Mac Basics for Forensics

Questions and Answers

Which operating system was developed as a replacement for Apple DOS 3.3 and had more support for programming, including assembly and BASIC?

ProDOS (correct)

Lisa OS

Apple SOS

Apple Pascal

What was the name of the first edition of the Apple DOS released in 1978?

Apple Pascal

ProDOS 16

Apple SOS

Apple DOS 3.1 (correct)

Which Apple II model was the first to feature color graphics in a plastic case with a built-in keyboard?

Apple II+ (correct)

Apple IIc+

Apple IIe Enhanced

Apple IIGS

What was the acronym SOS in Apple SOS operating system stood for?

Sophisticated Operating System

Which Apple II model was released as a 16-bit computer, unlike its predecessors which were 8-bit?

Apple IIGS

Which operating system had a full graphical user interface with a file browser navigated with mouse clicks?

Lisa OS

What is the main reason many forensic examiners lack a good working knowledge of Mac OS systems?

They have more exposure to Windows than to Mac OS.

Who were the three founders of Apple Computer?

Steve Wozniak, Steve Jobs, Ronald Wayne

What was the first computer created by Wozniak for Apple Computer?

Apple I

Which company originally had the right of first refusal on any new inventions by Steve Wozniak?

Hewlett-Packard

How fast was the 8-bit microprocessor in the first Apple computer running?

~1 MHz

What technology did Steve Wozniak's employment contract with Hewlett-Packard lead to being released to him?

The technology of the first Apple computer.

What was the main change with the introduction of Mac OS X?

It was the first Apple operating system to use a Unix clone.

Which product introduced by Apple did not perform well in the market and was discontinued in 1997?

Apple Network Server with AIX system

What was the operating system for the Macintosh computer initially released by Apple in January 1984?

System 7

Which processor speed did the Macintosh have when it was released in January 1984?

8 MHz

What distinguished the Macintosh II from its predecessor, the Macintosh?

Had a color display

In what year did Apple release the Apple Network Server with a variation of the IBM AIX system?

1996

When did Apple change the operating system brand name to macOS?

2016

Which Mac OS version introduced Handoff, allowing interaction between iPhones and Mac OS computers?

Yosemite

What was the main focus of Mac OS X 10.6, Snow Leopard, upon its release in 2009?

Performance enhancements

Which Mac OS version was the last to be named after animals?

Mountain Lion

What was one significant change in Mac OS X v10.7, Lion, regarding its interface?

Making it more like iOS interfaces

Which Mac OS version allowed users to complete unfinished iPhone emails on their Mac OS computer?

Yosemite

What technology supported by Big Sur helps ease the transition to Apple's silicon processor architecture?

File-level encryption

Which Mac OS version included built-in support for iCloud to support cloud computing?

Mountain Lion

Which file system used concepts from the SOS operating system designed for the Apple III?

Hierarchical File System

Which file system introduced to support Apple's new hard drive in 1985?

HFS Standard

Which file system supported filenames of up to 255 characters, unlike the DOS system?

HFS

Which file system was an enhancement of the HFS file system?

Hierarchical File System Plus

Which file system replaced the HFS file system with Mac OS 8.1?

Hierarchical File System Plus

Which file system feature keeps a record of file transactions to aid in file recovery after a crash?

Journaling

What type of link in HFS+ is an inode linking directly to a specific file?

Hard link

Which file system uses Unicode for file naming information encoding?

HFS+

When does an HFS+ file get defragmented upon opening?

If the file is less than 20 megabytes in size and fragmented

What storage system used in HFS+ keeps track of free and in-use allocation blocks?

Catalog file

Which Mac OS feature allows execution of Linux commands through a BASH shell prompt?

Command prompt

In HFS+, what is a significant difference compared to HFS regarding allocation blocks?

HFS uses 16 bits while HFS+ uses 32 bits for allocation blocks.

What file system is used by DVD-ROM discs?

Universal Disk Format

What is a key feature of APFS in comparison to HFS+?

Optimized for flash drives and solid-state drives

Which partition scheme is used primarily with computers that have an Intel-based processor?

GUID Partition Table

Which file system is associated with CDs?

ISO9660

What utility allows one to install additional operating systems alongside Mac OS in a nondestructive manner?

Boot Camp Assistant

What type of drive partition can Mac OS read with read-only support?

NTFS

What does the Apple Partition Map work with?

PowerPC-based Macs

Which Apple device is likely to use APFS as its file system?

iPad Pro (released in 2016)

Which partition scheme requires OS X v10.4 or later?

GUID Partition Table

Which file system has specific extensions developed by Apple?

ISO9660

What should you not create if the system is using APFS according to the text?

Separate partition for Windows dual boot

In Mac OS, support for which file system allows reading floppy disks?

FAT16

What type of information can be found in the /var/spool/cups folder in Mac OS logs?

Details about printed documents

Which log in Mac OS provides data on all mounted volumes, including the dates they were mounted?

/var/log/daily.out

In Mac OS, which folder can give information about devices that have been attached and data from them?

