
Revisit Unhiding the User Library folder

Back in 2011, when Apple released Mac OS X 10.7 Lion, it boasted over a hundred improvements to enhance the user experience, and one of them was hiding the user's Library folder. To get around it, launch the Terminal (found in the Utilities folder inside your Applications folder), paste in the following command and press the Enter key:

sudo chflags nohidden ~/Library/

Messing with the Terminal app isn’t an elegant method, but it lets you reach the Library folder to remove a preference file or delete an Application Support folder.

Beginning with Mac OS X 10.8 Mountain Lion, Apple introduced a quick and easy way to access the Library folder.

In the Finder, hold down the Option key while opening the Go menu on the menu bar and select Library; the Library folder will open, giving you access to its contents.

[Screenshot: Unhide Library option]

This technique does not make the Library folder permanently visible. Once you close the Library folder window, it will no longer show up in the Home folder, and to access it again you will have to repeat the Option-Go-Library procedure.

If you need to access the Library folder frequently, you can still use the Terminal method described above to unhide it. The folder will remain visible until you hide it again with the command

sudo chflags hidden ~/Library/

Under macOS 10.12 Sierra, the Option-Go-Library method no longer works. Instead, you will need to do the following*:

From the Go menu, select the home folder.

[Screenshot: Select Go to Home Folder]

Your Home folder will open with its visible folders displayed.

[Screenshot: Home directory with no Library folder]

To reveal the Library folder, select Show View Options and tick the Show Library Folder check box.

[Screenshot: Show View Options]

Checking it keeps the Library folder visible, even after a restart.

[Screenshot: Home folder with Library displayed]

*The procedure also works on Mac OS X 10.11.


Knowing Where to Look for Evidence

If you’re learning to become a computer forensic investigator or e-discovery analyst, knowing where to look for evidence is crucial. Aside from the obvious Documents, Pictures, Movies, Desktop and Downloads folders, you will also need to gather information by extracting bits and pieces from other places for analysis.

SubRosaSoft’s distributor in China, CFLabs, has been one of the pioneers of Mac forensics in China for many years and has published numerous articles on computer forensics. Of the many entries in CFLabs’ training forum, the following table of where to search for evidence helped us immensely when we were developing Cache Detective. With the permission of its author, Sprite Guo, we will be translating many of these useful Mac OS X forensics articles.

Please note that the information applies to Mac OS X 10.11; we have noticed that some locations may have changed in Mac OS X 10.12.

Location | Related Records
--- | ---
/private/var/log/system.log | USB disk usage record, system log
/Users/UserName/Library/Calendars/ | Calendar schedules, appointments, etc.
/private/var/root/Library/Preferences/com.apple.dock.plist | Dock display content
/Users/UserName/Library/Preferences/com.apple.dock.plist | Dock display content
/private/var/root/Library/Preferences/com.apple.sidebarlists.plist | Finder sidebar
/Users/UserName/Library/Preferences/com.apple.sidebarlists.plist | Finder sidebar
/private/var/root/Library/Application Support/AddressBook/Metadata/ | Contacts
/Users/UserName/Library/Application Support/AddressBook/Metadata/ | Contacts
/Users/UserName/Library/Application Support/AddressBook/Sources/ | Contacts
/Users/UserName/Library/Containers/com.apple.Notes/Data/Library/Notes/ | Notes
/Users/UserName/Library/Containers/com.apple.Maps/Data/Library/Maps/ | Maps
/private/var/root/Library/Logs/DiskUtility.log | Disk Utility
/Users/UserName/Library/Logs/DiskUtility.log | Disk Utility
/private/var/root/Library/Preferences/ | Disk Utility preferences
/Users/UserName/Library/Preferences/ | Disk Utility preferences
/.Trashes/ | USB disk usage record
/Users/UserName/.Trash/Recovered files | USB disk usage record
/Users/UserName/.Trash/ | System log
/Users/UserName/.bash_history | Bash history
/Users/UserName/百度云同步盘/ | Baidu Cloud
/Users/UserName/Dropbox/ | Dropbox
/Users/UserName/Library/Mobile Documents/com~apple~CloudDocs/ | iCloud
/Users/UserName/Music/iTunes/iTunes Music Library.xml | iTunes
/Users/UserName/VirtualBox VMs/ | VirtualBox
/Applications/VMware Fusion.app/Contents/Resources/ | VMware
/Users/UserName/Documents/Virtual Machines.localized/ | VMware
/Users/UserName/Library/Application Support/VMware Fusion/Virtual Machines/ | VMware
/Users/UserName/Documents/Parallels/ | Parallels
/Library/Printers/ | Installed printers
/Users/UserName/Library/Containers/com.feinno.macfetion/Data/Library/Application Support/Fetion/Cache/ | Fetion
/Users/UserName/Library/Application Support/UC4Mac/ | Sina Universal Communication
/Users/UserName/Library/Containers/com.tencent.qq/Data/Library/Application Support/QQ/ | QQ
/Users/UserName/Library/Application Support/Skype/ | Skype
/Users/UserName/Library/Containers/com.taobao.aliwangwang/Data/Library/Application Support/AliWangwang/v3/profiles/ | AliWangwang
/Users/UserName/Library/Containers/com.yy.macyy/Data/Library/Caches/com.yy.macyy/ | YY social network
/Users/UserName/Library/Containers/jp.naver.line/Data/ | Line
/Users/UserName/Library/Messages/ | Messages
/Users/UserName/Library/Application Support/Firefox/Profiles/ | Firefox
/System/Library/Tcl/8.4/tclx8.4/help/tcl/status/history | Google
/Users/UserName/Library/Application Support/Chromium/Default/History | Google
/Users/UserName/Library/Application Support/Google/Chrome/Default/History | Google
/usr/share/zsh/5.0.5/help/history | Google
/Users/UserName/Library/Application Support/Chromium/Default/Cookies | Google
/Users/UserName/Library/Application Support/Google/Chrome/Default/Cookies | Google
/usr/share/emacs/22.1/etc/COOKIES | Google
/System/Library/Spotlight/Bookmarks.mdimporter/Contents/MacOS/Bookmarks | Google
/System/Library/SyncServices/Schemas/Bookmarks.syncschema/Contents/MacOS/Bookmarks | Google
/Users/UserName/Library/Application Support/Google/ | Google
/Users/UserName/Library/Application Support/Google/Chrome/Default/Application Cache/Cache/data_1 | Google
/Users/UserName/Library/Application Support/Google/Chrome/Default/GPUCache/data_1 | Google
/Users/UserName/Library/Caches/Chromium/Default/Cache/data_1 | Google
/Users/UserName/Library/Caches/Google/Chrome/Default/Cache/data_1 | Google
/Users/UserName/Library/Safari/ | Safari
/Users/UserName/Library/Application Support/com.operasoftware.Opera/ | Opera
/Users/UserName/Library/Application Support/QQBrowser2/Default/History | QQBrowser
/Users/UserName/Library/Application Support/QQBrowser2/Default/Bookmarks | QQBrowser
/Users/UserName/Library/Application Support/Maxthon/Default/History | Maxthon
/Users/UserName/Library/Group Containers/UBF8T346G9.Office/Outlook/Outlook 15 Profiles/Main Profile/Data/Message Sources | Outlook
/Library/Preferences/SystemConfiguration/ | Network interfaces
/Library/Preferences/ | Network configuration, Bluetooth connection records, Wi-Fi, FileZilla downloads
/Users/UserName/Library/Application Support/Thunder/ | Thunder downloads
/Users/UserName/Library/Preferences/FrostWire5/libtorrent/ | FrostWire downloads
/Users/UserName/Library/Application Support/uTorrent/ | uTorrent downloads
/Users/UserName/Library/Application Support/BitTorrent/ | BitTorrent downloads

One caveat when working from this table: several rows tagged Google are not browser data. The Tcl, zsh and Emacs paths under /System/Library and /usr/share are help and documentation files that merely happen to be named history or COOKIES, and the two Bookmarks entries under /System/Library are the Spotlight and SyncServices importer executables. The Chrome and Chromium History and Cookies files under the user's Library are the SQLite databases that actually hold browsing records.
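As an added example that is not part of the original post or of Cache Detective, the following Python script walks a subset of the table above on a mounted volume, records size, modification time and a SHA-256 hash for each file artifact and counts the files in each directory artifact, so that an examiner has a fixed inventory before opening anything. The volume root, the account name alice and the sample data that demo() builds are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Subset of the table above; {user} is the account name and every path is
# relative to the volume root (for example a read-only mount of a disk image).
ARTIFACTS = {
    "System log": "private/var/log/system.log",
    "Bash history": "Users/{user}/.bash_history",
    "Dock": "Users/{user}/Library/Preferences/com.apple.dock.plist",
    "Messages": "Users/{user}/Library/Messages",
    "Safari": "Users/{user}/Library/Safari",
}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large logs and caches never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, user):
    """One record per artifact: a hashed file, a counted directory, or missing."""
    report = {}
    for label, rel in ARTIFACTS.items():
        path = os.path.join(root, rel.format(user=user))
        if os.path.isfile(path):
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            report[label] = {"kind": "file", "size": st.st_size,
                             "mtime": mtime, "sha256": sha256_file(path)}
        elif os.path.isdir(path):
            count = sum(len(files) for _, _, files in os.walk(path))
            report[label] = {"kind": "dir", "files": count}
        else:
            report[label] = {"kind": "missing"}
    return report

def demo():
    """Triage a constructed sample volume (a temp dir, not a real image)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "Users", "alice")
    msgs = os.path.join(home, "Library", "Messages")
    os.makedirs(os.path.join(msgs, "Archive"))
    with open(os.path.join(home, ".bash_history"), "wb") as f:
        f.write(b"abc")  # constructed content with a well-known SHA-256
    for name in ("chat.db", os.path.join("Archive", "old.ichat")):
        open(os.path.join(msgs, name), "wb").close()
    return triage(root, "alice")
```

Against a real mount, call triage("/Volumes/evidence", "UserName") with the image's own account name; demo() only builds a throw-away sample volume.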

A few of the applications listed above are extremely popular in China and the Greater China region. Products like Baidu Cloud, QQ, AliWangwang and Thunder have huge installed bases and are supported by Cache Detective.