Collecting macOS artifacts with Oxygen Forensic® KeyScout

Sometimes the evidence, credentials, or tokens crucial to an investigation are not found on a mobile device but on a Mac. Today, macOS is the operating system of Apple's Mac computers. Within the desktop, laptop, and home computer market, it is the second most widely used desktop OS, after Microsoft Windows.

Oxygen Forensic® KeyScout can extract and decrypt data from macOS, including pre-installed Apple apps, user-installed apps, system files, and user credentials.

Pre-installed Apple apps

macOS ships with pre-installed Apple apps whose data can be synchronized with the user's iOS devices. These apps store different kinds of data that can be extracted and decrypted with the aid of Oxygen Forensic® KeyScout.

Safari (Apple’s web browser): extract web history, download history, search data, bookmarks, tokens, and cookies. 

Apple Mail (Apple's email client): extract the device owner's accounts, credentials, tokens, and messages, including message metadata, attachments, and the list of mail folders with their flags.

iMessage (Apple's messaging service and replacement for SMS/MMS): extract iMessage, SMS, and MMS content, as well as sent attachments and contact data.

FaceTime (Apple’s video chat platform): extract the history of the account owner’s video calls.

When Oxygen Forensic® KeyScout is deployed on a Mac, the investigator can extract calendar events from Apple Calendar, contacts from Apple Contacts, favorite places and search history from Apple Maps, notes and folders from Apple Notes, albums, media, and media metadata from Apple Photos, as well as reminders and events from Apple Reminders.

These apps cover the various sides of a Mac owner’s life and activities, and each of them when extracted and parsed will provide the investigator with valuable information and insights.

System files

Oxygen Forensic® KeyScout can extract system information from macOS devices, including general information about the system, QuarantineEvents, and FS events data. 

QuarantineEvents

QuarantineEvents is a log of files the user received from external sources, including files downloaded from the Internet or received via AirDrop. Each user on the system has a separate QuarantineEventsV2 database (an SQLite file under that user's Library/Preferences folder). Only applications that participate in quarantine (browsers, Mail, Messages, AirDrop and similar) write entries, so a file fetched with a command-line tool such as curl leaves no record. It is important to note that quarantine records are preserved even if the related files were later deleted from the system, which makes the log a durable trace of downloads that are no longer on disk.

The extracted data includes the File ID, Quarantine timestamp, Source application name, Source type, and more. 

All the macOS system files mentioned can be found in the OS artifacts section in Oxygen Forensic Detective, once a KeyScout extraction is imported into the software. 

Quarantine Events analysis is useful for: 

  • Tracing file origins
  • Tracing malware infections
  • Determining which files were shared by users
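The following example, added here and not part of the original post or of the KeyScout product, shows how the QuarantineEventsV2 records map onto the fields listed above and how a quarantined file on disk is tied back to its record. The column names of the LSQuarantineEvent table and the four-field layout of the com.apple.quarantine extended attribute (flags;timestamp;agent;event UUID) are assumptions taken from the publicly known format; the sample database and the sample attribute value are constructed for the example. Timestamps in the database are Mac absolute time (seconds since 2001-01-01 UTC), while the attribute carries a hexadecimal Unix timestamp, so both conversions are shown.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Mac absolute time (CFAbsoluteTime) counts seconds from 2001-01-01 00:00:00 UTC;
# Unix time counts from 1970-01-01. The difference is fixed.
MAC_ABSOLUTE_EPOCH_OFFSET = 978307200

# Real location of the per-user database (assumption: standard macOS layout):
#   ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
# Constructed com.apple.quarantine xattr value as read from a downloaded file:
SAMPLE_XATTR = "0083;6408ef80;Safari;F8A5B2C4-1D2E-4F3A-9B8C-0D1E2F3A4B5C"


@dataclass
class QuarantineEvent:
    event_id: str                 # UUID, also written into the file's xattr
    timestamp_utc: Optional[str]  # ISO 8601, None if the record has no timestamp
    agent_name: str               # application that created the file (Safari, Mail, ...)
    agent_bundle: str
    data_url: str                 # where the payload was fetched from
    origin_url: str               # referring page, when the agent recorded one
    type_number: int              # raw source-type code; not decoded here


def mac_absolute_to_utc(ts: Optional[float]) -> Optional[str]:
    if ts is None:
        return None
    return datetime.fromtimestamp(ts + MAC_ABSOLUTE_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def open_quarantine_db(path: str) -> sqlite3.Connection:
    # Read-only URI open so the evidence file is never written to.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_quarantine_events(conn: sqlite3.Connection) -> List[QuarantineEvent]:
    rows = conn.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString, LSQuarantineTypeNumber "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    )
    return [
        QuarantineEvent(r[0], mac_absolute_to_utc(r[1]), r[2] or "", r[3] or "",
                        r[4] or "", r[5] or "", r[6] if r[6] is not None else -1)
        for r in rows
    ]


def parse_quarantine_xattr(value: str) -> dict:
    # Layout: hex flags ; hex Unix timestamp ; agent name ; event UUID.
    # Older or partial values may have fewer fields, so pad rather than crash.
    parts = (value.split(";") + ["", "", "", ""])[:4]
    flags_hex, ts_hex, agent, event_id = parts
    return {
        "flags": int(flags_hex, 16) if flags_hex else 0,
        "unix_time": int(ts_hex, 16) if ts_hex else None,
        "agent": agent,
        "event_id": event_id,
    }


def correlate(xattr_value: str, events: List[QuarantineEvent]) -> Optional[QuarantineEvent]:
    # The UUID in the file's xattr is the join key into the database. A record with
    # no matching file on disk is a download that was deleted or moved elsewhere.
    wanted = parse_quarantine_xattr(xattr_value)["event_id"].upper()
    return next((e for e in events if e.event_id.upper() == wanted), None)


def build_sample_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in with only the columns used above; the real table
    # carries additional sender/origin columns.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
        "LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT, LSQuarantineTypeNumber INTEGER)"
    )
    conn.executemany(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            ("F8A5B2C4-1D2E-4F3A-9B8C-0D1E2F3A4B5C", 700000000.0, "Safari", "com.apple.Safari",
             "https://example.com/files/report.dmg", "https://example.com/downloads", 0),
            ("0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D", 690000000.0, "Mail", "com.apple.mail",
             "", "", 2),
        ],
    )
    return conn


if __name__ == "__main__":
    events = load_quarantine_events(build_sample_db())
    for ev in events:
        print(ev.timestamp_utc, ev.agent_name, ev.data_url or "(no URL)", ev.event_id)
    match = correlate(SAMPLE_XATTR, events)
    print("xattr resolves to:", match.data_url if match else "no record")
```

On a live file the attribute is read with `xattr -p com.apple.quarantine <file>`; the UUID it carries is what lets an analyst say which database row describes a given file, and conversely which rows describe files that are no longer present.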

FSEvents

These files record filesystem change notifications (creation, modification, renaming, and deletion of files and directories) for a volume, including records for objects that have since been deleted and for disks that have since been unmounted. Please note that FSEvents logs live in the hidden .fseventsd directory at the root of each volume and are readable only by root, so the investigator must be able to run KeyScout with root privileges on the Mac where FSEvents files are to be collected.

The extracted data contains:

  • Event ID
  • Path to the object
  • Type of object (file, directory, or volume)
  • List of operations
  • Filesystem node ID
  • Time interval (FSEvents records carry no per-event timestamp; the interval is derived from the log files themselves)

FSEvents analysis is useful for:

  • Establishing which files the user created, modified, or deleted within a given time window
  • Establishing the usage of removable media and data transfer from/to removable media
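As an added example that is not part of the original post or of KeyScout, the parser below decodes the fields listed above from an FSEvents log page. The layout it assumes (a gzip-compressed file of pages, each with a 12-byte header whose magic is 1SLD or 2SLD, followed by records of a NUL-terminated path, a little-endian 64-bit event ID, a 32-bit flags word and, in DLS2 pages, a 64-bit node ID) and the flag-bit names are taken from open-source FSEvents parsers, since Apple does not document the format; treat them as assumptions to verify against your own collections. The log content is constructed for the example and shows the two analyses named above: a downloaded file that was later removed, and a removable volume being mounted, written to, and unmounted.

```python
import gzip
import struct
from dataclasses import dataclass
from typing import List, Optional

# Flag bits as documented by open-source FSEvents parsers (assumption, see lead-in).
FLAG_NAMES = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

# Page header: 4-byte magic, 4 unknown bytes, 32-bit page length (header included).
PAGE_HEADER = struct.Struct("<4s4sI")


@dataclass
class FSEventRecord:
    event_id: int
    path: str                 # relative to the volume root, no leading slash
    object_type: str          # "file", "directory", "volume" or "unknown"
    operations: List[str]
    node_id: Optional[int]    # present in DLS2 pages only


def decode_flags(flags: int) -> List[str]:
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def object_type(flags: int) -> str:
    if flags & (0x00000002 | 0x00000004):
        return "volume"
    if flags & 0x00000001:
        return "directory"
    if flags & 0x00008000:
        return "file"
    return "unknown"


def parse_fsevents_pages(data: bytes) -> List[FSEventRecord]:
    records: List[FSEventRecord] = []
    off = 0
    while off < len(data):
        magic, _, page_len = PAGE_HEADER.unpack_from(data, off)
        if magic == b"1SLD":
            version = 1
        elif magic == b"2SLD":
            version = 2
        else:
            raise ValueError(f"unsupported FSEvents page at offset {off}: {magic!r}")
        end = off + page_len
        pos = off + PAGE_HEADER.size
        while pos < end:
            nul = data.index(b"\x00", pos, end)
            path = data[pos:nul].decode("utf-8", "surrogateescape")
            pos = nul + 1
            event_id, flags = struct.unpack_from("<QI", data, pos)
            pos += 12
            node_id = None
            if version == 2:
                node_id = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            records.append(FSEventRecord(event_id, path, object_type(flags), decode_flags(flags), node_id))
        off = end
    return records


def parse_fsevents_log(gz_bytes: bytes) -> List[FSEventRecord]:
    # A log file holds no timestamps; its time interval comes from the file's own
    # mtime and the neighbouring files in .fseventsd, which this parser does not see.
    return parse_fsevents_pages(gzip.decompress(gz_bytes))


def removable_media_activity(records: List[FSEventRecord]) -> List[FSEventRecord]:
    # In the root volume's log, mounts and writes to external disks appear under Volumes/.
    return [r for r in records if r.path == "Volumes" or r.path.startswith("Volumes/")]


def build_sample_log() -> bytes:
    # Constructed DLS2 page with five invented records; not a real capture.
    sample = [
        ("Users/alice/Downloads/report.dmg", 0x1000, 0x11008000, 123456),  # FileEvent|Created|Modified
        ("Users/alice/Downloads/report.dmg", 0x1001, 0x02008000, 123456),  # FileEvent|Removed
        ("Volumes/USBSTICK",                 0x1002, 0x00000003, 2),       # FolderEvent|Mount
        ("Volumes/USBSTICK/exfil.zip",       0x1003, 0x01008000, 99),      # FileEvent|Created
        ("Volumes/USBSTICK",                 0x1004, 0x00000005, 2),       # FolderEvent|Unmount
    ]
    body = b"".join(p.encode() + b"\x00" + struct.pack("<QIQ", eid, fl, nid) for p, eid, fl, nid in sample)
    page = PAGE_HEADER.pack(b"2SLD", b"\x00" * 4, PAGE_HEADER.size + len(body)) + body
    return gzip.compress(page)


if __name__ == "__main__":
    for rec in parse_fsevents_log(build_sample_log()):
        print(f"{rec.event_id:#x} {rec.object_type:9} {'|'.join(rec.operations):30} /{rec.path}")
```

Because a record holds only the path and node ID, a file that was created and then removed shows up twice with the same node ID but never with its content; pairing those records with the QuarantineEvents database and the log file's time interval is what turns "a .dmg existed in Downloads" into a dated download-and-cleanup sequence.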

Other apps and credentials

In some cases, the usage of a Mac is not limited to the pre-installed apps. Armed with Oxygen Forensic® KeyScout, investigators can extract artifacts from:

  • Popular web browsers, such as Google Chrome, Opera, or Mozilla Firefox;
  • Mail clients other than Apple Mail, such as Mozilla Thunderbird;
  • Popular and “secure” messengers, including Signal, Telegram, and TamTam.

In addition, Oxygen Forensic® KeyScout can extract credentials and tokens that can be imported to Oxygen Forensic® Cloud Extractor to acquire even more data from more apps and services!

We hope that you find Oxygen Forensic® KeyScout useful in your macOS investigations.

Don’t forget to share your feedback with us!
