Author Name
Douglas Brush
Artifact Name
SystemVersion.plist
Artifact/Program Version
OS X 10.x (Client)
Description
When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.
Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can wither be
in a binary-encoded format (bplist file header) or as XML.
To get the operating system version the first plist files you will
want to examine is the “SystemVersion.plist” located in
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.
File Locations
/System/Library/CoreServices/SystemVersion.plist
Research Links
Forensic Programs of Use
plist Edit Pro (Mac):
plist Editor Pro (Win):
轉自 http://forensicartifacts.com/2011/06/system-version-mac/
Douglas Brush
Artifact Name
SystemVersion.plist
Artifact/Program Version
OS X 10.x (Client)
Description
When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.
Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can wither be
in a binary-encoded format (bplist file header) or as XML.
To get the operating system version the first plist files you will
want to examine is the “SystemVersion.plist” located in
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.
File Locations
/System/Library/CoreServices/SystemVersion.plist
Research Links
Forensic Programs of Use
plist Edit Pro (Mac):
plist Editor Pro (Win):
轉自 http://forensicartifacts.com/2011/06/system-version-mac/
發表文章
0 意見: