SANS Digital Forensics and Incident Response Blog: Tag - plist

OSX Lion User Interface Preservation Analysis

Recently I've updated to OS X Lion (10.7) and started testing my incident response scripts on the system. I started looking through new default folders created for users and ran across a folder called "Saved Application State." I began researching this folder and determined that it's used to store settings for a new feature called …


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)

In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques.


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)

A simple how-to on capturing the contents of physical RAM on a Mac OS computer using Mac Memory Reader. I will demonstrate how incident responders can do a simple analysis on the resulting binary file using strings, a hex editor and foremost.


Safari Browser Forensics

Since Apple started installing Safari for Windows by default when you update iTunes, I imagine there's going to be considerably more interest in performing forensic analysis of Safari browser artifacts than there has been previously.

Safari for Windows


Safari Forensics

In searching for some tools to help with analysis of Safari artifacts on a case I recently worked, I came across SFT 1.1.1. SFT was first released about a year and a half ago, and was updated several times over the following six months. There are no recent updates. Except for one issue noted below, it seems to work OK. SFT 1.1.1 contains the

...