The locations you have mentioned are the first places I have looked along with many others.
The spreadsheet, whilst good, hasn't been updated in quite some time and locations of a lot of artifacts have changed for the more modern versions of OSX. The version I'm dealing with is OSX 10.11.2.
The case I'm looking at is not straightforward and there are things missing... for example, the install.log file should contain a good deal of information... but it doesn't, along with the others. AppleSetupDone.log is another file that should have some good info... but this details the last OS update instead of the original installation date of the OS... So do you know any others?
Do you know the location of the login times for different accounts, as I cannot find this anywhere? In fact, I can't find a lot of forensic information on the OSX user accounts on the latest operating systems.
If you can't be of further help, I'd love to hear from you.
10.11.2, well that does make a difference. Your original post was so generic and lacking specifics that a general answer was all it merited. I am traveling today, but if you can post some specifics about exactly what you are trying to find I will get you some answers when I get back to the lab.
There are so many students and people with little clue about what they are doing that post questions and never return to follow up that spending a lot of time on questions is just not worth it.
Sorry for my delay in reply, I have been away on a course.
You're quite right, looking back at my original post maybe it should have had more detail in it. The problem was that when I wrote it I was not at my forensic workstation, so I needed to generalise a little... anyway, to business...
So what I'm actually trying to work out is pretty much the same data you would find on a Windows system in the registry... account login times, last shutdown, etc. I cannot find the original OS install time anywhere... the previous places I mentioned do not have reliable info.
On another note, I've just come across something interesting in Unallocated Clusters regarding what I think may be file access of the HDD: 'File:/// <path>'. Do you think this may indicate local file access? I have seen similar in Windows systems that indicates local file access; do you think this is the same here on OSX?