Difference between pages "Tools:Memory Imaging" and "Mac OS X"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(New freeware tool for Live RAM dumping added)
 
(EFI boot)
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
{{Expand}}
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
  
== Memory Imaging Techniques ==
+
== EFI boot ==
 +
The firmware is responsible for initializing the hardware and performing a POST (Power-On Self Test).
  
; Crash Dumps
+
The default boot volume is stored in NVRAM and can be configured through the "Startup Disk" preference pane or the nvram command line utility [https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/nvram.8.html]. Additional boot arguments can be provided via the "boot-args" value [http://www.cnet.com/news/boot-argument-options-in-os-x/].
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
; LiveKd Dumps
+
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Hibernation Files
+
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: The [http://digitalfire.ucd.ie/?page_id=430 Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
+
; Virtual Machine Imaging
+
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
+
  
== Memory Imaging Tools ==
+
Mac OS X estends EFI with a read-only HFS+ driver.
===x86 Hardware===
+
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD PCIe card (commercial) - desktops, servers
+
HFS+ volume header fields are used to point to a "blessed file" to be loaded as an EFI application.
: Publicly available, supports all Windows OS; windd and other formats.
+
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
: Inquire at http://www.windowsscope.com.
+
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD ExpressCard (commercial) - laptop applications
+
Mac OS X EFI boot process supports both MZ-PE/COFF and EFI fat binary type [[Executable|executables]].
: Publicly available, supports all Windows OS; windd and other formats.
+
<pre>
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
/com.apple.recovery.boot/boot.efi
: Inquire at http://www.windowsscope.com.  
+
/System/Library/CoreServices/boot.efi
 +
/usr/standalone/i386/boot.efi
 +
</pre>
  
; Tribble PCI Card (research project)
+
The behavior of boot.efi can be configured in the com.apple.Boot.plist [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/com.apple.Boot.plist.5.html] which can be found in:
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
<pre>
 +
/Library/Preferences/SystemConfiguration/
 +
</pre>
  
; CoPilot by Komoku
+
== Disk image types ==
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
  
; Forensic RAM Extraction Device (FRED) by BBN
+
Mac OS X has support for various disk image types build-in, some of which are:
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
* read-write disk image (.dmg) some of which use the [[Raw Image Format]]
 +
* [[Sparse Image format|Sparse disk image (.spareimage)]]
 +
* [[Sparse Bundle Image format|Sparse bundle disk image (.sparsebundle)]]
  
===[[Windows]] Software===
+
== Burn Folder ==
There are many Windows memory acquisition tools. Most of them will not work on Windows Vista or 7, as user programs have been denied access to the ''\Device\Physicalmemory'' object starting in Windows 2003 Service Pack 1 and Windows Vista. Modern tools acquire physical memory by first installing a device driver, so administrative privileges are needed.
+
  
We have edited this list so that it only includes current tools:
+
Mac OS X Burn Folder:
 +
<pre>
 +
$NAME.fpbf
 +
</pre>
  
; Belkasoft Live RAM Caputer
+
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
: This free tool, unlike many others, works in kernel-mode, what allows to fight with proactive protection, used by many modern applications (for example, games), and in general gives more correct results.  
+
<pre>
: http://forensic.belkasoft.com/en/ram-capturer
+
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
 +
</pre>
  
; WindowsSCOPE Pro and Ultimate, available at  http://www.windowsscope.com
+
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
: Can capture, analyze, graph in depth physical and virtual memory codes and structures
+
: Proprietary and standard formats (windd), snapshot repository, snapshot comparison
+
: All Windows OSs (Xp, Vista, 7), 32 and 64 bit supported
+
: Phantom Probe USB based fetch
+
: CaptureGUARD PCIe card and ExpressCard for hardware-assisted DRAM acquisition
+
: CaptureGUARD Gateway for hardware-assisted DRAM acquisition of locked computers
+
: launched in 2011
+
  
; WindowsSCOPE Live
+
Also check the following files for references to deleted .fpbf paths:
: available at http://www.windowsscope.com and Android market
+
<pre>
: allows live memory analysis of Windows computers from Android phones and tablets
+
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
: launched in 2011
+
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist
 +
</pre>
  
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
Actual burning of optical media is logged in:
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
<pre>
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
/var/log/system.log
 +
/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
 +
</pre>
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
== HFS/HFS+ date and time values ==
: http://sourceforge.net/projects/mdd
+
  
; MANDIANT Memoryze
+
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: [http://web.archive.org/web/20090214212148/http://developer.apple.com/technotes/tn/tn1150.html Technical Note TN1150 - HFS Plus Volume Format]
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
  
; [[Kntdd]]
+
Converting HFS/HFS+ date and time values with Python:
: http://www.gmgsystemsinc.com/knttools/
+
<pre>
 +
import datetime
  
;[[Moonsols]]: [[DumpIt]]
+
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
: This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+
</pre>
: The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+
: Perfect to deploy the executable on USB keys, for quick incident responses needs.
+
: http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
+
  
