What to Look for and How to Look for It
Exactly what to look for during an investigation will depend on what you are investigating. You will want to investigate the entire file structure of the disk or image, including files, logs, user preferences files, and Mac OS X’s configuration files. You should look at both visible and hidden files. For many cases of acceptable use policy violations, you’ll most likely find evidence in a user’s home folder. For security breaches, you’ll want to examine the startup items, cron tabs, and various Unix configuration files and logs very closely—if possible, comparing them to a known good state of what the system should look like.
You should also search for data in the unallocated space of the drive. Unless the Secure Empty Trash feature is used, when files are deleted the sectors containing them are simply marked as unallocated space, and those files continue to exist and many forensic tools can search and reveal/recover them. In most cases, however, evidence is found in the active files.
You can use various search techniques with most forensic tools to help locate files if you are looking for specific types of data: images, history and temp, and cache files; as well as executable code. Keep in mind that changing the name or extension of a file is one of the easiest ways to imply that it is something other than what it appears, so you will need to be very thorough when searching for evidence.
If this sounds like a tedious process, that’s because a thorough forensic investigation is tedious, especially when you document every step of that investigation. But in the event that there is either a legal outcome of your investigation or even an internal question of your results, that effort may prove to be extremely important.