macOS Forensic Artifacts

A comprehensive reference for digital forensics and incident response (DFIR) professionals working with macOS systems.

Browsers

Safari, Chrome, and Firefox history, cookies, downloads, sessions, extensions, and more.

Communication

Messages, Mail, FaceTime call history, and Contacts database artifacts.

Filesystem

FSEvents, Spotlight metadata, and APFS filesystem artifacts.

System & Activity

Unified Logs, Keychain, Launch Agents, Shell History, KnowledgeC, and more.


About this knowledgebase

Each article documents file locations, database schemas, timestamp formats, key fields for analysis, version differences across macOS releases, and investigative tips.

Categories

  • Browsers — Safari, Chrome, Firefox history, cookies, downloads, sessions, and more
  • Communication — Messages, Mail, FaceTime, and Contacts
  • Filesystem — FSEvents, Spotlight metadata, APFS metadata
  • Network — Wi-Fi history, Bluetooth connections
  • System — Unified Logs, Keychain, Launch Agents/Daemons, System Info
  • User Activity — Shell history, Recent Items, KnowledgeC, Screen Time

macfor

This knowledgebase accompanies macfor, an open-source macOS forensic artifact collector. macfor automates the collection of the artifacts documented here, preserving forensic integrity through read-only access and cryptographic hashing.