The FINDER SIDEBAR

This week it’s back to Mac forensics with a look at the the Finder Sidebar and it’s value for File Use & Knowledge investigations.

Show Notes

 What is the FINDER Sidebar?

Finder windows have a sidebar with items users frequently access such as folders, disks, and tags.

By default a User’s Finder Sidebar will be divided into four sections.

Favorites –  Applications folder, Documents folder, iCloud Drive as well as User added folders..

Devices – System HDD, disks attached to the Mac, DMGs and optical drive discs.

Shared – local network shares, AirPort devices and Time Capsules.

Tags  Provides quick access to all the items using a particular tag.

see https://support.apple.com/kb/PH22024?locale=en_US for more details

screen-shot-2016-11-01-at-8-23-02-pm

How Users can customize their Finder Sidebar

In the Finder, choose Finder > Preferences, then click Sidebar or Tags.

Where is it located?

~/Library/Preferences/com.apple.sidebarlists.plist

How do you interpret it?

The PLIST shows Volume names along with codes displaying an “entry type” code. Because the PLIST does not plainly tell you what type of device the volume is from (i.e Time Machine HDD, USB HDD, DMG file, etc) an examiner must look to the entry type codes for answers.

screen-shot-2016-11-01-at-8-29-40-pm

screen-shot-2016-11-01-at-8-34-15-pm

261 – HDD (Boot HDD)

16 – Network HDD,  iDisk,  “Computer”

1027 – Disk Image & DVD

1029 – Unknown

515 – USB Flash, Time Machine Volumes & SD Cards

517 – USB HDD

source:  https://digital-forensics.sans.org/summit-archives/2012/analysis-and-correlation-of-macintosh-logs.pdf

SDF Training Class of the Week

Learn More

What the Shellbag!

Windows Shellbag Forensics online training
Learn More