I recently attended the awesome SANS DFIR, Mac and iOS Forensics and Incident Response course with Sarah Edwards. This has obviously given me lots of great inspiration on how to negotiate Mac analysis in general and to take a closer look at some of those system files that we covered in training.
I’ve spent a little bit of time digging through the log files on my MacBook (Mojave 10.14.2). I’m sure this isn’t new to most practised Unix beards but for those who aren’t aware, there’s a really great little log file called daily.out in /var/log. I had previously given little credence to this log but realised it can be used to determine a whole wealth of useful information. I also reviewed the weekly.out and monthly.out files but these were, in my case, far less granular.
At a high level, daily.out contains information relating to disk usage and networking. The file is written at least daily, and the configurations for all three periodic logs (daily, weekly and monthly) are stored in plist files in the following location:
/System/Library/LaunchDaemons/com.apple.periodic-*****.plist
After reviewing the content of this file, I started to consider how it might assist in some of my casework.
Disk Usage
Firstly, I borrowed some grep skills from a very knowledgeable and tall colleague on my team to see if we could parse out just some specific information from the daily.out file. We extracted the lines only containing the dates, followed by the lines which related specifically to disk usage.
From this, we were able to find entries dating back as far as 3 months, and that the log contains:
- Logical volumes mounted at the time entries are written
- Size of volumes
- Space used on volumes
As you can imagine, disk volume information will be highly valuable in showing drives or images which were attached when the log was written and especially if you know the volume name used by a device you’re looking to prove access to.
We can also ascertain some other information from this log which is quite valuable.
Bootcamp!
You may have an instance where a suspect, subject or general bad person is saying they have never used their Bootcamp install, however, you can see from the Bootcamp disk usage that the volume is being written to and from regularly. Perhaps a big chunk of data has been deleted before a date of interest?
Uptime
Another interesting piece from the daily.out file is that it will show uptime of the system when the log entries are written. This could help prove whether or not the system was switched on and in use over a specific period.
This may also show some interesting information about account usage on the computer. As Mac computers generally tend to be used by individuals, there is usually only ever one account logged on at any time. If you have an experienced user who elevates to root every day, then seeing multiple accounts logged on may not be uncommon. However, if an inexperienced user who has no knowledge of the root account is logged on many times while another account is also logged on, it may be suspicious or warrant further analysis.
Again, we extracted the lines from the daily.out file we were interested in using a simple grep command.
As you can see we can pull some interesting information about computer and account usage:
- Shows uptime of the system at the point in which the daily.out entry is written
- Also shows the number of users logged on, remember this is usually going to be one
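The two extractions described above (the date headers with the disk usage lines, and the uptime line with its logged-on user count) can be done in one pass with a small parser. The following is an added example and is not the grep command from the original post. The sample log text is constructed to match the layout the periodic daily script writes on Mojave; the dates, device names and volume names are invented, and the helper names (parse_daily_out, volume_timeline, used_history, multi_user_days) are my own.

```python
"""Parse a macOS /var/log/daily.out into per-day records (added example, not the post's own grep)."""
import re
from datetime import datetime

# Constructed sample in the layout of a Mojave daily.out; all dates, devices and
# volume names are invented. Three days: a USB volume appears on day 2 only, the
# BOOTCAMP volume loses a large amount of used space between day 2 and day 3, and
# day 2 shows two accounts logged on.
SAMPLE_DAILY_OUT = """\
Mon Jan  7 03:15:01 GMT 2019

Removing scratch and junk files:

Disk status:
Filesystem     Size   Used  Avail Capacity iused               ifree %iused  Mounted on
/dev/disk1s1  466Gi  107Gi  355Gi    24%  992237 9223372036853783570    0%   /
/dev/disk1s4  466Gi  3.0Gi  355Gi     1%       4 9223372036854775803    0%   /private/var/vm

Local system status:
 3:15  up 2 days,  5:02, 1 user, load averages: 1.20 1.35 1.42

-- End of daily output --
Tue Jan  8 03:15:02 GMT 2019

Disk status:
Filesystem     Size   Used  Avail Capacity iused               ifree %iused  Mounted on
/dev/disk1s1  466Gi  108Gi  354Gi    24%  992300 9223372036853783507    0%   /
/dev/disk1s4  466Gi  3.0Gi  354Gi     1%       4 9223372036854775803    0%   /private/var/vm
/dev/disk2s2   64Gi   12Gi   52Gi    19%       0                   0  100%   /Volumes/EVIDENCE_USB
/dev/disk0s3  120Gi   80Gi   40Gi    67%       0                   0  100%   /Volumes/BOOTCAMP

Local system status:
 3:15  up 3 days,  5:02, 2 users, load averages: 0.80 0.95 1.02

-- End of daily output --
Wed Jan  9 03:15:00 GMT 2019

Disk status:
Filesystem     Size   Used  Avail Capacity iused               ifree %iused  Mounted on
/dev/disk1s1  466Gi  108Gi  354Gi    24%  992310 9223372036853783497    0%   /
/dev/disk0s3  120Gi   45Gi   75Gi    38%       0                   0  100%   /Volumes/BOOTCAMP

Local system status:
 3:15  up 13 mins, 1 user, load averages: 2.10 1.50 0.90

-- End of daily output --
"""

# Each run of the daily script starts with a date(1)-style header line.
DATE_RE = re.compile(r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ([A-Z][a-z]{2}) +(\d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})$")
# uptime(1) output: "... up 2 days,  5:02, 2 users, load averages: ..."
UPTIME_RE = re.compile(r"\bup (.+?),\s+(\d+) users?\b")
SIZE_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_size(text):
    """Convert a df -h style size such as '3.0Gi' or '466Gi' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]i)?", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS.get(m.group(2), 1))


def parse_daily_out(text):
    """Split the log on its date headers and collect volumes, uptime and user count per day."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DATE_RE.match(line)
        if m:
            day = datetime.strptime(" ".join(m.groups()), "%b %d %Y").date()
            current = {"date": day, "volumes": [], "uptime": None, "users": None}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue  # stray text before the first header
        if line.endswith(":") and not line.startswith(" "):
            section = line  # e.g. "Disk status:", "Local system status:"
            continue
        if section == "Disk status:" and line.startswith("/dev/"):
            # df prints 9 columns; split on the first 8 gaps so a mount point containing
            # spaces ("/Volumes/My Disk") survives intact. Non-/dev/ rows (autofs maps) are skipped.
            parts = line.split(None, 8)
            if len(parts) == 9:
                current["volumes"].append({"device": parts[0], "size": parts[1], "used": parts[2],
                                           "avail": parts[3], "capacity": parts[4],
                                           "mount": parts[8].strip()})
        elif section == "Local system status:":
            um = UPTIME_RE.search(line)
            if um:
                current["uptime"] = re.sub(r"\s+", " ", um.group(1))
                current["users"] = int(um.group(2))
    return entries


def volume_timeline(entries):
    """Map each mount point to (first seen, last seen, number of daily entries listing it)."""
    seen = {}
    for e in entries:
        for v in e["volumes"]:
            first, last, n = seen.get(v["mount"], (e["date"], e["date"], 0))
            seen[v["mount"]] = (min(first, e["date"]), max(last, e["date"]), n + 1)
    return seen


def used_history(entries, mount):
    """(date, used bytes) for one volume, so a large drop before a date of interest stands out."""
    return [(e["date"], parse_size(v["used"]))
            for e in entries for v in e["volumes"] if v["mount"] == mount]


def multi_user_days(entries):
    """Dates on which more than one account was logged on when the entry was written."""
    return [e["date"] for e in entries if e["users"] is not None and e["users"] > 1]


if __name__ == "__main__":
    recs = parse_daily_out(SAMPLE_DAILY_OUT)
    for mount, (first, last, n) in sorted(volume_timeline(recs).items()):
        print(f"{mount:24} first {first}  last {last}  ({n} entries)")
    for d, used in used_history(recs, "/Volumes/BOOTCAMP"):
        print(f"{d}  BOOTCAMP used {used / 1024 ** 3:.1f} GiB")
    print("days with more than one user logged on:", multi_user_days(recs))
```

Point parse_daily_out at the real file contents (`open("/var/log/daily.out").read()`, or the copy pulled from an image) and the same three helpers give the volume-attachment timeline, the used-space trend for a volume such as BOOTCAMP, and the days on which more than one account was logged on. The parser keys on the "Disk status:" and "Local system status:" headers; if an older or newer macOS labels those sections differently, adjust the two string comparisons.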
There are also some very useful network interface statistics listed in this file which are probably more relevant to IR investigations but we may look at these another time.