Directories

As with Windows and Linux, Macintosh has a number of directories. Some are more important than others. You must know the ones in the following sections in order to do an effective forensic examination of a Macintosh machine.

The /Volumes Directory

This directory contains information about mounted devices. You will find data here regarding hard disks, external disks, CDs, DVDs, and even virtual machines. This is a very important directory in your forensic examination.

The /Users Directory

This directory contains all the user accounts and associated files. This is clearly critical to your investigation of a Macintosh machine.

The /Applications Directory

This directory is where all applications are stored. Particularly in cases of malware, this is a critical directory to check.

The /Network Directory

This directory contains information about servers, network libraries, and network properties.

The /etc Directory

Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later.

The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File

This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.
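One way to document that per-interface configuration from a copy of the file is sketched below. This is an added example, not code from the original text. The key names (NetworkServices, Interface, IPv4, DNS) are an assumed SystemConfiguration layout to verify against the evidence file, and the sample plist is constructed.

```python
import hashlib
import plistlib

# Constructed sample (not from a real machine). The key names follow the
# SystemConfiguration layout as an assumption; verify against the evidence file.
SAMPLE_PLIST = plistlib.dumps({
    "NetworkServices": {
        "SVC-0001": {
            "UserDefinedName": "Ethernet",
            "Interface": {"DeviceName": "en0", "Hardware": "Ethernet"},
            "IPv4": {"ConfigMethod": "Manual", "Addresses": ["192.0.2.10"],
                     "SubnetMasks": ["255.255.255.0"], "Router": "192.0.2.1"},
            "DNS": {"ServerAddresses": ["192.0.2.53"]},
        },
        "SVC-0002": {
            "UserDefinedName": "Wi-Fi",
            "Interface": {"DeviceName": "en1", "Hardware": "AirPort"},
            "IPv4": {"ConfigMethod": "DHCP"},
        },
        "SVC-0003": {"UserDefinedName": "Orphaned"},  # no Interface dict
    }
})


def document_network_config(raw: bytes) -> dict:
    """Hash the plist bytes and list one record per network service."""
    report = {"sha256": hashlib.sha256(raw).hexdigest(), "services": []}
    try:
        root = plistlib.loads(raw)  # accepts XML and binary plists
    except Exception as exc:  # damaged or truncated evidence file
        report["error"] = f"unparseable plist: {exc}"
        return report
    for sid, svc in sorted(root.get("NetworkServices", {}).items()):
        iface = svc.get("Interface", {})
        ipv4 = svc.get("IPv4", {})
        report["services"].append({
            "service_id": sid,
            "name": svc.get("UserDefinedName"),
            "device": iface.get("DeviceName"),
            "hardware": iface.get("Hardware"),
            "ipv4_method": ipv4.get("ConfigMethod"),
            "ipv4_addresses": ipv4.get("Addresses", []),
            "router": ipv4.get("Router"),
            "dns": svc.get("DNS", {}).get("ServerAddresses", []),
        })
    return report


if __name__ == "__main__":
    for row in document_network_config(SAMPLE_PLIST)["services"]:
        print(row)
```

Read the bytes from a working copy or a read-only mount of the image, and record the SHA-256 in your notes so the parsed values can be tied back to the exact file examined.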
