Mac Forensics Essentials: The Guest User Account
The guest user account on a Mac OS X machine is often overlooked. However, during a Mac forensic examination, an examiner may gain additional insight into a case by looking at the Guest Account settings. The Guest Account settings are accessed in the same System Preferences pane as other user accounts here:
Apple Menu > System Preferences > Accounts (Snow Leopard) or,
Apple Menu > System Preferences > Users & Groups (Lion)
On the left side of the Accounts or Users & Groups preference pane, select Guest Account and the preference setting options appear.
The following account settings are of particular interest during a Mac forensic examination.
The “Allow Guests to Connect to Shared Folders” Setting
The default Guest User account setting on a Mac OS X machine is “Allow guests to connect to shared folders.” Note the following:
• By default, all Public folders in local users’ home directories (/Users/<username>/Public) are shared, with one exception:
• When a user account has FileVault enabled and that user is logged out, the “FileVaulted” user’s Public folder is not available to a guest user. If the “FileVaulted” user is logged in, that user’s Public folder is shared by default. If a user does not have FileVault enabled, that user’s Public folder remains available to a guest user whether the “non-FileVaulted” user is logged in or logged out.
When this Guest Account option is selected, a guest user may access local users’ shared folders and files without a password. When only this option is enabled, the label under the Guest User account displays “Sharing only.”
The “Allow Guests to Log Into This Computer” Setting
When the “Allow guests to log into this computer” option is enabled, a guest user may log into the system, but must do so locally (a remote user connected as guest has access to shared files as described above, but a user cannot log in to the Guest Account remotely). When only this option is enabled, the label under the Guest Account displays “Login only.”
This setting has several attributes of interest:
• A password is not required to log into the Guest Account.
• A temporary guest home directory structure is created each time a guest user logs in.
• A guest user may not modify other users’ shared files and folders while they are in other users’ home directories; however,
• A guest user may duplicate other users’ documents and save them to the Guest User account (anywhere), or save them to the /Users/Shared folder without the need for credentials.
• A guest user may otherwise act as a regular user within the bounds of any administrator restrictions placed on the guest account (see below).
• When a guest logs out, all files and folders within the temporary guest user home directory are deleted. This includes Internet artifacts, Desktop files, etc.; however,
• A Mac forensic examiner may use the BlackLight forensic analysis software to recover (carve) these files from unallocated space.
• Any files or folders that a guest user saves outside the guest home directory, such as in the /Users/Shared folder, remain active (in allocated space) after the guest user logs out.
The “Allow Guests to Log Into This Computer” Setting with Parental Controls Enabled
When the “Allow guests to log into this computer” option is selected, an administrator may choose to set several Parental Controls to restrict guest account usage. These controls include limiting:
• Application usage
• Website access
• Who a guest user may and may not contact via email and/or chat
• What times and days of the week a guest account is available and for how long
• Printer usage and DVD burning
• Hiding access to profanity in the Dictionary application
An examiner can quickly tell if “Allow guests to log into this computer” is enabled with Parental Controls in place, as the label under the Guest Account displays “Enabled, Managed.”
When both “Allow Guests to Connect to Shared Folders” and “Allow Guests to Log Into This Computer” Settings are Enabled
The “Allow guests to connect to shared folders” and “Allow guests to log into this computer” options may be enabled simultaneously. When this occurs:
• A local guest user and a remote user connected as guest may have access to the computer at the same time without entering a password.
• A local guest user and a remote user connected as guest can access shared files and folders in other local users’ home directories without a password; however,
• A remote user connected as guest cannot access shared Guest Account files and folders (including the Guest Account Public folder!) without changes to system settings that require administrator credentials.
An examiner can quickly tell if both of these options are enabled simultaneously, as the label under the Guest Account displays “Login, Sharing.”
Advanced Guest Account Options
To access the advanced settings preference pane, on the left side of the Accounts or Users & Groups preference pane, right- or control-click the Guest Account and select Advanced Options….
The User ID and Universally Unique Identifier (UUID) are the most important advanced options an examiner should investigate. Under normal circumstances, the User ID and UUID are exactly the same for every Guest user on any Mac OS X system. By default, the Guest Account User ID is 201; however, an administrator may easily change these two advanced options.
Therefore, there are a couple things to keep in mind during a forensic examination:
1 – Under normal circumstances, if an examiner locates files with User ID 201 during a forensic examination, these files may be associated with the Guest Account. However, because a password is not required to log into the Guest Account, files created under User ID 201 may not be attributed to a specific person, unless additional evidence is present that establishes who was using the computer at the time the file was created.
2 – If an administrator changed the Guest Account User ID, an examiner must know the Guest Account User ID to conclude a file was created by a Guest Account user. If the examiner does not know the modified Guest Account User ID, but suspects that a guest user did access the machine using the Guest Account, an examiner might look for other accounts with out-of-the-ordinary User IDs (i.e., IDs that fall outside, or are unusual within, the normal “500” range) to help establish Guest Account file ownership.
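The settings and labels described in the sections above, and the User ID check in points 1 and 2, can be reviewed offline from a mounted evidence image rather than through System Preferences. The following script is an added example for this post; it is not code from the original article or from BlackBag. The file paths and plist keys it reads (GuestEnabled in com.apple.loginwindow.plist, AllowGuestAccess in com.apple.smb.server.plist, guestAccess in com.apple.AppleFileServer.plist, and the uid / generateduid attributes in the dslocal Guest.plist record) are the author’s assumptions about where Mac OS X keeps these settings, and every plist shown is constructed sample data; the label used when both Guest options are off is likewise assumed, since the post does not give it.

```python
"""Offline review of Guest Account settings from a mounted macOS evidence image.

Added example; not code from the original post or from BlackBag. Paths and plist
keys are assumptions about where Mac OS X stores these settings:
  <root>/Library/Preferences/com.apple.loginwindow.plist                     GuestEnabled
  <root>/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist  AllowGuestAccess
  <root>/Library/Preferences/com.apple.AppleFileServer.plist                 guestAccess
  <root>/var/db/dslocal/nodes/Default/users/Guest.plist                      uid, generateduid
All sample plist contents below are constructed for this example.
"""
import os
import plistlib
import tempfile

DEFAULT_GUEST_UID = 201  # default Guest Account User ID stated in the post


def plist_bool(data: bytes, key: str, default: bool = False) -> bool:
    """Read one boolean key from plist bytes; missing key or unreadable file -> default."""
    try:
        value = plistlib.loads(data).get(key, default)
    except Exception:  # not a parseable plist (binary or XML); treat as unset
        return default
    return bool(value)


def pane_label(login_enabled: bool, sharing_enabled: bool) -> str:
    """Label shown under 'Guest Account' in the Accounts pane, per the post.
    The wording when both options are off is not given in the post; "Off" is assumed."""
    if login_enabled and sharing_enabled:
        return "Login, Sharing"
    if login_enabled:
        return "Login only"
    if sharing_enabled:
        return "Sharing only"
    return "Off"


def guest_settings(loginwindow: bytes, smb: bytes, afp: bytes) -> dict:
    """Reduce the three preference files to the two Guest Account switches."""
    login_enabled = plist_bool(loginwindow, "GuestEnabled")
    # "Allow guests to connect to shared folders" governs guest access for both
    # file-sharing protocols; either flag being on means guest sharing is on.
    sharing_enabled = plist_bool(smb, "AllowGuestAccess") or plist_bool(afp, "guestAccess")
    return {
        "login_enabled": login_enabled,
        "sharing_enabled": sharing_enabled,
        "label": pane_label(login_enabled, sharing_enabled),
    }


def guest_record(guest_plist: bytes) -> dict:
    """Pull User ID and UUID from the local directory node record for Guest.
    dslocal stores each attribute as a list of strings, hence the [0]."""
    record = plistlib.loads(guest_plist)
    uid = int(record["uid"][0])
    return {
        "uid": uid,
        "uuid": record.get("generateduid", ["<missing>"])[0],
        "uid_is_default": uid == DEFAULT_GUEST_UID,  # 201 unless an admin changed it
    }


def find_files_owned_by(root: str, uid: int) -> list:
    """Walk a mounted image and list paths owned by `uid` (e.g. 201 for Guest).
    lstat reports a symlink's own ownership rather than its target's."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_uid == uid:
                    hits.append(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


# --- constructed sample data (not from any real system) ----------------------
SAMPLE_LOGINWINDOW = plistlib.dumps({"GuestEnabled": True})
SAMPLE_SMB = plistlib.dumps({"AllowGuestAccess": True})
SAMPLE_AFP = plistlib.dumps({"guestAccess": False})
# Guest record in which an administrator changed the User ID away from 201.
SAMPLE_GUEST = plistlib.dumps({
    "name": ["Guest"],
    "uid": ["503"],
    "generateduid": ["00000000-0000-0000-0000-000000000000"],  # placeholder UUID
})


def demo_find_files_owned_by() -> bool:
    """Self-check of the ownership sweep on a throwaway directory we own."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "Shared", "copied.doc")
        os.makedirs(os.path.dirname(target))
        open(target, "w").close()
        return target in find_files_owned_by(tmp, os.getuid())


if __name__ == "__main__":
    settings = guest_settings(SAMPLE_LOGINWINDOW, SAMPLE_SMB, SAMPLE_AFP)
    record = guest_record(SAMPLE_GUEST)
    print(settings["label"])                        # Login, Sharing
    print(record["uid"], record["uid_is_default"])  # 503 False
    if not record["uid_is_default"]:
        print("Guest UID was changed; sweep the image for files owned by", record["uid"])
```

On a real image, point the reads at the mounted volume’s copies of the four files and run find_files_owned_by against the mount point with whatever UID guest_record reports; as the post notes, a UID 201 match shows only that the Guest Account was used, not who used it.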
Back To My Mac Settings
A user may log into the local Guest Account on any Mac machine and access other remote Macintosh computers via the MobileMe/iCloud ‘Back to My Mac’ feature. When this occurs:
• The local Guest Account user may connect as guest to shared files and folders on the remote machine (if the remote machine’s guest account is also enabled) without needing a local or remote password.
• When the user logs out of the local Guest Account, local machine artifacts such as MobileMe/iCloud preferences and Internet History files are deleted. (Again, BlackLight may be able to recover these.)
The Forensic Analysis Workstation
In our BBT-200 Macintosh Forensic Primary Analysis course, we discuss Mac OS X preference settings and how Mac forensic examiners must modify these settings on their forensic analysis workstations to properly protect and preserve evidence during a forensic examination. Guest Account preference settings are one of the topics we cover. For the reasons discussed in this blog, we strongly recommend disabling all Guest Account options on all analysis workstations in the lab.
For more information about BlackLight forensic analysis software, please visit our BlackLight product page or BlackBag TV. For more information about upcoming Mac Forensics training courses and our MiCFE Mac and iOS Forensics certification program, please visit the BBT training portal.
Please contact support with any additional questions or comments you may have.