- `.dmg`: Apple Disk Image files, very frequently used for installers.
- `.kext`: Kernel extensions, the OS X version of a driver. They must follow a specific bundle structure.
- `.plist`: Also known as property lists; they store information in XML or binary format. Either form can be read with:

```bash
defaults read config.plist
/usr/libexec/PlistBuddy -c print config.plist
plutil -p config.plist
```

- `.app`: Apple applications, which follow a directory (bundle) structure.
- `.dylib`: Dynamic libraries (like Windows DLL files).
- `.pkg`: The same format as xar (eXtensible Archive format). The `installer` command can be used to install the contents of these files.

Running `stat a.txt` you obtain something like:

```
16777223 7545753 -rw-r--r-- 1 username wheel ...
```

where the first number is the id of the volume where the file exists and the second one is the inode number. With that information you can access the content of the file through `/.vol/`:

```bash
cat /.vol/16777223/7545753
```
- `.DS_Store`: This file is in each directory; it saves the attributes and customisations of the directory.
- `.Spotlight-V100`: This folder appears in the root directory of every volume on the system.
- `.metadata_never_index`: If this file is at the root of a volume, Spotlight won't index that volume.
- `<name>.noindex`: Files and folders with this extension won't be indexed by Spotlight.
- `$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`: Contains information about downloaded files, like the URL from which they were downloaded.
- `/var/log/system.log`: Main log of OS X systems. `com.apple.syslogd.plist` is responsible for the execution of syslogging (you can check whether it's disabled by looking for "com.apple.syslogd" in `launchctl list`).
- `/private/var/log/asl/*.asl`: These are the Apple System Logs, which may contain interesting information.
- `$HOME/Library/Preferences/com.apple.recentitems.plist`: Stores files and applications recently accessed through Finder.
- `$HOME/Library/Preferences/com.apple.loginitems.plist`: Stores items to launch upon system startup.
- `$HOME/Library/Logs/DiskUtility.log`: Log file for the Disk Utility app (info about drives, including USBs).
- `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist`: Data about wireless access points.
- `/private/var/db/launchd.db/com.apple.launchd/overrides.plist`: List of deactivated daemons.
- `/private/etc/kcpassword`: If autologin is enabled, this file contains the user's login password XORed with a key.

The status of several security-relevant settings (automatic time, guest account, AFP/SMB guest access, filesystem) can be queried with `sysadminctl`:

```bash
state=("automaticTime" "afpGuestAccess" "filesystem" "guestAccount" "smbGuestAccess"); for i in "${state[@]}"; do sysadminctl -"${i}" status; done;
```
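Decoding `kcpassword` is a one-screen job once the key is known. The script below is an added example and is not code from the original page: the 11-byte key is the well-known XOR key loginwindow applies to the autologin password, the decoder stops at the first byte that XORs back to NUL (the file is zero-padded), and `SAMPLE_KCPASSWORD` is a file image constructed here by encoding the password "pass" with the same transform. The 12-byte padding granularity used by the encoder is an assumption of the example; reading the real file needs root.

```python
#!/usr/bin/env python3
"""Decode the autologin password stored in /etc/kcpassword.

Added example for this page (not code from the original). The 11-byte key is
the well-known XOR key loginwindow applies to the autologin password; the
password bytes are XORed with the key repeated, and the file is zero-padded,
so decoding stops at the first byte that XORs back to 0x00.
"""
import sys
from pathlib import Path

KCPASSWORD_PATH = Path("/etc/kcpassword")   # readable by root only
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC,
                        0xDD, 0xEA, 0xA3, 0xB9, 0x1F])


def decode_kcpassword(data: bytes) -> str:
    """XOR each byte with the repeating key until a NUL terminator appears."""
    out = bytearray()
    for i, b in enumerate(data):
        p = b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
        if p == 0:          # padding reached: the password is complete
            break
        out.append(p)
    return out.decode("utf-8", errors="replace")


def encode_kcpassword(password: str) -> bytes:
    """Inverse transform, used here only to build a constructed sample.

    Padding to a multiple of 12 bytes with NULs is an assumption of this
    example; it guarantees at least one terminator for the decoder.
    """
    raw = password.encode("utf-8")
    padded = raw + b"\x00" * (12 - len(raw) % 12)
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
                 for i, b in enumerate(padded))


# Constructed sample: what /etc/kcpassword looks like for the password "pass".
SAMPLE_KCPASSWORD = bytes.fromhex("0de82150d2bcddeaa3b91f7d")


def main() -> None:
    if KCPASSWORD_PATH.exists():
        try:
            data = KCPASSWORD_PATH.read_bytes()
        except PermissionError:
            sys.exit("kcpassword exists but needs root to read")
        print("autologin password:", decode_kcpassword(data))
    else:
        print("no kcpassword on this host; decoding constructed sample:",
              decode_kcpassword(SAMPLE_KCPASSWORD))


if __name__ == "__main__":
    main()
```

Run it as root on a host with autologin enabled to recover the plaintext; on any other machine it decodes the constructed sample instead.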
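The QuarantineEventsV2 file listed above is a SQLite database, so the download provenance it records can be pulled out with a query. The script below is an added example, not code from the original page: the `LSQuarantineEvent` table and column names are the ones LaunchServices writes, timestamps are CFAbsoluteTime (seconds since 2001-01-01 UTC), and when the real file is absent it runs against an in-memory database populated with two constructed rows (example.com/example.org URLs).

```python
#!/usr/bin/env python3
"""List download provenance recorded in QuarantineEventsV2.

Added example for this page (not code from the original). The file is a
SQLite database; the LSQuarantineEvent table and the column names used below
are the ones LaunchServices writes. Timestamps are CFAbsoluteTime (seconds
since 2001-01-01 UTC), hence the epoch shift. Without the real file, the
script runs against an in-memory database with two constructed rows.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

QUARANTINE_DB = Path.home() / "Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_to_datetime(cf_seconds: float) -> datetime:
    """Convert CFAbsoluteTime to an aware UTC datetime."""
    return CF_EPOCH + timedelta(seconds=cf_seconds)


def open_quarantine_db(path: Path = QUARANTINE_DB) -> sqlite3.Connection:
    """Open read-only so a forensic read cannot alter the artifact."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def quarantine_events(conn: sqlite3.Connection) -> list:
    """Return one dict per quarantine event, oldest first."""
    rows = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "       LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
    ).fetchall()
    events = []
    for ts, agent, url, origin in rows:
        events.append({
            "when": cf_to_datetime(ts).isoformat() if ts is not None else None,
            "agent": agent,
            "url": url,
            "host": urlsplit(url).hostname if url else None,
            "origin": origin,
        })
    return events


def constructed_db() -> sqlite3.Connection:
    """In-memory stand-in with the LSQuarantineEvent schema and sample rows
    (constructed for this example; URLs point at example.com/example.org)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE LSQuarantineEvent (
            LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
            LSQuarantineTimeStamp REAL,
            LSQuarantineAgentBundleIdentifier TEXT,
            LSQuarantineAgentName TEXT,
            LSQuarantineDataURLString TEXT,
            LSQuarantineSenderName TEXT,
            LSQuarantineSenderAddress TEXT,
            LSQuarantineTypeNumber INTEGER,
            LSQuarantineOriginTitle TEXT,
            LSQuarantineOriginURLString TEXT,
            LSQuarantineOriginAlias BLOB
        );
    """)
    # 631152000 s after the CF epoch is 2021-01-01T00:00:00Z.
    conn.executemany(
        "INSERT INTO LSQuarantineEvent (LSQuarantineEventIdentifier, LSQuarantineTimeStamp, "
        "LSQuarantineAgentBundleIdentifier, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString) VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("00000000-0000-4000-8000-000000000001", 631152000.0, "com.apple.Safari", "Safari",
             "https://example.com/files/installer.dmg", "https://example.com/download"),
            ("00000000-0000-4000-8000-000000000002", 631152000.0 + 3600, "com.example.browser",
             "Example Browser", "https://example.org/tool.pkg", None),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = open_quarantine_db() if QUARANTINE_DB.exists() else constructed_db()
    for ev in quarantine_events(conn):
        print(f"{ev['when']}  {str(ev['agent']):<16} {ev['url']}  (origin: {ev['origin']})")
```

Opening the database with `mode=ro` matters on a live system: Finder and the browser keep writing to this file, and a forensic read should never be the thing that changes it.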
`/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` contains the risk associated with files depending on their file extension.

The permissions listed under System Preferences --> Security & Privacy --> Privacy --> Files and Folders are stored in the TCC databases: a system-wide one in `/Library/Application Support/com.apple.TCC/TCC.db` and a per-user one in `/Users/<username>/Library/Application Support/com.apple.TCC/TCC.db`. The first database is protected from editing by SIP (System Integrity Protection), but you can read both by granting Terminal (or your editor) Full Disk Access.

The sandbox profiles shipped with the system are in the `/usr/share/sandbox` directory. Other sandbox profiles can be checked in https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles.

`/System/Library/Sandbox/rootless.conf` holds the list of files and directories that SIP prevents from being modified. A line starting with an asterisk marks an exception that can be modified. For example, the entries for `/usr` mean that `/usr` cannot be modified except for the 3 folders listed as exceptions. `/System/Library/LaunchDaemons` appears in the list but doesn't exist; malware may create it and use it as a persistence mechanism.

Files and directories protected through rootless.conf also carry a rootless extended attribute.

SIP can be disabled (from the Recovery environment) with:

```bash
csrutil disable
```

You can also keep it enabled but without the debugging protections doing:
`launchd` is the first process executed by the OS X kernel at startup and the last one to finish at shutdown. It should always have PID 1. This process reads and executes the configurations indicated in the ASEP plists in:

- `/Library/LaunchAgents`: Per-user agents installed by the admin.
- `/Library/LaunchDaemons`: System-wide daemons installed by the admin.
- `/System/Library/LaunchAgents`: Per-user agents provided by Apple.
- `/System/Library/LaunchDaemons`: System-wide daemons provided by Apple.

When a user logs in, the plists in `/Users/$USER/Library/LaunchAgents` and `/Users/$USER/Library/LaunchDaemons` are started with the logged-in user's permissions. Because `/Library/LaunchAgents` is writable by admins and loaded for every user that logs in, it is a classic persistence location.

New daemon or agent plists are loaded after the next reboot, or immediately with:

```bash
launchctl load <target.plist>
```

It's also possible to load plist files without the `.plist` extension with `launchctl load -F <file>` (however those won't be automatically loaded after reboot). To unload, use `launchctl unload <target.plist>` (the process pointed to by it will be terminated). The `-w` flag overrides the `Disabled` key and persists that change, so a disabled daemon can be switched on with, for example:

```bash
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist
```
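A persistence review of the ASEP directories above comes down to parsing each plist and looking at `Label`, `Program`/`ProgramArguments`, `RunAtLoad` and `KeepAlive`. The script below is an added example, not code from the original page: it uses the standard library's `plistlib`, which reads both the XML and binary forms mentioned for `.plist` files earlier, walks the launchd directories from the list above, and flags jobs whose executable sits in a user-writable path. The sample jobs (`com.example.updater`, `com.example.system`) and the list of "user-writable" prefixes are assumptions of this example, not an Apple-defined list.

```python
#!/usr/bin/env python3
"""Triage launchd ASEP plists (LaunchAgents / LaunchDaemons).

Added example for this page (not code from the original). plistlib
autodetects XML vs. binary plists, the same two formats the page lists for
.plist files. The sample jobs below are constructed; the "user-writable"
prefix list is a heuristic chosen for this example.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# launchd directories named on the page, plus the per-user agents directory.
ASEP_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    str(Path.home() / "Library/LaunchAgents"),
]

# Heuristic (assumption of this example): executables living where an
# unprivileged user can write deserve a second look in a persistence review.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/",
                          "/private/var/tmp/", "/var/folders/", "/private/var/folders/")


def executable_of(job: Dict) -> Optional[str]:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage(data: bytes) -> Dict:
    """Parse one plist (XML or binary) and summarise its persistence traits."""
    job = plistlib.loads(data)          # fmt=None: autodetect XML / bplist00
    exe = executable_of(job)
    return {
        "label": job.get("Label"),
        "exe": exe,
        "args": list(job.get("ProgramArguments", [])),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either way a
        # non-empty value means launchd will restart the job.
        "keep_alive": bool(job.get("KeepAlive", False)),
        "disabled": bool(job.get("Disabled", False)),
        "user_writable_exe": exe is not None and exe.startswith(USER_WRITABLE_PREFIXES),
    }


def scan(dirs: List[str] = ASEP_DIRS) -> List[Dict]:
    """Triage every *.plist in the ASEP directories that exist on this host."""
    results = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):
            try:
                r = triage(p.read_bytes())
            except Exception as exc:      # malformed plist: record, don't abort
                r = {"label": None, "exe": None, "user_writable_exe": False,
                     "error": str(exc)}
            r["path"] = str(p)
            results.append(r)
    return results


# Constructed samples: a user agent that keeps a binary alive from the user's
# home directory, and a system-style daemon under a SIP-protected path.
SAMPLE_USER_JOB = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/Application Support/Updater/upd", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SAMPLE_XML = plistlib.dumps(SAMPLE_USER_JOB, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE_USER_JOB, fmt=plistlib.FMT_BINARY)
SAMPLE_SYSTEM = plistlib.dumps(
    {"Label": "com.example.system", "Program": "/usr/libexec/example-helper",
     "RunAtLoad": True}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for r in scan():
        flag = "!!" if r.get("user_writable_exe") else "  "
        print(f"{flag} {r['path']}: {r.get('label')} -> {r.get('exe')}")
```

The `!!` marker is only a triage hint: a legitimate agent installed in a user's home is common, but a `KeepAlive` job whose binary an unprivileged user can replace is exactly the shape of the persistence the text describes.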
Cron tables are stored in `/usr/lib/cron/tabs/` and `/var/at/tabs/` (needs root). The periodic scripts are run with, for example, `periodic daily`.

Kernel extensions are loaded from:

- `/System/Library/Extensions`
- `/Library/Extensions`

Login and logout hooks are configured in the loginwindow preferences:

- `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist`
- `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`

Legacy startup items live in `/Library/StartupItems/` or `/System/Library/StartupItems/`.
- `/private/var/vm/swapfile0`: This file is used as a cache when physical memory fills up. Data in physical memory is pushed to the swapfile and swapped back into physical memory if it's needed again. More than one file can exist here; for example, you might see swapfile0, swapfile1, and so on.
- `/private/var/vm/sleepimage`: When OS X goes into hibernation, data stored in memory is put into the sleepimage file. When the user wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off.

Current swap usage can be checked with:

```bash
sysctl vm.swapusage
```

When loading the osxpmem memory-acquisition kext you may hit:

```
osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8)
```

You can fix it by correcting the kext's file ownership and permissions, which is what the error points to.

Local user account records are stored as plists in `/var/db/dslocal/nodes/Default/users/`. The following oneliner can be used to dump all the information about the users (including hash info):
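As an added example (not the page's oneliner and not code from the original), the script below reads those user records with the standard library: each attribute in a dslocal plist is an array, and `ShadowHashData` holds a nested binary plist whose `SALTED-SHA512-PBKDF2` entry carries the PBKDF2-HMAC-SHA512 salt, iteration count and 128-byte derived key ("entropy"). The record for `alice` is constructed here from a known password so that the verification routine can be exercised offline; the real directory is readable by root only.

```python
#!/usr/bin/env python3
"""Parse local user records from /var/db/dslocal/nodes/Default/users/.

Added example for this page (not the page's oneliner). Attributes in a
dslocal record are arrays; ShadowHashData contains a nested binary plist with
a SALTED-SHA512-PBKDF2 dict (salt, iterations, 128-byte entropy). The sample
record is constructed here from a known password.
"""
import hashlib
import hmac
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

DSLOCAL_USERS = Path("/var/db/dslocal/nodes/Default/users")   # root only


def _first(rec: Dict, key: str) -> Optional[str]:
    """dslocal stores every attribute as an array; take its first element."""
    values = rec.get(key) or []
    return values[0] if values else None


def parse_user_record(data: bytes) -> Dict:
    """Return the account basics plus the PBKDF2 parameters, if present."""
    rec = plistlib.loads(data)
    info = {
        "name": _first(rec, "name"),
        "uid": _first(rec, "uid"),
        "home": _first(rec, "home"),
        "shell": _first(rec, "shell"),
        "hash": None,
    }
    shadow = rec.get("ShadowHashData")
    if shadow:
        inner = plistlib.loads(shadow[0])          # nested binary plist
        pbkdf2 = inner.get("SALTED-SHA512-PBKDF2")
        if pbkdf2:
            info["hash"] = {
                "iterations": int(pbkdf2["iterations"]),
                "salt": bytes(pbkdf2["salt"]),
                "entropy": bytes(pbkdf2["entropy"]),
            }
    return info


def verify_password(hash_info: Dict, candidate: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                  hash_info["salt"], hash_info["iterations"],
                                  dklen=len(hash_info["entropy"]))
    return hmac.compare_digest(derived, hash_info["entropy"])


def dump_all(users_dir: Path = DSLOCAL_USERS) -> List[Dict]:
    """Parse every user record in the directory (requires root)."""
    return [parse_user_record(p.read_bytes()) for p in sorted(users_dir.glob("*.plist"))]


def make_sample_record(name: str, uid: int, password: str,
                       iterations: int = 30000, salt: bytes = bytes(range(32))) -> bytes:
    """Build a constructed dslocal-style record for offline testing."""
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=128)
    inner = plistlib.dumps(
        {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "iterations": iterations, "salt": salt}},
        fmt=plistlib.FMT_BINARY)
    rec = {"name": [name], "uid": [str(uid)], "home": [f"/Users/{name}"],
           "shell": ["/bin/zsh"], "ShadowHashData": [inner]}
    return plistlib.dumps(rec, fmt=plistlib.FMT_BINARY)


# Constructed sample record (not a real account).
SAMPLE_RECORD = make_sample_record("alice", 501, "Sup3rS3cret!")


if __name__ == "__main__":
    records = dump_all() if DSLOCAL_USERS.is_dir() else [parse_user_record(SAMPLE_RECORD)]
    for r in records:
        h = r["hash"]
        summary = (f"pbkdf2-sha512 iters={h['iterations']} salt={h['salt'].hex()} "
                   f"entropy={h['entropy'][:8].hex()}...") if h else "no ShadowHashData"
        print(f"{r['name']} (uid {r['uid']}) {r['shell']} -> {summary}")
```

`verify_password` is the same computation a cracker performs per guess, which is why the iteration count in real records sits in the tens of thousands.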