How can I find out dates of auto-logins set/disabled on Mac?
I want to know if the Mac was auto-login enabled during certain period. How can I Do that? If it is disabled now, I can’t assume it’s always been so..
Try to investigate the KnowledgeC database.
You may want to look over Sarah Edwards SANs presentation on Macintosh logs https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf
Really depends on which version of Mac you are looking at.
Sarah Edwards pdf listed above is a good source of information. Mounting the image in your Mac and using console to pull some logs from it would be a good idea. e.g. system.log
Also look in the following plists
com.apple.loginwindow.plist - info a about last logged on user
com.apple.preferences.accoubts.plist - keeps info on deleted user accounts, this will only be present if an account has been deleted.
Within the plists above, keep an eye out for guest profile, if the guest option is active a person could boot the Mac, login to guest without password, do some "naughty things" and log out.
As pointed out, the autologin enable/disable setting is in this plist
The password (its obfuscated version actually) is stored here
I would also look at timestamps on that file, if it exists. And review logs of course.
My mac_apt tool (https://github.com/ydkhatri/mac_apt) will pull out all these files for you automatically when you run it on your evidence.