How can I find out ...
 
Notifications
Clear all

How can I find out dates of auto-logins set/disabled on Mac?

5 Posts
5 Users
0 Likes
772 Views
(@samsacksons)
Posts: 8
Active Member
Topic starter
 

I want to know if the Mac was auto-login enabled during certain period. How can I Do that? If it is disabled now, I can’t assume it’s always been so..

 
Posted : 18/11/2019 9:28 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Try to investigate the KnowledgeC database.

 
Posted : 20/11/2019 5:27 am
mjpetersen
(@mjpetersen)
Posts: 12
Active Member
 

You may want to look over Sarah Edwards SANs presentation on Macintosh logs https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf

Really depends on which version of Mac you are looking at.

 
Posted : 20/11/2019 3:33 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

Sarah Edwards pdf listed above is a good source of information. Mounting the image in your Mac and using console to pull some logs from it would be a good idea. e.g. system.log

Also look in the following plists

com.apple.loginwindow.plist - info a about last logged on user

com.apple.preferences.accoubts.plist - keeps info on deleted user accounts, this will only be present if an account has been deleted.

Within the plists above, keep an eye out for guest profile, if the guest option is active a person could boot the Mac, login to guest without password, do some "naughty things" and log out.

 
Posted : 20/11/2019 7:07 pm
(@yogeshkhatri)
Posts: 26
Eminent Member
 

As pointed out, the autologin enable/disable setting is in this plist
com.apple.loginwindow.plist

The password (its obfuscated version actually) is stored here
/private/etc/kcpassword

I would also look at timestamps on that file, if it exists. And review logs of course.

My mac_apt tool (https://github.com/ydkhatri/mac_apt) will pull out all these files for you automatically when you run it on your evidence.

 
Posted : 02/12/2019 3:35 am
Share: