Forensic Artifact Library

209 artifacts across all platforms.

Authentication & Access (24)

Security Event Log (4624/4625/4688)

windows
C:\Windows\System32\winevt\Logs\Security.evtx

Primary Windows security audit log capturing logon events (4624 success, 4625 failure), process creation (4688), privilege escalation, and object access.

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

SAM Registry Hive

windows
C:\Windows\System32\config\SAM

Security Accounts Manager hive containing local user accounts, group memberships, password policy settings, and NTLM password hashes.

Tools: KAPE, RegRipper, Impacket secretsdump (+1 more)

Terminal Services / RDP Event Logs

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Remote Desktop Services event logs capturing RDP session lifecycle events. Event 1149 records successful network-level authentication with source IP and username. Events 21/22/23/24/25 track session logon, reconnect, and disconnect states.

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

Kerberos Authentication Events (4768/4769/4771)

windows
C:\Windows\System32\winevt\Logs\Security.evtx (Domain Controllers)

Kerberos protocol events from domain controller Security logs: Event 4768 (TGT requested), Event 4769 (service ticket requested), Event 4771 (Kerberos pre-authentication failed), and Event 4770 (TGT renewed).

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+2 more)

Azure AD (Entra ID) Sign-in Logs

m365-azure
Azure Portal > Entra ID > Monitoring > Sign-in logs (or Microsoft Graph API /auditLogs/signIns)

Detailed authentication logs recording every interactive and non-interactive sign-in including result status, MFA details, conditional access policy evaluation, device compliance state, IP address, location, and risk level.

Tools: Azure Portal, Microsoft Graph API, PowerShell (AzureAD module) (+1 more)

Conditional Access Policy Logs

m365-azure
Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab

Per-sign-in evaluation results of all Conditional Access policies showing which policies were applied, which were not matched, and whether the grant/session controls succeeded or failed.

Tools: Azure Portal, Microsoft Graph API, PowerShell (AzureAD module)

Entra ID (Azure AD) Risk Events

m365-azure
Azure Portal > Entra ID > Security > Risk detections (or Microsoft Graph API /identityProtection/riskDetections)

Machine-learning-generated risk detections including anonymous IP usage, impossible travel, malware-linked IPs, password spray detection, leaked credential matches, token anomalies, and suspicious inbox manipulation rules.

Tools: Azure Portal, Microsoft Graph API (/identityProtection/riskDetections), PowerShell

Microsoft Defender for Identity (MDI)

m365-azure
Microsoft 365 Defender Portal > Identities > Health & Alerts (or Microsoft Graph Security API)

Identity threat detection system monitoring on-premises Active Directory traffic via domain controller sensors. Detects credential-based attacks including Kerberoasting, DCSync, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and reconnaissance activities.

Tools: Microsoft 365 Defender Portal, Microsoft Graph Security API, PowerShell (+1 more)

auth.log / secure

linux
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)

Authentication log recording all PAM-based authentication events including SSH logins, sudo usage, su escalation, user creation (useradd), password changes, and public key acceptance.

Tools: grep, journalctl, aureport (+2 more)

/etc/passwd & /etc/shadow

linux
/etc/passwd and /etc/shadow

User account database (passwd) listing all local accounts with UID, GID, home directory, and login shell. Shadow file containing password hashes, last change date, and account expiration settings.

Tools: cat, grep, diff (+2 more)

auditd Audit Logs (audit.log)

linux
/var/log/audit/audit.log (or /var/log/audit/audit.log.*)

Linux Audit daemon logs capturing kernel-level audit events configured via audit rules. Records EXECVE (command execution with full arguments), SYSCALL events, file access (PATH), user authentication (USER_AUTH), and privilege changes.

Tools: aureport, ausearch, grep (+1 more)

Login Records (wtmp / btmp / lastlog)

linux
/var/log/wtmp, /var/log/btmp, /var/log/lastlog

Binary login record files tracking successful logins and logouts (wtmp), failed login attempts (btmp), and the most recent login per user (lastlog). Structured binary format parsed by last, lastb, and lastlog commands.

Tools: last, lastb, lastlog (+2 more)

/etc/group & /etc/sudoers

linux
/etc/group, /etc/sudoers, /etc/sudoers.d/*

Group membership file defining which users belong to which groups (including sudo, wheel, docker, adm), and sudoers configuration files defining fine-grained privilege escalation rules per user or group.

Tools: cat, getent group, visudo -c (+2 more)

VPN Gateway Logs

network
VPN concentrator logs (Cisco AnyConnect, Palo Alto GlobalProtect, OpenVPN, WireGuard)

VPN authentication and session logs recording user identity, source IP, connection duration, assigned internal IP, bytes transferred, and authentication method (certificate, MFA, password).

Tools: SIEM (Splunk, Elastic), VPN management console, grep (+1 more)

RADIUS / TACACS+ Authentication Logs

network
RADIUS server logs (FreeRADIUS, NPS, Cisco ISE) or TACACS+ server logs (Cisco ISE, tac_plus)

AAA (Authentication, Authorization, Accounting) protocol logs from RADIUS and TACACS+ servers recording every network device authentication attempt, authorization decision, and accounting record. TACACS+ additionally captures full command-line audit for network device administration.

Tools: SIEM (Splunk, Elastic), Cisco ISE Admin Console, FreeRADIUS debug logs (+1 more)

Wireless LAN Controller (WLC) Logs

network
WLC management console logs (Cisco WLC, Aruba Central, Meraki Dashboard)

Wireless infrastructure logs recording client association/disassociation events, authentication successes and failures, rogue AP detections, client roaming between access points, and RF anomaly alerts.

Tools: WLC Management Console, SIEM (Splunk, Elastic), Cisco Prime/DNA Center (+1 more)

Network Access Control (NAC) Logs

network
NAC platform logs (Cisco ISE, Forescout, Aruba ClearPass, PacketFence)

Network Access Control platform logs recording endpoint posture assessments, 802.1X authentication results, VLAN assignments, device profiling classifications, guest access grants, and quarantine actions for non-compliant devices.

Tools: NAC Admin Console, SIEM (Splunk, Elastic), Cisco ISE (+1 more)

Keychain Access & Credential Storage

macos
~/Library/Keychains/ (login.keychain-db) and /Library/Keychains/ (System.keychain)

macOS Keychain databases storing encrypted credentials including user passwords, Wi-Fi passwords, application tokens, certificates, private keys, and secure notes. The login keychain is unlocked when the user logs in and the System keychain stores system-wide credentials accessible to daemons and services.

Tools: security (macOS CLI), mac_apt, Keychain Access.app (+2 more)

sudo.log & Authorization Logs

macos
/var/log/sudo.log (if configured), /var/log/authd.log, and Unified Log (subsystem: com.apple.authd)

macOS authorization and privilege escalation logs capturing sudo command usage, authorization plugin decisions, and authentication dialog events. sudo usage is logged to the Unified Log and optionally to /var/log/sudo.log. The authd subsystem records authorization rights evaluations for password prompts, installer authentication, and system preference changes.

Tools: log (macOS CLI), mac_apt, grep (+2 more)

OpenBSM Audit Logs

macos
/var/audit/ (audit trail files) and /etc/security/audit_control (configuration)

macOS Basic Security Module (BSM) audit subsystem generating kernel-level audit records for system calls, file access, process execution, authentication events, and administrative actions. Audit trails are binary files in /var/audit/ that capture events based on the audit policy configured in /etc/security/audit_control. Each record contains event type, timestamp, process info, and operation-specific parameters.

Tools: praudit, auditreduce, mac_apt (+2 more)

Keychain Stored Credentials (keychain-2.db)

ios
KeychainDomain/keychain-2.db

Encrypted SQLite database storing the iOS Keychain containing saved passwords, authentication tokens, Wi-Fi network passwords, VPN credentials, certificate private keys, and application-specific secrets. Items are protected by different accessibility classes that determine when they can be decrypted, ranging from always available to only when the device is unlocked. The keychain is encrypted with keys derived from the device hardware UID and user passcode.

Tools: Cellebrite UFED, Elcomsoft Phone Breaker, Magnet AXIOM (+2 more)

Privacy Permissions Database (TCC.db)

ios
private/var/mobile/Library/TCC/TCC.db

SQLite database implementing the Transparency, Consent, and Control framework that records privacy permission grants for each application. Tracks which apps have been authorized to access sensitive resources including Contacts, Photos, Camera, Microphone, Location Services, Calendars, Reminders, Bluetooth, Health data, and Motion & Fitness. Each record contains the app bundle ID, the service type, the authorization status, and a modification timestamp.

Tools: iLEAPP, Cellebrite UFED, Magnet AXIOM (+1 more)

Android Keystore Metadata

android
/data/misc/keystore/ and /data/misc/keystore/user_0/

Directory containing metadata and blob files for the Android Keystore system, which provides hardware-backed (TEE or Strongbox) cryptographic key storage. Key entries include application-specific encryption keys, authentication-bound keys, biometric-bound keys, and VPN credential storage. Each key blob is associated with a UID identifying the owning application.

Tools: Cellebrite UFED, Oxygen Forensic Detective, ADB (+1 more)

Lock Screen Configuration (locksettings.db)

android
/data/system/locksettings.db and /data/system/locksettings.db-wal

SQLite database storing the device lock screen configuration including the lock type (none, swipe, pattern, PIN, password), pattern/PIN/password hash, failed attempt count, lockout timestamps, Smart Lock trusted agents, and biometric enrollment status. The database also records whether the device is encryption-aware and the credential-encrypted storage state.

Tools: Cellebrite UFED, Oxygen Forensic Detective, Magnet AXIOM (+2 more)

Execution Evidence (22)

Sysmon Event Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

Microsoft Sysinternals System Monitor log capturing process creation with hashes (Event 1), network connections (Event 3), file creation (Event 11), registry modifications (Event 13), and DNS queries (Event 22).

