Hi,
New to OSX forensics, can someone help me? I'm looking for the following artefacts:
1. Original OS installation date
2. Details of the accounts stored on a Mac running OSX 10.11.2: creation dates, last logged-in times, etc.
I'd be very grateful for any help.
Don
Hi,
Installation date for 10.6 and above
creation date of this file /private/var/db/.AppleSetupDone (installation or update)
users
/private/var/db/dslocal/nodes/Default/users
last user connected Library/Preferences/com.apple.loginwindow.plist
deleted users /Library/Preferences/com.apple.preferences.accounts.plist
User preferences directory
– %%users.homedir%%/Library/Preferences/*
Not sure it is completely accurate and up to date.
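As an added example (not part of the thread and not any poster's code), the Python below reads the account artefacts listed in the reply above from a mounted image. The plist keys `accountPolicyData`, `creationTime`, `passwordLastSetTime`, `lastUserName` and `deletedUsers` are not named in the thread and are assumptions about the plist contents; `root` is a hypothetical mount point of the evidence image.

```python
import plistlib, sys
from datetime import datetime, timezone
from pathlib import Path

def _load(path):
    """Parse an XML or binary plist; return {} if the file is absent."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except FileNotFoundError:
        return {}

def _first(value):
    """dslocal records store attributes as one-element arrays."""
    return value[0] if isinstance(value, list) and value else value

def _utc(epoch):
    return datetime.fromtimestamp(float(epoch), timezone.utc).isoformat()

def local_accounts(root):
    """One dict per record in the dslocal users directory of a mounted image."""
    users = Path(root) / "private/var/db/dslocal/nodes/Default/users"
    rows = []
    for path in sorted(users.glob("*.plist")):
        rec = _load(path)
        row = {"name": _first(rec.get("name")), "uid": _first(rec.get("uid")),
               "created": None, "password_set": None}
        # Assumption: accountPolicyData is a nested plist with epoch timestamps.
        # System accounts often lack it, so both fields stay None for them.
        blob = _first(rec.get("accountPolicyData"))
        if isinstance(blob, bytes):
            policy = plistlib.loads(blob)
            if "creationTime" in policy:
                row["created"] = _utc(policy["creationTime"])
            if "passwordLastSetTime" in policy:
                row["password_set"] = _utc(policy["passwordLastSetTime"])
        rows.append(row)
    return rows

def login_prefs(root):
    """Last console user and deleted accounts from /Library/Preferences."""
    prefs = Path(root) / "Library/Preferences"
    last = _load(prefs / "com.apple.loginwindow.plist").get("lastUserName")
    gone = _load(prefs / "com.apple.preferences.accounts.plist").get("deletedUsers", [])
    return last, [(d.get("name"), d.get("date")) for d in gone]

if __name__ == "__main__":
    root = sys.argv[1]  # hypothetical mount point of the image
    for row in local_accounts(root):
        print(row)
    print(login_prefs(root))
```

Run it against a read-only mount of the image rather than the live system, so the file timestamps under examination are not altered.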
You may find this OS X (macOS) artifact spreadsheet helpful.
http//
Hi,
Thank you both. Good information and very helpful.
I have been looking at the .AppleSetupDone file, but in my case I think it refers to an update that the system has carried out.
I have also looked at install.log located at /private/var/log/ but again it just details the update carried out by the system.
Is there anywhere else the original OS installation date could be? What about volume creation date?
Cheers
Don
Installation log
It contains the install date of the system, as well as the dates of system and software updates
/var/log/install.log
It is from http//
Let us know if it helps
Regards
/var/log/install.log
For some reason the file on this system I am looking at does not go back very far and there are a number of entries without dates and times. It may be that this file has been damaged or corrupted in some way.
Thanks again.