Had a bit of time so decided to enter this weeks Sunday Funday. I didn’t win, but figured I would share it for reference. Congrats to Amy for winning!
I didn’t do a very comprehensive test, I just accessed a picture and video with native apps and then did a keyword search, so hits were uncovered that may not all indicate file access, and nothing was done to determine ‘when’ files were accessed.
I copied a picture and video to the Desktop of a new account and then hit preview on the video icon, accessed the files via quicklook, reviewed the files in the preview on the side of Finder for the Desktop folder, open the picture in preview, opened the mpeg in quicktime player and iTunes (native installs)
Specific To Video
com.apple.quicktimeplayerx.plist and com.apple.quicktimeplayerx.sfl2 showed access to the video
I didn’t get a hit in anything related to iTunes; I thought there was a history file of some sort. The video was copied into \music\itunes\itunes media\home videos\ however, so this could be an indication that it was opened with iTunes (unless maybe a scan for media option put it there?). I didn’t check the timestamps of the file but the “date added” field probably relates to when it was opened in iTunes (as opposed to the created date which is probably retained from the original)
Specific To Picture
com.apple.preview.sfl2 showed access to the picture
General File Access
com.apple.lssharedfilelist.recentdocuments.sfl2 showed access to the picture and video
Unknown If Relates To File Access
There was a reference to the picture and video in the ASL log for the day, potentially related to access
There was also a reference to the picture in the tracev3.log. Yogesh has written a parser for these.
Hits for both in com.apple.QuickLook.thumbnailcache/index.sqlite (although this is not necessarily that they were viewed, but rather that their icons were created as thumbnails). I did view both of the files with quicklook though; probably need to do a test of *just* viewing files in a way that shouldn’t leave a trace in the expected plists.
More information on Quicklook can be found here
- Quick Look Cache Parsing
- Arsenal Quick Look Cache Parsing
- Collecting Quick Look Data From a Live macOS System
ThinkDFIR 
[…] of file access on MacOS Mojave. The winning solution was submitted by Amy Francis, and I posted up my solution as well. Daily Blog #630: Sunday Funday […]
LikeLike