Mac OS X

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

Quarantine event database

See [1]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents

SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Package Files (.PKG)

Package Files (.PKG) are XAR archives [2] that contain a cpio archive and metadata [3].

Also see

• MacOS Process Monitoring
• Acquiring a MacOS System with Target Disk Mode
• Converting Binary Plists

External Links

• Official website
• Wikipedia entry on OS X
• Quarantine event database
• Mac Forensics: Mac OS X and the HFS+ File System by P. Craiger

Apple Examiner

• The Apple Examiner
• USB Entries on OS X
• Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer by Ryan R. Kubasiak