Jul 04 2009 49 mins
This episode covers why we point everyone to the user's Home folder first. Ryan talks about Diskarbitration for Leopard and Tiger. Chris showcases the Plists of the Week, Safari bookmarks, history, downloads, TopSites & Last Session.
Websites of the Week: MacTracker & EveryMac
Podcasts to listen to: CyberSpeak & Forensic 4Cast
Show notes are available for download. They are more detailed than the synopsis below:
Click here to Download
Show notes synopsis:
Home Folder:
-Most of the evidence is located in the Userʼs Home Folder
-Majority of the Preference PLists with user-specific settings are in
User/Library/ Preferences
-User Logs:
-Indicative of the userʼs activity
-Not system activity, but user specific logs
-Preferences:
-PLists files or proprietary format files for the User
-Contains configurations and settings for the User
-I.E. Online activity, buddy lists, email, logins, etc.
-Application Support:
-Mozilla Cache, iPhone backup files from MobileSync folder -Application PLists with information
LEOPARD:
-Disk Arbitration looks at devices and mounts the device and makes icon
to access this device available to the user
-On Boot, Disk Arbitration recognizes the internal hard drive. Recognizes
file system. Mounts partitions on desktop.
-In order to prevent writes, we must prevent the mount.
-To turn off Disk Arbitration, enter Terminal and type:
sudo launchctl unload System/Library/LaunchDaemon/com.apple.diskarbitrationd.plist
-Now when you connect a disk, the disk will not mount
-To turn back on, enter Terminal and type:
sudo launchctl load System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
or Reboot system and diskarbitration will become active again
TIGER:
-Not controlled by LaunchCtl process
-Need to move the PList from one location to another
-Method:
1. Make copy of the diskarbitrationd.plist
2.Once the copy is made, use the remove command in Terminal to delete
the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder
3.Reboot system
4.Only OS Boot partition will mount.
To UNDO, Copy the diskarbitrationd.plist back to the /etc/mach_init.d
folder and reboot the system.
PList(s) of the Week(PLOW):
User/Library/Safari:
Bookmarks.plist:
-User created/maintained bookmarks
Downloads.plist
-Any downloads specific to Safari
-Download history
History.plist:
-History from Safari if not cleared
TopSites.plist
-Came with Safari 4
-When a New Tab is opened, it opens thumbnails of most visited sites
-Instead of typing URL, just click on thumbnail and it opens the site.
LastSession.plist:
-Indicates what was open on last Safari session
-If multiple windows opened, it will indicate each as a different Item
Websites of the Week: MacTracker & EveryMac
Podcasts to listen to: CyberSpeak & Forensic 4Cast
Show notes are available for download. They are more detailed than the synopsis below:
Click here to Download
Show notes synopsis:
Home Folder:
-Most of the evidence is located in the Userʼs Home Folder
-Majority of the Preference PLists with user-specific settings are in
User/Library/ Preferences
-User Logs:
-Indicative of the userʼs activity
-Not system activity, but user specific logs
-Preferences:
-PLists files or proprietary format files for the User
-Contains configurations and settings for the User
-I.E. Online activity, buddy lists, email, logins, etc.
-Application Support:
-Mozilla Cache, iPhone backup files from MobileSync folder -Application PLists with information
LEOPARD:
-Disk Arbitration looks at devices and mounts the device and makes icon
to access this device available to the user
-On Boot, Disk Arbitration recognizes the internal hard drive. Recognizes
file system. Mounts partitions on desktop.
-In order to prevent writes, we must prevent the mount.
-To turn off Disk Arbitration, enter Terminal and type:
sudo launchctl unload System/Library/LaunchDaemon/com.apple.diskarbitrationd.plist
-Now when you connect a disk, the disk will not mount
-To turn back on, enter Terminal and type:
sudo launchctl load System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
or Reboot system and diskarbitration will become active again
TIGER:
-Not controlled by LaunchCtl process
-Need to move the PList from one location to another
-Method:
1. Make copy of the diskarbitrationd.plist
2.Once the copy is made, use the remove command in Terminal to delete
the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder
3.Reboot system
4.Only OS Boot partition will mount.
To UNDO, Copy the diskarbitrationd.plist back to the /etc/mach_init.d
folder and reboot the system.
PList(s) of the Week(PLOW):
User/Library/Safari:
Bookmarks.plist:
-User created/maintained bookmarks
Downloads.plist
-Any downloads specific to Safari
-Download history
History.plist:
-History from Safari if not cleared
TopSites.plist
-Came with Safari 4
-When a New Tab is opened, it opens thumbnails of most visited sites
-Instead of typing URL, just click on thumbnail and it opens the site.
LastSession.plist:
-Indicates what was open on last Safari session
-If multiple windows opened, it will indicate each as a different Item