Tools: KAPE, EvtxECmd (Eric Zimmerman), Chainsaw (+1 more)

PowerShell Script Block & Operational Logs

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

PowerShell Operational log and Script Block Logging (Event 4104) capturing the full text of executed scripts, including those decoded at runtime from Base64 or obfuscation layers.

Tools: KAPE, EvtxECmd (Eric Zimmerman), Chainsaw (+1 more)

AmCache.hve

windows
C:\Windows\appcompat\Programs\Amcache.hve

Application compatibility cache hive tracking program execution with SHA1 hashes, file paths, publisher metadata, and first-execution timestamps.

Tools: KAPE, AmcacheParser (Eric Zimmerman), Registry Explorer (Eric Zimmerman)

Prefetch Files

windows
C:\Windows\Prefetch\*.pf

Windows Prefetch files recording application execution with the executable name, run count, last eight execution times, and all files/directories referenced during the first ten seconds of execution.

Tools: KAPE, PECmd (Eric Zimmerman), WinPrefetchView (NirSoft)

ShimCache (AppCompatCache)

windows
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Application Compatibility Cache stored in the SYSTEM registry hive, recording file path, size, and last modification timestamp for executables the OS considered for compatibility shimming.

Tools: KAPE, AppCompatCacheParser (Eric Zimmerman), RegRipper

Windows Defender Operational Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx

Windows Defender antivirus operational log recording threat detections (Event 1116), remediation actions (Event 1117), real-time protection state changes (Event 5001/5004), and exclusion modifications.

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

BAM/DAM (Background/Desktop Activity Moderator)

windows
SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> (Windows 10 1709+)

Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) registry keys recording executable paths with their last execution UTC timestamp, attributed to specific user SIDs.

Tools: KAPE, Registry Explorer (Eric Zimmerman), RegRipper (+1 more)

SRUM Database (SRUDB.dat)

windows
C:\Windows\System32\sru\SRUDB.dat

System Resource Usage Monitor ESE database tracking per-application resource consumption over 30-60 days, including network bytes sent/received, CPU time, energy usage, and associated user SID.

Tools: KAPE, SrumECmd (Eric Zimmerman), srum-dump (+1 more)

Windows Defender Quarantine & DetectionHistory

windows
C:\ProgramData\Microsoft\Windows Defender\Quarantine\ and C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\

Windows Defender quarantine directory containing encrypted copies of detected malware (ResourceData) and detection metadata (DetectionHistory) recording threat name, file path, detection time, user context, and remediation action taken.

Tools: KAPE, Defender Quarantine Decryptor, PowerShell (+1 more)

ETW/ETL Trace Files (DiagTrack/AutoLogger)

windows
C:\Windows\System32\WDI\LogFiles\ and C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\

Event Tracing for Windows (ETW) binary trace files (.etl) generated by AutoLogger sessions and diagnostic providers. Includes AutoLogger-DiagTrack-Listener.etl and various WDI trace files containing detailed system telemetry.

Tools: KAPE, tracerpt, xperf (Windows Performance Toolkit) (+2 more)

Microsoft Defender for Endpoint (MDE)

m365-azure
Microsoft 365 Defender Portal > Advanced Hunting (or Microsoft Graph Security API)

Endpoint detection and response platform providing Advanced Hunting tables including DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, and DeviceImageLoadEvents with 30 days of queryable telemetry.

Tools: Microsoft 365 Defender Portal, KQL (Kusto Query Language), Microsoft Graph Security API (+1 more)

Power Platform & Power Automate Audit Logs

m365-azure
Microsoft Purview > Audit (filter by PowerApps/Flow workload) or Power Platform Admin Center > Analytics

Audit events for Power Apps, Power Automate (Flow), Power BI, and Power Virtual Agents capturing flow creation/execution, app sharing, connector usage, data export operations, and admin configuration changes.

Tools: Microsoft Purview, Power Platform Admin Center, PowerShell (+1 more)

.bash_history (Shell History)

linux
/home/<username>/.bash_history and /root/.bash_history

Per-user command history file recording shell commands entered in interactive Bash sessions. May also include .zsh_history, .ash_history, or .python_history depending on the shell and tools used.

Tools: cat, grep, find (+1 more)

Web Server Access & Error Logs

linux
/var/log/apache2/access.log, /var/log/nginx/access.log, /var/log/httpd/access_log (and corresponding error logs)

HTTP server access logs recording every request with client IP, timestamp, HTTP method, URI path, query parameters, response code, bytes transferred, referrer, and user agent. Error logs capture application errors, CGI failures, and module warnings.

Tools: grep, awk, GoAccess (+2 more)

Docker / Container Runtime Artifacts

linux
/var/lib/docker/ (containers/, image/, overlay2/, volumes/) and docker daemon logs

Docker daemon artifacts including container configurations (config.v2.json), image layers and manifests, overlay2 filesystem diffs showing container modifications, volume mounts, network settings, and container execution logs.

Tools: docker inspect, docker logs, docker diff (+3 more)

install.log (Application Installation Log)

macos
/var/log/install.log (and rotated /var/log/install.log.*.bz2)

System installation log recording all software installations performed through the macOS Installer framework (.pkg files). Captures the package identifier, version, installation path, installer process, and the user or process that initiated the installation with detailed timestamps.

Tools: grep, less, mac_apt (+2 more)

Bash / Zsh Shell History

macos
~/.zsh_history (default since macOS Catalina), ~/.bash_history, ~/.zsh_sessions/

Per-user shell command history files recording commands entered in interactive terminal sessions. Since macOS Catalina, Zsh is the default shell and history is stored in ~/.zsh_history. The ~/.zsh_sessions/ directory contains per-session history files with additional metadata. Extended history format includes timestamps for each command.

Tools: cat, grep, mac_apt (+2 more)

CrashReporter & Diagnostic Reports

macos
~/Library/Logs/DiagnosticReports/ (per-user) and /Library/Logs/DiagnosticReports/ (system-wide)

macOS crash report files (.ips and legacy .crash format) generated when applications or system processes crash. Each report contains the process name, bundle identifier, exception type, thread backtraces with symbolicated function names, loaded libraries, and the complete register state at the time of the crash.

Tools: mac_apt, CrowdStrike UAC, lldb (+2 more)

Unified Logging / Sysdiagnose

ios
private/var/logs/ and sysdiagnose output (collected via Settings > Privacy > Analytics)

iOS Unified Logging system capturing structured log messages from the kernel, system daemons, frameworks, and applications in compressed tracev3 binary format. Sysdiagnose is a comprehensive diagnostic archive that bundles unified logs, process listings, network state, power logs, and other system information into a single tar.gz archive. Sysdiagnose can be triggered via Settings or key combinations and is the primary method for extracting unified logs from iOS devices.

Tools: iLEAPP, APOLLO, Cellebrite UFED (+3 more)

Bluetooth Paired Device Records (com.apple.MobileBluetooth.devices.plist)

ios
HomeDomain/Library/Preferences/com.apple.MobileBluetooth.devices.plist

Property list file containing records of all Bluetooth devices that have been paired with the iOS device. Each entry is keyed by the Bluetooth MAC address and contains the device name, device type, manufacturer, last connection timestamp, and pairing metadata. Covers both Bluetooth Classic and Bluetooth Low Energy (BLE) devices.

Tools: iLEAPP, Cellebrite UFED, Magnet AXIOM (+2 more)

Battery Usage Statistics (batterystats)

android
Accessible via ADB (dumpsys batterystats) or /data/system/batterystats.bin

Binary statistics file and system service data maintained by the Android BatteryStatsService, tracking detailed per-application battery consumption metrics. Records include wakelock acquisitions and durations, CPU time per UID, network bytes sent and received per app, sensor usage (GPS, accelerometer), camera and flashlight usage, Bluetooth scan counts, Wi-Fi scan counts, and foreground/background process time, all correlated with battery charge and discharge cycles.

Tools: ADB, ALEAPP, Magnet AXIOM (+2 more)

Gmail Cached Email Database

android
/data/data/com.google.android.gm/databases/

SQLite databases maintained by the Gmail application for offline email caching. The primary database files (named by account email hash) contain cached email messages with subject lines, sender and recipient addresses, timestamps, message body snippets, label assignments, attachment metadata, and conversation thread groupings. Separate databases may exist for each configured Google account.

Tools: Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Persistence Mechanisms (20)

BITS Transfer Jobs

windows
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Background Intelligent Transfer Service database tracking all BITS jobs including download URL, destination path, creation time, and job owner SID.

Tools: KAPE, BitsParser, BITS-parser (ANSSI)

Scheduled Tasks

windows
C:\Windows\System32\Tasks\

XML-based scheduled task definitions containing the trigger schedule, action command line, run-as account, creation timestamp, and author.

Tools: KAPE, Autoruns (Sysinternals), PowerShell

WMI Event Subscriptions (OBJECTS.DATA)

windows
C:\Windows\System32\wbem\Repository\OBJECTS.DATA

WMI repository containing permanent event subscriptions (EventFilter, EventConsumer, FilterToConsumerBinding) that execute arbitrary commands or scripts in response to system events.

Tools: KAPE, PyWMIPersistenceFinder, Autoruns (Sysinternals) (+1 more)

System Event Log (Service Installation)

windows
C:\Windows\System32\winevt\Logs\System.evtx

System event log capturing Event ID 7045 for new service installations, recording the service name, binary path, service type, and start type. Also captures Event 7034 (crash) and 7040 (start type change).

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

Task Scheduler Operational Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Task Scheduler operational log capturing task lifecycle events: Event 106 (task registered), Event 140 (task updated), Event 141 (task deleted), Event 200/201 (task execution started/completed).

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

BITS-Client Event Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx

Background Intelligent Transfer Service client log capturing Event 59 (transfer initiated with full URL) and Event 60 (transfer completed with byte count). Supplements the qmgr.db database with timestamped event records.

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

WMI-Activity Operational Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

WMI Activity operational log capturing Event 5861 (new permanent WMI event subscription created) and Event 5857-5860 (provider loading and query execution errors).

Tools: KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

Run / RunOnce Persistence Keys

windows
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide)

Registry Run and RunOnce keys that specify programs to execute at user logon (NTUSER.DAT) or system startup (SOFTWARE hive). RunOnce entries are deleted after execution. Both per-user and machine-wide variants exist.

Tools: KAPE, Registry Explorer (Eric Zimmerman), RegRipper (+1 more)

Image File Execution Options (IFEO)

windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>

Registry keys that allow specifying a debugger to attach to any executable at launch. Attackers abuse the Debugger value to redirect accessibility tool execution (sethc.exe, utilman.exe, narrator.exe) to backdoor commands.

Tools: KAPE, Registry Explorer (Eric Zimmerman), RegRipper (+1 more)

Startup Folder

windows
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Per-user and all-users startup folders containing shortcuts, scripts, or executables that run automatically at user logon. Items can be LNK files, batch scripts, VBS scripts, or direct executables.

Tools: KAPE, Autoruns (Sysinternals), PowerShell (+1 more)

Cron Jobs

linux
/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/<user>

Scheduled task definitions across system-wide crontab, the cron.d drop-in directory, and per-user crontabs. Each entry specifies a schedule, user context, and command to execute.

Tools: cat, find, ls -la (+2 more)

Systemd Service Files

linux
/etc/systemd/system/, /usr/lib/systemd/system/, ~/.config/systemd/user/

Systemd unit files defining services, their ExecStart commands, restart policies, dependencies, and user contexts. Custom units can be placed in /etc/systemd/system/ to override or extend defaults.

Tools: systemctl list-units, find, cat (+1 more)

SSH authorized_keys

linux
/home/<username>/.ssh/authorized_keys and /root/.ssh/authorized_keys

Per-user files listing public keys authorized for SSH key-based authentication. Each entry contains the key type, public key material, and an optional comment field.

Tools: cat, ssh-keygen -l, find (+1 more)

LD_PRELOAD & Shared Library Hijacking

linux
/etc/ld.so.preload, /etc/ld.so.conf, /etc/ld.so.conf.d/*, LD_PRELOAD environment variable

Dynamic linker configuration files controlling shared library loading order. /etc/ld.so.preload forces a library to load before all others in every dynamically-linked process. LD_PRELOAD environment variable achieves the same per-process.

Tools: cat, ldd, strings (+3 more)

at Jobs & Anacron Scheduled Tasks

linux
/var/spool/at/, /var/spool/cron/atjobs/, /etc/anacrontab, /var/spool/anacron/

One-time scheduled execution via at command (jobs stored in /var/spool/at/) and periodic task scheduling via anacron for systems that are not continuously running. at jobs execute once at a specified time and are deleted after execution.

Tools: atq, at -c, cat (+2 more)

Init Scripts & RC Local

linux
/etc/rc.local, /etc/init.d/*, /etc/rc*.d/*, /etc/local.d/ (Alpine)

Legacy System V init scripts and the rc.local file that execute commands at system boot. While systemd has largely replaced SysVinit, rc.local compatibility is maintained on many distributions and init.d scripts remain functional.

Tools: cat, find, ls -la (+3 more)

LaunchAgents (User & System)

macos
~/Library/LaunchAgents/ (per-user), /Library/LaunchAgents/ (system-wide), /System/Library/LaunchAgents/ (Apple)

Property list files defining agents that launchd loads when a user logs in. Each plist specifies the executable or script to run, arguments, environment variables, run conditions (KeepAlive, StartInterval, WatchPaths), and the label identifier. Per-user agents run in the user context; system-wide agents run for all users.

Tools: plutil, launchctl list, mac_apt (+2 more)

LaunchDaemons (System-Level Persistence)

macos
/Library/LaunchDaemons/ (third-party) and /System/Library/LaunchDaemons/ (Apple)

Property list files defining daemons that launchd loads at system boot, running as root regardless of whether a user is logged in. LaunchDaemons provide higher-privilege persistence than LaunchAgents and execute earlier in the boot process. Each plist defines the program, arguments, run conditions, and optional socket listeners.

Tools: plutil, launchctl list, mac_apt (+2 more)

Login Items & Background Task Management

macos
~/Library/Application Support/com.apple.backgroundtaskmanagementagent/ (backgrounditems.btm) and LSSharedFileList plists

macOS login items registered through the BackgroundTaskManagement framework (macOS 13+) or the legacy LSSharedFileList mechanism. These items launch automatically when a user logs in and include applications, helper tools, and scripts. The backgrounditems.btm database tracks all registered background tasks and login items in a single location.

Tools: sfltool, mac_apt, KnockKnock (Objective-See) (+2 more)

Cron Jobs & Periodic Scripts

macos
/usr/lib/cron/tabs/ (user crontabs), /etc/crontab, /etc/periodic/ (daily/weekly/monthly)

macOS supports both traditional cron job scheduling via crontab and the periodic system that runs maintenance scripts at daily, weekly, and monthly intervals via launchd. User crontabs are stored in /usr/lib/cron/tabs/ and system-wide tasks in /etc/crontab. The periodic directories contain shell scripts executed by the com.apple.periodic-* LaunchDaemons.

Tools: crontab -l, cat, find (+2 more)

Filesystem & Timeline (17)

$MFT (Master File Table)

windows
\\.\C:\$MFT

NTFS Master File Table containing a record for every file and directory on the volume, including timestamps (created, modified, accessed, entry-modified), file size, parent directory reference, and resident data for small files.

Tools: KAPE, MFTECmd (Eric Zimmerman), Autopsy (+1 more)

$UsnJrnl (USN Change Journal)

windows
\\.\C:\$Extend\$UsnJrnl:$J

NTFS Update Sequence Number journal logging every file system change including creates, deletes, renames, data overwrites, and security descriptor changes.

Tools: KAPE, MFTECmd (Eric Zimmerman), NTFS Log Tracker

USB Device History (USBSTOR / MountPoints2)

windows
SYSTEM\CurrentControlSet\Enum\USBSTOR and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Registry keys recording USB mass storage device connections. USBSTOR stores device vendor, product, serial number, and connection timestamps. MountPoints2 records user-specific drive letter mappings for mounted devices.

Tools: KAPE, Registry Explorer (Eric Zimmerman), USBDeview (NirSoft) (+1 more)

Recycle Bin ($I/$R Files)

windows
C:\$Recycle.Bin\<SID>\

Windows Recycle Bin containing $I files (metadata with original path, deletion timestamp, and file size) and $R files (actual deleted file content). Each user SID has a separate subfolder providing user attribution.

Tools: KAPE, RBCmd (Eric Zimmerman), Autopsy (+1 more)

$LogFile (NTFS Transaction Log)

windows
\\.\C:\$LogFile

NTFS transaction log recording redo and undo operations for filesystem metadata changes. Provides more granular detail than $UsnJrnl for recent operations including incomplete and rolled-back transactions.

Tools: KAPE, NTFS Log Tracker, LogFileParser (+1 more)

Volume Shadow Copies (VSS)

windows
System Volume Information (accessed via vssadmin or mklink)

Point-in-time volume snapshots created by Windows Volume Shadow Copy Service for System Restore, backup, and application use. Contains complete copies of files and registry hives as they existed at snapshot creation time.

Tools: vssadmin, vshadowinfo/vshadowmount (libvshadow), Arsenal Image Mounter (+1 more)

Zone.Identifier (Mark of the Web)

windows
<downloaded_file>:Zone.Identifier (NTFS Alternate Data Stream)

NTFS alternate data stream automatically applied to files downloaded from the internet or received via email. Contains the ZoneId (3 = Internet, 4 = Restricted), ReferrerUrl, and HostUrl identifying the download source.

Tools: KAPE, PowerShell (Get-Content -Stream Zone.Identifier), Autopsy (+1 more)

/tmp and /dev/shm Suspicious Files

linux
/tmp/, /var/tmp/, /dev/shm/

World-writable temporary directories commonly used by attackers to stage tools, write exploit payloads, and store exfiltration archives. /dev/shm is a RAM-backed tmpfs that does not persist across reboots.

Tools: find, ls -la, file (+3 more)

EXT4 Journal & Inode Timestamps

linux
Filesystem journal (internal to EXT4 partition) and inode metadata via stat/debugfs

EXT4 filesystem journal recording metadata transactions for crash recovery, and inode timestamps including crtime (creation/birth time), mtime (modification), atime (access), and ctime (metadata change) with nanosecond precision.

Tools: debugfs, stat, extundelete (+2 more)

FSEvents (Filesystem Events)

macos
/.fseventsd/ (per-volume hidden directory)

macOS filesystem event logging mechanism that records every file and directory creation, modification, deletion, and rename operation on each APFS or HFS+ volume. Events are written in compressed binary log files within the hidden /.fseventsd/ directory and include the full path, event flags, and a monotonically increasing event ID.

Tools: mac_apt, FSEventsParser, Autopsy (+2 more)

Spotlight Metadata Index

macos
/.Spotlight-V100/ (per-volume) and ~/Library/Metadata/CoreSpotlight/

macOS Spotlight search index containing rich metadata for every indexed file on the volume including file name, content type, creation and modification dates, author, file size, and for supported file types, extracted text content. The index is stored in a proprietary database format within the hidden .Spotlight-V100 directory at the root of each volume.

mac_apt, mdls, mdfind (+2 more)

APFS Snapshots (Local Time Machine Snapshots)

macos
tmutil listlocalsnapshots / (APFS snapshot metadata embedded in volume)

APFS local snapshots created automatically by Time Machine and the macOS update process. These point-in-time snapshots of the entire filesystem volume are space-efficient copy-on-write snapshots that capture the complete state of every file at creation time. Snapshots can be listed with tmutil and mounted for browsing.

tmutil, diskutil, mac_apt (+2 more)

Time Machine Backup Metadata

macos
/Volumes/.timemachine/ and backup store on external/network volume (Backups.backupdb/)

Time Machine backup metadata and backup store containing incremental snapshots of the entire filesystem taken at hourly, daily, and weekly intervals. The backup store uses hard links for unchanged files and contains full copies of modified files, preserving historical versions of every file on the system.

tmutil, mac_apt, Autopsy (+2 more)

Filesystem Event Log (.fseventsd)

ios
/.fseventsd/ (root volume)

Binary log files recording filesystem events on the iOS APFS volume, similar to the macOS FSEvents mechanism. Records file and directory creation, modification, deletion, and rename operations with the full path and event flags. Events are written in compressed binary format within the hidden .fseventsd directory at the volume root.

iLEAPP, FSEventsParser, Cellebrite UFED (+1 more)

Application Crash Reports

ios
private/var/mobile/Library/Logs/CrashReporter/

Directory containing .ips (JSON) and .crash (plain text) crash report files generated when applications or system processes crash. Each report includes the process name, bundle identifier, exception type, faulting thread backtrace, loaded binary images with UUIDs, and the device state at the time of the crash including memory usage and thermal state.

iLEAPP, Cellebrite UFED, Magnet AXIOM (+1 more)

System Log Buffers (Logcat)

android
/data/log/ (vendor-specific), /data/logd/ or accessible via ADB logcat command

Circular log buffers maintained by the Android logging daemon (logd) capturing system events, application debug messages, kernel messages, radio/telephony events, and crash reports. The main, system, events, radio, and crash buffers each capture different categories of log messages with timestamps, process IDs, log level (verbose, debug, info, warn, error), tag names, and message content.

ADB, ALEAPP, Magnet AXIOM (+2 more)

Bug Report Archive (dumpstate)

android
/data/user_de/0/com.android.shell/files/bugreports/

Compressed archive file generated by the Android dumpstate service (triggered via developer options or ADB bugreport command) containing a comprehensive snapshot of the device state. The archive includes system properties, running processes, memory usage, battery statistics, network configuration, installed packages, logcat output, kernel messages, dumpsys output for all system services, and ANR (Application Not Responding) traces.

ADB, ALEAPP, Magnet AXIOM (+2 more)

User Activity (29)

NTUSER.DAT

windows
C:\Users\<username>\NTUSER.DAT

Per-user registry hive containing user-specific settings including recently opened files (RecentDocs), typed URLs, Run/RunOnce persistence keys, UserAssist encoded program execution records, and shell bags.

KAPE, RegRipper, Registry Explorer (Eric Zimmerman) (+1 more)

Browser History & Downloads

windows
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History

SQLite databases for Chrome, Edge, and Firefox storing visited URLs with timestamps, download records with source URL and target path, search queries, and form autofill data.

KAPE, Hindsight (Chrome), BrowsingHistoryView (NirSoft) (+1 more)

Jump Lists

windows
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

Application-specific Jump List files (.automaticDestinations-ms) recording recently and frequently accessed files per application, with timestamps and full file paths including network shares.

KAPE, JLECmd (Eric Zimmerman), JumpList Explorer

UsrClass.dat / ShellBags

windows
C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Per-user registry hive containing ShellBag entries that record folder view preferences for every folder a user browsed in Windows Explorer, including network shares, ZIP archives, removable media, and deleted folders.

KAPE, ShellBags Explorer (Eric Zimmerman), Registry Explorer (Eric Zimmerman) (+1 more)

Terminal Server Client Registry (RDP History)

windows
NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers and NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default

Per-user registry keys recording the hostname or IP address of every RDP server the user connected to from this machine, along with the username hint used for each connection.

KAPE, Registry Explorer (Eric Zimmerman), RegRipper (+1 more)

LNK Files (Windows Shortcut Files)

windows
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and C:\Users\<username>\Desktop\

Windows shortcut files (.lnk) created automatically when a user opens a file or manually for desktop shortcuts. Each LNK file contains rich metadata including target path, MAC timestamps, volume serial number, volume name, machine MAC address, and network share path.

KAPE, LECmd (Eric Zimmerman), LNK Parser (+1 more)

Thumbcache Database

windows
C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

Per-user thumbnail cache databases storing preview images of files that were displayed in Windows Explorer. Multiple databases exist for different thumbnail sizes (32, 96, 256, 1024, etc.).

KAPE, Thumbcache Viewer, Thumbs Viewer (+1 more)

RDP Persistent Bitmap Cache

windows
C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache*.bmc and cache*.bin

Cached 64x64 pixel bitmap tiles from Remote Desktop Protocol sessions stored locally on the RDP client machine. These tiles represent fragments of the remote desktop display that can be reconstructed into partial screenshots.

bmc-tools, RDP Bitmap Cache Parser, KAPE (+1 more)

ActivitiesCache.db (Windows Timeline)

windows
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<folder>\ActivitiesCache.db

SQLite database powering Windows Timeline (Win10 1803+) tracking application usage, file access with full paths, URLs visited, and clipboard content history with base64-encoded payloads retained for approximately 12 hours.

KAPE, WxTCmd (Eric Zimmerman), DB Browser for SQLite (+1 more)

Windows Search Index Database

windows
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (Win10) or C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db (Win11)

Windows Search indexing database containing metadata and partial content of indexed files, emails, and browser history. The ESE database (Windows.edb) or SQLite database (Windows.db) contains file properties, text excerpts, and path information.

KAPE, SIDBParser, ESEDatabaseView (NirSoft) (+2 more)

Microsoft Teams Audit Logs

m365-azure
Microsoft Purview > Audit (filter by MicrosoftTeams workload) or Search-UnifiedAuditLog -RecordType MicrosoftTeams

Teams-specific audit events capturing channel creation/deletion, membership changes, meeting recordings, file sharing in Teams, guest user additions, app installations, and messaging policy changes.

Microsoft Purview, PowerShell (Search-UnifiedAuditLog), Microsoft Graph API (+1 more)

SSH known_hosts & Client Config

linux
/home/<username>/.ssh/known_hosts, /home/<username>/.ssh/config, /etc/ssh/ssh_config

SSH client-side artifacts including known_hosts (recording host keys of every SSH server the user connected to), client config files (defining connection aliases, proxy commands, and identity files), and potentially SSH agent socket paths.

cat, ssh-keygen -lF, grep (+1 more)

Desktop Trash & Recently Used Files

linux
/home/<username>/.local/share/Trash/ and /home/<username>/.local/share/recently-used.xbel

FreeDesktop trash directory containing deleted files (files/) and their metadata (info/ with .trashinfo files recording original path and deletion timestamp). recently-used.xbel is an XML file tracking recently accessed files with timestamps and MIME types.

cat, find, grep (+2 more)

KnowledgeC.db (User Activity Database)

macos
~/Library/Application Support/Knowledge/knowledgeC.db and /var/db/CoreDuet/Knowledge/knowledgeC.db

Core Duet SQLite database tracking detailed user activity including application usage with focus duration, device lock/unlock events, Safari browsing activity, media playback, Siri interactions, and battery state. Each event includes precise start and end timestamps and is attributed to specific bundle identifiers.

DB Browser for SQLite, mac_apt, APOLLO (mac4n6) (+2 more)

QuarantineEventsV2 (Downloaded Files Database)

macos
~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

SQLite database maintained by the macOS quarantine system that records every file downloaded through quarantine-aware applications including Safari, Chrome, Mail, AirDrop, and curl. Each entry contains the download URL, source application bundle ID, download timestamp, and the quarantine agent name.

DB Browser for SQLite, mac_apt, Crowdstrike UAC (+2 more)

Safari History, Downloads & Extensions

macos
~/Library/Safari/ (History.db, Downloads.plist, Extensions/)

Safari browser artifacts including the History.db SQLite database tracking visited URLs with timestamps, Downloads.plist recording downloaded files with source URLs and destination paths, cached web content, and installed browser extensions with their permissions and code.

DB Browser for SQLite, mac_apt, Hindsight (+2 more)

Notification Center Database

macos
~/Library/Group Containers/group.com.apple.usernoted/ (db2/)

SQLite database storing all user notifications delivered by macOS Notification Center. Contains the notification title, subtitle, body text, delivering application bundle identifier, delivery timestamp, and whether the user interacted with the notification.

DB Browser for SQLite, mac_apt, APOLLO (mac4n6) (+1 more)

Recent Items & Shared File Lists

macos
~/Library/Application Support/com.apple.sharedfilelist/ (various .sfl2 files)

Property list files tracking recently accessed applications, documents, servers, and volumes through the macOS Shared File List mechanism. SFL2 files are serialized binary plists containing bookmark data for recently used items across Finder and applications, including network volumes and remote servers.

plutil, mac_apt, Crowdstrike UAC (+2 more)

Dock Plist (Application Arrangement)

macos
~/Library/Preferences/com.apple.dock.plist

Per-user property list storing the Dock configuration including pinned applications, recent applications, minimized windows, persistent and recent document stacks, and the arrangement order. Each entry contains a file-data bookmark referencing the application or file path.

plutil, defaults read, mac_apt (+1 more)

Knowledge Store (knowledgeC.db)

ios
private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db

CoreDuet SQLite database that serves as the central knowledge store for iOS, recording a wide range of user activity events including app usage with foreground/background state, device lock/unlock events, media playback, Safari browsing, device plug-in state, and Siri interactions. Each event record contains start and end timestamps, the source bundle ID, and structured metadata specific to the event type.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Biome Activity Streams (segb files)

ios
private/var/mobile/Library/Biome/streams/

Binary segmented protobuf files that replaced portions of the knowledgeC.db system starting in iOS 16. Biome streams record granular user activity data across multiple stream types including app intents, app usage, device backlight state, media playback, location activity, Safari browsing, and notification interactions. Each stream is stored as a separate segb file with protobuf-encoded event records.

iLEAPP, APOLLO, Cellebrite UFED (+1 more)

Photos Metadata Database (Photos.sqlite)

ios
PhotoDomain/Media/PhotoData/Photos.sqlite

SQLite database containing metadata for all photos and videos in the device photo library. Stores EXIF data including GPS coordinates, camera settings, creation and modification timestamps, face recognition data, scene classification labels, and iCloud Photos sync status. The ZASSET table contains one record per media item with extensive metadata columns.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Notes Database (NoteStore.sqlite)

ios
private/var/mobile/Library/Notes/NoteStore.sqlite

SQLite database storing all Apple Notes content including note text (in compressed protobuf format), creation and modification timestamps, folder organization, checklist items, embedded images and attachments, and iCloud sync status. Locked notes are encrypted with a separate key derived from the user passcode or password.

iLEAPP, Cellebrite UFED, Magnet AXIOM (+2 more)

Calendar Events Database (Calendar.sqlitedb)

ios
HomeDomain/Library/Calendar/Calendar.sqlitedb

SQLite database containing all calendar events, reminders, and associated metadata. Each event record includes the title, start and end times, location, attendees, recurrence rules, alert settings, and the calendar account source (local, iCloud, Exchange, Google). The CalendarItem table stores event details while related tables track attendees and alarms.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

App Usage Statistics (UsageStats)

android
/data/system/usagestats/0/ (XML files organized by daily/weekly/monthly/yearly)

XML-based usage statistics collected by the Android UsageStatsManager service, recording application usage events including foreground activity changes, configuration changes, and interactive state transitions. Data is organized into daily, weekly, monthly, and yearly rollup files, each containing package names with first and last timestamps and total time in foreground.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Recent Tasks & App Snapshots

android
/data/system_ce/0/recent_tasks/ and /data/system_ce/0/snapshots/

XML task description files and JPEG screenshot snapshots stored by the Android ActivityManager for the recent apps switcher. Each task file contains the package name, root activity component, creation timestamp, last active timestamp, and user ID. Associated snapshot images capture the visual state of the application at the time it was backgrounded.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Media Store & Thumbnails

android
/data/media/0/DCIM/, /data/media/0/.thumbnails/, and /data/data/com.android.providers.media/databases/external.db

The Android MediaStore content provider database (external.db) indexes all media files on the device including photos, videos, and audio recordings. DCIM contains camera-captured images and videos. The .thumbnails directory stores automatically generated preview images for gallery display. The database records file paths, EXIF metadata, dimensions, duration, date taken, date added, and bucket (folder) associations.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Download Manager Database (downloads.db)

android
/data/data/com.android.providers.downloads/databases/downloads.db

SQLite database maintained by the Android DownloadManager system service, recording all file downloads initiated through the system download framework. Each record contains the source URL, destination file path, MIME type, file size, download status, last modification timestamp, requesting application package name, and any notification metadata.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Google App Activity (reflection_gel_events.db)

android
/data/data/com.google.android.googlequicksearchbox/databases/reflection_gel_events.db

SQLite database used by the Google Search app (Google Quick Search Box) to store user activity events for the Google Now feed and Discover features. Contains protobuf-encoded event records capturing app usage events, Google Search queries, Google Assistant interactions, web page visits, and contextual suggestions presented to the user.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

System Configuration (26)

SYSTEM Registry Hive

windows
C:\Windows\System32\config\SYSTEM

SYSTEM hive storing hardware configuration, service entries, network interface settings, mounted devices, and the boot key needed to decrypt SAM hashes.

KAPE, RegRipper, Registry Explorer (Eric Zimmerman)

SOFTWARE Registry Hive

windows
C:\Windows\System32\config\SOFTWARE

Machine-wide SOFTWARE hive recording installed applications, OS version, network profiles, Windows Defender exclusions, and Group Policy settings.

KAPE, RegRipper, Registry Explorer (Eric Zimmerman)

Windows Firewall Connection Log

windows
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx and C:\Windows\System32\LogFiles\Firewall\pfirewall.log

Windows Firewall event log capturing Events 5156/5157 (allowed/blocked connections) with process ID, application path, source/destination IP and port. Also includes pfirewall.log text file when logging is enabled.

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer (+1 more)

Microsoft Intune Compliance & Device Logs

m365-azure
Microsoft Intune Admin Center > Devices > Monitor (or Microsoft Graph API /deviceManagement)

Intune device management logs capturing device compliance state, configuration profile deployment results, app installation status, device enrollment events, remote action execution (wipe, lock, retire), and discovered application inventory.

Microsoft Intune Admin Center, Microsoft Graph API, PowerShell (Microsoft.Graph.Intune) (+1 more)

syslog / messages

linux
/var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL/CentOS)

General-purpose system log aggregating kernel messages, service start/stop events, application logs, hardware events, and daemon output via rsyslog or systemd-journald.

grep, journalctl, less (+1 more)

Kernel Log (kern.log)

linux
/var/log/kern.log (Debian/Ubuntu) or kernel messages in /var/log/messages (RHEL/CentOS)

Kernel ring buffer messages logged to disk capturing hardware events, kernel module loading/unloading, memory errors, device attachment, and security subsystem messages from SELinux/AppArmor.

grep, journalctl -k, dmesg (+1 more)

Package Manager Logs (dpkg/apt/yum)

linux
/var/log/dpkg.log, /var/log/apt/history.log (Debian/Ubuntu) or /var/log/yum.log, /var/log/dnf.log (RHEL/CentOS)

Package management system logs recording all software installation, removal, and upgrade operations with timestamps, package names, versions, and the action performed.

grep, cat, dpkg --get-selections (+2 more)

Daemon Log (daemon.log)

linux
/var/log/daemon.log (Debian/Ubuntu) or filtered from /var/log/messages (RHEL/CentOS)

Log file capturing messages from system daemons and background services including cron execution, DHCP client events, network daemon messages, and miscellaneous service output not routed to dedicated log files.

grep, journalctl, less (+1 more)

SELinux / AppArmor Security Logs

linux
/var/log/audit/audit.log (SELinux AVC messages) or /var/log/kern.log, /var/log/syslog (AppArmor messages)

Mandatory Access Control (MAC) framework logs from SELinux (AVC denial messages in audit.log) or AppArmor (DENIED messages in kern.log/syslog). Record policy violations where processes attempted operations beyond their confined permissions.

ausearch -m AVC, sealert, aa-status (+2 more)

Systemd Journal (Persistent Binary Logs)

linux
/var/log/journal/<machine-id>/*.journal

Systemd binary journal files aggregating log output from all systemd services, kernel messages, and stdout/stderr of managed processes. Supports structured fields, forward-secure sealing (FSS), and indexed querying via journalctl.

journalctl, systemd-journal-remote, journal-brief (+1 more)

Local Firewall Rules (iptables/nftables)

linux
/etc/iptables/rules.v4, /etc/sysconfig/iptables, /etc/nftables.conf, or runtime via iptables-save/nft list ruleset

Host-based firewall rulesets defining allowed and blocked network traffic. iptables (legacy) and nftables (modern replacement) rules control inbound and outbound connections, NAT, and packet manipulation at the kernel level.

iptables-save, iptables -L -n -v, nft list ruleset (+2 more)

NTP Server & Time Synchronization Logs

network
NTP server logs (/var/log/ntpd.log, chronyd logs, Windows W32Time event logs)

Network Time Protocol server and client logs recording time synchronization events, stratum changes, peer status, clock drift corrections, and authentication failures between NTP clients and servers.

ntpq, chronyc, journalctl (+2 more)

Network Device SNMP Traps & Syslog

network
Central syslog server (rsyslog, syslog-ng) or SNMP trap receiver (Nagios, PRTG, LibreNMS)

Network device management messages sent via syslog (configuration changes, interface state changes, authentication events) and SNMP traps (threshold alerts, hardware failures, environmental warnings) from routers, switches, and appliances.

SIEM (Splunk, Elastic), Graylog, syslog-ng (+2 more)

Unified Logging System (log show)

macos
/var/db/diagnostics/ and /var/db/uuidtext/ (tracev3 files)

macOS Unified Logging system introduced in macOS 10.12 Sierra, replacing the legacy ASL and syslog systems. Captures log messages from the kernel, system services, and applications in compressed tracev3 binary format. Queried using the log show and log stream commands with predicate-based filtering by subsystem, category, process, and log level.

log (macOS CLI), mac_apt, UnifiedLogReader (+2 more)

TCC.db (Transparency, Consent, and Control)

macos
/Library/Application Support/com.apple.TCC/TCC.db (system-wide) and ~/Library/Application Support/com.apple.TCC/TCC.db (per-user)

SQLite database controlling macOS privacy permissions including Full Disk Access, Screen Recording, Accessibility, Camera, Microphone, and Automation access. Each record contains the requesting application bundle ID, the service being accessed, the authorization decision, and a timestamp of when access was granted or denied.

DB Browser for SQLite, mac_apt, tccutil (+2 more)

system.log (Legacy System Log)

macos
/var/log/system.log (and rotated /var/log/system.log.*.gz)

Legacy text-based system log still generated on macOS alongside the Unified Logging system. Captures a subset of system daemon messages, kernel events, and application output in a familiar syslog format with timestamps, process names, and PIDs.

grep, less, log2timeline (Plaso) (+1 more)

Gatekeeper & XProtect (System Security Policy)

macos
/var/db/SystemPolicyConfiguration/ (SystemPolicy database), /Library/Apple/System/Library/CoreServices/XProtect.bundle/, and /var/db/com.apple.xprotect/

Gatekeeper enforces code signing and notarization requirements for launched applications, recording assessments in the SystemPolicy SQLite database. XProtect provides signature-based malware detection using YARA rules that are automatically updated by Apple. XProtect Remediator actively scans for and removes known malware families.

DB Browser for SQLite, spctl, mac_apt (+2 more)

MRT & XProtect Remediator Logs

macos
/var/log/DiagnosticMessages/ and Unified Log entries (subsystem: com.apple.xprotect, com.apple.MRT)

Malware Removal Tool (MRT) and XProtect Remediator are Apple built-in malware scanning and removal tools. MRT runs periodically and after signature updates to scan for known malware families. XProtect Remediator performs regular background scans targeting specific malware threats with individual scan modules for each malware family.

log (macOS CLI), mac_apt, UnifiedLogReader (+1 more)

Installed App State (applicationState.db)

ios
HomeDomain/Library/FrontBoard/applicationState.db

SQLite database maintained by SpringBoard recording the state of all installed applications on the device. Contains application bundle identifiers, display names, installation status, badge counts, snapshot timestamps, and compatibility information. The application_identifier_tab table maps numeric keys to bundle IDs used across other system databases.

iLEAPP, Cellebrite UFED, Magnet AXIOM (+1 more)

Battery & Power Usage Log (CurrentPowerlog.PLSQL)

ios
private/var/containers/Shared/SystemGroup/.../Library/BatteryLife/CurrentPowerlog.PLSQL

SQLite database maintained by the batterystats daemon logging detailed power consumption data per application and system component. Records app usage durations, screen-on time, CPU usage per process, network data transfer volumes, GPS usage, audio playback, and camera usage, all timestamped at regular intervals. The database contains multiple tables organized by power consumer type.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Wi-Fi Network Preferences (com.apple.wifi.plist)

ios
SystemPreferencesDomain/SystemConfiguration/com.apple.wifi.plist

Property list file containing Wi-Fi configuration preferences including auto-join settings, hotspot configuration, network service ordering, and historical connection metadata. This file works in conjunction with the known-networks plist to manage wireless network behavior and stores additional connection preference data not present in the known-networks database.

iLEAPP, Cellebrite UFED, plist Editor (+1 more)

Cellular Carrier Info (carrier.plist)

ios
WirelessDomain/Library/Preferences/carrier.plist

Property list file containing cellular carrier configuration information including the carrier name, MCC (Mobile Country Code), MNC (Mobile Network Code), carrier bundle version, SIM ICCID, and supported network features. On dual-SIM devices, separate carrier configurations exist for each SIM slot.

iLEAPP, Cellebrite UFED, plist Editor (+1 more)

Installed Packages Registry (packages.xml)

android
/data/system/packages.xml

XML file maintained by the Android PackageManager that serves as the authoritative registry of all installed applications. Each package entry contains the application name, version code, version name, installation timestamp (ft and lt attributes in hex epoch), installer package name, requested permissions, granted permissions, signing certificate hash, shared user ID, and data directory path.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

System Settings Database

android
/data/data/com.android.providers.settings/databases/settings.db and /data/system/users/0/settings_secure.xml

SQLite database and XML files storing Android system settings across three namespaces: system (user-facing settings like screen brightness and volume), secure (security-related settings like lock screen timeout, accessibility services, and device admin components), and global (device-wide settings like ADB debugging, install from unknown sources, and airplane mode).

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Registered Accounts Database (accounts_ce.db)

android
/data/system_ce/0/accounts_ce.db

SQLite database maintained by the Android AccountManager service, storing all user accounts registered on the device. Each entry includes the account name (typically an email address or username), account type (Google, Samsung, Exchange, WhatsApp, etc.), and associated authentication tokens. The database is credential-encrypted (CE) and requires the device to be unlocked for access.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Device Attestation Data (frosting.db)

android
/data/data/com.google.android.gms/databases/frosting.db

SQLite database within Google Play Services that stores device integrity attestation records and SafetyNet/Play Integrity API response data. Contains cached attestation results including device model, build fingerprint, CTS profile match status, basic integrity verdict, and timestamps of attestation checks performed by applications.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+1 more)

Memory & Live State (8)

Full Memory Dump

windows
Acquired via live capture (RAM)

Complete physical memory image of the running system capturing all active processes, kernel structures, network connections, loaded DLLs, injected code, and decrypted data.

Volatility 3, Rekall, WinPmem (+2 more)

Pagefile.sys & Hiberfil.sys (Virtual Memory)

windows
C:\pagefile.sys and C:\hiberfil.sys

Pagefile.sys contains memory pages swapped to disk by the Windows memory manager. Hiberfil.sys contains a compressed copy of all physical memory written during hibernation or Fast Startup shutdown, effectively serving as a full memory snapshot.

Volatility 3, strings, bulk_extractor (+2 more)

/proc Filesystem (Live Process Data)

linux
/proc/<pid>/ (cmdline, exe, fd/, maps, environ, net/)

Virtual filesystem exposing live kernel and process state including command-line arguments, executable path symlink, open file descriptors, memory maps, environment variables, and network connection tables.

cat, ls -la, lsof (+2 more)

Active Network Connections & Listening Ports

linux
/proc/net/tcp, /proc/net/tcp6, /proc/net/udp (or ss/netstat output)

Live network socket state from the kernel including all established TCP connections, listening ports, UDP sockets, and UNIX domain sockets with owning process information.

ss, netstat, lsof -i (+1 more)

Linux Memory Dump (RAM Capture)

linux
Acquired via LiME, /dev/mem, /dev/fmem, or /proc/kcore

Complete physical memory capture of a running Linux system including all process memory, kernel structures, network connection state, loaded kernel modules, and filesystem cache contents.

LiME (Linux Memory Extractor), Volatility 3, Rekall (+1 more)

Kernel Modules & dmesg Buffer

linux
/lib/modules/$(uname -r)/, /proc/modules, /var/log/dmesg, dmesg command output

Loaded kernel module listing from /proc/modules or lsmod, kernel module files on disk, and the kernel ring buffer (dmesg) recording module load/unload events, hardware events, and kernel messages since last boot.

lsmod, modinfo, dmesg (+3 more)

Process Core Dumps

linux
/var/lib/systemd/coredump/, /var/crash/, or core pattern path from /proc/sys/kernel/core_pattern

Process memory dumps written when a process crashes due to a signal (SIGSEGV, SIGABRT). Contains the complete process address space at crash time including stack, heap, mapped libraries, and register state.

gdb, coredumpctl, strings (+2 more)

macOS Memory Dump (RAM Capture)

macos
Acquired via osxpmem, MacQuisition, or RECON ITR (live capture from RAM)

Complete physical memory capture of a running macOS system including all active process address spaces, kernel structures, Mach port tables, network connection state, loaded kernel extensions (kexts), and cached filesystem data. macOS memory acquisition requires bypassing SIP or using specialized tools that work within SIP constraints.

osxpmem, Volatility 3, MacQuisition (BlackBag) (+2 more)

Email Security (4)

Mailbox Audit Logs

m365-azure
Exchange Admin Center or Search-MailboxAuditLog cmdlet

Per-mailbox audit records capturing owner, delegate, and admin actions on mailbox items including MessageBind (read), SendAs, SendOnBehalf, MoveToDeletedItems, SoftDelete, HardDelete, and UpdateInboxRules.

PowerShell (ExchangeOnlineManagement), Microsoft Purview, Hawk

Message Trace Logs

m365-azure
Exchange Admin Center > Mail flow > Message trace (or Get-MessageTrace cmdlet)

Email transport logs recording sender, recipient, subject, message ID, delivery status, and connector details for all messages processed by Exchange Online in the last 90 days.

Exchange Admin Center, PowerShell (Get-MessageTrace), PowerShell (Get-MessageTraceDetail)

Inbox Rules Audit (Mailbox Forwarding)

m365-azure
Unified Audit Log (Operations: New-InboxRule, Set-InboxRule, UpdateInboxRules)

Audit events specifically tracking creation and modification of Exchange Online inbox rules, including server-side forwarding (Set-Mailbox -ForwardingSmtpAddress) and client-side rules that move, delete, or redirect messages.

PowerShell (Get-InboxRule), PowerShell (ExchangeOnlineManagement), Hawk (+1 more)

Email Security Gateway Logs

network
Email gateway console (Proofpoint, Mimecast, Barracuda, Cisco IronPort/ESA) or syslog output

Email security appliance logs recording message routing decisions, spam/phishing verdicts, malware sandbox analysis results, URL click tracking, DMARC/DKIM/SPF authentication results, and DLP policy matches for all inbound and outbound email.

Gateway Admin Console, SIEM (Splunk, Elastic), PowerShell (+1 more)

Identity & Directory (5)

Unified Audit Log (UAL)

m365-azure
Microsoft Purview > Audit > Search (or Search-UnifiedAuditLog cmdlet)

Centralized audit log aggregating events across Exchange Online, SharePoint, OneDrive, Teams, Azure AD, Power Platform, and other M365 services. Records user and admin activity with timestamps, IP addresses, user agents, and operation details.

Microsoft Purview Compliance Portal, PowerShell (Search-UnifiedAuditLog), Hawk (+1 more)

Azure AD (Entra ID) Audit Logs

m365-azure
Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)

Directory change logs recording modifications to users, groups, roles, applications, policies, and service principals including the initiating actor, target resource, and changed properties.

Azure Portal, Microsoft Graph API, PowerShell (AzureAD module) (+1 more)

Microsoft Defender for Cloud Apps (MDA)

m365-azure
Microsoft Defender Portal > Cloud Apps > Activity Log (or API)

Cloud Access Security Broker (CASB) logging OAuth app activity, shadow IT discovery via cloud app usage, impossible travel alerts, mass download detections, suspicious inbox manipulation, and governance actions across connected cloud services.

Microsoft Defender Portal, PowerShell, Microsoft Graph API (+1 more)

Microsoft Sentinel Analytics & Incidents

m365-azure
Azure Portal > Microsoft Sentinel > Incidents, Analytics rules, Hunting queries

SIEM platform aggregating logs from all Microsoft and third-party sources with built-in analytics rules generating security incidents, entity mapping to users/hosts/IPs, investigation graphs, and automated response playbooks.

Azure Portal (Sentinel), KQL (Kusto Query Language), Microsoft Graph Security API (+1 more)

Service Principal & App Registration Activity

m365-azure
Azure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)

Audit trail for service principal and application registration changes including new app registrations, secret/certificate additions, API permission grants, redirect URI changes, and owner modifications.

