
🍏 🐧 UNIX Artefacts

Apple Platform Security

Applications, and even the OS itself, do not know the keys that are protected by the Secure Enclave. The OS only sees the Keychain; the Secure Enclave is separate.

🗝️ Credentials

In this article, I will gather information regarding common UNIX-specific credentials and the artefacts linked to them.

Apple Plist

This is about … .

👥 Users

macOS
Home directory: /Users/%username%/
Password hashes: sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist
Account info: sudo plutil -p /private/var/db/dslocal/nodes/Default/Users/<User>.plist (contains name, profile name, password hint, account image, UID)

DNS Cache

macOS
To achieve the same on a macOS machine (the second awk prints the uniq count followed by the joined field pair; the original had a third field that was always empty):
awk -F',' 'NR>1{print $1","$2}' *.csv | sort | uniq -c | awk '{print $1","$2}' > merged.

Network Connections

On macOS, netstat has no -o switch, so I've used netstat -ban.
sudo lsof -i -n -P
lsof -i :443 will show you all connections associated with port 443, commonly used for TLS communication.

Spotlight Data

In /Users/username/.zsh_history, look for something like hdiutil mount silenteye-0.4.1b-snowleopard.dmg and sudo cp -R /Volumes/SilentEye/silenteye-0.4.1b-snowleopard_installer.app /Applications. Also, /Users/sneaky/Library/Application Support/com.

UNIX Shell

macOS
By default, console input is not logged. Only commands that were typed with sudo are.

Backups

/Users/%username%/Library/Application Support/MobileSync/Backup/

macOS Logs

macOS Syslog
Since macOS Sierra (10.12, 2016), Apple has redesigned its logging system; the traditional Unix logs (syslog, for example) were replaced.

RAM

This is about … .

UNIX Configs

Linux SSH Files
/home/%username%/.ssh/authorized_keys
/home/%username%/.ssh/known_hosts
/home/%username%/.ssh/config
/home/%username%/.ssh/id_* (default key files), and /home/%username%/.ssh/ for all the keys

UNIX Core