iTunes Enhanced
Mp3 VersionSat, 4 July 2009
This episode covers why we point everyone to the user's Home folder first. Ryan talks about Diskarbitration for Leopard and Tiger. Chris showcases the Plists of the Week, Safari bookmarks, history, downloads, TopSites & Last Session.Websites of the Week: MacTracker & EveryMac Podcasts to listen to: CyberSpeak & Forensic 4Cast Show notes are available for download. They are more detailed than the synopsis below: Click here to Download Show notes synopsis: Home Folder: -Most of the evidence is located in the Userʼs Home Folder -Majority of the Preference PLists with user-specific settings are in User/Library/ Preferences -User Logs: -Indicative of the userʼs activity -Not system activity, but user specific logs -Preferences: -PLists files or proprietary format files for the User -Contains configurations and settings for the User -I.E. Online activity, buddy lists, email, logins, etc. -Application Support: -Mozilla Cache, iPhone backup files from MobileSync folder -Application PLists with information LEOPARD: -Disk Arbitration looks at devices and mounts the device and makes icon to access this device available to the user -On Boot, Disk Arbitration recognizes the internal hard drive. Recognizes file system. Mounts partitions on desktop. -In order to prevent writes, we must prevent the mount. -To turn off Disk Arbitration, enter Terminal and type: sudo launchctl unload System/Library/LaunchDaemon/com.apple.diskarbitrationd.plist -Now when you connect a disk, the disk will not mount -To turn back on, enter Terminal and type: sudo launchctl load System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist or Reboot system and diskarbitration will become active again TIGER: -Not controlled by LaunchCtl process -Need to move the PList from one location to another -Method: 1. Make copy of the diskarbitrationd.plist 2.Once the copy is made, use the remove command in Terminal to delete the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder 3.Reboot system 4.Only OS Boot partition will mount. To UNDO, Copy the diskarbitrationd.plist back to the /etc/mach_init.d folder and reboot the system. PList(s) of the Week(PLOW): User/Library/Safari: Bookmarks.plist: -User created/maintained bookmarks Downloads.plist -Any downloads specific to Safari -Download history History.plist: -History from Safari if not cleared TopSites.plist -Came with Safari 4 -When a New Tab is opened, it opens thumbnails of most visited sites -Instead of typing URL, just click on thumbnail and it opens the site. LastSession.plist: -Indicates what was open on last Safari session -If multiple windows opened, it will indicate each as a different Item |
Inside the Core
The Macintosh Forensic Podcast
Categories
generalpodcasts
Archives
NovemberJune
December
July
June
March
December
November
October
August
July
June
May
| S | M | T | W | T | F | S |
|---|---|---|---|---|---|---|
| 1 | 2 | |||||
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 | ||||||
Syndication
Disclaimer:
The Inside the Core podcast is provided for entertainment only. Any information, techniques, software or equipment that is discussed should be researched, tested and validated prior to use. This podcast is not a substitute for specialized training that is required for computer forensics. The topics of discussion and/or opinions are those of the host(s) and do not reflect the views of the hosts employers or former employers. Discussion of content, goods, or services provided by outside entities does not imply endorsement. Nothing in the podcast should be construed as an offer, solicitation or recommendation to buy or sell any specific products or training.
