Hello everybody,
In MAC OS X, I would need to know two things:
- The activity about a single file. I mean, if it was copied and, in case it was really copied, where it was copied (email, USB drive, etc.).
- If there was activity in the computer between two instants of time.
Thanks!!!
Depending upon the version of Mac OSX you are analyzing, an excellent file to analyze should be the "system.log" file, which is basically a super timeline of activities performed on a Mac OSX computer.
In terms of USB analysis, here are some resources for you:
https://www.blackbagtech.com/resources/freetools/ioreg-info.html
https://www.blackbagtech.com/blog/2012/11/09/locating-usb-device-connection-artifacts-on-a-mountain-lion-computer/
https://www.blackbagtech.com/blog/2011/02/01/snow-leopard-logs-usb-serial-numbers
Also, search for the term "USBMSC" once you have created an index of your forensic image of the Mac OSX system. The term "USBMSC" should return hits in potentially relevant files for you to analyze regarding USB device usage.
Thank you very much. When you say I have to search for the term or string "USBMSC", where in MACOSX should I search for it?
Thanks!!!
Hello,
Once you have created a searchable index of the forensic image of the Mac computer, then you can search for the term USBMSC globally across all Mac OSX files.
Positive hits will likely be items directly related to USB device usage on the Mac.
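Added example, not part of any post in this thread: a small parser that pulls "USBMSC" hits out of system.log text and lists the entries logged between two instants. The line layout (classic syslog), the field order after the USBMSC marker, the function names and the sample lines are assumptions made for illustration; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines (not from a real case), classic syslog layout.
SAMPLE_LOG = """\
Nov  9 09:58:12 macbook loginwindow[45]: constructed login message
Nov  9 10:15:32 macbook kernel[0]: USBMSC Identifier (non-unique): AA00112233445566 0x781 0x5567 0x126
Nov 10 08:01:44 macbook kernel[0]: USBMSC Identifier (non-unique): BB99887766554433 0x90c 0x1000 0x1100
Nov 10 08:30:00 macbook loginwindow[45]: constructed logout message
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
# Assumed field order after the marker: serial, vendor ID, product ID, release.
USB_RE = re.compile(
    r"USBMSC Identifier \(non-unique\): (?P<serial>\S+) "
    r"(?P<vendor>0x[0-9a-fA-F]+) (?P<product>0x[0-9a-fA-F]+)"
)

def parse_log(text, year):
    """Return (timestamp, process, message) tuples; syslog lines carry no year,
    so the examiner supplies it from case context. Times are local to the Mac."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # continuation lines or other layouts are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proc"], m["msg"]))
    return events

def events_between(events, start, end):
    """Events whose timestamp falls inside [start, end]."""
    return [e for e in events if start <= e[0] <= end]

def usb_connections(events):
    """(timestamp, serial, vendor, product) for every USBMSC line."""
    hits = []
    for ts, _proc, msg in events:
        m = USB_RE.search(msg)
        if m:
            hits.append((ts, m["serial"], m["vendor"], m["product"]))
    return hits

if __name__ == "__main__":
    window = events_between(parse_log(SAMPLE_LOG, 2012),
                            datetime(2012, 11, 9, 10, 0), datetime(2012, 11, 9, 23, 59))
    for hit in usb_connections(window):
        print(hit)
```

An empty window only means no lines were logged in this file; rotated or archived copies of the log need the same treatment.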
How should I create a forensic image of a MAC OS X system and then a searchable index of it? I have no experience with MAC OS forensics…
Do you mean cloning the HDD?
Thanks!