Artefacts and tricks for Mac OS X
Note : if "$ xxx" => command xxx to launch, else => file or directory to dump. FORENSICS - SYSTEM INFO AND LEAK INFO PROOF OF CONCEPT Pac4Mac : https://github.com/sud0man/pac4mac SYSTEM INFO General information $ System_profiler Owner (name, address, tel, etc.) /Users/ USERNAME /Library/ Preferences / AddressBookMe . plist / Library / Preferences / AddressBookMe . plist / private / var / db /. AppleSetupDone Kernel Version and state /System/ Library / PreferencePanes / Ink . prefPane / Contents / Info . plist $ sysctl - A OS version /System/ Library / PreferencePanes / Ink . prefPane / Contents / Info . plist / System / Library / CoreServices / SystemVersion . plist / System / Library / CoreServices / ServerVersion . plist ( if server ) $ uname - an Timezone /Library/ Preferences /. GlobalPreferences . plist / etc / localtime AUTHENTICATION DATA Usernames and password hashes /Users/ USERNAME [ 10.6 ]/ var / db / shadow