File System Artifacts

• /Users//: User documents, downloads, Desktop files
• .bash_history / .zsh_history: Shell command history
• .plist files: Application and system preferences (in ~/Library/Preferences/)
• Spotlight Metadata: /Volumes/<volume>/.Spotlight-V100
• Quarantine Database: ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Log Files

• Unified Logs: Use log show or Console.app (live & historical logs)
• /var/log/system.log: System-level events
• /var/log/install.log: Software install history
• /var/log/asl/: Apple System Logger files (legacy)
• /private/var/log/secure.log: Authentication & security events (if enabled)

Process & Execution Artifacts

• Running Processes: ps aux, top
• LaunchAgents:
  • Per-user: ~/Library/LaunchAgents/
  • System-wide: /Library/LaunchAgents/
• LaunchDaemons: /Library/LaunchDaemons/
• cron jobs: crontab -l
• Login/Logout Hooks (deprecated but may exist): /etc/rc.common

Network Artifacts

• Active Connections: netstat -anv, lsof -i, nettop
• Firewall Logs: /var/log/appfirewall.log
• Wi-Fi Logs: /private/var/log/wifi.log
• Network Interfaces: ifconfig, networksetup

User Artifacts

• User Accounts: dscl . list /Users
• Login History: last, last -x, log show --predicate 'eventMessage contains "login"'
• AirDrop Usage: Look for sharingd logs
• USB Device History: system_profiler SPUSBDataType
• Disk Mounts: diskutil list, mount, /Volumes/

Tools

• OSXCollector: Framework for automated artifact collection
• KnockKnock: Checks for persistent items
• OverSight: Detects webcam/mic usage
• BlockBlock: Monitors persistence changes
• mac_apt: macOS Artifact Parsing Tool
• Volatility / Rekall: Memory analysis (with OSXpmem dump)

Note: SIP (System Integrity Protection) can restrict access to sensitive artifacts. Live analysis should respect macOS privacy boundaries unless fully authorized.

Proceed wisely, investigator.