User Accounts & Home Directory Artefacts

User accounts and home directories are central to macOS forensic investigations because they contain the majority of user-generated data, application artifacts, system preferences, logs, and activity traces. macOS stores user profiles in a structured way, separating system-level data from user-level artifacts, making the home directory the primary source for reconstructing user actions and identifying suspicious behavior.

This chapter explains how macOS user accounts work, where user data is stored, and what artifacts hold the highest forensic value.


Understanding User Accounts in macOS

macOS supports several account types:

1. Administrator

Has elevated privileges, can install software, manage users, and modify core settings.

2. Standard User

Limited permissions; cannot modify system files.

3. Guest User

Session resets after logout; limited forensic value.

4. System / Daemon Accounts

Used for system services, not human users.

5. iCloud Users

Sync data like messages, contacts, photos—high forensic relevance.

User account definitions are stored in:

/var/db/dslocal/nodes/default/users/

Each account has a .plist file containing:

  • Username

  • UUID

  • Home directory

  • Password hints

  • Group membership

  • Account creation/modification times
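The record layout above can be read directly with Python's plistlib. The following is an added example, not code from this chapter: it assumes each attribute in a dslocal user plist is stored as an array of strings (name, uid, gid, home, shell, generateduid, hint) and that admin membership is listed in the users array of the admin group record under /var/db/dslocal/nodes/default/groups/. Both plists in the block are constructed samples, and the UID ranges used for classification are a convention, not something read from the record.

```python
"""Parse local user records from /var/db/dslocal/nodes/default/users/.

Added example, not code from the chapter. It assumes the record layout of
those plists: every attribute is an array of strings. Admin status is
resolved against the 'admin' group record, whose 'users' array lists member
names. Both plists below are constructed samples, not real captures.
"""
import plistlib
from pathlib import Path

# Constructed sample: users/analyst.plist
SAMPLE_USER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key><array><string>analyst</string></array>
  <key>realname</key><array><string>Forensic Analyst</string></array>
  <key>uid</key><array><string>501</string></array>
  <key>gid</key><array><string>20</string></array>
  <key>home</key><array><string>/Users/analyst</string></array>
  <key>shell</key><array><string>/bin/zsh</string></array>
  <key>generateduid</key><array><string>11111111-2222-3333-4444-555555555555</string></array>
  <key>hint</key><array><string>favourite city</string></array>
</dict>
</plist>
"""

# Constructed sample: groups/admin.plist
SAMPLE_ADMIN_GROUP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key><array><string>admin</string></array>
  <key>gid</key><array><string>80</string></array>
  <key>users</key><array><string>root</string><string>analyst</string></array>
</dict>
</plist>
"""

FIELDS = ("name", "realname", "uid", "gid", "home", "shell", "generateduid", "hint")


def _first(record, key):
    """dslocal wraps each attribute in a list; return the first element or None."""
    value = record.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def classify_uid(uid):
    """Rough account class by UID: human users start at 501, system and
    daemon accounts sit below 500 (assumed convention, not read from disk)."""
    if uid is None:
        return "unknown"
    if uid == 0:
        return "root"
    if uid < 500:
        return "system/daemon"
    return "user"


def parse_user_record(data):
    """Return the forensically interesting fields of one user record.
    plistlib.loads() auto-detects XML and binary plists, so both formats work."""
    record = plistlib.loads(data)
    out = {key: _first(record, key) for key in FIELDS}
    out["uid"] = int(out["uid"]) if out["uid"] is not None else None
    out["gid"] = int(out["gid"]) if out["gid"] is not None else None
    out["account_class"] = classify_uid(out["uid"])
    return out


def admin_members(group_data):
    """Member names listed in the admin group record."""
    record = plistlib.loads(group_data)
    return set(record.get("users", []))


def is_admin(user, admins):
    return user["name"] in admins


def load_user_records(users_dir):
    """Parse every .plist in a dslocal users directory copied from an image."""
    return [parse_user_record(p.read_bytes())
            for p in sorted(Path(users_dir).glob("*.plist"))]


if __name__ == "__main__":
    user = parse_user_record(SAMPLE_USER_PLIST)
    user["admin"] = is_admin(user, admin_members(SAMPLE_ADMIN_GROUP_PLIST))
    for key, value in user.items():
        print(f"{key:15} {value}")
```

Point load_user_records() at a copy of the users directory taken from a mounted image; the live directory is readable only by root, and working on the original would alter access times.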


Home Directory Structure

Each user’s home directory is located at:

/Users/<username>/

or for the root user:

/var/root/

The home directory contains the majority of user activity data, including logs, caches, application settings, and personal files.


Key Forensic Locations Inside the Home Directory

Below are the most important directories and files inside each user’s home directory.


1. Desktop, Documents, Downloads

Locations:

  • ~/Desktop/

  • ~/Documents/

  • ~/Downloads/

Forensic relevance:

  • Frequently accessed files

  • Data staging before exfiltration

  • Recently created or modified artifacts

  • Malware or unauthorized scripts often dropped here


2. ~/Library Directory (Critical Forensics)

The ~/Library folder contains application-specific and system-specific data unique to each user.

~/Library/Application Support/

Stores application data such as:

  • Browser profiles

  • Messaging databases

  • SQLite artifacts

  • Third-party app logs

  • Cloud storage sync metadata

Examples:

  • Chrome/Firefox profiles

  • Slack, Zoom, Discord data

  • Adobe/Microsoft Office metadata


~/Library/Preferences/

Contains .plist files storing user settings.

Forensic value:

  • Tracks app preferences

  • Reveals app usage

  • Stores timestamps and recent activity


~/Library/Logs/

Contains logs generated by:

  • Applications

  • Services running under the user

  • Crashes

  • Syncing agents

Forensic relevance:

  • Crash logs may contain paths or attacker scripts

  • App logs reveal recent interactions


~/Library/Caches/

Stores temporary data.

Useful for recovering:

  • Browsing remnants

  • Thumbnails

  • Hidden app activity

  • Deleted files


~/Library/Containers/

Sandboxed apps store data here (especially from the Mac App Store).

Examples:

  • Mail.app data

  • Safari caches

  • Notes storage

  • Message attachments


~/Library/Messages/

Stores iMessage/SMS artifacts:

  • chat.db (message database)

  • Attachments

  • Timestamps

  • Apple ID info

High forensic value—messages often contain incriminating evidence.
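The one thing that trips up most chat.db parsers is the date column, which counts from 2001-01-01 rather than the Unix epoch and switched from seconds to nanoseconds on newer macOS releases. The block below is an added example, not code from this chapter: it builds an in-memory stand-in with a reduced schema (only the message and handle columns the query needs), fills it with constructed rows in both units, and produces a normalised timeline.

```python
"""Build a message timeline from a copy of ~/Library/Messages/chat.db.

Added example, not code from the chapter. The schema is a reduced version
of the real one, and the unit detection assumes message.date is seconds
since 2001-01-01 on older macOS and nanoseconds on newer releases.
All rows are constructed samples.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value):
    """Convert a chat.db date value to an aware UTC datetime.
    Magnitude decides the unit: any plausible seconds value is below 1e11,
    any nanoseconds value is far above it."""
    if not value:
        return None
    seconds = value / 1e9 if value > 10**11 else value
    return APPLE_EPOCH + timedelta(seconds=seconds)


def build_sample_db():
    """In-memory stand-in for chat.db with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY, handle_id INTEGER, text TEXT,
            date INTEGER, is_from_me INTEGER, service TEXT);
    """)
    conn.execute("INSERT INTO handle VALUES (1, '+15550100', 'SMS')")
    conn.execute("INSERT INTO handle VALUES (2, 'contact@example.invalid', 'iMessage')")
    rows = [
        # ROWID, handle_id, text, date, is_from_me, service
        (1, 2, "Meeting moved to 3pm", 708523200000000000, 1, "iMessage"),  # ns: 2023-06-15 12:00 UTC
        (2, 1, "Call me when you land", 600000000, 0, "SMS"),               # s:  2020-01-06 10:40 UTC
        (3, 2, "Thanks, see you then", 708523260000000000, 0, "iMessage"),  # ns: one minute later
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def build_timeline(conn):
    """Join messages to their counterpart handle and sort by normalised time."""
    cur = conn.execute("""
        SELECT m.ROWID, m.date, m.is_from_me, m.text, m.service, h.id
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
    """)
    timeline = []
    for rowid, date, is_from_me, text, service, handle in cur:
        when = apple_time_to_utc(date)
        timeline.append({
            "rowid": rowid,
            "when": when.isoformat() if when else None,
            "direction": "sent" if is_from_me else "received",
            "counterpart": handle,
            "service": service,
            "text": text,
        })
    # Sort on the converted timestamp, not the raw column, because the
    # raw units can differ within one database that survived an upgrade.
    timeline.sort(key=lambda e: e["when"] or "")
    return timeline


if __name__ == "__main__":
    for entry in build_timeline(build_sample_db()):
        print(f"{entry['when']}  {entry['direction']:8} {entry['counterpart']:25} {entry['text']}")
```

For a real database, replace build_sample_db() with sqlite3.connect("file:/path/to/copy/chat.db?mode=ro", uri=True) on a copy, and remember that attachments referenced from the attachment table live as files under ~/Library/Messages/Attachments/.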


~/Library/Keychains/

Contains user keychains:

  • Saved passwords

  • Wi-Fi keys

  • Certificates

  • iCloud credentials

Keychains are encrypted but may be accessible if logged in or with the user password.


~/Library/Safari/

Safari browser artifacts:

  • History.db

  • LastSession.plist

  • Bookmarks

  • Downloads.plist

  • Local storage


~/Library/CloudStorage/

Files synced through:

  • iCloud

  • Google Drive

  • Dropbox

  • OneDrive

Useful for tracking exfiltration or sync activity.


Login Items & Persistence

macOS stores login items and startup agents in multiple locations:

LaunchAgents (User-Level)

~/Library/LaunchAgents/

LaunchAgents (System-Level)

/Library/LaunchAgents/

LaunchDaemons

/Library/LaunchDaemons/

Attackers frequently use LaunchAgents for persistence.

Indicators of compromise:

  • New plist files with unusual names

  • Scripts in hidden directories such as /Users/<user>/.hidden/

  • References to remote URLs or base64 commands
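The indicators above can be turned into a small triage pass over a LaunchAgents or LaunchDaemons folder. The block below is an added example, not code from this chapter: it scores each plist on a non-reverse-DNS label, a program under a hidden or temporary path, RunAtLoad/KeepAlive, and remote URLs or base64-looking tokens in ProgramArguments. Both plists are constructed samples and the weights are arbitrary choices for illustration.

```python
"""Triage LaunchAgent/LaunchDaemon plists for common persistence indicators.

Added example, not the chapter's code. Both plists are constructed samples
and the finding weights are arbitrary.
"""
import plistlib
import re
from pathlib import Path, PurePosixPath

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
REVERSE_DNS_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2,}$")
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>update</string>
  <key>ProgramArguments</key><array>
    <string>/Users/analyst/.hidden/sync.sh</string>
    <string>https://example.invalid/update</string>
    <string>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""


def _in_hidden_path(path):
    """True if any component of the path is a dot-directory or dot-file."""
    return any(p.startswith(".") and p not in (".", "..")
               for p in PurePosixPath(path).parts)


def triage_launch_item(data):
    """Return label, program and weighted findings for one launchd plist."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    findings = []  # (weight, description)

    if not REVERSE_DNS_RE.match(label):
        findings.append((1, f"label not in reverse-DNS form: {label!r}"))
    if plist.get("RunAtLoad"):
        findings.append((1, "RunAtLoad set"))
    if plist.get("KeepAlive"):
        findings.append((1, "KeepAlive set"))
    if program and _in_hidden_path(program):
        findings.append((2, f"program under a hidden path: {program}"))
    if program.startswith(TEMP_DIRS):
        findings.append((2, f"program in a temporary directory: {program}"))
    for arg in args:
        for url in URL_RE.findall(arg):
            findings.append((2, f"remote URL in arguments: {url}"))
        # Skip path-like arguments so long paths are not mistaken for base64.
        if not arg.startswith("/") and BASE64_RE.search(arg):
            findings.append((2, "long base64-like token in arguments"))
    return {"label": label, "program": program,
            "findings": findings, "score": sum(w for w, _ in findings)}


def triage_directory(directory):
    """Run the triage over every plist in a LaunchAgents/LaunchDaemons folder."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        result = triage_launch_item(path.read_bytes())
        result["file"] = str(path)
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        result = triage_launch_item(sample)
        print(result["label"], "score", result["score"])
        for weight, text in result["findings"]:
            print(f"  [{weight}] {text}")
```

The score is a ranking aid, not a verdict: RunAtLoad is set by plenty of legitimate agents, so review the top-ranked plists by hand and check file creation times against the incident window.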


Trash / Recently Deleted

Trash is located at:

~/.Trash/

Forensic value:

  • Contains deleted files prior to permanent removal

  • Timestamps reveal user behavior

  • Recoverable unless overwritten


Spotlight Metadata

Spotlight indexes metadata for fast search.

Database located at:

/Users/<username>/Library/Metadata/

Contains indexed content such as:

  • File keywords

  • Document titles

  • Recently opened files

  • Deleted file metadata

Spotlight is extremely valuable when files have been deleted.


Recent Items & Application Usage

Recent applications, documents, servers:

~/Library/Preferences/com.apple.recentitems.plist

Tracks:

  • Recently opened files

  • Recent apps

  • Network shares accessed


Shell Activity (zsh / bash)

macOS now uses zsh by default.

zsh history:

~/.zsh_history

bash history (older systems):

~/.bash_history

Forensic value:

  • Command-line usage

  • Attacker commands

  • Script execution

  • Data exfiltration commands


iCloud Sync Artifacts

If iCloud is enabled:

Artifacts stored under:

~/Library/Mobile Documents/

Contains:

  • Synced documents

  • Backups

  • App data synced with iOS devices

iCloud tokens may allow retrieval of remote data.


User Account Plists

Every user has a preference plist:

/Users/<username>/Library/Preferences/

Key plists:

  • Login window metadata

  • Touch ID logs

  • iCloud usage

  • Recently accessed folders

These files often contain timestamps and identifiers.


macOS TCC Database (Privacy Control)

Location:

~/Library/Application Support/com.apple.TCC/TCC.db

Tracks permissions granted to apps:

  • Camera access

  • Microphone access

  • Screen recording

  • Full disk access

Crucial for determining potential spy apps or malware.
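A quick way to answer "which clients hold camera, microphone, screen-recording or full-disk access" is a single query over the access table. The block below is an added example, not the chapter's code: it reproduces only the access columns the query needs in an in-memory table filled with constructed rows. The auth_value meanings (0 denied, 2 allowed, 3 limited) and the kTCCService* names are the values commonly observed in TCC.db and should be confirmed against the target's macOS version; to my knowledge Full Disk Access decisions are recorded in the system-level copy at /Library/Application Support/com.apple.TCC/TCC.db, so run the same query against both databases.

```python
"""List sensitive permission grants from a copied TCC.db.

Added example, not the chapter's code. The table holds only the 'access'
columns the query needs, and the auth_value and service-name mappings are
assumptions to verify per macOS version. Rows are constructed samples.
"""
import sqlite3
from datetime import datetime, timezone

SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceScreenCapture": "Screen recording",
    "kTCCServiceSystemPolicyAllFiles": "Full disk access",
    "kTCCServiceAccessibility": "Accessibility",
}
AUTH_VALUES = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}


def build_sample_db():
    """In-memory stand-in for TCC.db with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
        last_modified INTEGER NOT NULL)""")
    rows = [
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1700000000),
        ("kTCCServiceMicrophone", "com.apple.Safari", 0, 0, 2, 1690000000),
        ("kTCCServiceScreenCapture", "com.example.helper", 0, 2, 2, 1705000000),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.helper", 0, 2, 2, 1705000100),
        ("kTCCServiceCalendar", "com.example.helper", 0, 2, 2, 1705000200),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_tcc_copy(path):
    """Open a copied TCC.db read-only; never query the live file in place."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sensitive_grants(conn):
    """Allowed or limited grants for the sensitive services, newest first."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    cur = conn.execute(f"""
        SELECT service, client, auth_value, last_modified FROM access
        WHERE auth_value IN (2, 3) AND service IN ({placeholders})
        ORDER BY last_modified DESC""", tuple(SENSITIVE_SERVICES))
    return [{
        "permission": SENSITIVE_SERVICES[service],
        "client": client,
        "decision": AUTH_VALUES.get(auth_value, str(auth_value)),
        "granted_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
    } for service, client, auth_value, ts in cur]


def clients_by_permission_count(grants):
    """Clients holding the most sensitive permissions first."""
    counts = {}
    for grant in grants:
        counts[grant["client"]] = counts.get(grant["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    grants = sensitive_grants(build_sample_db())
    for g in grants:
        print(f"{g['granted_at']}  {g['permission']:17} {g['decision']:8} {g['client']}")
    print(clients_by_permission_count(grants))
```

Sort the output by last_modified against the incident window: a screen-recording or accessibility grant to an unfamiliar bundle identifier shortly before suspicious activity is a strong lead.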


Forensic Analysis Techniques

1. Compare file timestamps (MAC times)

Helps reconstruct user behavior.

2. Examine plist files for recent app and file usage

Stored in human-readable XML or binary format.

3. Parse iMessage databases

Using SQLite viewers.

4. Analyze browser artifacts

Safari, Chrome, Firefox.

5. Inspect LaunchAgents/Daemons for persistence

Attackers often hide scripts there.

6. Recover deleted files using snapshots or APFS metadata

APFS snapshots often preserve earlier states.

7. Cross-reference logs in:

/var/log/
~/Library/Logs/
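Technique 1 above (comparing MAC times) is easiest to apply when every timestamp of every file is flattened into one sorted list. The block below is an added example, not the chapter's code: it builds such a timeline for a directory tree and flags two inconsistencies worth a second look. It assumes st_birthtime is present only on macOS/BSD stat results and falls back to modified/changed/accessed elsewhere; the sample files and the constructed stat entries are made up for the demonstration.

```python
"""MAC-time timeline for a directory tree, with basic consistency checks.

Added example, not the chapter's code. st_birthtime is assumed to exist only
on macOS/BSD; without it the 'modified before creation' check cannot run.
"""
import os
import tempfile
import time
from datetime import datetime, timezone
from types import SimpleNamespace


def mac_times(path, st=None):
    """Timestamps of one path; a stat-like object can be supplied for testing."""
    st = st if st is not None else os.stat(path, follow_symlinks=False)
    times = {"modified": st.st_mtime, "changed": st.st_ctime, "accessed": st.st_atime}
    birth = getattr(st, "st_birthtime", None)  # macOS/BSD only (assumption)
    if birth is not None:
        times["born"] = birth
    return {"path": path, "times": times}


def constructed_entry(path, mtime, ctime, atime, birth=None):
    """Build an entry from made-up values (used for the demo and tests)."""
    fake = SimpleNamespace(st_mtime=mtime, st_ctime=ctime, st_atime=atime)
    if birth is not None:
        fake.st_birthtime = birth
    return mac_times(path, st=fake)


def anomalies(entry, now=None):
    """Inconsistencies worth a second look. 'Modified before creation' also
    happens legitimately for files restored or extracted from an archive
    with their original modification time preserved, so it is a lead, not proof."""
    now = time.time() if now is None else now
    t = entry["times"]
    found = []
    if "born" in t and t["modified"] < t["born"] - 1:
        found.append("modified before creation (possible timestamp manipulation)")
    if t["modified"] > now + 60:
        found.append("modification time in the future")
    if t["changed"] < t["modified"] - 1:
        found.append("inode change before last modification")
    return found


def build_timeline(root):
    """Flatten every timestamp under root into sorted (time, event, path) rows."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            entry = mac_times(os.path.join(dirpath, name))
            for event, ts in entry["times"].items():
                rows.append((ts, event, entry["path"]))
    rows.sort()
    return rows


def format_row(ts, event, path):
    when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")
    return f"{when}  {event:<8}  {path}"


def demo_timeline():
    """Create two sample files in a temporary directory and time-line them."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "report.pdf"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(name)
        return build_timeline(root)


# Constructed stat values: modified (100) earlier than born (150).
CONSTRUCTED_SUSPECT = constructed_entry("/constructed/report.pdf", 100.0, 200.0, 300.0, birth=150.0)

if __name__ == "__main__":
    for row in demo_timeline():
        print(format_row(*row))
    print(CONSTRUCTED_SUSPECT["path"], anomalies(CONSTRUCTED_SUSPECT))
```

Run build_timeline() against a mounted image or an APFS snapshot rather than the live volume; walking a live home directory updates access times and destroys part of the evidence you are trying to read.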

Intel Dump

macOS user accounts and home directories contain the bulk of forensic evidence in macOS investigations. Key artifacts such as Library data, application logs, messages, keychains, snapshot data, LaunchAgents, browser files, and shell history provide detailed insight into user behavior, malware activity, and system compromise.

By understanding exactly where macOS stores user and system artifacts, investigators can reconstruct timelines, recover deleted data, uncover persistence, and identify malicious activity with high accuracy.