/var/log/daily.out

What is the significance of the /private/var/audit logs in Mac OS forensics?

Logs of system audits, including user login

Which log directory in Mac OS is similar to Linux file structures due to its FreeBSD base?

/var/log

Why is checking logs considered one of the first steps in any forensic examination?

Because logs are essential sources of information in computer examinations

Where can important forensic data be found in Mac OS audit logs?

/private/var/VM Folder

Which folder in Mac OS contains user preferences, including preferences of deleted programs?

/Users//Library/Preferences Folder

In which folder of Mac OS can you find lists of recently opened applications and temporary data used by applications?

/var/vm Folder

Where would you look to find items saved to iCloud in Mac OS?

/Library/Mobile Documents

Which folder in Mac OS is less useful for forensic investigation but can indicate if a patch was applied and when?

/Library/Receipts Folder

Where can you find a log showing a variety of commands executed in the terminal window of Mac OS?

/Users//.bash_history Log

Where can a forensic examiner find information about mounted devices in Mac OS?

/Volumes Directory

Which Mac OS directory should a forensic examiner check primarily for user accounts and associated files?

/Users Directory

In a forensic examination of a Mac machine, where would an examiner look for network properties and servers information?

/Network Directory

Which Mac OS directory is particularly important to check in cases involving malware?

/Applications Directory

Where are configuration files typically located in a Mac OS system that could be of interest in a forensic investigation?

/etc Directory

If an examiner needs data regarding mounted devices like CDs and external disks in Mac OS, which directory should they explore?

/Volumes Directory

Where is the network configuration data for each network card stored in Mac OS?

/Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File

Which Mac OS directory is essential for examining user accounts and associated files?

/Users Directory

Where can an examiner find information about servers, network libraries, and network properties in Mac OS?

/Network Directory

In which Mac OS directory are configuration files located, often manipulated by cybercriminals?

/etc Directory

Where does an examiner need to look to find information on mounted devices like CDs and external disks in Mac OS?

/Volumes Directory

Which directory in Mac OS stores applications and is particularly critical to check in cases involving malware?

/Applications Directory

What is one advantage of using Target Disk Mode in a Mac OS forensic investigation?

It provides a quick inspection on-site before transporting the computer

Which tool can be used in Mac OS forensics to create a bit-level copy of a suspect drive?

EnCase

In Mac OS forensics, what command can be used along with netcat to make a forensic copy of a drive?

dd

What is the primary benefit of placing the suspect computer into Target Disk Mode during imaging?

Prevents writing to the source disk

What differentiates Target Disk Mode from traditional imaging tools like EnCase or Forensic Toolkit in Mac OS forensics?

Provides a way to preview the computer on-site

Which option correctly describes the process of connecting to a suspect computer in Target Disk Mode?

Connect with USB or FireWire for imaging the disk

What is the purpose of using the ls -al command in a Mac OS forensic examination?

To list all the files in virtual memory along with program launch details

Which command should a forensic examiner use to list the device files that are currently in use on a Mac machine?

ls/dev/disk?

In Mac OS forensics, what information can be obtained using the system_profiler SPHardwareDataType command?

Hardware information of the host system

Which directory in Mac OS is particularly important to check for user accounts and associated files during a forensic investigation?

/private/var/audit

What type of information does the date command provide in a Mac OS forensic examination?

Current date and time zone

Why is it essential to know the partitions recognized by a Mac machine upon boot-up in a forensic examination?

To understand the storage allocation blocks on the device

What is the purpose of using the ls -al command in a Mac OS forensic examination?

To list all files in the virtual memory folder along with additional details

What information does the date command provide in a forensic examination on a Mac OS?

Current date and time of the system

Which command should a forensic examiner use to list the device files that are currently in use on a Mac machine?

ls /dev/disk?

Why is it important to document the information from the ls /dev/disk? command before shutting down a Mac system for transport to a forensic lab?

To identify mounted devices on the system

What type of information does the system_profiler SPHardwareDataType command return in a forensic examination on a Mac OS?

Hardware information for the host system

In Mac OS forensics, what does the grep search tool allow an examiner to do in the virtual memory folder?

Search for specific files based on content

Which folder in Mac OS contains the swap file/virtual memory?

/var/vm/

How can a forensic examiner check the partitions recognized by a Mac machine upon boot-up?

ls /dev/disk? command

What is a significant advantage of using shell commands in Mac OS forensic examinations?

To retrieve information from virtual memory

What does the hdiutil partition /dev/disk0 command primarily help in listing during a forensic examination of a Mac system?

Boot drive partition table

What is a critical step to remember when mounting a forensic image as a VM?

Mount it as read-only

Which software mentioned allows the creation of a VM from a forensic image?

OSForensics version 4

In Mac OS forensics, what is the purpose of converting a forensic image to a VM?

To maintain data integrity and prevent modifications

Which tool allows mounting forensic images as read-only VMs using the VM of your choice?

Forensic Explorer

What technique is recommended to examine directories and execute BASH commands in Mac OS forensics when standard tools are insufficient?

Creating a read-only VM from the forensic image