileList items, so while we know that these files are ‘recent’ we don’t know when these files were last opened.
  • It does not appear that there is an order to the items contained in the LSSharedFileList.  Previously, when Apple gave us recentitems.plist, files were recorded in descending order from 0 ➔ 10 (or whatever the Recent Items value was set to), most recent to oldest.
  • While all launched applications are recorded in /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments, it appears that at this time not all applications are actually recording recent items.
  • Previous versions of OS X tracked recent items in /Users/<username>/Library/Preferences; we like to say that Apple does not like to clean up after itself.  Examiners should ensure they check this location for previous LSSharedFileList items as well as com.apple.recentitems.plist.  Testing has found that on upgraded systems the property list files for recent files from past OS X installs may still exist; however, in some cases they are empty.  Nonetheless, it is always advisable to check these artifacts for data.
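The following triage sketch is an added example, not code from the original article or from Apple. It reads each .sfl as a binary plist, pulls the com.apple.LSSharedFileList.MaxAmount value and path-like strings as described under Recent Applications, and checks both the current folder and the legacy Preferences location from the last caveat. The top-level `$objects` list, the `file://` path form, the function names and the sample data are assumptions or constructed values.

```python
import plistlib
from pathlib import Path

MAX_KEY = "com.apple.LSSharedFileList.MaxAmount"
# Both locations the article names, relative to /Users/<username>.
LOCATIONS = ("Library/Application Support/com.apple.sharedfilelist",
             "Library/Preferences")

def sample_sfl():
    """Constructed sample, not a real artifact: a flat object list in a bplist."""
    objects = ["$null", MAX_KEY, 10,
               "Safari.app", "file:///Applications/Safari.app/",
               "Notes.app", "file:///Applications/Notes.app/"]
    return plistlib.dumps({"$objects": objects}, fmt=plistlib.FMT_BINARY)

def parse_sfl(raw):
    """Return (max_amount, path_strings) from the bytes of one .sfl file."""
    if not raw.startswith(b"bplist00"):
        raise ValueError("not a binary plist")
    plist = plistlib.loads(raw)
    # Assumption: items sit in a top-level "$objects" list (keyed archive).
    objects = plist.get("$objects", []) if isinstance(plist, dict) else []
    max_amount, paths = None, []
    for i, obj in enumerate(objects):
        nxt = objects[i + 1] if i + 1 < len(objects) else None
        if obj == MAX_KEY and type(nxt) is int:  # value follows its key
            max_amount = nxt
        elif isinstance(obj, str) and obj.startswith(("/", "file://")):
            paths.append(obj)
    return max_amount, paths

def wanted(f):
    """Recent-items candidates: .sfl files and the older plist names."""
    return f.is_file() and (f.suffix == ".sfl" or "LSSharedFileList" in f.name
                            or f.name == "com.apple.recentitems.plist")

def triage(home):
    """Map each candidate under `home` to 'empty', an error note, or its parse."""
    home, report = Path(home), {}
    for root in (home / loc for loc in LOCATIONS):
        files = sorted(root.rglob("*")) if root.is_dir() else []
        for f in filter(wanted, files):
            raw, key = f.read_bytes(), str(f.relative_to(home))
            try:
                report[key] = parse_sfl(raw) if raw else "empty"
            except Exception as exc:  # damaged or unexpected format: keep going
                report[key] = f"unparsed: {exc}"
    return report
```

Run `triage()` against a mounted working copy of the user's home folder, never the original evidence; a result of `(None, [])` means the file parsed but did not match the layout assumed here and should be reviewed by hand.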

Conclusion

Examiners need to ensure that they fully appreciate that, despite the yearly releases of the Mac operating system, not all the changes made are necessarily cosmetic.  Some changes are less noticeable, but it’s these changes that have the greatest impact on our forensic examinations.

Surely recent items are going to continue to evolve with macOS. Will all applications begin recording recent items?  Of course a lot of this depends on the programmers, and their implementation of LSSharedFileList items.


