Mac OS X 10.11 (ElCapitan) - Artifacts Location

From ForensicsWiki
Jump to: navigation, search

The content of this page is automatically generated from the "Mac OS X artifacts location" of the mac4n6 project. Please refer to that for any mistake/correction or if you wish to contribute.


Autorun Locations

Launch Agents files
Launch Daemons files
Startup Items file

System Logs

System Log files main folder
Apple System Log

Filename format as YYYY.MM.DD.[UID].[GID].asl, while YYYY.MM.DD.[UID].[GID].asl of logs per user

Audit Log
Installation log

It contains install date of system, as well as date of system and software updates


System Preferences

System Preferences files
Global Preferences

It contains Global Preferences information such as the local time zone, geographical coordinates, etc.

Login Window Info

Plist containing last user logged in

Bluetooth Preferences and paierd device info

Bluetooth preferences and paired devices

Time Machine Info

Time Machine backup info


System Settings and Informations

OS Installation time

Empty file. Its last modification time represent the date/time the OS was installed

OS name and version

Plist describing the installed Operating System

Users Log In Password Hash Plist

Contains the salted SHA-512 hash value for the user's log in password


Sleep/Hibernate and Swap Image File

Sleep Image File

Contents of RAM are written to this file when the computer is put to sleep

Swap Files

Numerous swap files may be found in this directory with the naming convention of swapfile# (swapfile0, swapfile1, swapfile2, etc.)


Kernel Extension

Kernel Extension

Kext files are essentially drivers for Mac OS X.


Software Installation

Software Installation History

It contains a history of installed applications and updates

Software Update

Plist describing last attempt and last successful attempt at updating OS X software


System Info Misc.

Current Time Zone

Simlink pointing to /usr/share/zoneinfo/XYZ

Mac OS X at jobs
Cron tabs
Periodic system functions scripts and configuration


Hosts file
Remembered Wireless Networks

Remembered wireless networks



Autorun Locations

Login Items

Plists listing applications that automatically start when the user is logged in



Users directories in /Users

User Directories

Downloads Directory
Documents Directory
Music Directory
Desktop Directory
Library Directory
Movies Directory
Pictures Directory
Public Directory


User preferences directory

Directory containing user preference settings for applications and utilities

iCloud user preferences
Sidebar Lists Preferences

Lists the names of volumes mounted on the desktop that have appeared in the sidebar list. [Different from previous version]

Global Preferences

Global Preferences Plist

Dock database

It containing directories, files, and apps that have appeared in the Dock

Attached iDevices

Attached iDevices

Quarantine Event Database

SQLite database that keeps track of files that have the quarantine extended attribute that is given to applications, scripts, and executables downloaded from potentially untrustworthy locations/people. The SQLite database contains URLS, email addresses, email subjects, and other potentially useful information.



User and Applications Logs Directory

Directory containing numerous application's log files user specific

Misc. Logs

Miscellaneous logs and diagnostic reports

Terminal Commands History

Terminal commands history


User's Accounts

User's Social Accounts

iDevice Backup

iOS device backups directory
%%users.homedir%%/Library/Application Support/MobileSync/Backup/*
iOS device backup information

It's a plist file in plain text. It stores data about the backed up device (such as device name, GUID, ICCID, IMEI, Product type, iOS version, serial numbers, UDID etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).

%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist
iOS device backup apps information

It's a plist file in plain text and it describes the content of the backup. Inside this file we can find the list of applications installed on the backed up device. For every application there are the name and the particular version. Inside the file there is also the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.

%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist
iOS device backup files information

It's a binary file that stores the descriptioons of all the other files in the backup directory. It contains a record for each element in the backup.

%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb
iOS device backup status information

It's a plist file in binary format and it stores information about the completion of the backup

%%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist

Recent Items

Recent Items

Recently opened applications, files, and servers

Recent Items application specific

Recently opened files specific for each application



Application Support Directory

Contains application-specific folders used to support applications and utilities

%%users.homedir%%/Library/Application Support/*
Keychain Directory

Directory containing user keychain files

User Trash Folder

User Trash directory




iCloud Accounts
%%users.homedir%%/Library/Application Support/iCloud/Accounts/*


Skype Directory

Directory containing Skype user artifacts

%%users.homedir%%/Library/Application Support/Skype/*
Skype User profile

Directory containing Skype user artifacts

%%users.homedir%%/Library/Application Support/Skype/*/*
Skype Preferences and Recent Searches

Skype preferences and recent user searches

Main Skype database

Database of contacts, SMS's, calls, conversations, videos, messages, etc.

%%users.homedir%%/Library/Application Support/Skype/*/Main.db
Chat Sync Directory

Directory containing chat logs

%%users.homedir%%/Library/Application Support/Skype/*/chatsync/*


Safari Main Folder
Safari Bookmarks

Plist listing default and user-added Safari bookmarks

Safari Downloads

Plist listing files downloaded using Safari Browser

Safari Installed Extensions

Plist describing installed Safari Extensions

Safari History

Plist listing Safari web browsing history

Safari History

SQLite Safari web browsing history since version... [missing]

Safari History Index

An index of Safari History allowing a user to perform keyword searches of visited webpages

Safari Last Session

A plist describing the state of Safari when it was last closed

Safari Local Storage Directory

A directory for webpage-specific storage. Each webpage stores data in a SQLite database with the file extension of .localstorage.

