macOS - AboutDFIR - The Definitive Compendium Project

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.

Artifact or Process	Resource
APFS File Timestamps	File Timestamps for Apple APFS
APOLLO	Exploring macOS with APOLLO
APOLLO	New Webinar: Analyzing macOS with BlackLight's APOLLO Plugin
APOLLO	APOLLO github - Sarah Edwards
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a process!?
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you're binging Netflix! Now Playing on your Apple Devices!
Apple Unified Logs	Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
Bookmarks	Bookmarks, a type of Alias: their access and use
Discord	Finding Discord chats in OS X
fseventd parser	macos_fseventsd parser github - puffyCid
iOS Apps on M1	Taking a gander at iOS apps on an M1 Mac
Logs	How to find it in the log: 1 An introduction - hoakley and Part 2
Logs - Unified Log Rolling	Rolling logs and anti-malware scans - The Eclectic Light Company
mac_apt	mac_apt github - Yogesh Khatari
macOS	Apple Computer and MacOS Basics
macOS - AirDrop	AirDrop Forensics 2
macOS - Big Sur	Big Sur, Big Changes
macOS - Catalina	Catalina: A Voyage Through Apple’s New Artifacts
macOS - Daily Logs	Mac OS Daily Logs
macOS - Extended Attributes	There’s more to files than data: Extended Attributes
macOS - InteractionC.DB	Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
macOS - Sonoma	Sonoma’s log gets briefer and more secretive
macOS - Sysdiagnose	sysdiag-who?
macOS - T2 Imaging	Magnet Virtual Summit // MacOS Forensics: The Next Level - Taming the T2 Chip and More
Microsoft Teams	Part of a Sunday Funday Answer - Microsoft Teams
Microsoft Teams	Microsoft Teams and Skype Logging Privacy Issue
Mounty	File Timestamps for NTFS on macOS using Mounty
Safari	macOS - Safari Preferences and Privacy
Safari	iOS / macOS - Tracking Downloads from Safari Without Downloads
Safari	Analysing Safari browser history - Foxton Forensics
Screentime Notifications	Screentime Notifications in Catalina (10.15)
Signal	Pulling encrypted Signal messages off of desktop OS’ for forensics
Skype	Microsoft Teams and Skype Logging Privacy Issue
Tool List	Open Source Tools & Mac Forensics - Sumuri
tvOS	APOLLO and tvOS – It Just Works! (...and judges me for binging TV)
Unified Logs	Reviewing macOS Unified Logs - Mandiant
Universal Serial Bus (USB)	USB Forensics
Universal Serial Bus (USB)	USB 101
Velociraptor	Velociraptor - Dig Deeper