The FINDER SIDEBAR
This week it’s back to Mac forensics with a look at the Finder Sidebar and its value for File Use & Knowledge investigations.
What is the FINDER Sidebar?
Finder windows have a sidebar with items users frequently access such as folders, disks, and tags.
By default a User’s Finder Sidebar will be divided into four sections.
Favorites – Applications folder, Documents folder, iCloud Drive, as well as user-added folders.
Devices – System HDD, disks attached to the Mac, DMGs and optical drive discs.
Shared – local network shares, AirPort devices and Time Capsules.
Tags – Provides quick access to all the items using a particular tag.
See https://support.apple.com/kb/PH22024?locale=en_US for more details.
How Users can customize their Finder Sidebar
In the Finder, choose Finder > Preferences, then click Sidebar or Tags.
Where is it located?
How do you interpret it?
The PLIST lists volume names, each with an “entry type” code. Because the PLIST does not plainly tell you what type of device a volume comes from (e.g., Time Machine HDD, USB HDD, DMG file), an examiner must look to the entry type codes for answers.
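As an added example (not code from the original post), the sketch below pulls each volume name and its entry type code out of a sidebar PLIST and groups volumes that share a code, so an examiner can compare unknown volumes against ones whose device type is already known. The key names `systemitems`, `VolumesList`, `Name` and `EntryType`, and every value in the sample, are assumptions constructed for illustration; the code numbers carry no meaning here.

```python
import plistlib
from collections import defaultdict

# Constructed sample, not from a real system. Key names (systemitems,
# VolumesList, Name, EntryType) and the code values are assumptions.
SAMPLE_PLIST = plistlib.dumps({
    "systemitems": {
        "VolumesList": [
            {"Name": "Macintosh HD", "EntryType": 16},
            {"Name": "CASE_USB", "EntryType": 261},
            {"Name": "Installer", "EntryType": 515},
            {"Name": "BACKUP_USB", "EntryType": 261},
            {"Name": "NoTypeRecorded"},  # entry with no code recorded
        ]
    }
}, fmt=plistlib.FMT_BINARY)


def sidebar_volumes(plist_bytes):
    """Return [(volume name, entry type code or None)] in plist order."""
    root = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    items = root.get("systemitems", {}).get("VolumesList", [])
    rows = []
    for item in items:
        if not isinstance(item, dict):
            continue  # skip malformed entries rather than abort the parse
        rows.append((item.get("Name", "<unnamed>"), item.get("EntryType")))
    return rows


def group_by_entry_type(rows):
    """Map each entry type code to the volume names that carry it."""
    groups = defaultdict(list)
    for name, code in rows:
        groups[code].append(name)
    return dict(groups)


if __name__ == "__main__":
    grouped = group_by_entry_type(sidebar_volumes(SAMPLE_PLIST))
    for code, names in grouped.items():
        print(f"EntryType {code}: {', '.join(names)}")
```

Run it against a working copy of the PLIST exported from the image, never the original evidence file.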