Safari Local Storage Database

A database listing the webpage specific databases

Safari Top Sites

A Plist listing the webpages belonging to a Safari's Top Sites

Safari Webpage Icons Database

A database containing saved web page icons for webpages visited [missing in latest browser version. Exact reference to be found]

Safari Webpage Databases

A directory for webpage-specific database storage

Safari Cache Directory

A directory containing Safari-specific cache items

Safari Cache

A cache of data from visited webpages

Safari Extensions Cache

A directory containing cached items for Safari Extensions

Safari Webpage Previews

A directory containing images of viewed webpages in .png and .jpg formats. The file name is a hash of the webpage URL. [missing in latest browser version. Exact reference to be found]

%%users.homedir%%/Library/Caches/ Previews/*
Safari Cookies

Cookies from visited webpages

Safari Preferences and Search terms

Contains recent safari search strings and downloads folder location in addition to preferences

Safari Extension Preferences

Contains preferences of Safari installed extensions

Safari Bookmark Cache

Each bookmark entry in Bookmarks.plist is stored as an individual file in this directory for more efficient use with Spotlight and to allow the user to select the bookmark entry from Spotlight and have Safari launch the corresponding webpage

Safari History Cache

Each website entry in History.plist is stored as an individual file in this directory for more efficient use with Spotlight and to allow the user to select the webpage entry from Spotlight and have Safari launch the corresponding webpage

Safari Temporary Images

It contains the images present/viewed in the web pages visited by the user



Firefox Directory

Directory containing user artifacts for Mozilla Firefox web browser

%%users.homedir%%/Library/Application Support/Firefox/*
Firefox Profiles
%%users.homedir%%/Library/Application Support/Firefox/Profiles/*
Firefox Cookies
%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Cookies.sqlite
Firefox Downloads

Download history. Removed in Firefox 26.0.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Downloads.sqlite
Firefox Form History

Text entered into forms including search terms, email addresses, and login information.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Formhistory.sqlite
Firefox History
%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/Places.sqlite
Firefox Signon

Encrypted saved passwords (and URL exceptions where "NEVER SAVE PASSWORD" is selected), requires key3.db to work.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/signons.sqlite
Firefox Key

It contains a key used to encrypt and decrypt saved passwords.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/key3.db
Firefox Permissions

Permission database for cookies, pop-up blocking, image loading and add-ons installation.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/permissions.sqlite
Firefox Add-ons

Stores AMO data for installed add-ons such as screenshots, ratings, homepage, and other details.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.sqlite
%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/addons.json
Firefox Extension

Installed extension information

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.sqlite
%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/extensions.json
Firefox Pages Settings

Individual settings for pages.

%%users.homedir%%/Library/Application Support/Firefox/Profiles/*/content-prefs.sqlite

Google Chrome

Chrome Main Folder

Directory containing user artifacts for Google Chrome web browser

%%users.homedir%%/Library/Application Support/Google/Chrome/*
Chrome Default profile

Directory containing user artifacts for Google Chrome web browser

%%users.homedir%%/Library/Application Support/Google/Chrome/default/*
Chrome History

It contains the URL visited, a list of searched keywords/terms, a list of downloaded items

%%users.homedir%%/Library/Application Support/Google/Chrome/*/History
%%users.homedir%%/Library/Application Support/Google/Chrome/*/Archived History
Chrome Bookmarks
%%users.homedir%%/Library/Application Support/Google/Chrome/*/Bookmarks
Chrome Cookies
%%users.homedir%%/Library/Application Support/Google/Chrome/*/Cookies
Chrome Local Storage

Local Storage is a common name for part of HTML5 Web Storage. It is the newest version of cookies, and it serves the same purpose as “normal” cookies: enabling websites to store persistent data locally.

%%users.homedir%%/Library/Application Support/Google/Chrome/*/Local Storage/*.localstorage
Chrome Login Data
%%users.homedir%%/Library/Application Support/Google/Chrome/*/Login Data
Chrome Top Sites

Rank of the most visited websites

%%users.homedir%%/Library/Application Support/Google/Chrome/*/Top Sites
Chrome Web Data

The Web Data database records text a user enters into web forms to let Chrome to automatically fill in similar future forms.

%%users.homedir%%/Library/Application Support/Google/Chrome/*/Web Data
Chrome Extensions

It contains the databases of Chrome extensions, filled with the related usage data

%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/*
%%users.homedir%%/Library/Application Support/Google/Chrome/*/databases/Databases.db
Chrome Cache

Google Chrome cache

Chrome Preferences Files


Mail Main Folder

Apple Mail main directory

Mail Mailbox Directory

Apple Mail Mailboxes

Mail IMAP Synched Mailboxes

Synched IMAP Account(s)

Mail POP Synched Mailboxes

Synched POP Account(s)

Mail BackupTOC

Backup Plist that defines the mailbox structure

Mail Envelope Index

SQLite db. Keeps track of the location of Mail messages - the content of some messages is present as well

%%users.homedir%%/Library/Mail/V[0-9]/MailData/Envelope Index
Mail Opened Attachments

Plist listing opened Mail attachments (although often empty. more to do here)

Mail Signatures by Account

Plist containing Mail signatures

Mail Downloads Directory

Directory containing files downloaded from email messages

%%users.homedir%%/Library/Containers/ Downloads/*
Mail Preferences

Mail preferences

Mail Recent Contacts

SQLite database stored in Address Book's support directory containing recent Mail contacts

%%users.homedir%%/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
Mail Accounts

Accounts configured in


Other Informations

Total Artifacts: 123

Total Locations/Paths: 136

External Links

The mac4n6 project: