Mac Forensics Essentials: The Mac OS X Library Directories
From time to time we like to revisit the basics! Whether you are new to Macintosh and iOS forensics and wish to build sound foundational knowledge, or you are a seasoned Mac forensics expert looking to brush up on core concepts as Apple devices and products continue to evolve, we hope you find our Mac Forensics Essentials blogs helpful and informative.
The Mac OS X operating system stores essential configuration, system preference, and user data and settings in four separate Library folders. Forensic artifacts found in these Library directories often contain cornerstone case information. The four Library folders, listed in order of importance to a forensic examination, are:
• The User Library folder – /Users/username/Library
• The Global or Application Library folder – /Library
• The System Library folder – /System/Library
• The Network Library folder – /Network/Library
A User Library stores user-specific files for each account on an OS X installation. Assuming a user is the only person with access to their account login information, the User Library contains information such as how the user set up their account ‘look and feel’ (desktop pictures, Dock configuration and the like), along with user-specific browsing habits, email account settings and data, chat histories, etc. Under normal circumstances each Mac OS X user account is completely self-contained; users on the machine do not have access to accounts other than their own.
The Global or Application Library folder stores system-wide settings for third-party add-ons, drivers, application serial numbers (may vary per application), network settings, printer configurations and preferences for printers that have been used on the system. This library folder also contains information about resources available globally to all users on the machine such as commonly shared applications and fonts.
The System Library folder typically stores only Apple and Apple-related product setup and configuration information. Third-party data is only occasionally found there.
The Network Library stores settings for both the host Macintosh server and every local machine that logs onto the server through a network account. However, this Library folder only appears on the local machine when the machine is connected to a server by way of Open Directory using MCX.
The Library folder ‘order of importance’ is helpful to keep in mind during a forensic examination. For instance, if an examiner understands that user-specific data is stored in the User Library in each home directory on the machine, they may quickly locate and triage important case information such as email, Internet browsing history, and chat histories for a given person. During an examination involving an iOS device, an examiner can look at the com.apple.iPod.plist file in each User Library directory to determine which iOS devices may have been connected to the machine via which user account(s).
An examiner must also consider which OS X operating system version is installed on the computer when examining OS X Library directory data. For example, under older OS X installations the com.apple.iPod.plist file is located in each user directory and also in the Global Library, but under newer versions of the OS X operating system it may no longer be installed in the Global Library directory. However, if a user installs a newer, clean version of the OS X operating system and then migrates data from an older installation to the new one, the com.apple.iPod.plist (and perhaps other older .plist files) may tag along for the ride. In this case the older .plist file may in fact be found in the Global Library directory, though only the User Library com.apple.iPod.plist file is updated when an iOS device is connected.
A newer OS X operating system may also update and/or recreate older .plist files if the user migrates and/or installs older applications that store information in them. An examiner should not overlook the older com.apple.iPod.plist file in the Global Library directory, or other older .plist files, as they may contain important forensic artifacts.
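The triage described above, written out as a small Python script, is added here as an illustration and is not code from the original post. It walks a mounted volume image, reads the com.apple.iPod.plist in each User Library and then the Global Library copy (the post's order of importance), and reports which copy holds the most recent connection for each device id, which is exactly how a stale migrated Global Library file shows up next to the live User Library one. The Preferences subfolder, the "Devices" dictionary and the per-device key names, the account name alice, the device ids and the dates are all assumptions or constructed sample data for this example; confirm the real field names against the OS X version under examination.

```python
import os
import plistlib
import tempfile
from datetime import datetime

# Location of the file below each Library folder. The "Preferences" subfolder is an
# assumption of this example; the post names only the Library folders themselves.
IPOD_PLIST = os.path.join("Library", "Preferences", "com.apple.iPod.plist")


def candidate_plists(volume_root):
    """Yield (scope, account, path) for every com.apple.iPod.plist on the volume.

    Each User Library comes first, then the Global (/Library) copy, which may be
    a migrated, stale file on a newer OS X install.
    """
    users_dir = os.path.join(volume_root, "Users")
    if os.path.isdir(users_dir):
        for account in sorted(os.listdir(users_dir)):
            path = os.path.join(users_dir, account, IPOD_PLIST)
            if os.path.isfile(path):
                yield ("user", account, path)
    global_path = os.path.join(volume_root, IPOD_PLIST)
    if os.path.isfile(global_path):
        yield ("global", None, global_path)


def read_devices(path):
    """Parse one plist into device records.

    The top-level "Devices" dictionary keyed by device id and the per-device keys
    read here are assumed names for this example, not taken from the post.
    """
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    records = []
    for device_id, info in data.get("Devices", {}).items():
        records.append({
            "device_id": device_id,
            "device_class": info.get("Device Class"),
            "firmware": info.get("Firmware Version"),
            "connected": info.get("Connected"),  # plistlib yields a naive datetime
            "use_count": info.get("Use Count"),
        })
    return records


def triage_volume(volume_root):
    """Collect every device entry from every Library copy, tagged with its source."""
    results = []
    for scope, account, path in candidate_plists(volume_root):
        for rec in read_devices(path):
            rec.update({"scope": scope, "account": account, "source": path})
            results.append(rec)
    return results


def latest_by_device(records):
    """Keep, per device id, the record with the most recent 'Connected' timestamp.

    A device present in both copies with a newer User Library timestamp is the
    stale-Global-Library situation the post warns about.
    """
    best = {}
    for rec in records:
        when = rec["connected"] or datetime.min
        current = best.get(rec["device_id"])
        if current is None or when > (current["connected"] or datetime.min):
            best[rec["device_id"]] = rec
    return best


def build_sample_volume(root):
    """Write a constructed mini volume: one account plus a stale global copy."""
    # All values below are constructed sample data, not from any real system.
    user_plist = {"Devices": {
        "SN-CONSTRUCTED-0001": {"Device Class": "iPhone", "Firmware Version": "7.1.2",
                                "Connected": datetime(2014, 9, 20, 10, 30, 0), "Use Count": 14},
        "SN-CONSTRUCTED-0002": {"Device Class": "iPad", "Firmware Version": "6.1.3",
                                "Connected": datetime(2013, 5, 2, 8, 0, 0), "Use Count": 3},
    }}
    # The migrated global copy only knows an older connection of device 0001.
    global_plist = {"Devices": {
        "SN-CONSTRUCTED-0001": {"Device Class": "iPhone", "Firmware Version": "6.0.1",
                                "Connected": datetime(2013, 1, 15, 9, 0, 0), "Use Count": 5},
    }}
    for rel, content in ((os.path.join("Users", "alice", IPOD_PLIST), user_plist),
                         (IPOD_PLIST, global_plist)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(content, fh)
    return root


def sample_report():
    """Build the constructed volume in a temp dir; return (all records, latest per device)."""
    with tempfile.TemporaryDirectory() as vol:
        build_sample_volume(vol)
        records = triage_volume(vol)
        return records, latest_by_device(records)


if __name__ == "__main__":
    records, latest = sample_report()
    for rec in records:
        print(rec["scope"], rec["account"], rec["device_id"], rec["firmware"], rec["connected"])
    for dev, rec in latest.items():
        print("most recent connection for", dev, "is in the", rec["scope"], "Library")
```

On a real image, point `triage_volume` at the mounted volume root instead of the temporary directory; every record carries its source path so the examiner can cite which Library copy a device entry came from.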
We strongly recommend that forensic examiners take time to familiarize themselves with the contents of each Mac OS X Library folder for all current and past OS X operating system versions, and to update this knowledge each time Apple releases a new version of the OS X operating system. Doing so can save much time and ensure important case information is not overlooked.