CHFI (312-49) Digital Forensics Simulation
Learn how to identify and analyze macOS artifacts for recent user file activity. This simulation builds your ability to trace file execution, access, and modification timelines on Apple file systems.
Investigation Scenario
A corporate espionage investigation has been initiated in Miami, Florida. An engineering executive is suspected of accessing, copying, and exfiltrating sensitive proprietary CAD files shortly before resigning.
The suspect's corporate-issued MacBook Pro (running macOS, APFS formatted) has been seized. The Digital Forensics team is tasked with establishing a precise timeline of the user's interaction with the suspected CAD files. The primary objective is to prove that the suspect specifically targeted and interacted with these documents prior to the unauthorized external drive connection.
Evidence Collected
- Disk Image: MacBookPro_JS_Image.E01 (SHA-256 Verified)
- Target Partition: APFS Data Volume
- Target User Profile: /Users/jsmith/
- Key Preserved Paths: ~/Library/Preferences/, /.fseventsd/, /.Spotlight-V100/
Question
During a forensic examination of a macOS computer in Miami, Florida, an analyst is looking for evidence of a user's recent file activity. Which artifact on the macOS file system provides a list of recently accessed files and folders?
Expert Analysis
1. What the Evidence Shows
The investigation demands proof of file interaction (which files were opened, modified, or created) by the user `jsmith` to build a timeline of malicious activity prior to the alleged exfiltration.
2. Forensic Stage
Examination & Analysis: Extracting specific artifacts from the acquired APFS file system image, parsing proprietary databases/lists, and correlating timestamps to reconstruct user activity.
3. Why the Correct Answer is Correct
(D) All of the above: A thorough forensic examination of a macOS system requires correlating multiple artifacts to confirm recent file activity. All three listed options are primary sources for this data:
1. Recent Items (plist): Property List files (like `com.apple.sharedfilelist.RecentDocuments.plist` or `com.apple.recentitems.plist`) store the history of recently opened documents, applications, and servers as seen in the Apple Menu.
2. Spotlight index: The `.Spotlight-V100` directory contains the metadata databases used by macOS for fast searching. It tracks extensive metadata about files, including last accessed, created, and modified dates.
3. FSEvents: The `.fseventsd` directory contains gzip-compressed logs of file system events. It tracks granular changes (creation, modification, deletion) down to the specific file path, providing a highly detailed historical timeline.
4. Why Others Are Wrong (Individually)
While A, B, and C are all valid sources, selecting only one would indicate an incomplete forensic investigation. Relying solely on the Recent Items plist, for instance, might miss files modified in the background or accessed via terminal, which FSEvents would capture. An investigator must leverage "All of the above" for corroboration.
5. Real-World Forensic Action
An investigator will mount the E01 image and navigate to the target user's Library. They will use a plist parsing tool (like `plistutil` or an automated forensic suite) to extract the Recent Documents list. Simultaneously, they will parse the `.fseventsd` directory using a tool like `FSEventsParser` to build a granular timeline, and finally cross-reference these findings with the MACB (Modified, Accessed, Created, Birth) timestamps stored within the Spotlight metadata database (`store.db`).
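To make the FSEvents step concrete, here is an added example (not from the original page or from the FSEventsParser project) that decodes a constructed, gzip-compressed FSEvents log page and pulls out the timeline for one CAD file. The record layout and flag bits are an assumption based on the community-documented DLS2 format; the file paths and event IDs are invented sample data.

```python
import gzip
import struct

# Assumed DLS2 page layout: 4-byte magic, 4 unknown bytes, 4-byte LE page length,
# then records of NUL-terminated path, 8-byte event id, 4-byte flags, 8-byte node id.
# Flag bit meanings follow the community-documented FSEvents map (assumption).
FLAGS = {
    0x00000001: "FolderEvent",
    0x00000020: "EndOfTransaction",
    0x00002000: "FileEvent",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x08000000: "Renamed",
    0x10000000: "Modified",
}

def describe_flags(flags):
    """Translate a flag bitmask into the known event names (raw hex if none match)."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit] or [hex(flags)]

def parse_fsevents(data):
    """Decompress an FSEvents log and return its records in on-disk (event id) order."""
    raw = gzip.decompress(data)
    events, off = [], 0
    while off + 12 <= len(raw):
        magic = raw[off:off + 4]
        page_len = struct.unpack_from("<I", raw, off + 8)[0]
        if magic not in (b"1SLD", b"2SLD") or page_len < 12:
            raise ValueError(f"unexpected page header at offset {off}")
        end, pos = off + page_len, off + 12
        while pos < end:
            nul = raw.index(b"\x00", pos)  # path is NUL-terminated UTF-8
            path = raw[pos:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", raw, nul + 1)
            pos = nul + 1 + 12 + (8 if magic == b"2SLD" else 0)  # DLS2 adds a node id
            events.append({"id": event_id, "path": path, "flags": describe_flags(flags)})
        off = end
    return events

def file_timeline(events, filename):
    """Filter the event stream down to one file name, e.g. the suspected CAD document."""
    return [(e["id"], e["path"], e["flags"]) for e in events if e["path"].endswith(filename)]

def build_sample_log():
    """Constructed DLS2 page: a CAD file is created, modified, then appears on a USB volume."""
    recs = [(101, 0x2000 | 0x01000000, "Users/jsmith/Documents/turbine_v3.dwg"),
            (102, 0x2000 | 0x10000000, "Users/jsmith/Documents/turbine_v3.dwg"),
            (103, 0x2000 | 0x01000000, "Volumes/USB_DRIVE/turbine_v3.dwg")]
    body = b"".join(p.encode() + b"\x00" + struct.pack("<QIQ", eid, fl, 7000 + eid)
                    for eid, fl, p in recs)
    return gzip.compress(b"2SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body)
```

FSEvents records carry a monotonically increasing event ID but no timestamp, so the ordering above only becomes a dated timeline once it is bracketed by the modification times of the log files themselves and corroborated against the Spotlight and Recent Items artifacts.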
6. MINI LESSON: macOS Artifact Correlation
In digital forensics, a single artifact is a clue; correlated artifacts become irrefutable evidence. If a suspect claims they never opened a specific CAD file, the investigator can prove otherwise if the file appears in the Recent Items `plist` (proving UI interaction), is logged as accessed in the `Spotlight` metadata, and has an associated read/modify event recorded in the `FSEvents` logs. This redundancy built into modern operating systems is the forensic analyst's greatest advantage when defeating anti-forensic claims.