Macintosh İşletim Sistemlerinin adli incelemelerinde yaygın olarak kullanılan kısayol listelesi aşağıya çıkarılmıştır. Yapılan incelemelerde bu bilgilerin el altında bulunmasının faydalı olacağını düşünüyorum..
|
.bash_history This file maintains a set of commands entered in the terminal by the user |
Root of /Users Home Directory |
|
Calendar Events User’s iCal calendar events |
/Username/Library/Calendars /GL//D /Events |
|
Documents Directory |
/Username/Documents |
|
Entourage Database User is using Microsoft Office for Mac, and is using Entourage as the email client |
/usernome /Documents/Microsoft User Data/Office 2008 Identities/Main Identity/Database |
|
Entourage Mail Contacts |
/usernome /Library/Caches/Metadata/Microsoft/Entourage/2008/ Main Identity/Contacts/0T/0B/0M/0K |
|
Entourage Mail Messages |
/usernome /Library/Caches/Metadata/Microsoft/Entourage/2008/ MainIdentity/Messages/0T/0B/0M/0K/ |
|
Home Directory |
/Users/Username |
|
iPhoto Library Modified version of photos |
/usernome /Pictures/iPhoto Library/Modified |
|
iPhoto Library Original version of photos |
/usernome /Pictures/iPhoto Library/Originals |
|
Network Information |
/Library/Preferences/com.apple.network.identification.plist |
|
Photo Booth Photos captured with Webcam |
/usernome /Pictures/Photo Booth |
|
Pictures Directory |
/Username/Pictures |
|
Programs Directory |
/Applications |
|
Public Directory If file sharing is enabled via any protocol, sharing is enabled on the Public directory |
/username/Public |
|
Recent Items The 10 most recently run applications, connected server information, and documents recently accessed by the user |
/Username/Library/Preferences/com.apple.recentitems.plist |
|
System Logs |
/usernome/Library/Logs/ |
|
System Registration |
/Username/Library/Assistants/Send Registration.setup |
|
System Version |
/System/Library/CoreServices/SystemVersion.plist |
|
Trash Files moved to the trash by the logged on user |
/usernome/.Trash |
|
User Contacts |
/Username/Library/Preferences/AddressBookMe.plist |
|
User Identification Examination of plists will show generateduid for user identification |
/private/var/db/dslocal/nodes/Default/users |
|
User Logon Information • Last logon date • Failed logons • Account creation date |
/private/var/db/shadow/hash GUID file with .state extension |
|
User Logon Password Hash |
/private/var/db/shadow/hash GUID file with no extension |
|
Volumes information about all volumes mounted on the computer |
/usernome/Library/Preferences/ByHost/com.apple.systempreferen ces/0017f2c9b67f.plist (Hex name will be different – this is the MAC address of the computer’s Ethernet adapter) |
|
Wireless Networks |
/Library/Preferences/com.apple.airport.preferences.plist |
Safari Kısayolları
|
Bookmarks |
/username/Library/Safari/Bookmarks.plist |
|
Bookmarks Backup |
/username/Library/Caches/Metadata/Safari/Bookmarks |
|
Browsing History |
/username/Library/Safari/History.plist |
|
Browsing History Backup |
/username/Library/Caches/Metadata/Safari/History |
|
Cache |
/username/Library/Caches/com.apple.Safari/cache.db/tables/ cfurl_cache_blob_data (Expand to show Blob Data) |
|
Cache URL Response |
/username/Library/Caches/com.apple.Safari/cache.db/tables/ cfurl_cache_response (View HTML file) |
|
Cookies |
/username/Library/Cookies/Cookies.plist |
|
Downloads History |
/username/Library/Safari/Downloads.plist |
|
Home Directory |
/username/Library/Safari |
|
Last Session |
/username/Library/Safari/LastSession.plist |
|
Preferences |
/username/Library/Preferences/com.apple.Safari.plist |
Firefox Kısayolları
|
Bookmarks and Form History |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/formhistory.sqlite/tables/moz_formhistory (Profiles default directory name is randomly generated for each user)(View HTML file) |
|
Bookmarks Backup |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/bookmarkbackup (Profiles default directory name is randomly generated for each user) (View files named bookmarks-yyyy-mm-dd.json) |
|
Browsing History |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/places.sqlite/tables/moz_history (Profiles default directory name is randomly generated for each user)(View HTML file) |
|
Cache |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/Cache (Profiles default directory name is randomly generated for each user) |
|
Cookies |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/Cookies.sqlite/tables/moz_cookies (Profiles default directory name is randomly generated for each user)(View HTML file) |
|
Downloads History |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default/downloads.sqlite/tables/moz_downloads (Profiles default directory name is randomly generated for each user)(View HTML file) |
|
Home Directory |
/username/Library/Application Support/Firefox/Profiles/ abcdef7g.default |
|
Stored Passwords |
/username/Library/Application Support/Firefox/ Profiles/ abcdef7g.default signons3.txt file |
iChat Kısayolları
|
Account Settings |
/username/Library/Preferences/com.apple.ichat.plist |
|
Saved Chats If chats are saved, they will be in directories named with the date of the chat Flag 1 – Incoming message Flag 5 – Outgoing message |
/username/Documents/iChat |
|
User Chat Picture |
/username/Library/Caches/com.apple.iChat/Pictures/ PictureNameMap.plist |
|
Apple Mail Kısayolları |
|
|
Mail Directory |
/username/Library/mail |
|
POP3 Mail Boxes |
/username/Library/mail/ [email protected] |
|
IMAP Mail Boxes |
/username/Library/mail/Mailboxes |
|
iPod Kısayolları |
|
|
Cache |
/username/Pictures/iPhoto Library/iPod Photo Cache (Photos will have .ithmb extension. Photos needed converted using a program such as iThmbConv) |
|
Syncing Clients |
/username/Library/Application Support/SyncServices/Local/ Syncingclients.plist |
Macintosh Shortcuts
iPhone Yedekleme Kısayolları
|
Account Settings |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ Info.plist |
|
Address Book Contact Icons |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ cd6702cea29fe89cf280a76794405adb17f9a0ee.mddata/ ABImage/Blobs |
|
Address Book Information |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ 3 1bb7ba8914766d4ba40d6dfb6113c8b614be442.mddata/ ABPerson (Select HTML file) |
|
Backup Directory (MAC) |
/usernome /Library/Application Support/MobileSync/Backup /GU/D |
|
Backup Directory (Windows) |
\Documents and Settings\username\Application Data\Apple Computer\Mobile Sync\Backup |
|
Calendar Information |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ 2041457d5fe04d39d0ab481178355df6781e6858.mddata/ _SqliteDatabaseProperties (Select HTML file) |
|
Call Log |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ ff1324e6b949111b2fb449ecddb50c89c3699a78.mddata/ Call (Select HTML file) |
|
Notes |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ 740b7eaf93d6ea5d305e88bb349c8e9643f48c3b.mddata/ Note (Select HTML file) |
|
Text Messages • 2 – External Number • 3 – Local Number |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata/ Group_member (Select HTML file) |
|
Voice Mail Log |
/usernome /Library/Application Support/MobileSync/Backup /GU/D/ 992df473bbb9e132f4b3b6e4d33f72171e97bc7a.mddata/ Voicemail (Select HTML file) |
|
|
|
|
Other Property Lists |
Overview Tab > File Category > Other Known Types > Property List File |
|
Address Book Listings |
b64e73540b6221bffc16b18f2205e1335e31d7d8.mddata |
|
Email Account Usage |
5fd03a33c2a31106503589573045150c740721dd.mddata |
|
Last Number Dialed |
fb7786ced1add24313fa258c8e1ed041e24d52a4.mddata |
|
Map Directions |
b60c382887dfa562166f099f24797e55c12a94e4.mddata |
|
Map Pin Drop |
b88b75bddaa69139b66d948b7cbd4f41d9dd416d.mddata |
|
Map Searches |
a30335a2c0f0316c9610d868a527b2ade1911542.mddata |
|
Purchase Information |
3b2f19b7d02788a824d3d1f7b9ba5e4c7108485c.mddata |
|
Safari Browsing History Lowest number is most recent |
1d6740792a2b845f4c1e6220c43906d7f0afe8ab.mddata |
|
Safari Cookies |
1dd07f2fbb1169bed93c21047ca5616371ea4a04.mddata |
|
Safari Searches |
bd38afa30b5a43c146db02a46ee11d82cdc817fe.mddata |
|
Safari Web Pages |
9281049ff1d27f1129c0bd17a95c863350e6f5a2.mddata |
|
Voice Mail |
Conduct a search for files with header 23-21-41-4D-52-0A Files must be exported from case and renamed with .amr extension Use program such as AMR Player to listen to voice mails |
|
Wireless Networks |
34f7f8423d8f77bc812dd8d70f84c33a5caacbe8.mddata |