Join Us!

How can I find out ...
 
Notifications
Clear all

How can I find out dates of auto-logins set/disabled on Mac?  

  RSS
samsacksons
(@samsacksons)
New Member

I want to know if the Mac was auto-login enabled during certain period. How can I Do that? If it is disabled now, I can’t assume it’s always been so..

Quote
Posted : 18/11/2019 9:28 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Try to investigate the KnowledgeC database.

ReplyQuote
Posted : 20/11/2019 5:27 am
mjpetersen
(@mjpetersen)
New Member

You may want to look over Sarah Edwards SANs presentation on Macintosh logs https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf

Really depends on which version of Mac you are looking at.

ReplyQuote
Posted : 20/11/2019 3:33 pm
dandaman_24
(@dandaman_24)
Active Member

Sarah Edwards pdf listed above is a good source of information. Mounting the image in your Mac and using console to pull some logs from it would be a good idea. e.g. system.log

Also look in the following plists

com.apple.loginwindow.plist - info a about last logged on user

com.apple.preferences.accoubts.plist - keeps info on deleted user accounts, this will only be present if an account has been deleted.

Within the plists above, keep an eye out for guest profile, if the guest option is active a person could boot the Mac, login to guest without password, do some "naughty things" and log out.

ReplyQuote
Posted : 20/11/2019 7:07 pm
YogeshKhatri
(@yogeshkhatri)
Junior Member

As pointed out, the autologin enable/disable setting is in this plist
com.apple.loginwindow.plist

The password (its obfuscated version actually) is stored here
/private/etc/kcpassword

I would also look at timestamps on that file, if it exists. And review logs of course.

My mac_apt tool (https://github.com/ydkhatri/mac_apt) will pull out all these files for you automatically when you run it on your evidence.

ReplyQuote
Posted : 02/12/2019 3:35 am
Share: