Network Preferences & Configuration
Location
/Library/Preferences/SystemConfiguration/ (preferences.plist, NetworkInterfaces.plist, com.apple.airport.preferences.plist)Description
System-level network configuration plists containing active network interface settings, DNS configuration, proxy settings, VPN profiles, and Wi-Fi connection history. The airport preferences plist records every Wi-Fi network the system has connected to with timestamps and security type.
Forensic Value
The com.apple.airport.preferences.plist file contains a history of all Wi-Fi networks the system has joined, including the SSID, BSSID, security type, and last connection timestamp. This establishes the physical locations where the device was used and detects connections to suspicious or rogue access points. VPN profiles in network preferences reveal configured tunnels that may have been used for data exfiltration. Proxy configuration changes can indicate attacker interception of network traffic. DNS server modifications point to potential DNS hijacking for command and control.
Tools Required
Collection Commands
plutil
plutil -p /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist > /forensics/wifi_history.txt
defaults
defaults read /Library/Preferences/SystemConfiguration/preferences.plist > /forensics/network_prefs.txt
plutil
plutil -p /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist > /forensics/network_interfaces.txt
cp
sudo cp /Library/Preferences/SystemConfiguration/*.plist /forensics/network_config/
Collection Constraints
- •Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.