SFL Mac OS

broken image


Mar 02, 2019 Apple's Mac Operating system still has artifact files, but in a slightly different way. The majority of all forensic data will be found within logs, plist files, and SFL (Shared File Lists). Much like in Windows, the Mac operating system has seen updates which has changed how this forensic data can be found. Find the latest SFL Corporation Ltd (SFL) stock quote, history, news and other vital information to help you with your stock trading and investing.

Lost ones mac os. Our digital forensics lab receives Mac computers for examination more and more often. There are some powerfull forensic suites for OS X analysis, but also there are a lot of very useful open source tools and scripts. One of such scripts is MacMRU-Parser.

MacMRU-Parser is a Python script written by Sarah Edwards and is available for downlpad from her GitHub. The script is able to parse both new SFL-based MRU plist files and 'older' format plists used in OS X 10.10 and older.

The script should be run on a directory: you can use both a directory with extracted files and, for example, user directory from a mounted image.

According to Sarah's blog, the script parses the following files:

  • /Users//Library/Preferences/.LSShardFileList.plist
  • /Users//Library/Preferences/com.apple.finder.plist
  • [10.10-] /Users//Library/Preferences/com.apple.recentitems.plist
  • [10.11+] /Users//Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/.sfl
  • [10.11+] /Users//Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
  • [10.11+] /Users//Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
  • [10.11+] /Users//Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
  • [10.11+] /Users//Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl

In this example we are going to use this script in Windows environment. Don't forget to install Python before trying to use it!

Ok, the first problem is how to make a Windows system mount an HFS+ partition? There is a solution! The first thing you should do is mounting the whole drive via, for example FTK Imager (read only, of course). After you could use Paragon HFS+ for Windows to access partitions. Now you can browse an HFS+ partition like regular NTFS partition.

The script we are going to use has two dependances: hexdump.py and ccl_bplist.py. Just download both and put them to the same directoty with macMRU.py.

Here is how the contents of this folder should look like:

Now start cmd.exe and change directory to the one with the script inside. Start script with the directory of your choice as the argument. In our case we have chosen the user's directory:

Battleroom (ashleycheung) mac os. Also, you can use '–blob' argument if you want to include binary BLOB hex dump of the Bookmark data.

How often do you examine Mac computers? And what tools do you usually use?

Happy forensicating!

Authors:

SFL

Igor Mikhaylov & Oleg Skulkin

Finder includes the Connect to Server option that is useful for a variety of things. Connections can be added to a Favorite Servers list by clicking the plus button which then remembers connection paths:

Sfl Mac Os Update

The paths added to Favorite Servers are actually stored within a file located at: ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteServers.sfl

NOTE: .SFL files are binary plist files that are frequently used in Mac OS X 10.11 El Capitan and above. This file may be different or not exist on older versions of macOS.

With this file, we can import it into another user profile or extract the data directly.

Mac

Igor Mikhaylov & Oleg Skulkin

Finder includes the Connect to Server option that is useful for a variety of things. Connections can be added to a Favorite Servers list by clicking the plus button which then remembers connection paths:

Sfl Mac Os Update

The paths added to Favorite Servers are actually stored within a file located at: ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteServers.sfl

NOTE: .SFL files are binary plist files that are frequently used in Mac OS X 10.11 El Capitan and above. This file may be different or not exist on older versions of macOS.

With this file, we can import it into another user profile or extract the data directly.

To Extract the Favorite Servers Data

Mac Os Download

Open up the file with a powerful text editor like TextWrangler or BBEdit (TextEdit won't work).

Sfl Mac Os X

The data may seem a bit convoluted, but any Favorite Servers that were stored will be within a set of tags:

To Import the File into Another Profile

Copy the file to the same path within a new user profile. If copying to a different username, the ownership of the file may need to be changed:

Sfl Mac Os Catalina

  1. Right-click the file in the new location and select Get Info
  2. Under Sharing & Permissions, click the Lock icon to unlock (enter credentials if needed)
  3. Click the Plus icon to add the new user's account and set the privilege drop-down to Read & Write
  4. With the new user highlighted, click the Gear icon and select Make user the owner
  5. Relaunch Finder (if needed)




broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save