Yogesh Khatri's forensic blog
All things forensic and security related
Saturday, December 29, 2018
Making NSKeyedArchives human readable
If you've been doing macOS analysis, you are definitely familiar with the (now not so new) serialized plist format also known as an N...
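The format the teaser refers to, NSKeyedArchiver, stores every object in a flat `$objects` array and expresses nesting through UID references, which is why a raw dump is so hard to read. The following is an added example, not code from this blog or from its author: it builds a small archive with the standard library's `plistlib` (the sample dictionary inside it is constructed here, not captured from a real system) and then walks the UID references to recover the original structure. The `unarchive` and `build_sample_archive` function names and the depth guard against cyclic references are this example's own choices.

```python
import plistlib
from plistlib import UID  # UID support in plistlib needs Python 3.8+


def build_sample_archive() -> bytes:
    """Constructed sample: what NSKeyedArchiver emits for the NSDictionary
    {"name": "forensic", "tags": ["macOS", "plist"]}. Hand-built, not captured."""
    objects = [
        "$null",                                              # 0: always the null sentinel
        {"$class": UID(6), "NS.keys": [UID(2), UID(3)],      # 1: root NSDictionary
         "NS.objects": [UID(4), UID(5)]},
        "name",                                               # 2: key
        "tags",                                               # 3: key
        "forensic",                                           # 4: value for "name"
        {"$class": UID(7), "NS.objects": [UID(8), UID(9)]},  # 5: NSArray for "tags"
        {"$classname": "NSDictionary",                        # 6: class descriptor
         "$classes": ["NSDictionary", "NSObject"]},
        {"$classname": "NSArray",                             # 7: class descriptor
         "$classes": ["NSArray", "NSObject"]},
        "macOS",                                              # 8
        "plist",                                              # 9
    ]
    archive = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": UID(1)},
        "$objects": objects,
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def unarchive(data: bytes, max_depth: int = 64):
    """Resolve an NSKeyedArchiver plist into plain Python containers.

    Collections (NSDictionary/NSArray/NSSet) become dict/list; objects of
    classes this example does not know are returned as a dict of their fields
    with a "$classname" entry so nothing is silently dropped.
    """
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = plist["$objects"]

    def resolve(value, depth=0):
        # Archives may contain reference cycles; bail out instead of recursing forever.
        if depth > max_depth:
            raise ValueError("reference chain too deep (cyclic archive?)")
        if isinstance(value, UID):
            target = objects[value.data]
            if target == "$null":          # UID(0) is the null object
                return None
            return resolve(target, depth + 1)
        if isinstance(value, dict):
            cls = value.get("$class")
            classname = resolve(cls, depth + 1)["$classname"] if isinstance(cls, UID) else None
            if classname in ("NSDictionary", "NSMutableDictionary"):
                keys = [resolve(k, depth + 1) for k in value["NS.keys"]]
                vals = [resolve(v, depth + 1) for v in value["NS.objects"]]
                return dict(zip(keys, vals))
            if classname in ("NSArray", "NSMutableArray", "NSSet", "NSMutableSet"):
                return [resolve(v, depth + 1) for v in value["NS.objects"]]
            if classname in ("NSString", "NSMutableString"):
                return value["NS.string"]
            if classname in ("NSData", "NSMutableData"):
                return value["NS.data"]
            # Unknown class: keep the fields, resolve their references, note the class.
            out = {k: resolve(v, depth + 1) for k, v in value.items() if k != "$class"}
            if classname:
                out["$classname"] = classname
            return out
        if isinstance(value, list):
            return [resolve(v, depth + 1) for v in value]
        return value  # str, int, float, bytes, bool, datetime: already readable

    return {key: resolve(ref) for key, ref in plist["$top"].items()}


if __name__ == "__main__":
    print(unarchive(build_sample_archive()))
```

On a real file you would replace `build_sample_archive()` with the bytes read from disk; the walk starts at `$top`, so anything in `$objects` that nothing references (which does happen in archives written by long-running apps) is simply not shown, and a full listing of `$objects` is the place to look if a value seems to be missing.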
Saturday, November 24, 2018
$Recycle bin and Undo operations
This week Phil Moore made an excellent finding (link here), one that most of us have seen for years but not investigated. Those $I fil...
Tuesday, November 6, 2018
The ._ (dot-underscore) file format
If you've ever looked at removable media and found several hidden files which start with ._ and there exists one for almost every file...
Tuesday, October 16, 2018
The user spotlight database
On macOS, the spotlight database is a central database holding metadata of all files/folders that macOS indexes and is always located at t...
Tuesday, August 21, 2018
An open source spotlight parser
Spotlight is the name of the indexing system which comes built into macOS. It is responsible for continuous indexing of files and folders o...
Friday, July 20, 2018
APFS template for 010 Editor
For quite some time, I've been analyzing APFS mostly with custom python code, which is not very efficient and rather time consuming and...
Thursday, May 3, 2018
Bash sessions in macOS (and why you need to understand its working)
While all versions of macOS have provided bash_history for users, since macOS 10.11 (El Capitan), we get even more information on terminal...