Network Preferences & Configuration

macosNetwork TrafficDisk Image

Location

/Library/Preferences/SystemConfiguration/ (preferences.plist, NetworkInterfaces.plist, com.apple.airport.preferences.plist)

Description

System-level network configuration plists containing active network interface settings, DNS configuration, proxy settings, VPN profiles, and Wi-Fi connection history. The airport preferences plist records every Wi-Fi network the system has connected to with timestamps and security type.

Forensic Value

The com.apple.airport.preferences.plist file contains a history of all Wi-Fi networks the system has joined, including the SSID, BSSID, security type, and last connection timestamp. This establishes the physical locations where the device was used and detects connections to suspicious or rogue access points. VPN profiles in network preferences reveal configured tunnels that may have been used for data exfiltration. Proxy configuration changes can indicate attacker interception of network traffic. DNS server modifications point to potential DNS hijacking for command and control.

Tools Required

plutildefaults readmac_aptplistutilCrowdstrike UAC

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical