Unit - 5 - Mac Forensics

MAC OS Architecture

The macOS architecture consists of several key components that work together to provide a stable, secure, and user-friendly operating system:

1. Darwin Core:
   - The foundation of macOS, combining the XNU (X is Not Unix) kernel and basic UNIX services.
   - Handles memory management, process scheduling, and inter-process communication.
2. File System:
   - Supports multiple file systems, including HFS+ and APFS (the current default).
   - Facilitates data storage, retrieval, and management.
3. Frameworks:
   - Software libraries providing reusable components for developers.
   - Examples: Cocoa (used for macOS applications), Core Foundation, and Core Graphics.
4. Application Layer:
   - User-visible components, such as Finder, Safari, and third-party apps.
   - Utilizes frameworks for graphical interfaces and services.
5. User Interface:
   - Provides the desktop, Dock, and menu bar.
   - Based on the Aqua graphical interface.

HFS and HFS+ File System Analysis

HFS (Hierarchical File System):

- Introduction: Introduced by Apple in 1985 for early Macintosh computers.
- Structure:
  - Organized as a tree-like structure for directories and files.
  - Uses a Master Directory Block (MDB) to store metadata about the file system.
- Limitations:
  - No support for large volumes or files over 2 GB.
  - Lacks journaling capabilities.

HFS+ (Hierarchical File System Plus):

- Introduction: Introduced as the replacement for HFS, and used until the introduction of APFS.
- Features:
  - Journaling: Keeps a log of changes, improving reliability and recovery.
  - Unicode Support: Allows filenames in various languages.
  - Large File Support: Supports larger file sizes and volumes.
- Structure:
  - Uses a Volume Header (instead of an MDB).
  - File metadata is managed using the Catalog File and the Extents Overflow File.

Structure of the HFS+ File System:

Nine primary structures make up an HFS+ file system volume:

1. Sectors 0 and 1 contain the boot blocks, similar to the HFS boot blocks.
2. Sector 2 contains the Volume Header, the counterpart of the Master Directory Block in an HFS volume. It stores information about the volume such as the allocation block size, timestamps, and the locations of the other volume structures, such as the Catalog File and the Extents Overflow File. Because it sits at a fixed location, it can always be found there.
3. The Allocation File records which allocation blocks are free and which are in use. As in the HFS Volume Bitmap, each allocation block is represented by one bit: zero means the block is free, one means it is in use. Unlike the HFS Volume Bitmap, the Allocation File is stored as a regular file and does not occupy a specific reserved area at the beginning of the volume. It therefore need not be stored contiguously within the volume, and its size may change.
4. The Catalog File, like the HFS Catalog File, is a B-tree containing an entry for every file and directory stored on the disk. The main difference is the record size: HFS+ records are larger to accommodate more and larger fields. This is reflected in the node size, which is just 512 bytes for the HFS Catalog File but 4 KB for the HFS+ Catalog File in Mac OS and 8 KB in Mac OS X. Unlike HFS, where the fields are fixed, in HFS+ the fields are variable in size depending on the data they hold.
5. The Extents Overflow File is a B-tree that records the allocation blocks assigned to each file as extents. Up to eight extents per fork can be stored in a file's Catalog File record; any additional extents are kept in the Extents Overflow File. Bad blocks are also recorded here as extents. The default node size of this file is 1 KB in Mac OS and 4 KB in Mac OS X.
6. The Attributes File is a B-tree that exists only in HFS+. It can hold three kinds of 4 KB records: Inline Data Attribute records, Fork Data Attribute records, and Extension Attribute records. The table below lists the purpose of each.
7. The Startup File, like the HFS Boot Blocks, is intended for non-Mac OS systems that lack HFS or HFS+ support.
8. The Alternate Volume Header, the counterpart of the HFS Alternate Master Directory Block, is located in the second-to-last sector of the volume.
9. The last sector is reserved for Apple's use during computer manufacturing.
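The Volume Header (item 2) and the Alternate Volume Header (item 8) above can be located and decoded directly from a raw image, which is the first check an examiner makes before trusting the Catalog File locations. The following is an added example, not code from these notes: it builds a constructed 512-byte header using the standard big-endian HFS+ on-disk layout, places it at sector 2 and in the second-to-last sector of a constructed image, and parses both copies so they can be compared. Field offsets, the 'H+'/'HX' signatures and the journaled attribute bit are the documented HFS+ values; the sample counts and extents are made up.

```python
"""Locate and decode the HFS+ Volume Header and its Alternate copy in a raw image."""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates: seconds since 1904-01-01
FORK_FMT = ">QII" + "II" * 8   # HFSPlusForkData: logicalSize, clumpSize, totalBlocks, 8 extents

def parse_fork(data):
    """Decode an 80-byte fork descriptor; returns only the non-empty (startBlock, blockCount) extents."""
    f = struct.unpack(FORK_FMT, data[:80])
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8)]
    return {"logical_size": f[0], "total_blocks": f[2], "extents": [e for e in extents if e[1]]}

def parse_volume_header(sector):
    """Decode one 512-byte HFSPlusVolumeHeader (big-endian, as stored on disk)."""
    sig, _ver, attrs, _lastmnt, _journal, _create, modify = struct.unpack(">HHIIIII", sector[:24])
    if sig not in (0x482B, 0x4858):            # 'H+' (HFS+) or 'HX' (HFSX, case-sensitive)
        raise ValueError("not an HFS+ volume header: %#06x" % sig)
    files, folders, bsize, total, free = struct.unpack(">IIIII", sector[32:52])
    forks = {name: parse_fork(sector[off:off + 80]) for name, off in
             (("allocation", 112), ("extents", 192), ("catalog", 272),
              ("attributes", 352), ("startup", 432))}
    return {"signature": "HX" if sig == 0x4858 else "H+",
            "journaled": bool(attrs & (1 << 13)),   # kHFSVolumeJournaledBit
            "modify_date": HFS_EPOCH + timedelta(seconds=modify),
            "file_count": files, "folder_count": folders, "block_size": bsize,
            "total_blocks": total, "free_blocks": free, "forks": forks}

def read_headers(image):
    """Primary header is at byte 1024 (sector 2); the alternate is 1024 bytes before the volume end."""
    primary = parse_volume_header(image[1024:1536])
    end = primary["block_size"] * primary["total_blocks"]
    alternate = parse_volume_header(image[end - 1024:end - 512])
    return primary, alternate

def build_sample_image(block_size=4096, total_blocks=64):
    """Constructed sample image (not a real disk): zero-filled except for the two headers."""
    def fork(start, count):   # one extent used, the remaining seven empty
        return struct.pack(FORK_FMT, count * block_size, block_size, count, start, count, *([0] * 14))
    hdr = struct.pack(">HHIIIII", 0x482B, 4, 1 << 13, 0x4846534A, 0, 0, 3_700_000_000)
    hdr += struct.pack(">IIIIIII", 0, 0, 12, 3, block_size, total_blocks, 40)   # ... fileCount, folderCount, blockSize, totalBlocks, freeBlocks
    hdr += struct.pack(">IIIIIQ", 20, 0, 0, 16, 1, 1) + bytes(32)   # ... nextCatalogID, writeCount, encodingsBitmap, finderInfo
    hdr += fork(1, 1) + fork(2, 2) + fork(4, 4) + fork(8, 2) + fork(0, 0)   # allocation, extents, catalog, attributes, startup
    assert len(hdr) == 512
    image = bytearray(block_size * total_blocks)
    image[1024:1536] = hdr
    image[-1024:-512] = hdr
    return bytes(image)
```

A mismatch between the two copies, or a primary that fails the signature check while the alternate parses, is the usual sign of a damaged or partly overwritten volume and is where a partition rebuild starts.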

Recreating HFS Partitions

1. Purpose: Useful in forensic investigations or recovery scenarios to restore corrupted or deleted HFS partitions.
2. Steps:
   - Identify the disk using tools like diskutil or fdisk.
   - Recreate the partition using a disk editor or partition recovery software.
   - Rebuild file structures by analyzing volume headers and catalog files.

Analyzing Unallocated Partitions

1. Unallocated Partition:
   - A space on the disk not assigned to any file system.
   - Commonly appears after accidental deletion or corruption of partitions.
2. Analysis Process:
   - Disk Imaging: Create a raw image of the unallocated space using tools like dd.
   - Signature Search: Look for file headers or known structures to identify data remnants.
   - File Carving: Extract files without relying on the file system.

Log Analysis in macOS

Understanding Various Logs:

Logs are records generated by the operating system and applications, capturing events, errors, and other system activities. macOS logs include:

1. System Logs:
   - Contain information about system-level events and kernel messages.
   - Found in /var/log or accessed through the Console app.
2. Application Logs:
   - Generated by individual applications.
   - Stored in application-specific directories.
3. Security Logs:
   - Record security-related events, such as user authentications.
   - Managed by the syslog and unified logging system.

Analyzing Important Logs

Key Artefacts:

1. User Activities:
   - Login/logout events.
   - File and application accesses.
2. User/Application Configurations:
   - Preference files (.plist) in ~/Library/Preferences/.
3. Attached Devices:
   - Connection history of external devices like USB drives.
   - Found in logs such as system.log.
4. Shared Locations:
   - Access records for network drives and shared folders.
5. Recently Accessed Documents and Programs:
   - Tracked in Recent Items (~/Library/Application Support/).
6. Installed Applications:
   - Metadata and installation history located in ~/Applications/ or /Applications/.

Techniques and Tools

1. Forensic Tools:
   - Autopsy: Open-source tool for file system and log analysis.
   - BlackBag: Specialized macOS forensic suite.
   - Digital Collector
   - FTK Imager
2. Command Line:
   - log show: View macOS unified logs.
   - fsck_hfs: Check and repair HFS+ volumes.
3. Visualization:
   - Use graphical log analyzers to correlate events across time.

Application Logs:

\Users\<username>\Library\Application Support\

- <application name>; this stores configuration, logs, and preference files for an application that has been installed onto the machine.
- CrashReporter; this is the directory where crash logs are stored, and keeps track of when an application has crashed and why (although, sometimes, the errors are quite generic — who’s surprised?).

A quick note: CrashReporter logs (and many other artefacts) are most likely going to have the extension .plist, which are also known as property lists. Sometimes they are binary files, so a neat way to view these on a Mac is to select the file and hit the spacebar.

\Users\<username>\Library\Launch Agents\

Applications listed in this directory are launched each time the computer boots, similar to Startup applications on a Windows machine.

User Browser Logs:

\Users\<username>\Library\Safari\

- History.db; this can be viewed with the free version of “DB Browser for SQLite”, as shown below. The main table to look at here is history_items, which lists the URLs viewed within this browser and how many times each was visited. ‘History_visits’ only shows the title of the webpage and the time it was accessed.

Yes, as you can tell I don’t use Safari a lot.
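Joining the two Safari tables just described gives a per-visit timeline rather than the bare counts DB Browser shows. The following is an added example, not code from these notes: it builds a constructed in-memory History.db with only the columns the notes mention plus the join key, and converts visit_time, which Safari stores as seconds since the Cocoa epoch (2001-01-01 00:00:00 UTC), into readable UTC timestamps. The column names history_visits.history_item and history_items.visit_count are assumed to match the real schema; the rows are made up.

```python
"""Build a visit timeline from a Safari-style History.db (constructed sample data)."""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Safari visit_time is seconds from here

def cocoa_to_utc(seconds):
    """Convert a Cocoa/Core Data timestamp (float seconds) to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def build_sample_history():
    """Constructed in-memory database with the two tables the notes describe (columns reduced)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.com/login', 2),
                                         (2, 'https://example.org/report.pdf', 1);
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Sign in'),
                                          (2, 2, 700003600.0, 'Quarterly report'),
                                          (3, 1, 700007200.0, 'Sign in');
    """)
    return db

def visit_timeline(db, since=None):
    """Return (utc_iso_time, url, title, visit_count) tuples oldest first.

    `since` is an optional aware UTC datetime; visits before it are dropped, which is
    how you narrow a history to the window of an incident."""
    rows = db.execute("""
        SELECT v.visit_time, i.url, v.title, i.visit_count
        FROM history_visits v JOIN history_items i ON i.id = v.history_item
        ORDER BY v.visit_time""").fetchall()
    timeline = []
    for ts, url, title, count in rows:
        when = cocoa_to_utc(ts)
        if since is None or when >= since:
            timeline.append((when.isoformat(), url, title, count))
    return timeline
```

The same join pattern applies to Chrome's urls and visits tables, but Chrome's visit_time is microseconds since 1601-01-01, so the epoch conversion differs.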

\Users\<username>\Caches\Metadata\Safari\

- History; this directory is full of .webhistory and .bplist files, whose contents I view with the ‘cat’ command; you might find some URLs here that could be useful in an investigation.
- Bookmarks; much the same as History, however these are .webbookmark files.

\Users\<username>\Library\Application Support\Firefox\Profiles

- places.sqlite; this is a database file that can be viewed with DB Browser. Tables of interest include:
  - ‘moz_bookmarks’ will show the sites bookmarked by the user
  - ‘moz_items_annos’ are annotations for bookmarked items
  - ‘moz_places’ is the list of viewed URLs from the Firefox browser.

\Users\<username>\Library\Application Support\Google\Chrome\Default

- History.sqlite; tables of interest include:
  - ‘downloads’ will obviously list downloads with filename and URL
  - ‘keyword_search_items’ for keyword terms typed into the browser
  - ‘urls’ is the user’s browser history with the url and title of the site visited
  - ‘visits’ also shows you the number of times the user visited a particular URL, and how long for (visit_duration).

\Users\<username>\Library\Internet Plug-Ins

Provides a list of plugins that have been added to the browser.

For Firefox, extensions are stored in \Users\<username>\Library\Application Support\Firefox\Profiles\*\extensions.json.

For Chrome, it’s in \Users\<username>\Library\Application Support\Google\Chrome\Extensions.

System Logs:

\private\var\log\asl

These are Apple System Logs, and are generally thought of as a replacement for syslog. You can view these files by running syslog -f log.asl, as shown below.

\private\var\log\install.log

This log contains a list of applications that have been installed onto the machine.

For networking:

Library\Preferences\SystemConfiguration

- com.apple.airport.preferences.plist contains all of the remembered wireless networks for the machine
- NetworkInterfaces.plist.
