New Features

Exploring macOS Rebuilt Desktops in Magnet AXIOM

In Magnet AXIOM 4.6, we’re happy to bring a new refined result to the table: “Rebuilt Desktops”, similar to the one we introduced earlier for Windows operating system but this time for macOS!

Rebuilt desktop results

This hit can be found under the REFINED RESULTS artifact category at the top of the navigation pane within the artifact explorer in AXIOM. Each record will reflect the desktops for each user of the macOS computer. Once a record is selected, it will display information in two sections in the content pane.

First, the details card will display the user account, the path to the wallpaper file, and the display resolution. This card will also contain the standard source, location, and evidence information which will help users see where the desktop information is recovered from.

A PREVIEW card will also be generated that will show a recreation of the user’s desktop to the best of AXIOM’s ability using the information available from the source files.

Image preview

In the figure above, you can see that AXIOM will rebuild the desktop with the following pieces:

  • The desktop wallpaper (if there is one)
  • The dock
  • The menu bar
  • Any files on the desktop

Reminder: this image does not actually exist on the drive! It is a recreation of the user’s desktop by combining information from several source files across the drive.

The desktop wallpaper is recovered from the “desktoppicture.db” file, which will point the user to where the actual wallpaper lives on the system. If this file is present, it will be represented in the preview card.

To rebuild the dock, the “com.apple.dock.plist” file is used to figure out what icons appear in the doc in the persistent applications, recent applications, and persistent other sections. These icons are then recovered from the disk if available and rendered within the graphic. This gives the user a great visual representation of the “Dock Items” artifact found under the OPERATING SYSTEM category.

Dock Items
Results

The menu bar is rebuilt in the same way from the com.apple.systemuiserver.plist file and can visualize the records represented in the Menu Bar Apps artifact.

Any files located on the Desktop will also be represented within the generated graphic; however, the order and position of the files will not be preserved. All files will be represented with a generic graphic unless the file is a picture, then it will be presented as a thumbnail of that image.

Desktop

We hope that this artifact will give users a better visual representation of what the user has configured their desktop to look like as well as help reveal information about the user’s behavior. It’s one thing to say that a file is in the Desktop folder, but another completely to show that file as well as any wallpaper they could have set. As they say, a picture is worth a thousand words!

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top