Azure Portal, Microsoft Graph API, PowerShell (AzureAD module) (+2 more)

Cloud Infrastructure (3)

Data Access & Storage (4)

SharePoint & OneDrive Audit Events

m365-azure
Microsoft Purview > Audit (filter by SharePoint/OneDrive workload)

File-level audit events for SharePoint Online and OneDrive for Business including FileAccessed, FileDownloaded, FileUploaded, FileDeleted, SharingSet, SharingInvitationCreated, and AnonymousLinkCreated.

Microsoft Purview, PowerShell (Search-UnifiedAuditLog -RecordType SharePointFileOperation), Hawk

eDiscovery Content Search Results

m365-azure
Microsoft Purview > eDiscovery > Content search

Preserved and exported search results from Microsoft Purview eDiscovery spanning Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations, enabling keyword-based or date-range-based evidence collection.

Microsoft Purview Compliance Portal, eDiscovery Manager role, Microsoft Graph API (Compliance)

Azure Storage Analytics & Diagnostic Logs

m365-azure
Azure Portal > Storage Account > Diagnostic settings (or $logs container for classic analytics)

Storage account access logs recording every read, write, delete, and list operation on blobs, files, tables, and queues with authenticated identity, source IP, request URL, and response status.

Azure Portal, Log Analytics (KQL), Azure CLI (az storage logging) (+1 more)

Microsoft Purview DLP & Insider Risk Logs

m365-azure
Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases

Data Loss Prevention policy match logs recording when sensitive data types (SSN, credit cards, health records, custom patterns) are detected in emails, files, Teams messages, or endpoint activities. Insider Risk Management correlates multiple signals into risk scores and cases.

Microsoft Purview Compliance Portal, PowerShell, Microsoft Graph API (+1 more)

Network Traffic (14)

Azure NSG Flow Logs (Network Watcher)

m365-azure
Azure Portal > Network Watcher > NSG Flow Logs (stored in Storage Account as JSON)

Network Security Group flow logs recording allowed and denied network flows through Azure NSGs. Version 2 logs include byte counts, packet counts, and flow state (begin/continue/end) in addition to the 5-tuple connection data.

Azure Portal, Log Analytics (KQL), Traffic Analytics (+1 more)

PCAP Full Packet Captures

network
Network TAP/SPAN port capture storage or endpoint capture files (*.pcap, *.pcapng)

Full packet capture files containing complete network traffic including headers and payloads for every packet traversing the monitored network segment.

Wireshark, tshark, tcpdump (+2 more)

NetFlow / sFlow / IPFIX Records

network
NetFlow collector (e.g., nfdump files, SiLK repository, or SIEM ingestion)

Network flow metadata records summarizing each connection with source/destination IP, ports, protocol, byte count, packet count, TCP flags, and duration without full payload content.

nfdump, SiLK (rwfilter/rwstats), Arkime (+2 more)

Zeek (Bro) Connection & Protocol Logs

network
Zeek log directory (typically /opt/zeek/logs/ or /nsm/zeek/logs/)

Structured network metadata logs generated by Zeek including conn.log (connection summaries), http.log (HTTP transactions), dns.log (DNS queries), ssl.log (TLS handshakes), files.log (file transfers with hashes), and x509.log (certificate details).

Zeek, zeek-cut, RITA (+2 more)

Load Balancer Access Logs

network
Load balancer logs (F5 BIG-IP, AWS ALB/NLB, Azure Application Gateway, HAProxy, Nginx)

Layer 4/7 load balancer logs recording client IP, request URL, backend server selected, response time, HTTP status code, TLS version, and health check results. Includes X-Forwarded-For headers preserving original client IPs.

SIEM (Splunk, Elastic), F5 iRules/BIG-IQ, AWS CloudWatch (+2 more)

BGP Route Announcement Logs

network
BGP route collectors (RIPE RIS, RouteViews, BGPStream) or edge router BGP logs

Border Gateway Protocol route announcement and withdrawal logs recording prefix announcements, AS path changes, origin AS modifications, and route flapping events from BGP speakers and public route collector projects.

BGPStream, RIPE RIS, RouteViews (+2 more)

ARP Tables & MAC Address Tables

network
Network switch CAM/MAC tables (show mac address-table) and endpoint ARP caches (arp -a, ip neigh)

Layer 2 address resolution data mapping IP addresses to MAC addresses (ARP tables) and MAC addresses to physical switch ports (CAM/MAC address tables). Provides physical network topology mapping at the data-link layer.

show mac address-table (Cisco), arp -a, ip neigh (+2 more)

Network Preferences & Configuration

macos
/Library/Preferences/SystemConfiguration/ (preferences.plist, NetworkInterfaces.plist, com.apple.airport.preferences.plist)

System-level network configuration plists containing active network interface settings, DNS configuration, proxy settings, VPN profiles, and Wi-Fi connection history. The airport preferences plist records every Wi-Fi network the system has connected to with timestamps and security type.

plutil, defaults read, mac_apt (+2 more)

Wi-Fi & Airport Connection Logs

macos
/var/log/wifi.log (legacy) and Unified Log (subsystem: com.apple.wifi)

Wi-Fi subsystem logs capturing wireless network association and disassociation events, SSID and BSSID information, signal strength, authentication type, and connection state changes. On modern macOS versions, Wi-Fi events are primarily recorded in the Unified Log under the com.apple.wifi subsystem, while legacy systems used the /var/log/wifi.log text file.

log (macOS CLI), mac_apt, grep (+1 more)

AirDrop & Bluetooth Connection Logs

macos
Unified Log (subsystem: com.apple.bluetooth, com.apple.sharing) and /var/log/bluetoothd* (legacy)

Bluetooth daemon and AirDrop subsystem logs capturing device pairing events, connection history, file transfer activity, and nearby device discovery. AirDrop sharing events are logged under the com.apple.sharing subsystem in the Unified Log. Bluetooth device connections record the device name, MAC address, and connection timestamps.

log (macOS CLI), mac_apt, system_profiler SPBluetoothDataType (+1 more)

Network Data Usage Per App (DataUsage.sqlite)

ios
private/var/wireless/Library/Databases/DataUsage.sqlite

SQLite database tracking cellular and Wi-Fi data usage on a per-application basis. The ZPROCESS table maps process names and bundle identifiers to usage records, while the ZLIVEUSAGE table contains timestamped data transfer measurements including bytes sent (ZWIFIBYTESSENT, ZWWANBYTESSENT) and bytes received for both Wi-Fi and cellular connections.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Network Usage Statistics (netusage.sqlite)

ios
private/var/networkd/netusage.sqlite

SQLite database maintained by the networkd daemon tracking network route and interface usage statistics. Records data transfer volumes per network route, connection timestamps, network interface types (Wi-Fi, cellular, VPN), and associated process identifiers. Provides lower-level network usage tracking than DataUsage.sqlite with route-specific detail.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Wi-Fi Network Configuration (WifiConfigStore.xml)

android
/data/misc/apexdata/com.android.wifi/WifiConfigStore.xml or /data/misc/wifi/WifiConfigStore.xml

XML file containing all saved Wi-Fi network configurations on the device. Each network entry includes the SSID, BSSID (if pinned), security type (WPA2, WPA3, OWE, Open), pre-shared key (in plaintext on older Android versions), priority, hidden network flag, static IP configuration, proxy settings, MAC randomization preference, and creation/update timestamps.

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Bluetooth Paired Devices (bt_config.conf)

android
/data/misc/bluedroid/bt_config.conf and /data/misc/bluetooth/bt_config.conf

Configuration file storing Bluetooth adapter settings and a record of all paired devices. Each paired device entry includes the device Bluetooth MAC address, device name, device class (indicating device type such as phone, headset, computer, or car), pairing timestamp, link key, and supported Bluetooth profiles (A2DP, HFP, HID, etc.).

ALEAPP, Magnet AXIOM, Cellebrite UFED (+2 more)

Perimeter Security (6)

Firewall Logs (Allow/Deny)

network
Firewall management console or syslog server (vendor-specific: Palo Alto, Fortinet, pfSense, iptables)

Perimeter and internal firewall logs recording every permitted and denied connection attempt with source/destination IP, port, protocol, rule name, action, and byte count.

SIEM (Splunk, Elastic), Vendor management console, grep (+1 more)

Proxy / Web Filter Logs

network
Web proxy appliance logs (Zscaler, Squid, Blue Coat/Symantec, McAfee Web Gateway)

HTTP/HTTPS proxy logs recording the full URL requested, HTTP method, response code, content type, bytes transferred, user identity (if authenticated), user agent string, and category classification.

SIEM (Splunk, Elastic), Proxy management console, grep (+1 more)

IDS/IPS Alerts (Snort/Suricata)

network
IDS/IPS alert logs (Snort alert files, Suricata eve.json, SIEM-ingested alerts)

Signature-based and anomaly-based intrusion detection alerts with rule SID, severity, source/destination IP and port, protocol, alert message, and reference to the triggering packet.

Suricata, Snort, SIEM (Splunk, Elastic) (+2 more)

DHCP Lease Logs

network
DHCP server logs (Windows DHCP Server, ISC DHCP dhcpd.leases, Infoblox)

DHCP lease transaction logs recording IP address assignments with MAC address, hostname, lease duration, and timestamps for DISCOVER, OFFER, REQUEST, and ACK messages.

SIEM (Splunk, Elastic), DHCP server console, grep (+1 more)

Web Application Firewall (WAF) Logs

network
WAF console or logs (AWS WAF, Azure WAF, Cloudflare, Akamai, Imperva, F5 ASM, ModSecurity)

Web Application Firewall logs recording HTTP request inspection results including blocked and monitored requests, matched attack signatures (SQLi, XSS, RCE, LFI), request headers, payloads, GeoIP data, and bot classification.

WAF Admin Console, SIEM (Splunk, Elastic), ModSecurity Audit Log (+2 more)

SSL/TLS Inspection & Decryption Logs

network
TLS inspection appliance logs (Palo Alto SSL Decryption, Zscaler, Blue Coat, F5 SSL Orchestrator)

Logs from SSL/TLS inspection appliances performing man-in-the-middle decryption of encrypted traffic. Records certificate details, cipher suites negotiated, decryption success/failure, and policy decisions for encrypted sessions.

SIEM (Splunk, Elastic), TLS inspection appliance console, Wireshark (with session keys) (+1 more)

DNS Analysis (3)

Communication (10)

SMS/iMessage Database (sms.db)

ios
HomeDomain/Library/SMS/sms.db

Core SQLite database storing all SMS, MMS, and iMessage conversations on the device. Contains the message table with full message text, timestamps (date, date_read, date_delivered), sender/recipient handles, group chat associations, and message type indicators distinguishing between SMS and iMessage. Attachments are referenced by filename and stored separately in the SMS/Attachments/ directory.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Call History Database (CallHistory.storedata)

ios
HomeDomain/Library/CallHistoryDB/CallHistory.storedata

SQLite database recording all incoming, outgoing, and missed phone calls, FaceTime audio calls, and FaceTime video calls. Each record in the ZCALLRECORD table includes the remote phone number or Apple ID, call duration, call type (incoming/outgoing/missed), timestamp, and the service provider (cellular, FaceTime Audio, FaceTime Video).

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Contacts Database (AddressBook.sqlitedb)

ios
HomeDomain/Library/AddressBook/AddressBook.sqlitedb

SQLite database containing all contacts stored on the device, including names, phone numbers, email addresses, physical addresses, organizations, and associated social media accounts. The database uses a multi-table structure with ABPerson for contact records and ABMultiValue for associated phone numbers, emails, and other multi-value properties.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Contact Interaction Tracking (interactionC.db)

ios
private/var/mobile/Library/CoreDuet/People/interactionC.db

CoreDuet SQLite database that tracks user interactions with contacts across multiple communication channels including Messages, Phone, FaceTime, Mail, and third-party apps. Records interaction type, contact identifier, bundle ID of the app used, timestamp, and interaction direction (incoming/outgoing).

iLEAPP, APOLLO, Cellebrite UFED (+1 more)

Voicemail Database (voicemail.db)

ios
HomeDomain/Library/Voicemail/voicemail.db

SQLite database indexing visual voicemail messages received on the device. Each record contains the caller number, voicemail duration, receipt timestamp, playback status (read/unread), and a reference to the associated AMR audio file stored in the Voicemail/ directory. Transcription text from iOS voicemail-to-text is also stored when available.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

SMS/MMS Database (mmssms.db)

android
/data/data/com.android.providers.telephony/databases/mmssms.db

SQLite database storing all SMS and MMS messages on the device. Each record contains the sender and recipient phone numbers, message body, timestamp (date column in epoch milliseconds), read status, and thread ID grouping conversations. MMS entries include references to associated media parts stored in the same provider directory.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Call History (calllog.db)

android
/data/data/com.android.providers.contacts/databases/calllog.db

SQLite database recording all incoming, outgoing, and missed phone calls. Each record includes the phone number, contact name (if matched), call type (incoming/outgoing/missed/rejected/blocked), duration in seconds, date in epoch milliseconds, and the phone account used for the call.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Contacts Database (contacts2.db)

android
/data/data/com.android.providers.contacts/databases/contacts2.db

SQLite database containing all locally stored contacts with phone numbers, email addresses, organization names, physical addresses, notes, and associated account metadata. The database uses a normalized schema with raw_contacts, data, and contacts tables linked by contact IDs, supporting multiple accounts (Google, Exchange, local) merged into unified contact entries.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Google Messages Database (bugle_db)

android
/data/data/com.google.android.apps.messaging/databases/bugle_db

SQLite database used by the Google Messages application, which serves as the default SMS/RCS client on most modern Android devices. Contains conversation threads, individual message parts, participant information, and RCS (Rich Communication Services) chat features including read receipts, typing indicators, and high-resolution media sharing metadata.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

User Dictionary / Learned Words (user_dict.db)

android
/data/data/com.android.providers.userdictionary/databases/user_dict.db

SQLite database containing words manually added by the user to the keyboard dictionary, as well as words learned through predictive text input. Each entry includes the word, its frequency or weight, locale setting, and an optional shortcut for text expansion.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+1 more)

Location Data (8)

Significant Locations / routined Cache (Cache.sqlite)

ios
private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite

SQLite database maintained by the routined daemon containing significant locations visited by the device owner, learned location patterns, and place visit records. Stores latitude, longitude, altitude, horizontal accuracy, visit entry and exit timestamps, and place labels derived from reverse geocoding. This database powers the Significant Locations feature in iOS Settings.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

App Location Access History (clients.plist)

ios
RootDomain/Library/Caches/locationd/clients.plist

Property list file maintained by the locationd daemon recording which applications have requested and received location data. For each app bundle identifier, it stores the authorization status (always, when in use, denied), the timestamp of the last location request, the number of location requests made, and the distance filter and accuracy settings used.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Known Wi-Fi Networks (com.apple.wifi.known-networks.plist)

ios
SystemConfiguration/com.apple.wifi.known-networks.plist

Property list file containing records of all Wi-Fi networks the device has previously connected to. Each network entry includes the SSID, BSSID (access point MAC address), security type (WPA2, WPA3, Open), first joined timestamp, last joined timestamp, and network usage data. Enterprise network entries may include additional EAP configuration details.

iLEAPP, Cellebrite UFED, Magnet AXIOM (+2 more)

Health App GPS/Location Data (healthdb_secure.sqlite)

ios
HealthDomain/Health/healthdb_secure.sqlite

Encrypted SQLite database storing Apple Health data including workout route GPS coordinates, step count timestamps, heart rate readings with location context, and activity data from the Health app and connected fitness devices. Workout routes contain detailed GPS tracks with latitude, longitude, altitude, speed, and timestamps recorded at frequent intervals during exercise activities.

iLEAPP, APOLLO, Cellebrite UFED (+2 more)

Google Maps Location Data (gmm_sync.db)

android
/data/data/com.google.android.apps.maps/databases/gmm_sync.db and gmm_storage.db

SQLite databases used by the Google Maps application to cache location-related data including searched addresses, navigation destinations, recently viewed places, saved locations, and local business search results. The gmm_storage.db file contains protobuf-encoded location data including latitude/longitude pairs with associated timestamps.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Cell Tower & Wi-Fi Location Cache

android
/data/data/com.google.android.location/files/cache.cell and cache.wifi

Binary cache files maintained by the Google Location Services provider containing recent cell tower and Wi-Fi access point observations used for network-based location determination. The cache.cell file stores cell tower IDs (MCC, MNC, LAC, CID) with associated GPS coordinates and timestamps. The cache.wifi file stores Wi-Fi BSSIDs (MAC addresses) with their estimated geographic positions.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Google Play Services Location History

android
/data/data/com.google.android.gms/databases/ (various location-related .db files)

SQLite databases within the Google Play Services (GMS) data directory that store location history, geofence events, and location request logs. Multiple database files may contain location data including herrevad.db, gservices.db, and phenotype.db, with precise GPS coordinates, accuracy estimates, altitude, speed, and bearing information.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Wi-Fi-Based Location Records

android
/data/data/com.google.android.gms/databases/ and /data/misc/wifi/ (various system databases)

Location data derived from Wi-Fi network connections and scans, distributed across multiple system databases. Includes records of Wi-Fi networks detected during location scans, connection timestamps associated with specific access points, and Wi-Fi RTT (Round-Trip Time) ranging data on supported devices for precise indoor positioning.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Web Activity (6)

Safari Browsing History (History.db)

ios
HomeDomain/Library/Safari/History.db

SQLite database containing the complete Safari browsing history including visited URLs, page titles, visit counts, and timestamps for each visit. The history_items table stores unique URLs while the history_visits table records individual visits with precise timestamps and redirect source references enabling reconstruction of navigation chains.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Safari Open Tabs & Tab Groups (BrowserState.db)

ios
HomeDomain/Library/Safari/BrowserState.db

SQLite database maintaining the state of all open Safari tabs, tab groups, and recently closed tabs. Records the URL, page title, tab ordering, last viewed timestamp, and tab group associations. This database reflects the real-time browsing state at the time of device acquisition.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+1 more)

Safari Cached Web Content (Cache.db)

ios
private/var/mobile/Library/Caches/com.apple.Safari/Cache.db

SQLite database and associated blob storage containing cached web page resources including HTML content, images, JavaScript files, CSS stylesheets, and API responses from websites visited in Safari. Cache entries include the request URL, response headers, content type, and the cached resource data.

Cellebrite UFED, iLEAPP, Magnet AXIOM (+2 more)

Chrome Browsing History

android
/data/data/com.android.chrome/app_chrome/Default/History

SQLite database containing Chrome browser history including URLs visited, page titles, visit timestamps (in WebKit epoch format), visit duration, transition type (typed, link, redirect), and visit count. The database also includes keyword_search_terms table linking searches to their corresponding URL visits.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+3 more)

Chrome Autofill Data (Web Data)

android
/data/data/com.android.chrome/app_chrome/Default/Web Data

SQLite database storing Chrome autofill form data including names, email addresses, phone numbers, physical addresses, and custom form field entries that the user saved or allowed Chrome to remember. The autofill table contains field name-value pairs with usage counts and timestamps of first and last use.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)

Chrome Cookie Database

android
/data/data/com.android.chrome/app_chrome/Default/Cookies

SQLite database storing browser cookies set by websites visited in Chrome. Each record contains the host domain, cookie name and value, creation timestamp, last access timestamp, expiration date, and flags for secure, httponly, and same-site attributes.

Cellebrite UFED, ALEAPP, Magnet AXIOM (+2 more)