;[[HBGary]]: Fastdump and Fastdump Pro
+
== Launch Agents ==
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
System-wide:
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
<pre>
:-32 bit and 64 bit architectures
+
/Library/LaunchAgents
:-Acquisitions of greater than 4GB
+
/System/Library/LaunchAgents
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
</pre>
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
  
;[[FTK Imager]]: FTK Imager
+
Per user:
:http://accessdata.com/support/adownloads#FTKImager
+
<pre>
:FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.
+
/Users/$USERNAME/Library/LaunchAgents
 +
</pre>
  
;[[OSForensics]]: OSForensics
+
These directories contain  [[Property list (plist)]] files.
:http://www.osforensics.com/
+
:OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process's memory space or physical memory dump can be done. Output can be a straight dump or a Microsoft crash dump file, for use with Micrsoft's WinDbg debugger.
+
  
;[https://volatility.googlecode.com/svn/branches/scudette/docs/pmem.html WinPmem]
+
== Launch Daemons ==
:WinPmem is a free, actively developed, opensource forensic memory acquisition tool for Windows. It supports Windows XP to Windows 8, both 32 and 64 bit architectures. It can produce raw dumps as well as dumps in crashdump format (for analysis with Volatility or windbg). It supports output to STDOUT for piping the dump through tools like netcat or ssh. WinPmem can be used together with the Volatility Technology Preview to analyse a live windows system for live response and triaging.
+
System-wide:
 +
<pre>
 +
/Library/LaunchDaemons
 +
/System/Library/LaunchDaemons
 +
</pre>
  
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/windows-memory-reader Windows Memory Reader]
+
These directories contain [[Property list (plist)]] files.
:Windows Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Windows crash dump or raw binary file.  Researchers can also use Windows Memory Reader to capture memory-mapped device data, such as shared video memory.  Windows Memory Reader supports Windows XP through Windows 8, both 32-bit and 64-bit versions, and is available free of charge.
+
  
===Linux===
+
== Startup Items ==
;[[/dev/mem]]
+
<pre>
: On older Linux systems, the program [[dd]] can be used to read the contents of [[physical memory]] from the device file <tt>/dev/mem</tt>. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system.  On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
+
/Library/StartupItems/
;[[/dev/crash]]
+
/System/Library/StartupItems/
:On Red Hat systems (and those running related distros such as Fedora or CentOS), the crash driver can be loaded to create pseudo-device /dev/crash for raw physical memory access (via command "modprobe crash"). This module can also be compiled for other Linux distributions with minor effort (see, for example, http://gleeda.blogspot.com/2009/08/devcrash-driver.html). When the crash driver is modified, compiled, and loaded on other systems, the resulting memory access device is not safe to image in its entirety. Care must be taken to avoid addresses that are not RAM-backed. On Linux, /proc/iomem exposes the correct address ranges to image, marked with "System RAM".
+
</pre>
;[http://secondlookforensics.com Second Look: Linux Memory Forensics]
+
: This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system.
+
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem]
+
: fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
;[http://code.google.com/p/lime-forensics/ LiME]
+
: Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.
+
  
===Mac OS X===
+
== Crash Reporter ==
;[http://digitalfire.ucd.ie/?page_id=430 Goldfish]
+
<pre>
:Goldfish is a [[Mac OS X]] live forensic tool. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Please see [http://digitalfire.ucd.ie/?page_id=430] for more information.
+
/Library/Application Support/CrashReporter
 +
</pre>
  
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader Mac Memory Reader]
+
Contains text files named .crash, .diag, .spin
:Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Mach-O binary or raw data file.  Mac Memory Reader is available free of charge.  It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer, or any Intel processor.
+
  
;[https://volatility.googlecode.com/svn/branches/scudette/docs/pmem.html OSXPmem]
+
== Diagnostic Reports ==
:The OSX Memory Imager is an open source tool to acquire physical memory on an Intel based Mac. The imager supports multiple output formats, at the moment these are Mach-O, ELF and zero-padded RAW.
+
<pre>
 +
/Library/Logs/DiagnosticReports
 +
</pre>
  
===Virtual===
+
== Internet Plug-Ins ==
; Qemu
+
System-wide:
: Qemu allows you to dump the memory of a running image using pmemsave.
+
<pre>
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
+
/Library/Internet Plug-Ins
; Xen
+
</pre>
: Xen allows you to live dump the memory of a guest domain using the dump-core command.
+
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
+
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
+
  
==See Also==
+
Per user:
* [[Windows Memory Analysis]]
+
<pre>
* [[Linux Memory Analysis]]
+
/Users/$USERNAME/Library/Internet Plug-Ins
 +
</pre>
 +
 
 +
== Quarantine event database ==
 +
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
 +
 
 +
Snow Leopard and earlier
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
 +
</pre>
 +
 
 +
<pre>
 +
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
 +
</pre>
 +
 
 +
Lion and later
 +
<pre>
 +
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
 +
</pre>
 +
 
