Data about a file is stored in several locations: system metadata (generated by file system or doc management of the OS), substantive metadata (information that defines modifications to a document), embedded metadata (information embedded by the application that creates or edits the file), external metadata (separate doc, for example, a database).
LNK There are several artifacts indicating user activity. One of them is LNK files. To analyse acquired LNK files use π LECmd (E.
Login activity For admin account go to IAM -> Credential report to see all the users and the following information:
Trash /home/%username%/.local/share/Trash/ Recent Files /home/%username%/.local/share/recently-used.xbel References Expand… Something here
AppStore Downloads /Library/Receipts/InstallHistory.plist Search Spotlight shortcuts /Users/%username%/Library/Application Support/com.apple.spotlight.Shortcuts Finder MRU /Users/%username%/Library/Preferences/com.apple.finder.plist Share Points] plutil -p ".
iOS KnowledgeC: https://www.magnetforensics.com/blog/analysis-of-graykey-images-with-axiom-new-knowledgec-database-artifact-additions/ β’ /private/var/mobile/Library/CoreDuet/Knowledge/ knowledgeC.db Screentime: /private/car/mobile/Library/Application Support/com.apple.remotemanagementd/ RMAdminStore-Local.sqlite Snapshots: β’ /private/var/mobile/Library/Containers/Data/ Application/[APPGUID]/Library/Splashboard/ Snapshots/