Artifacts

11 results - showing 1 - 11
Details
Device and account holder information 

MacOS Bluetooth plist

"LNK files (labels or Windows shortcut files) are typically files which are created by the Windows OS automatically, whenever a user opens their files. These files are used by the operating system to secure quick access to a certain file. In addition, some of these files can be created by users themselves to make their activities easier."

https://web.archive.org/web/20210226131111/https://belkasoft.com/forensic-analysis-of-lnk-files 

MacOS has a retention period for some log files, so the longer you keep the machine running, the higher are the chances that valuable logs will be overwritten. - https://medium.com/about-developer-blog/macos-forensics-diy-style-3369868505dd

"This folder contains items that run automatically when you log in to any user account on your Mac, and it’s a typical place for nefarious apps to stick files, as doing so could mean that their software will launch whenever you log in." https://www.macobserver.com/tips/quick-tip/macos-check-launchagents-malicious-software/

A startup item is a specialized bundle whose code is executed during the final phase of the boot process, and at other predetermined times (see Managing Startup Items). The startup item typically contains a shell script or other executable file along with configuration information used by the system to determine the execution order for all startup items. - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

This plist file contains most recently used (MRU) Illustrator and Photoshop files. - https://cyberforensicator.com/2017/11/06/the-hitchhikers-guide-to-macos-usb-forensics/

USB Device Tracking on Mac OS X

11 results - showing 1 - 11