 +
== sleepimage ==
 +
This file is similar to the hibernation file on Windows.
 +
<pre>
 +
/private/var/vm/sleepimage
 +
</pre>
 +
 
 +
Also see: [http://osxdaily.com/2010/10/11/sleepimage-mac/]
 +
 
 +
== Last shutdown logs ==
 +
<pre>
 +
/private/var/log/com.apple.launchd/launchd-shutdown.system.log
 +
/private/var/log/com.apple.launchd/launchd-shutdown.system.log.1
 +
</pre>
 +
 
 +
== Package Files (.PKG) ==
 +
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
 +
 
 +
== Also see ==
 +
* [[MacOS Process Monitoring]]
 +
* [[Acquiring a MacOS System with Target Disk Mode]]
 +
* [[Converting Binary Plists]]
 +
* [[FileVault Disk Encryption]]
 +
* [[File Vault]]
 +
 
 +
=== Formats ===
 +
* [[Basic Security Module (BSM) file format]]
 +
* [[Property list (plist)]]
  
 
== External Links ==
 
== External Links ==
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF Windows Memory Analysis (Sample Chapter)]
+
* [http://www.apple.com/macosx/ Official website]
* [http://blogs.23.nu/RedTeam/0000/00/antville-5201/ RedTeam: FireWire round-up],  
+
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], by [[Antonio Martin]], 2007
+
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
 +
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
 +
* [http://web.me.com/driley/iWeb/Previous_files/Directory_Services_Overview.pdf Mac OS X Directory Services Integration including Active Directory]
 +
* [http://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ NSKeyedArchiver files – what are they, and how can I use them?]
 +
* [http://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/ Command Line ALF on Mac OS X]
 +
* [http://newosxbook.com/DMG.html Demystifying the DMG File Format]
 +
* [https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS mac-security-tips]
 +
 
 +
=== Apple Examiner ===
 +
* [http://www.appleexaminer.com/ The Apple Examiner]
 +
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
 +
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
 +
 
 +
=== EFI ===
 +
* [http://refit.sourceforge.net/info/boot_process.html The Intel Mac boot process], by the [[rEFIt|rEFIt project]]
 +
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012
 +
 
 +
=== iCloud ===
 +
* [http://support.apple.com/kb/HT4865?viewlocale=en_US&locale=en_US iCloud: iCloud security and privacy overview]
  
[[Category:Tools]]
+
[[Category:Mac OS X]]
 +
[[Category:Operating systems]]

Revision as of 06:33, 25 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

EFI boot

The firmware is responsible for initializing the hardware and performing a POST (Power-On Self Test).

The default boot volume is stored in NVRAM and can be configured through the "Startup Disk" preference pane or the nvram command line utility [1]. Additional boot arguments can be provided via the "boot-args" value [2].

Mac OS X estends EFI with a read-only HFS+ driver.

HFS+ volume header fields are used to point to a "blessed file" to be loaded as an EFI application.

Mac OS X EFI boot process supports both MZ-PE/COFF and EFI fat binary type executables.

/com.apple.recovery.boot/boot.efi
/System/Library/CoreServices/boot.efi
/usr/standalone/i386/boot.efi

The behavior of boot.efi can be configured in the com.apple.Boot.plist [3] which can be found in:

/Library/Preferences/SystemConfiguration/

Disk image types

Mac OS X has support for various disk image types build-in, some of which are:

Burn Folder

Mac OS X Burn Folder:

$NAME.fpbf

This folder normally contains alias files (similar to LNK files under Windows). Which should have the following signature.

00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|

These alias files contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:

/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist

Actual burning of optical media is logged in:

/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log

HFS/HFS+ date and time values

In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: Technical Note TN1150 - HFS Plus Volume Format

Converting HFS/HFS+ date and time values with Python:

import datetime

print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )

Launch Agents

System-wide:

/Library/LaunchAgents
/System/Library/LaunchAgents

Per user:

/Users/$USERNAME/Library/LaunchAgents

These directories contain Property list (plist) files.

Launch Daemons

System-wide:

/Library/LaunchDaemons
/System/Library/LaunchDaemons

These directories contain Property list (plist) files.

Startup Items

/Library/StartupItems/
/System/Library/StartupItems/

Crash Reporter

/Library/Application Support/CrashReporter

Contains text files named .crash, .diag, .spin

Diagnostic Reports

/Library/Logs/DiagnosticReports

Internet Plug-Ins

System-wide:

/Library/Internet Plug-Ins

Per user:

/Users/$USERNAME/Library/Internet Plug-Ins

Quarantine event database

See [4]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

sleepimage

This file is similar to the hibernation file on Windows.

/private/var/vm/sleepimage

Also see: [5]

Last shutdown logs

/private/var/log/com.apple.launchd/launchd-shutdown.system.log
/private/var/log/com.apple.launchd/launchd-shutdown.system.log.1

Package Files (.PKG)

Package Files (.PKG) are XAR archives [6] that contain a cpio archive and metadata [7].

Also see

Formats

External Links

Apple Examiner

EFI

iCloud