Investigative notes for malware-type investigations on macOS. The artefacts below are among the ways modern malware maintains persistence on a system across shutdowns and reboots, and the first part shows how to get a forensic image mounted read-only so they can be examined.
sudo mkdir /Volumes/apfs_disk_image/
sudo mkdir /Volumes/apfs_disk_mount/
sudo xmount --in ewf --out dmg /Users/<Username>/APFS/apfs_disk.E01 /Volumes/apfs_disk_image/
hdiutil attach -nomount /Volumes/apfs_disk_image/apfs_disk.dmg
diskutil ap list
Optional step, only if the APFS volume is FileVault-encrypted:
diskutil ap unlockVolume <Disk GUID> -nomount
sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_disk_mount/
The -nomount flags keep hdiutil and diskutil from auto-mounting the volume read-write; the volume is mounted by hand in the last step, read-only (rdonly), with execution of binaries on it disabled (noexec) and ownership ignored (noowners). Replace disk# with the device of the APFS volume shown by diskutil ap list, not the synthesized container.
The install.log file is immensely valuable for seeing every installation on a Mac.
Use this command in the terminal to get the list (on a mounted image, prefix the path with the mount point, e.g. /Volumes/apfs_disk_mount/private/var/log/install.log, and check the rotated copies next to it as well):
grep 'Installed' /private/var/log/install.log
This log has great forensic value for identifying user installation activity. Questions such as which applications were installed remotely, or which installations failed, can be answered by analysing install.log.
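As an added example (not from the original page), the following Python parses lines in the shape grep pulls out of install.log and separates successful installs, failed installs, installs per installing process and off-hours activity. The sample lines are constructed for the example, with a hypothetical hostname, package names and versions; the exact wording of install.log messages varies between macOS releases, so treat the regular expressions as a starting point to adjust against the real file.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of /private/var/log/install.log
# (hypothetical host, packages and versions; not taken from a real system).
SAMPLE_INSTALL_LOG = """\
2023-05-14 10:22:31-04:00 mac-01 installd[512]: Installed "Google Chrome" (114.0.5735.90)
2023-05-14 10:25:02-04:00 mac-01 installd[512]: Installed "Xcode Command Line Tools" (14.3.0.0.1.1679519103)
2023-05-15 02:13:40-04:00 mac-01 installd[512]: Installed "SystemHelper" (1.0)
2023-05-15 02:14:05-04:00 mac-01 installd[512]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package"
2023-05-15 02:20:11-04:00 mac-01 softwareupdated[301]: Installed "macOS 13.4" (13.4)
"""

# timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INSTALLED_RE = re.compile(r'Installed "(?P<name>[^"]*)" \((?P<version>[^)]*)\)')
FAILED_RE = re.compile(r"Install Failed", re.IGNORECASE)


def parse_install_log(text):
    """Return one event dict per parseable line, tagged installed / failed / other."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or free-form lines are skipped
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        inst = INSTALLED_RE.search(ev["msg"])
        if inst:
            ev["kind"] = "installed"
            ev["name"] = inst["name"]
            ev["version"] = inst["version"]
        elif FAILED_RE.search(ev["msg"]):
            ev["kind"] = "failed"
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def installed_packages(events):
    """(timestamp, name, version, installing process) for every successful install."""
    return [(e["ts"], e["name"], e["version"], e["proc"])
            for e in events if e["kind"] == "installed"]


def failed_installs(events):
    """(timestamp, message) for every failed install."""
    return [(e["ts"], e["msg"]) for e in events if e["kind"] == "failed"]


def installs_by_process(events):
    """Which process did the installing: installd (GUI/installer), softwareupdated, etc."""
    return dict(Counter(e["proc"] for e in events if e["kind"] == "installed"))


def installs_between(events, start_hour, end_hour):
    """Names of packages installed when the local hour is in [start_hour, end_hour),
    e.g. (0, 6) for activity while the user was unlikely to be at the keyboard."""
    names = []
    for e in events:
        if e["kind"] != "installed":
            continue
        hour = int(e["ts"][11:13])  # local hour from "YYYY-MM-DD HH:MM:SS..."
        if start_hour <= hour < end_hour:
            names.append(e["name"])
    return names


if __name__ == "__main__":
    evs = parse_install_log(SAMPLE_INSTALL_LOG)
    for row in installed_packages(evs):
        print("installed", row)
    for row in failed_installs(evs):
        print("FAILED   ", row)
    print("by process:", installs_by_process(evs))
    print("overnight :", installs_between(evs, 0, 6))
```

Run it against the real file with `parse_install_log(open(path, errors="replace").read())`; the off-hours filter and the per-process count are the quick way to surface the questions the text raises, since an install at 02:13 by installd with a generic name is exactly what a remote or scripted installation looks like next to the user's daytime activity.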
macOS Keychain Analysis
Files of interest: keychain-2.db, together with the login keychain (~/Library/Keychains/login.keychain-db) and the System keychain (/Library/Keychains/System.keychain).
Data in the Login and System keychains (saved passwords, certificates and keys) can be very useful in an investigation. Once you copy the keychain-db file, you can open it in the native Keychain Access app to view its contents; showing the secrets themselves still requires the user's login (keychain) password. The data from this database can be very handy in an investigation to get access to the suspect's machine and accounts.
Login Items (User Level) - Applications Started at Login
The following plist holds the list of applications that start when the user logs in (not at system boot):
$ cd /Users/<Username>/Library/Preferences
$ open -a xcode com.apple.loginitems.plist
Each login item is stored as an Alias blob of binary data. Open it in any hex editor and the strings embedded in the hex give you the file path of the login item. On macOS 10.13 and later this plist is no longer maintained and login items are kept in backgrounditems.btm under ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ instead (the exact location varies by release).
Launch Agents (User Level) - Background User Process
$ cd /System/Library/LaunchAgents/
$ cd /Library/LaunchAgents/
$ cd ~/Library/LaunchAgents/
Launch Daemons (System Level) - Background System Process
$ cd /System/Library/LaunchDaemons/
$ cd /Library/LaunchDaemons/
Both are property lists read by launchd. Launch Agents run in the context of the logged-in user; Launch Daemons run as root (or as the account named in the plist) with no user logged in. With RunAtLoad or KeepAlive set, the job runs every time the system boots or the user logs in, so this is basically like a cron job. Third-party persistence lands in /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents; on current macOS the /System paths sit on the read-only system volume, so entries there are Apple's own. The best examples of Launch Daemons are the following plist files:
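As an added example that is not part of the original page, the Python below uses the standard plistlib module to read a launchd plist (LaunchAgent or LaunchDaemon) and flag what a triage analyst looks for first, and applies the same string extraction to the Alias blobs of com.apple.loginitems.plist that the hex-editor step above does by hand. The two agent plists, the login-items plist and the alias bytes are all constructed for the example (hypothetical label com.apple.softwareupdate.helper, user alice, path /Users/alice/Library/.cache/update.sh); the string scan over Alias data is a heuristic, not a parser of Apple's alias record format.

```python
import plistlib
import re

# Constructed LaunchAgent in the shape malware persistence often takes: an Apple-looking
# label, a script hidden under the user's home directory, started at login and kept alive.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/update.sh</string><string>-q</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>600</integer>
</dict>
</plist>
"""

# Constructed benign third-party agent for comparison.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Locations a non-root user can write to; a persistent job pointing here is a red flag.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def triage_launchd_plist(data, plist_path):
    """Summarise one LaunchAgent/LaunchDaemon plist and list triage findings."""
    p = plistlib.loads(data)
    label = p.get("Label", "")
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else None)
    findings = []
    if program is None:
        findings.append("no Program or ProgramArguments key")
    else:
        if program.startswith(USER_WRITABLE_PREFIXES):
            findings.append("program in user-writable location: " + program)
        if "/." in program:
            findings.append("program path contains a hidden directory")
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append("Apple-style label outside /System: " + label)
    return {
        "path": plist_path,
        "label": label,
        "program": program,
        "arguments": args[1:],
        "runs_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),  # may be a dict of conditions
        "start_interval": p.get("StartInterval"),
        "findings": findings,
    }


# Constructed com.apple.loginitems.plist; the Alias blobs mimic only the property that matters
# here: the volume name and the item path are embedded as plain strings inside binary data.
LOGIN_ITEMS = plistlib.dumps({"SessionItems": {"CustomListItems": [
    {"Name": "Dropbox", "Alias": b"\x00\x00\x00\x00\x01\x2e\x00\x02Macintosh HD\x00/Applications/Dropbox.app\x00"},
    {"Name": "update", "Alias": b"\x00\x00\x00\x00\x01\x2e\x00\x02Macintosh HD\x00/Users/alice/Library/.cache/update.sh\x00"},
]}})


def login_item_paths(data):
    """(name, [path-like strings]) per login item, pulled from each Alias blob the way a
    hex-editor pass does: printable runs of 4+ bytes that contain a slash."""
    p = plistlib.loads(data)
    items = p.get("SessionItems", {}).get("CustomListItems", [])
    out = []
    for item in items:
        blob = item.get("Alias", b"")
        strings = re.findall(rb"[\x20-\x7e]{4,}", blob)
        out.append((item.get("Name"), [s.decode("ascii") for s in strings if b"/" in s]))
    return out


if __name__ == "__main__":
    for data, path in ((SUSPICIOUS_AGENT, "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist"),
                       (BENIGN_AGENT, "/Library/LaunchAgents/com.example.updater.plist")):
        r = triage_launchd_plist(data, path)
        print(r["path"], "->", r["program"], r["findings"])
    for name, paths in login_item_paths(LOGIN_ITEMS):
        print("login item", name, paths)
```

On a mounted image, point the triage at every file under the LaunchAgents and LaunchDaemons directories of the mount point (plistlib.loads accepts binary plists as well as XML) and sort by the number of findings; the label check catches the common trick of borrowing an Apple-style name, and the path checks catch jobs that launch something from a hidden or user-writable directory, which Apple's own jobs never do.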