System Information
Overview
System information collection gathers comprehensive metadata about the macOS system under investigation. This data serves three critical forensic purposes:
- Evidence identification -- Precisely identifies the device through serial number, model, hostname, and volume UUID.
- Context for analysis -- OS version, architecture, and security state determine which artifact locations, file formats, and parsing strategies apply.
- Chain of custody -- Documents the exact system state at collection time, who performed the collection, and with what privileges.
macfor collects system information automatically at the start of every collection run. The data is embedded in the evidence container manifest and is available to all plugins for version-aware behaviour.
Forensic Significance
| Category | Forensic Value |
|---|---|
| OS version and build | Determines artifact paths, database schemas, and format versions |
| Hardware model and serial | Uniquely identifies the physical device for evidence tracking |
| Security state (SIP, FileVault, Gatekeeper) | Indicates system hardening level and potential attacker capabilities |
| Boot time and uptime | Anchors timeline -- identifies when the system was last restarted |
| Timezone | Critical for correlating timestamps from different artifact sources |
| Network identity | Hostname variants help match the device to network logs |
| Collection environment | Documents who ran the tool, with what privileges, and when |
File Locations
System information is not stored in a single file. It is collected from multiple sources:
| Information | Source | Method |
|---|---|---|
| OS version, build | /System/Library/CoreServices/SystemVersion.plist | Plist parsing |
| Hardware model | sysctl hw.model | Sysctl query |
| CPU type | sysctl machdep.cpu.brand_string | Sysctl query |
| CPU cores | sysctl hw.physicalcpu | Sysctl query |
| Memory | sysctl hw.memsize | Sysctl query |
| Kernel version | sysctl kern.osrelease | Sysctl query |
| Serial number | ioreg -l (IOPlatformSerialNumber) | IOKit registry |
| SIP status | csrutil status | Command execution |
| FileVault status | fdesetup status | Command execution |
| Gatekeeper status | spctl --status | Command execution |
| Secure boot level | bputil -d (Apple Silicon only) | Command execution |
| Hostname | os.Hostname() | Go runtime |
| Local hostname | scutil --get LocalHostName | Command execution |
| Computer name | scutil --get ComputerName | Command execution |
| Timezone | /etc/localtime, time.Local | System library |
| Boot time | sysctl kern.boottime | Sysctl query |
| Boot volume info | diskutil info -plist / | Command execution + plist |
Database Schema / File Format
SystemVersion.plist
Located at /System/Library/CoreServices/SystemVersion.plist, this binary plist contains:
| Key | Example Value | Description |
|---|---|---|
| ProductVersion | "14.2.1" | macOS version (major.minor.patch) |
| ProductBuildVersion | "23C71" | Build identifier |
| ProductName | "macOS" | Product name |
Boot Time (sysctl)
The kern.boottime sysctl returns a timeval struct as text:
{ sec = 1706428530, usec = 0 }
The sec value is a Unix epoch timestamp. macfor parses this to determine the last boot time.
Disk Utility Output
diskutil info -plist / returns a binary plist with:
| Key | Description |
|---|---|
| VolumeName | Boot volume name (e.g., "Macintosh HD") |
| VolumeUUID | Volume UUID |
| FilesystemType | Filesystem type (e.g., "apfs") |
Key Fields for Analysis
Operating System
| Field | Description | Example |
|---|---|---|
| os_name | Always "macOS" | "macOS" |
| os_version | Major.minor.patch version | "14.2.1" |
| os_build | Build identifier | "23C71" |
| os_codename | Marketing name (derived) | "Sonoma" |
| kernel_version | Darwin kernel version | "23.2.0" |
Hardware
| Field | Description | Example |
|---|---|---|
| hardware_model | Model identifier | "Mac14,2" |
| hardware_model_name | Human-readable model name | "MacBook Air (M2, 2022)" |
| serial_number | System serial number (may require root) | "C02XX123XXXX" |
| architecture | CPU architecture | "arm64" or "amd64" |
| cpu_type | CPU identifier string | "Apple M2" |
| cpu_cores | Physical core count | 8 |
| memory_gb | Total RAM in GB | 16 |
Security State
| Field | Description | Example |
|---|---|---|
| sip_enabled | System Integrity Protection status | true |
| filevault_enabled | FileVault full-disk encryption | true |
| gatekeeper_enabled | Gatekeeper application verification | true |
| secure_boot_level | Secure boot setting (Apple Silicon only) | "full" |
| boot_volume_encrypted | Boot volume encryption state | true |
Network Identity
| Field | Description | Example |
|---|---|---|
| hostname | Primary hostname | "investigators-mac.local" |
| local_hostname | Bonjour/mDNS name | "investigators-mac" |
| computer_name | Sharing display name | "Investigator's Mac" |
Temporal Context
| Field | Description | Example |
|---|---|---|
| timezone | System timezone (IANA name) | "America/Los_Angeles" |
| timezone_offset | UTC offset | "-08:00" |
| boot_time | Last boot timestamp (UTC) | "2026-01-28T09:15:30Z" |
| uptime_seconds | Seconds since last boot | 86400 |
| collection_time | When macfor ran (UTC) | "2026-01-29T14:30:00Z" |
Collection Environment
| Field | Description | Example |
|---|---|---|
| collection_user | User running macfor | "investigator" |
| collection_uid | UID of collection user | 501 |
| is_root | Whether running as root | true |
| source_type | Collection source type | "live" |
Timestamps
System information timestamps use standard formats:
| Source | Format | Notes |
|---|---|---|
| Boot time | Unix epoch (from sysctl) | Parsed from kern.boottime timeval struct |
| Collection time | UTC (from Go time.Now().UTC()) | Always in UTC |
Boot time and collection time are stored as RFC 3339 timestamps in the evidence manifest.
Analysis Notes
Security State Interpretation
The security state fields provide immediate insight into the system's hardening level:
| State | Forensic Interpretation |
|---|---|
| SIP disabled | Attacker may have had access to protected system locations; rootkit possible |
| FileVault off | Disk contents accessible without user password from another boot device |
| Gatekeeper off | Unsigned or unnotarised applications could run without warnings |
| Secure Boot reduced/off | Boot chain integrity not guaranteed; bootkits possible |
A system with all security features disabled warrants heightened scrutiny. On managed enterprise systems, these should typically all be enabled.
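As an added illustration (not macfor's own code), the Go snippet below reduces the raw output of csrutil status, fdesetup status and spctl --status to the sip_enabled, filevault_enabled and gatekeeper_enabled fields, refusing to record an unexpected format as "disabled". The marker phrases it searches for are assumed from the usual output of those commands, and the sample outputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SecurityState holds the three manifest fields this example derives.
type SecurityState struct {
	SIPEnabled, FileVaultEnabled, GatekeeperEnabled bool
}

// parseFlag maps command output to a boolean by searching (case-insensitively) for the
// enabled or disabled marker. Anything else, such as csrutil's "unknown (Custom
// Configuration)", is an error so that it is never silently recorded as disabled.
func parseFlag(output, enabled, disabled string) (bool, error) {
	out := strings.ToLower(output)
	if strings.Contains(out, enabled) {
		return true, nil
	}
	if strings.Contains(out, disabled) {
		return false, nil
	}
	return false, fmt.Errorf("unrecognised output %q", strings.TrimSpace(output))
}

// ParseSecurityState takes the raw stdout of csrutil status, fdesetup status and
// spctl --status; the marker phrases are assumed from the tools' usual output.
func ParseSecurityState(csrutilOut, fdesetupOut, spctlOut string) (s SecurityState, err error) {
	if s.SIPEnabled, err = parseFlag(csrutilOut, "status: enabled", "status: disabled"); err != nil {
		return s, fmt.Errorf("csrutil: %w", err)
	}
	if s.FileVaultEnabled, err = parseFlag(fdesetupOut, "filevault is on", "filevault is off"); err != nil {
		return s, fmt.Errorf("fdesetup: %w", err)
	}
	if s.GatekeeperEnabled, err = parseFlag(spctlOut, "assessments enabled", "assessments disabled"); err != nil {
		return s, fmt.Errorf("spctl: %w", err)
	}
	return s, nil
}

func main() { // constructed sample output: SIP on, FileVault off, Gatekeeper off
	s, err := ParseSecurityState("System Integrity Protection status: enabled.\n", "FileVault is Off.\n", "assessments disabled\n")
	fmt.Printf("%+v err: %v\n", s, err)
}
```

A parse error should be stored alongside the raw command output in the manifest rather than coerced to a boolean, so the analyst can see the actual state.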
Timeline Anchoring
The boot time and timezone are critical for timeline analysis:
- Boot time establishes when the current session began. Commands and file modifications before this time occurred in a previous session.
- Timezone is essential for converting local time references in other artifacts to UTC. Misinterpreting timezone can shift entire timelines by hours.
- Uptime combined with boot time validates temporal consistency.
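Added example (not macfor's own code) covering both the kern.boottime parsing described under Boot Time (sysctl) and the timeline anchoring above: it converts the timeval text to an RFC 3339 UTC boot time, expresses the same instant in the system's IANA timezone with its offset, derives uptime_seconds from the collection time, and rejects a boot time that is later than the collection time. The timeval is the page's sample value; the timezone and collection time are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
	_ "time/tzdata" // embedded zone database so LoadLocation works without system tzdata
)

// sysctl prints kern.boottime as a timeval, e.g. "{ sec = 1706428530, usec = 0 }"; only sec is needed.
var bootTimeRE = regexp.MustCompile(`sec\s*=\s*(\d+)`)

// ParseBootTime converts the kern.boottime text into a UTC time.
func ParseBootTime(raw string) (time.Time, error) {
	m := bootTimeRE.FindStringSubmatch(raw)
	if m == nil {
		return time.Time{}, fmt.Errorf("kern.boottime: unrecognised format %q", raw)
	}
	sec, _ := strconv.ParseInt(m[1], 10, 64) // digits only, guaranteed by the regexp
	return time.Unix(sec, 0).UTC(), nil
}

type TemporalContext struct { // mirrors the manifest fields listed above
	BootTime, BootTimeLocal, TimezoneOffset string
	UptimeSeconds                           int64
}

// BuildTemporalContext derives the fields from the raw sysctl text, the IANA zone name and the
// collection time; a boot time after the collection time means a bad parse or a manipulated clock.
func BuildTemporalContext(rawBoot, tz string, collected time.Time) (TemporalContext, error) {
	boot, err := ParseBootTime(rawBoot)
	if err != nil {
		return TemporalContext{}, err
	}
	loc, err := time.LoadLocation(tz)
	if err != nil {
		return TemporalContext{}, err
	}
	uptime := collected.UTC().Sub(boot)
	if uptime < 0 {
		return TemporalContext{}, fmt.Errorf("boot time %s is after collection time %s", boot, collected.UTC())
	}
	local := boot.In(loc)
	return TemporalContext{boot.Format(time.RFC3339), local.Format(time.RFC3339), local.Format("-07:00"), int64(uptime.Seconds())}, nil
}

func main() { // constructed input: the page's sample timeval and a collection time one day later
	ctx, err := BuildTemporalContext("{ sec = 1706428530, usec = 0 }", "America/Los_Angeles", time.Date(2024, 1, 29, 7, 55, 30, 0, time.UTC))
	fmt.Printf("%+v err: %v\n", ctx, err)
}
```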
Device Identification
For chain of custody and evidence attribution:
- Serial number uniquely identifies the physical hardware.
- Hardware model + model name identifies the device type.
- Hostname variants help correlate the device with network logs, DHCP records, and Active Directory entries.
- Boot volume UUID ties filesystem artifacts to this specific installation.
Privilege Assessment
The collection environment fields indicate what data macfor could access:
| Collection Context | Accessible Data |
|---|---|
| Root (is_root: true) | All user directories, system keychains, protected artifacts |
| Standard user | Only the collection user's own files |
If is_root is false, the evidence container may be incomplete for multi-user systems.
Hardware Model Database
macfor includes a comprehensive mapping of model identifiers (e.g., Mac14,2) to human-readable names (e.g., "MacBook Air (M2, 2022)"). This covers all Mac models from 2012 onwards. Unknown model identifiers are returned as-is for future-proofing.
Version Differences
macOS Codename Mapping
| Version | Codename | Release Year | Notable Forensic Changes |
|---|---|---|---|
| 10.12 | Sierra | 2016 | Minimum supported version |
| 10.13 | High Sierra | 2017 | APFS default filesystem |
| 10.14 | Mojave | 2018 | Full Disk Access (FDA) requirement introduced |
| 10.15 | Catalina | 2019 | APFS volume split (read-only system + data volume) |
| 11 | Big Sur | 2020 | Apple Silicon support, Signed System Volume |
| 12 | Monterey | 2021 | Passkeys introduced |
| 13 | Ventura | 2022 | Rapid Security Response updates |
| 14 | Sonoma | 2023 | Various Safari and system changes |
| 15 | Sequoia | 2024 | Apple Intelligence, Passwords app |
Architecture Differences
| Architecture | Platforms | Notes |
|---|---|---|
| arm64 | Apple Silicon (M1, M2, M3, M4) | Secure Enclave, always-on SIP by default |
| amd64 | Intel Macs | T2 chip on later models provides some Secure Enclave features |
Sysctl Key Reference
| Key | Description | Type |
|---|---|---|
| hw.model | Hardware model identifier | string |
| hw.physicalcpu | Physical CPU core count | int |
| hw.memsize | Total memory in bytes | int64 |
| machdep.cpu.brand_string | CPU brand string | string |
| kern.osrelease | Kernel version | string |
| kern.boottime | Last boot timestamp (timeval) | struct |
| kern.hostname | Hostname | string |
Tool Support
| Tool | Support |
|---|---|
| macfor | Comprehensive system info collection embedded in evidence manifest |
| system_profiler (macOS built-in) | Detailed hardware and software reports |
| sw_vers (macOS built-in) | OS version and build information |
| sysctl (macOS built-in) | Kernel and hardware parameters |
| diskutil (macOS built-in) | Volume and disk information |
| csrutil (macOS built-in) | SIP status check |
| fdesetup (macOS built-in) | FileVault status |