Live MAC Forensics

Question 1

What does the export command do?

Answer 1

Gets system wide, and user
specific settings.

Question 2

What does sysctl do?

Answer 2

Saves info such as:

Computer name-kern. Hostname
Memory size-he.memsize
Kernel Version-kern.version

Question 3

How do you change where screenshots are saved?

Answer 3

Defaults write com.apple.screencapture location <new></new>

Question 4

What command reloads all daemons with updated settings?

Answer 4

Killall SystemUIServer

Question 5

What can be used to memory dump?

Answer 5

OSXPMEM

Question 6

How do you save all passwords to a text file?

Answer 6

Security dump -keychain - d login.keychain > $MYCASE/keychain.txt

Question 7

What commands can you use to save files?

Answer 7

-zip -r $mycase/archive name.zip folder2compress
-tar -jcvf $mycase/archive name.tar .bz2 folder2compress

Question 8

What is Spotlight?

Answer 8

A service running in the background.
Indexes everything that can be indexed.
Everything is combined in a database= Spotlight-Index-Files

Question 9

What does the defaults command do?

Answer 9

Gets information from page files.
Allows you to get application settings for the current user.

Question 10

How do you become root? (command)

Answer 10

Sudo bash

Question 11

What are plist files?

Answer 11

Mainly test based files. Can also be binary data.