Artifacts

Explore forensically relevant macOS artifacts organised by category. Each article documents file locations, data formats, key fields for analysis, timestamp handling, and investigative tips.

Categories

• Browsers — Safari, Chrome, Firefox history, cookies, downloads, sessions, and more
• Communication — Messages, Mail, FaceTime, and Contacts
• Filesystem — FSEvents, Spotlight, APFS, .DS_Store, Quick Look, extended attributes, Trash
• System — Unified Logs, Keychain, Launch Agents/Daemons, user accounts, login items, audit trail, crash reports
• Security — TCC permissions, Gatekeeper, XProtect, quarantine events
• User Activity — Shell history, KnowledgeC, Biome, Screen Time, location services, notifications
• Network — Wi-Fi history, Bluetooth, VPN, firewall, DNS configuration
• Applications — CoreAnalytics execution history, installed apps, Dock preferences
• Productivity — Calendar, Reminders, Notes
• Devices — USB device history, iOS backups, AirDrop