A Closer Look at the Root Directory
In Part 1 of this series, we looked at the Root level of an OS X installation. In Part 2, we will look at the significance of several other directories located at this same level.
Referring back to our original article, we see the Root level directory structure.
Directories (and files) are hidden from display in the Finder GUI interface thru the use of either a “.” (period) as the first character of the name, or the use of the visibility extended attribute. Part 4 will further discuss directories that are specifically hidden from view thru coding.
At the Root level of any volume that is or has been connected to an OS X system (HFS+ or FAT32), one should expect to find a combination of the following items:
- .DS_Store - file that contains information about the setup and view of the directory, used by the Finder. Each directory (folder) will have this file when the Finder has accessed the particular directory (it is generated upon access). The unique .DS_Store is found in the User’s “Trash”. This .DS_Store will also contain the “Put Back” information.
- .SpotLight-V100 - this directory is generated by OS X versions that have Spotlight technology. Inside of this directory is the Spotlight index.
- .Trashes - volume level “Trash” used for file deletion by the Finder of files on volumes outside of the boot volume.
- .VolumeIcon.icns - custom icon set for the volume instead of the OS X default
On an OS X installation, the following locations can contain vital system-wide information for digital forensics and analysis:
- bin and sbin - binaries installed by Apple, but also can contain binaries installed by the user. Binaries are command-line executables.
- user/bin and user/sbin - binaries installed by Apple, but also will contain most of the installations of command-line binaries by users.
- opt - not part of the standard OS X installation, but will be created by many UNIX “port” installers for system binaries
The “private” directory has a vast amount of sub-directories that are useful for many analysis. Here are just a few of the reasons why an analysis will likely also include this specific directory.
- /private/var/log - system-wide log files are stored here
- /private/var/spool/cups - CUPS print spool past job information (files starting with c are completed and files starting with d are full PDF files of incomplete jobs)
- /private/var/db/dslocal/nodes/Default - users and groups are defined here in respective directories. With OS X 10.7, each user’s PLIST file also contains the Salted-SHA512 hash of the password
- /private/var/folders - caches for each user created on the system. Caches are not deleted when a user is removed so many folders can exist in this location. The “zz” folder is for the root user.
- /private/var/root - Home folder for the root user. If the root user has been enabled and used, folders will exist here as seen with other users. Even with the user disabled (whether never enabled or just currently disabled) , shell history can be located here.
- /private/var/vm - OS X sleepimage and swapfile saved here
- /private/etc - many configuration files are located here. Apple has organized the “etc” folder with some of its own services as well as changed the function of other configuration files often seen in this folder with Linux and UNIX variants.
In Part 3 of this series, we will begin to look at the layout of the User’s Home folder from both the Finder GUI and the Terminal.
In Part 4, we will return to the top level of the file system and show data that is not seen from either the Finder or the Terminal, but will be seen during a digital analysis of a Mac system.