A question that sometimes comes up in an investigation is: What is the computer system doing “on its own?” In other words, are there any programs set to start when the Mac is booted? If so, are they relevant to the case?

On a Windows system this information is tucked away in several locations, but on Mac OS 10.7+ this information is neatly packaged into one Plist:


Access this Plist using Xcode, which is a free add-on to your OS X system that you may get through the App Store.

In the example below you can see where the “Name” value shows three applications: iTunesHelper.app, VMWare Fusion Helper.app and OpenVPN Connect.app.

Each of these is set to run upon login. From here it is a matter of finding out what each of these applications does and determining relevance to your case.
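The same “Name” values can be pulled from an exported copy of the Plist without Xcode, for example on an analysis workstation. The script below is an added example, not part of the original article: it walks any XML or binary Plist and reports every dictionary that carries a string “Name”. The path is supplied by the analyst, and the embedded sample (its nesting and Alias bytes) is constructed for illustration.

```python
import plistlib
import sys


def load_plist(path):
    """Parse an XML or binary plist from a working copy of the evidence file."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def find_named_items(node, trail=()):
    """Yield (key path, Name, other keys) for every dict with a string 'Name'."""
    if isinstance(node, dict):
        name = node.get("Name")
        if isinstance(name, str):
            yield "/".join(trail), name, sorted(k for k in node if k != "Name")
        for key, value in node.items():
            yield from find_named_items(value, trail + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_named_items(value, trail + (f"[{index}]",))


def sample_plist_bytes():
    """Constructed sample: names from the article, nesting and Alias data assumed."""
    names = ["iTunesHelper.app", "VMWare Fusion Helper.app", "OpenVPN Connect.app"]
    items = [{"Name": n, "Alias": b"\x00constructed"} for n in names]
    items.append({"Alias": b"\x00no-name"})  # entry without a Name: not reported
    items.append({"Name": 42})               # non-string Name: not reported
    root = {"SessionItems": {"CustomListItems": items}}
    return plistlib.dumps(root, fmt=plistlib.FMT_BINARY)


def login_item_names(data):
    """Return the Name strings found in raw plist bytes, in file order."""
    return [name for _, name, _ in find_named_items(plistlib.loads(data))]


if __name__ == "__main__":
    # Usage: python script.py /path/to/exported.plist (no argument: run the sample)
    if len(sys.argv) > 1:
        root = load_plist(sys.argv[1])
    else:
        root = plistlib.loads(sample_plist_bytes())
    for where, name, others in find_named_items(root):
        print(f"{name}\t{where}\t{','.join(others)}")
```

Each output row gives the item name, where in the Plist it was found, and which other keys sit beside it, which is a convenient starting point for documenting each login item in the case notes.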

This is an easy location to check to answer the question at hand and I recommend it be part of Mac forensic analysis.

Article by Mike Leclair, creator of the Surviving Digital Forensic Series and part of the SUMURI RECON Team.