macOS - AboutDFIR - The Definitive Compendium Project

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.

Artifact or Process	Resource	Description
APOLLO	Exploring macOS with APOLLO
APOLLO	New Webinar: Analyzing macOS with BlackLight's APOLLO Plugin
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a process!?
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you're binging Netflix! Now Playing on your Apple Devices!
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
Bookmarks	Bookmarks, a type of Alias: their access and use
Discord	Finding Discord chats in OS X
iOS Apps on M1	Taking a gander at iOS apps on an M1 Mac
Logs	How to find it in the log: 1 An introduction - hoakley and Part 2
Logs - Unified Log Rolling	Rolling logs and anti-malware scans - The Eclectic Light Company
macOS	Apple Computer and MacOS Basics
macOS - AirDrop	AirDrop Forensics 2
macOS - Big Sur	Big Sur, Big Changes
macOS - Catalina	Catalina: A Voyage Through Apple’s New Artifacts	YouTube video by BlackBag Technologies
macOS - Daily Logs	Mac OS Daily Logs
macOS - Extended Attributes	There’s more to files than data: Extended Attributes
macOS - InteractionC.DB	Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
macOS - Sysdiagnose	sysdiag-who?
macOS - T2 Imaging	Magnet Virtual Summit // MacOS Forensics: The Next Level - Taming the T2 Chip and More	Youtube presentation about how to image T2 macs with only built-in mac tools, and then process with mac_apt framework
Microsoft Teams	Part of a Sunday Funday Answer - Microsoft Teams
Microsoft Teams	Microsoft Teams and Skype Logging Privacy Issue
Safari	macOS - Safari Preferences and Privacy
Safari	iOS / macOS - Tracking Downloads from Safari Without Downloads
Safari	Analysing Safari browser history - Foxton Forensics
Screentime Notifications	Screentime Notifications in Catalina (10.15)
Signal	Pulling encrypted Signal messages off of desktop OS’ for forensics	Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network
Skype	Microsoft Teams and Skype Logging Privacy Issue
tvOS	APOLLO and tvOS – It Just Works! (...and judges me for binging TV)
Unified Logs	Reviewing macOS Unified Logs - Mandiant
Universal Serial Bus (USB)	USB Forensics
Universal Serial Bus (USB)	USB 101
Velociraptor	Velociraptor - Dig Deeper