Difference between pages "Windows" and "Mac OS X"

From ForensicsWiki
= Windows =

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, e.g. Windows 95, 98, ME
* the NT branch, e.g. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; was initially available in the Windows 8 server edition.

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
Default partition layout; the first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===

==== RECYCLER ====
Used by Windows 2000, XP.
Uses the INFO2 file.

See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]

==== $RECYCLE.BIN ====
Used by Windows Vista.
Uses $I and $R files.

See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value to the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]]

=== Setup log files (setupapi.log) ===
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After (at least) Windows 7 recovers from sleep/hibernation there is often a system time change event (event ID 1) in the event logs.

=== Users ===
Windows stores users' security identifiers (SIDs) under the following registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:

<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Program execution ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

==== Application Experience and Compatibility ====
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatibility Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatibility Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== Windows Scripting Host ====
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]

= Mac OS X =

{{Expand}}

Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes several heavily used programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], [[Apple Address Book]], and [[iCal]].

== EFI boot ==
The firmware is responsible for initializing the hardware and performing a POST (Power-On Self Test).

The default boot volume is stored in NVRAM and can be configured through the "Startup Disk" preference pane or the nvram command line utility [https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/nvram.8.html]. E.g. to print all of the firmware variables:
<pre>
nvram -p
</pre>

Additional boot arguments can be provided via the "boot-args" value [http://www.cnet.com/news/boot-argument-options-in-os-x/].

Mac OS X extends EFI with a read-only HFS+ driver. According to [http://refit.sourceforge.net/info/boot_process.html] HFS+ volume header fields are used to point to a "blessed file" to be loaded as an EFI application. It is not clear which header field the source refers to, but it is likely related to the "bless" utility [https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/bless.8.html].

The firmware starts the Mac OS X boot loader (boot.efi). The boot loader displays a dark grey Apple logo on the screen and loads the Darwin kernel from disk, as well as the essential driver extensions.

The boot loader can be either an MZ-PE/COFF or an EFI fat binary type [[Executable|executable]] and is commonly stored in:
<pre>
/com.apple.recovery.boot/boot.efi
/System/Library/CoreServices/boot.efi
/usr/standalone/i386/boot.efi
</pre>

The behavior of the boot loader can be configured in the com.apple.Boot.plist [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/com.apple.Boot.plist.5.html] which can be found in:
<pre>
/Library/Preferences/SystemConfiguration/
</pre>

== Disk image types ==
Mac OS X has built-in support for various disk image types, some of which are:
* read-write disk image (.dmg), some of which use the [[Raw Image Format]]
* [[Sparse Image format|Sparse disk image (.sparseimage)]]
* [[Sparse Bundle Image format|Sparse bundle disk image (.sparsebundle)]]

== Burn Folder ==
Mac OS X Burn Folder:
<pre>
$NAME.fpbf
</pre>

This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows), which should have the following signature:
<pre>
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
</pre>

These [[Mac OS X Alias Files|alias files]] contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:
<pre>
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
/Users/$USERNAME/Library/Preferences/com.apple.sidebarlists.plist
</pre>

Actual burning of optical media is logged in:
<pre>
/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
</pre>

== HFS/HFS+ date and time values ==
In HFS+ date and time values are stored as an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS, where the date and time values are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days. Also see: [http://web.archive.org/web/20090214212148/http://developer.apple.com/technotes/tn/tn1150.html Technical Note TN1150 - HFS Plus Volume Format]

Converting HFS/HFS+ date and time values with Python:
<pre>
import datetime

# The value is the number of seconds since the HFS+ epoch, January 1, 1904 00:00:00 UTC
print(datetime.datetime(1904, 1, 1) + datetime.timedelta(seconds=0xCBDAF25B))
</pre>

== Launch Agents ==
System-wide:
<pre>
/Library/LaunchAgents
/System/Library/LaunchAgents
</pre>

Per user:
<pre>
/Users/$USERNAME/Library/LaunchAgents
</pre>

These directories contain [[Property list (plist)]] files.

== Launch Daemons ==
System-wide:
<pre>
/Library/LaunchDaemons
/System/Library/LaunchDaemons
</pre>

These directories contain [[Property list (plist)]] files.

== Startup Items ==
<pre>
/Library/StartupItems/
/System/Library/StartupItems/
</pre>

== Crash Reporter ==
<pre>
/Library/Application Support/CrashReporter
</pre>

Contains text files with the extensions .crash, .diag and .spin.

== Diagnostic Reports ==
<pre>
/Library/Logs/DiagnosticReports
</pre>

== Internet Plug-Ins ==
System-wide:
<pre>
/Library/Internet Plug-Ins
</pre>

Per user:
<pre>
/Users/$USERNAME/Library/Internet Plug-Ins
</pre>

== Quarantine event database ==
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]

Snow Leopard and earlier:
<pre>
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
</pre>

The file is an SQLite database; the events can be listed with:
<pre>
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
</pre>

Lion and later:
<pre>
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
</pre>

== sleepimage ==
This file is similar to the hibernation file on Windows.
<pre>
/private/var/vm/sleepimage
</pre>

Also see: [http://osxdaily.com/2010/10/11/sleepimage-mac/]

== Last shutdown logs ==
<pre>
/private/var/log/com.apple.launchd/launchd-shutdown.system.log
/private/var/log/com.apple.launchd/launchd-shutdown.system.log.1
</pre>

== Package Files (.PKG) ==
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].

== Also see ==
* [[MacOS Process Monitoring]]
* [[Acquiring a MacOS System with Target Disk Mode]]
* [[Converting Binary Plists]]
* [[FileVault Disk Encryption]]
* [[File Vault]]

=== Formats ===
* [[Basic Security Module (BSM) file format]]
* [[Property list (plist)]]

== External Links ==
* [http://www.apple.com/macosx/ Official website]
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
* [http://web.me.com/driley/iWeb/Previous_files/Directory_Services_Overview.pdf Mac OS X Directory Services Integration including Active Directory]
* [http://digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ NSKeyedArchiver files – what are they, and how can I use them?]
* [http://krypted.com/mac-os-x/command-line-alf-on-mac-os-x/ Command Line ALF on Mac OS X]
* [http://newosxbook.com/DMG.html Demystifying the DMG File Format]
* [https://code.google.com/p/mac-security-tips/wiki/ALL_THE_TIPS mac-security-tips]

=== Apple Examiner ===
* [http://www.appleexaminer.com/ The Apple Examiner]
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak

=== EFI ===
* [http://refit.sourceforge.net/info/boot_process.html The Intel Mac boot process], by the [[rEFIt|rEFIt project]]
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012

=== iCloud ===
* [http://support.apple.com/kb/HT4865?viewlocale=en_US&locale=en_US iCloud: iCloud security and privacy overview]

[[Category:Mac OS X]]
[[Category:Operating systems]]
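The HFS/HFS+ date conversion from the Mac OS X article above, carried a step further as an added example (this is not code from the wiki page): the converter enforces the unsigned 32-bit range and the 2040 maximum the article states, reads the big-endian on-disk field, converts back again, and applies a UTC offset for the local-time HFS variant. The function and constant names are assumed, not Apple's.

```python
import datetime
import struct

# HFS+ dates count seconds from January 1, 1904 00:00:00 UTC in an unsigned 32-bit field.
HFS_PLUS_EPOCH = datetime.datetime(1904, 1, 1, tzinfo=datetime.timezone.utc)
HFS_MAX_VALUE = 0xFFFFFFFF


def hfs_plus_to_datetime(value):
    """Convert an HFS+ date to an aware UTC datetime; reject values outside the 32-bit field."""
    if not 0 <= value <= HFS_MAX_VALUE:
        raise ValueError("HFS+ date must be an unsigned 32-bit integer, got %r" % (value,))
    return HFS_PLUS_EPOCH + datetime.timedelta(seconds=value)


def hfs_to_datetime(value, utc_offset_hours):
    """HFS (not HFS+) stores the same counter as local wall-clock time, so the result
    must be labelled with the UTC offset the volume was written under (assumed known)."""
    wall_clock = hfs_plus_to_datetime(value).replace(tzinfo=None)
    zone = datetime.timezone(datetime.timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=zone)


def datetime_to_hfs_plus(moment):
    """Inverse of hfs_plus_to_datetime for an aware datetime; dates before 1904 or after
    2040-02-06 06:28:15 UTC cannot be represented and raise ValueError."""
    delta = moment.astimezone(datetime.timezone.utc) - HFS_PLUS_EPOCH
    seconds = int(delta.total_seconds())
    if not 0 <= seconds <= HFS_MAX_VALUE:
        raise ValueError("date is not representable as an HFS+ date")
    return seconds


def read_hfs_plus_date(raw, offset=0):
    """Read a 4-byte HFS+ date from on-disk data; HFS+ structures are big-endian (TN1150)."""
    return struct.unpack_from(">I", raw, offset)[0]


def hfs_plus_max_datetime():
    """The largest representable HFS+ date, which the article gives as 2040-02-06 06:28:15 UTC."""
    return hfs_plus_to_datetime(HFS_MAX_VALUE)


if __name__ == "__main__":
    # The page's example value, and the same value as it would appear in an on-disk field.
    print(hfs_plus_to_datetime(0xCBDAF25B))
    print(hfs_plus_to_datetime(read_hfs_plus_date(b"\xcb\xda\xf2\x5b")))
    print(hfs_plus_max_datetime())
```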

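An added example (not code from the wiki page) that runs the quarantine event query from the Mac OS X article above against a constructed in-memory SQLite copy of the LSQuarantineEvent table; the 978307200 offset in the query is the Cocoa epoch (2001-01-01 UTC) expressed in Unix seconds, which is what cocoa_to_datetime applies in Python. The sample rows, the reduced table schema and the helper names (open_quarantine_db, build_sample_db, list_quarantine_events) are assumptions of this example.

```python
import datetime
import sqlite3

# Seconds between the Unix epoch (1970-01-01) and the Cocoa/CFAbsoluteTime epoch (2001-01-01).
COCOA_EPOCH_OFFSET = 978307200

# The query from the wiki page; the alias makes the converted time the first column.
QUARANTINE_QUERY = """
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") AS LSQuarantineTimeStamp,
       LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString
FROM LSQuarantineEvent
"""


def cocoa_to_datetime(value):
    """Convert a Cocoa absolute time (seconds since 2001-01-01 UTC, stored as REAL) to UTC."""
    return datetime.datetime.fromtimestamp(value + COCOA_EPOCH_OFFSET, tz=datetime.timezone.utc)


def open_quarantine_db(path):
    """Open a QuarantineEvents/QuarantineEventsV2 file read-only (SQLite URI mode=ro),
    so examining the evidence cannot modify it."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def build_sample_db():
    """Constructed in-memory database with only the columns the query needs; the rows
    are sample data, not a real user's history, and the real table has more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
                        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
                        LSQuarantineTimeStamp REAL,
                        LSQuarantineAgentName TEXT,
                        LSQuarantineOriginURLString TEXT,
                        LSQuarantineDataURLString TEXT)""")
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", [
        # Inserted out of order on purpose; a mail attachment has no origin URL.
        ("00000000-0000-4000-8000-000000000002", 360118861.0, "Mail", None,
         "http://example.net/attachments/invoice.zip"),
        ("00000000-0000-4000-8000-000000000001", 360032461.0, "Safari",
         "http://example.com/downloads/", "http://example.com/downloads/report.pdf"),
    ])
    conn.commit()
    return conn


def list_quarantine_events(conn):
    """Run the page's query and return one dict per quarantined download, oldest first."""
    conn.row_factory = sqlite3.Row
    events = [dict(row) for row in conn.execute(QUARANTINE_QUERY)]
    # datetime() yields "YYYY-MM-DD HH:MM:SS", so a string sort is a chronological sort.
    events.sort(key=lambda event: event["LSQuarantineTimeStamp"])
    return events


if __name__ == "__main__":
    for event in list_quarantine_events(build_sample_db()):
        print(event["LSQuarantineTimeStamp"], event["LSQuarantineAgentName"],
              event["LSQuarantineDataURLString"])
```

To examine a real file, pass the result of open_quarantine_db(path) to list_quarantine_events instead of the sample database.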
Revision as of 09:07, 25 June 2014
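For the Windows article's partition layout and Advanced Format sections above, an added example (not the wiki page's own code) that parses an MBR partition table, reports whether the first partition starts at sector 63 (Windows 2000/XP/2003 default) or 2048 (Vista/2008/7 default), and checks whether each partition start is aligned to a 4 KB physical sector. The two MBR sectors are constructed test data and the function names are assumed.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
# status, CHS start, partition type, CHS end, LBA of first sector, sector count (little-endian)
PARTITION_ENTRY_FORMAT = "<B3sB3sII"


def parse_mbr(data):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(data) < MBR_SIZE:
        raise ValueError("MBR must be at least %d bytes" % MBR_SIZE)
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack_from(
            PARTITION_ENTRY_FORMAT, data, offset)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"index": index, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def classify_first_partition(start_lba):
    """Map the first partition's start sector to the default layouts named on this page."""
    if start_lba == 63:
        return "sector 63: Windows 2000/XP/2003 default layout"
    if start_lba == 2048:
        return "sector 2048: Windows Vista/2008/7 default layout"
    return "sector %d: non-default layout" % start_lba


def is_4k_aligned(start_lba, logical_sector_size=512):
    """True when the partition start lies on a 4096-byte boundary, i.e. on a physical
    sector of an Advanced Format drive; a start at sector 63 never does."""
    return (start_lba * logical_sector_size) % 4096 == 0


def build_mbr(partitions):
    """Construct an MBR from (type, start_lba, sectors, bootable) tuples. Test data only;
    the CHS fields get the 0xFE 0xFF 0xFF placeholder used when only LBA is meaningful."""
    mbr = bytearray(MBR_SIZE)
    for index, (ptype, start_lba, sectors, bootable) in enumerate(partitions):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        struct.pack_into(PARTITION_ENTRY_FORMAT, mbr, offset, 0x80 if bootable else 0x00,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample sectors (not captured from real disks): one NTFS partition at sector 63,
# and a Vista-style System Reserved partition at sector 2048 followed by the OS partition.
XP_STYLE_MBR = build_mbr([(0x07, 63, 20971457, True)])
VISTA_STYLE_MBR = build_mbr([(0x07, 2048, 204800, True), (0x07, 206848, 20764672, False)])


def describe_layout(data):
    """Per partition: (index, start_lba, classification of the first partition, 4K aligned)."""
    summary = []
    for entry in parse_mbr(data):
        label = classify_first_partition(entry["start_lba"]) if entry["index"] == 0 else ""
        summary.append((entry["index"], entry["start_lba"], label, is_4k_aligned(entry["start_lba"])))
    return summary


if __name__ == "__main__":
    for name, sector in (("XP-style", XP_STYLE_MBR), ("Vista-style", VISTA_STYLE_MBR)):
        print(name, describe_layout(sector))
```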
