Overview
macOS keeps VPN configuration in two places: legacy L2TP/IPSec and Cisco IPSec services live in the SystemConfiguration preferences (preferences.plist), while VPNs built on the Network Extension framework (including the built-in IKEv2 client and third-party tunnel providers) are recorded in com.apple.networkextension.plist. Together these reveal the remote-access endpoints a user connects to, the authentication method in use, whether all traffic was tunnelled, and (via the Unified Logs) when connections were established and torn down. This data is central to reconstructing remote-work patterns, identifying access to corporate networks, and detecting unauthorised VPN use.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| VPN server addresses | Remote access endpoints (corporate or personal); hostnames and IP ranges help attribute the organisation |
| VPN protocols | IKEv2, L2TP/IPSec, Cisco IPSec (IKEv1); WireGuard and OpenVPN via third-party clients |
| Authentication type | Certificate, username/password, pre-shared key |
| Connection timestamps | When VPN sessions were established and terminated |
| Split tunnel config | Whether all traffic is routed through the VPN or only specific destinations |
| Third-party VPN apps | Installed VPN client applications and their own configuration stores |
File Locations
| Artifact | Path | Format |
|---|---|---|
| System preferences | /Library/Preferences/SystemConfiguration/preferences.plist | Plist |
| Network Extensions | /Library/Preferences/com.apple.networkextension.plist | Plist |
| Per-app VPN config | ~/Library/Preferences/com.apple.networkextension.plist | Plist |
| Keychain (VPN credentials) | /Library/Keychains/System.keychain (secrets of system-wide VPN services), ~/Library/Keychains/login.keychain-db | Apple keychain format (not SQLite) |
| Unified Logs | /var/db/diagnostics/ (plus /var/db/uuidtext/, which is needed to decode the entries) | tracev3 |
Key Data
System Configuration
# Read VPN configurations: legacy L2TP/PPTP/Cisco IPSec services sit under NetworkServices.
# plutil -p is read-only and handles binary plists; the grep keeps only the VPN-relevant keys.
plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -n -i -E 'UserDefinedName|SubType|RemoteAddress|AuthenticationMethod|AuthName|OverridePrimary'
# List configured VPN services with their current state (*=enabled)
scutil --nc list
# List Network Extension configurations (IKEv2, third-party tunnel providers)
plutil -p /Library/Preferences/com.apple.networkextension.plist 2>/dev/null
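The grep above is good for a quick look, but a parser is what you want when triaging several hosts or when the plist is binary. The following is an added example, not code from the original page or from macfor: it walks NetworkServices, keeps only VPN-capable interfaces, and pulls out the endpoint, authentication method, whether the secret lives in the keychain, and the IPv4 OverridePrimary flag (the "Send all traffic over VPN connection" setting) that decides split tunnelling. Key names follow Apple's SystemConfiguration schema; the embedded SAMPLE_PREFERENCES plist is constructed test data, and its UUIDs, names and hosts are placeholders.

```python
"""Enumerate VPN services in a macOS SystemConfiguration preferences.plist.

Added example, not code from the original page or from macfor. Key names
follow Apple's SystemConfiguration schema (NetworkServices -> Interface,
IPSec, PPP, IPv4). SAMPLE_PREFERENCES is constructed test data, not a
capture from a real host; its UUIDs, names and hosts are placeholders.
"""
import plistlib
import sys

# Interface types that can carry a VPN service. "PPP" also covers modem
# connections, so it only counts when its SubType is L2TP or PPTP.
VPN_INTERFACE_TYPES = {"PPP", "IPSec", "VPN"}
PPP_VPN_SUBTYPES = {"L2TP", "PPTP"}


def parse_vpn_services(plist_bytes: bytes) -> list[dict]:
    """Return one summary dict per VPN service found under NetworkServices."""
    prefs = plistlib.loads(plist_bytes)          # accepts XML and binary plists
    found = []
    for service_id, svc in prefs.get("NetworkServices", {}).items():
        iface = svc.get("Interface", {})
        itype, subtype = iface.get("Type"), iface.get("SubType")
        if itype not in VPN_INTERFACE_TYPES:
            continue                              # Wi-Fi, Ethernet, Bluetooth ...
        if itype == "PPP" and subtype not in PPP_VPN_SUBTYPES:
            continue                              # serial/modem PPP, not a VPN
        ipsec = svc.get("IPSec", {})
        ppp = svc.get("PPP", {})
        ipv4 = svc.get("IPv4", {})

        auth = []
        if ipsec.get("AuthenticationMethod"):     # SharedSecret / Certificate / Hybrid
            auth.append(ipsec["AuthenticationMethod"])
        if ppp.get("AuthName"):                   # PPP user credential (L2TP/PPTP)
            auth.append("Password")

        found.append({
            "service_id": service_id,
            "name": svc.get("UserDefinedName", "<unnamed>"),
            "protocol": subtype or itype,         # L2TP, PPTP, IPSec, or VPN (NE plug-in)
            "remote": ipsec.get("RemoteAddress") or ppp.get("CommRemoteAddress"),
            "auth": sorted(auth),
            "username": ppp.get("AuthName") or ipsec.get("XAuthName"),
            # "Keychain" means the secret itself is in System.keychain, not in this file
            "secret_in_keychain": "Keychain" in (ipsec.get("SharedSecretEncryption"),
                                                 ppp.get("AuthPasswordEncryption")),
            # IPv4/OverridePrimary = 1 is "Send all traffic over VPN connection"
            "full_tunnel": ipv4.get("OverridePrimary") == 1,
        })
    return found


# Constructed sample: one L2TP/IPSec service (full tunnel, secrets in keychain),
# one Cisco IPSec service using certificates, and a Wi-Fi service to be skipped.
SAMPLE_PREFERENCES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NetworkServices</key><dict>
    <key>5A1E0000-0000-4000-8000-000000000001</key><dict>
      <key>UserDefinedName</key><string>Corp L2TP</string>
      <key>Interface</key><dict><key>Type</key><string>PPP</string><key>SubType</key><string>L2TP</string></dict>
      <key>PPP</key><dict><key>CommRemoteAddress</key><string>vpn.example.com</string>
        <key>AuthName</key><string>jdoe</string><key>AuthPasswordEncryption</key><string>Keychain</string></dict>
      <key>IPSec</key><dict><key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecretEncryption</key><string>Keychain</string></dict>
      <key>IPv4</key><dict><key>ConfigMethod</key><string>PPP</string><key>OverridePrimary</key><integer>1</integer></dict>
    </dict>
    <key>5A1E0000-0000-4000-8000-000000000002</key><dict>
      <key>UserDefinedName</key><string>Lab IPSec</string>
      <key>Interface</key><dict><key>Type</key><string>IPSec</string></dict>
      <key>IPSec</key><dict><key>RemoteAddress</key><string>203.0.113.10</string>
        <key>AuthenticationMethod</key><string>Certificate</string></dict>
      <key>IPv4</key><dict><key>ConfigMethod</key><string>Automatic</string></dict>
    </dict>
    <key>5A1E0000-0000-4000-8000-000000000003</key><dict>
      <key>UserDefinedName</key><string>Wi-Fi</string>
      <key>Interface</key><dict><key>Type</key><string>IEEE80211</string><key>DeviceName</key><string>en0</string></dict>
    </dict>
  </dict></dict></plist>"""


if __name__ == "__main__":
    # Usage: python vpn_prefs.py [/path/to/preferences.plist]; defaults to the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    for s in parse_vpn_services(data):
        print(f"{s['name']!r:14} {s['protocol']:6} remote={s['remote']} "
              f"auth={','.join(s['auth']) or '-'} user={s['username'] or '-'} "
              f"keychain={s['secret_in_keychain']} full_tunnel={s['full_tunnel']}")
```

Run it against a copied preferences.plist from the image (it needs no macOS APIs, so it works from a Linux analysis box). Services whose Interface Type is "VPN" are NE plug-ins; their endpoint and authentication details are not in this file but in com.apple.networkextension.plist.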
Connection History (Unified Logs)
# VPN connection events (--info adds info-level messages to the default-level ones)
log show --predicate 'subsystem == "com.apple.networkextension" OR eventMessage CONTAINS[c] "VPN"' --info --last 7d
# The same Network Extension query against a collected log archive (sysdiagnose or `log collect`),
# exported as NDJSON so it can be parsed; the archive name is a placeholder
log show --archive system_logs.logarchive --predicate 'subsystem == "com.apple.networkextension"' --info --style ndjson > ne.ndjson
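Reading thousands of NE log lines by eye does not produce a timeline; pairing connect and disconnect events does. The following is an added example, not code from the original page or from macfor, that consumes `log show --style ndjson` output and rebuilds sessions with their durations, keeping unmatched events visible (a disconnect without a preceding connect usually means the start fell outside the retained log window). The record fields used (timestamp, subsystem, process, eventMessage) are those of log's ndjson output; SAMPLE_NDJSON is constructed, the message wording in it is invented, and the UP_MARKERS / DOWN_MARKERS substrings are assumptions to tune against the real messages on the macOS version you are examining.

```python
"""Rebuild VPN sessions from `log show --style ndjson` output.

Added example, not code from the original page or from macfor. The record
fields used (timestamp, subsystem, process, eventMessage) are those of log's
ndjson style. SAMPLE_NDJSON is constructed; real Network Extension message
wording differs between macOS versions, so UP_MARKERS / DOWN_MARKERS are
assumptions to tune against the logs you actually have.
"""
import json
import sys
from datetime import datetime

NE_SUBSYSTEM = "com.apple.networkextension"
# Assumed substrings marking a tunnel coming up / going down. Check the real
# wording first with: log show --predicate 'subsystem == "com.apple.networkextension"' --info
UP_MARKERS = ("connected", "established")
DOWN_MARKERS = ("disconnected", "disconnecting", "terminated")


def parse_log_timestamp(ts: str) -> datetime:
    """log's ndjson timestamps look like '2024-03-11 08:59:42.123456-0700'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")


def classify(message: str):
    """Return 'up', 'down' or None. Down markers are checked first because
    'disconnected' also contains 'connected'."""
    m = message.lower()
    if any(w in m for w in DOWN_MARKERS):
        return "down"
    if any(w in m for w in UP_MARKERS):
        return "up"
    return None


def build_sessions(ndjson_text: str) -> list[dict]:
    """Pair up/down events into sessions; unmatched starts or ends are kept
    with the missing side set to None rather than silently dropped."""
    sessions, current = [], None
    for raw in ndjson_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("subsystem") != NE_SUBSYSTEM:
            continue
        state = classify(rec.get("eventMessage", ""))
        if state is None:
            continue
        ts = parse_log_timestamp(rec["timestamp"])
        if state == "up":
            if current is not None:          # new start before the previous end: keep it open
                sessions.append(current)
            current = {"start": ts, "end": None, "process": rec.get("process")}
        else:
            if current is None:              # end with no observed start (log rotation / window edge)
                sessions.append({"start": None, "end": ts, "process": rec.get("process")})
            else:
                current["end"] = ts
                sessions.append(current)
                current = None
    if current is not None:                  # still connected at the end of the window
        sessions.append(current)
    return sessions


def session_seconds(session: dict):
    """Duration in whole seconds, or None when either end is unknown."""
    if session["start"] is None or session["end"] is None:
        return None
    return int((session["end"] - session["start"]).total_seconds())


# Constructed sample records: one unrelated Wi-Fi line, a complete session,
# a disconnect whose start was not retained, and a session still open.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-03-11 08:30:00.000000-0700", "subsystem": "com.apple.wifi",
     "process": "airportd", "eventMessage": "connected to SSID"},
    {"timestamp": "2024-03-11 09:00:00.000000-0700", "subsystem": NE_SUBSYSTEM,
     "process": "nesessionmanager", "eventMessage": "Corp L2TP: tunnel established"},
    {"timestamp": "2024-03-11 09:45:30.000000-0700", "subsystem": NE_SUBSYSTEM,
     "process": "nesessionmanager", "eventMessage": "Corp L2TP: disconnected"},
    {"timestamp": "2024-03-11 13:05:00.000000-0700", "subsystem": NE_SUBSYSTEM,
     "process": "nesessionmanager", "eventMessage": "Corp L2TP: disconnected"},
    {"timestamp": "2024-03-11 17:10:00.000000-0700", "subsystem": NE_SUBSYSTEM,
     "process": "nesessionmanager", "eventMessage": "Corp L2TP: tunnel established"},
])


if __name__ == "__main__":
    # Usage: python vpn_sessions.py ne.ndjson   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NDJSON
    for sess in build_sessions(text):
        secs = session_seconds(sess)
        print(f"{sess['start']} -> {sess['end']}  "
              f"({secs if secs is not None else 'unknown'} s)  {sess['process']}")
```

Because the live Unified Log retains only a limited window, run this over a log archive collected early in the response rather than over `--last 7d` on a system that has been running for weeks; the None-sided sessions it reports are your cue that the window was too short.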
Analysis Notes
- Corporate network identification: VPN server addresses often reveal corporate infrastructure. Resolve hostnames and check IP ownership (WHOIS/ASN) to attribute the organisation.
- Split tunnel analysis: in preferences.plist, IPv4 -> OverridePrimary = 1 is the "Send all traffic over VPN connection" setting. When it is set, everything routed through the VPN while it was up, so browsing history and other network activity in that window took place inside the corporate (or VPN provider's) network context; when it is unset, only destinations the server routed through the tunnel did.
- Third-party clients: Cisco AnyConnect/Secure Client, GlobalProtect, Tailscale and WireGuard keep their own configuration and logs outside the system plists. Check ~/Library/Application Support, ~/Library/Containers (sandboxed App Store builds) and vendor directories such as /opt/cisco.
- Credential storage: shared secrets and passwords for system-wide VPN services are stored in /Library/Keychains/System.keychain (the plist only records "Keychain" as the encryption method), user-level entries in login.keychain-db. Cross-reference Keychain analysis for VPN-related entries; System.keychain can be unlocked with /var/db/SystemKey when you have root on the image.
- Connection timing: connection and disconnection timestamps from the Unified Logs correlate with work schedules and remote-access patterns. The live log keeps only a limited window, so collect a log archive (sysdiagnose or `log collect`) early in the response.
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| defaults / plutil (macOS built-in) | Read VPN configuration plists (plutil -p is read-only and handles binary plists) |
| scutil (macOS built-in) | List VPN services and their state (scutil --nc list); dump one service (scutil --nc show "<name>") |
| log (macOS built-in) | Query VPN connection events from the live log or a log archive |
| networksetup (macOS built-in) | List network services including VPN (networksetup -listallnetworkservices) |
| security (macOS built-in) | Enumerate keychain items holding VPN secrets (security dump-keychain) |