
🍏 🐧 UNIX Artefacts

Apple Platform Security

Neither applications nor the OS itself know the keys that are protected by the Secure Enclave. The OS only sees the Keychain; the Secure Enclave is separate.

🗝️ Credentials

In this article, I will gather information regarding common UNIX-specific credentials and the artefacts linked to them.

Apple Plist

This is about … .

👥 Users

macOS

/Users/%username%/

Password hashes: sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist

Account Info: sudo plutil -p /private/var/db/dslocal/nodes/Default/Users/<User>.plist
Contains name, profile name, password hint, account image, UID.

DNS Cache

macOS

To achieve the same on a macOS machine:

awk -F',' 'NR>1{print $1","$2}' *.csv | sort | uniq -c | awk '{print $1","$2","$3}' > merged.

Network Connections

For macOS netstat there is no -o switch, so I’ve used netstat -ban.

sudo lsof -i -n -p

lsof -i :443 will show you all connections associated with port 443, commonly used for TLS communication.

Spotlight Data

In /Users/username/.zsh_history, look for something like hdiutil mount silenteye-0.4.1b-snowleopard.dmg and sudo cp -R /Volumes/SilentEye/silenteye-0.4.1b-snowleopard_installer.app /Applications. Also, /Users/sneaky/Library/Application Support/com.

UNIX Shell

macOS

By default, console data is not logged. Only stuff that was typed with sudo is.


/Users/%username%/Library/Application Support/MobileSync/Backup/

macOS Logs

macOS

Syslog: syslog. Since macOS Sierra (10.12, 2016), Apple has redesigned its log system. Unix logs (syslog, for example) were replaced.


This is about … .

UNIX Configs

Linux

SSH Files

/home/%username%/.ssh/authorized_keys
/home/%username%/.ssh/known_hosts
/home/%username%/.ssh/config
/home/%username%/.ssh/id_* (default)

and just /home/%username%/.ssh/ for all the keys