
Forensically Sound Examination of a Macintosh (Part 2)

June 21, 2007
Macintosh Forensics
A Guide for the Forensically Sound Examination of a Macintosh Computer
Part 2 of 2
Ryan R. Kubasiak, Investigator - New York State Police

Reprinted with the kind permission of the author.


Spotlight

(Apple Document 301533)

The information here comes from the best source, Apple Inc. The following information is directly from the Support website.

Mac OS X 10.4 Tiger features Spotlight, a lightning-fast search technology that instantly lets you find things on your Mac. By default, Spotlight will index and search in the following locations:

All Home folders (local and network-based, as well as FileVault and non-FileVault). This includes:

  • The Documents, Movies, Music, and Pictures folders
  • The Trash of all users and each mounted volume.
  • ~/Library/Metadata/
  • ~/Library/Caches/Metadata/
  • ~/Library/Mail/
  • ~/Library/Caches/com.apple.AddressBook/Metadata/
  • ~/Library/PreferencePanes/

Spotlight also searches these non-Home folder locations by default:

  • /Library/PreferencePanes/
  • /System/Library/PreferencePanes/
  • /Applications

Can Spotlight search anywhere else? Of course! Any new folder you create in your Home automatically gets indexed so that it's searchable. If you connect an external storage device, such as a USB or FireWire hard drive, Spotlight will index the stuff on it, too. (If you want to exclude certain areas from Spotlight searching, see the tip below.)

Note: If your computer has multiple user accounts, any files that reside at the top level of each user's Home folder will also be indexed and searchable by Spotlight, even though they cannot be modified. However, all files and folders located within a user's Desktop, Documents, Library, Music, Movies, and Pictures folders will not be indexed nor can they be searched by other user accounts using Spotlight.


User Home Directory Structure


Finder - User Home Directory Structure

The home directory is the likely area to find all of the evidence for any case, barring system-wide log and settings files. MacOS X is very good at containing a user's files and settings to this area. This trait allows FileVault to work as well as it does. When conducting a limited scope examination, directing your searches to this area first is a good idea.

A user's home directory will contain many standard folders from a MacOS X installation, as well as application-specific folders. The above window shows the user "Moof" home directory. Always remember when using the Finder, the window will NOT show hidden files or directories with the typical MacOS X settings. There is no easy way to change this from any menu; it is best accomplished with a third-party application (Onyx, Tinkertool, etc.) or at the command line with a write to the proper plist file. A description of each entry in the window follows.

  • Desktop - contains all of the items that are seen on the user's desktop.
  • Documents - typically will contain user data files such as Pages, Keynote, MS Word, and other types of files.
  • Incomplete - created by Limewire and will contain files that have not yet successfully downloaded to this user's account. 2 files, downloads.dat and downloads.bak, will potentially contain incriminating evidence in the user's use of Limewire.
  • Library - This is a gold mine of information on the way a user utilizes the Macintosh. It will contain logs, preferences, browser history, recent files, etc. Many of these aspects will be discussed in greater detail later.
  • Limewire - This is created by the Limewire application. By default, shared files and downloaded files will be here. A user can change this location within the application itself.
  • Magazines - used by the Zinio Reader application for electronic magazines
  • Movies - typically will contain iDVD movie data, Quicktime files, and other digital video material
  • Music - typically will contain a user's iTunes library and other digital music material such as MP3 files.
  • Pictures - typically will contain a user's digital photo collection such as the iPhoto library.
  • Public - this is a "drop box" where other users have permissions to place files, read files, but not delete files.
  • Sites - if a WWW server is active such as the built in Apache web server, a user can host their website from this directory. This may contain a user's internet published incriminating evidence.

User Library Folder - In Depth

The User Library folder will contain a huge amount of information including user-specific drivers, fonts, settings, system add-ons, etc. Not everything here will be meaningful to a case. On the other hand, many items in here will be direct evidence of the crimes at hand. Browser history, web page cache, email remnants, email attachments, and indexes are just a few examples of this. My personal Library folder contains 45 folders. Some folders are from a standard MacOS X installation, whereas others are created by installing an application. Here are some of the folders and the information that can be gathered from them.

Application Support - Folders will be located in here that are created from Application installations. When a user removes the application from the system, the folder will remain in here. A manual delete is required to remove this information. Although there may not be specific history here, it will be indicative of an application having been installed, and may show usage information.

Automator - User-specific actions will be stored here. The actions are added by the user, and may contain some very indicative information of file copying, server connections and other actions a user wants to automate.

Caches - This folder has the potential to be a gold mine of historical data for the examiner. The contents include information of application usage, web sites visited, buddy lists, downloaded files, etc. The best general advice that can be given regarding this directory is: explore. Look in the folders here and see how the information may apply to your specific case. Keep in mind that many folders here will remain even after an application has been removed from the system!

Cookies - Used by Safari and other web browsers for the Cookies of various websites. A file named "Cookies.plist" is likely in this folder.

Favorites - This folder contains favorites for the "Connect to Server" option in the Finder. It will show other network resources that the User considered important enough to be able to easily return to.

Logs - This folder contains log files for many applications and usage information. Excellent evidentiary resource.

Mail and Mail Downloads - These folders contain email and files that were attached to emails received under this account.

Phones - This folder contains cell phones that have been connected to this computer under this account. Specific information about the phones can be found within the Info.plist file.

Recent Servers - This folder contains information on servers that have been recently connected to, including AFP and FTP sites.

Safari - This folder contains the vital information on Safari usage including bookmarks, history, etc.

Each of these folders, and others, should be explored for evidence relating to the specific case at hand. It would be impossible to write specific information for each of the folders and files that can possibly be found here.


Applications

Address Book

Address Book is the bundled application that allows users to store names, addresses, telephone numbers, screen names, web page information and just about anything else related to a contact. Address Book is integrated into many applications, such as Mail, Safari, and .Mac. A user can export VCards from here as well.

iCal

iCal is the bundled calendar application. iCal is a simple program compared to many of the more robust, enterprise type calendar systems. iCal is well used, and has the ability to synchronize with .Mac. A user can also publish a calendar to .Mac for public viewing.

Mail

Mail (or Mail.app as some will call it) is the bundled email application. Mail is integrated with the Address Book, and also maintains a list of people emailed outside of the Address Book for auto typing. Mail offers Rules to be set and also has basic Junk Mail filtering. Multiple accounts can exist within one user's Mail configuration. It has POP3 and IMAP functionality and can retrieve Hotmail, Gmail, and .Mac email.


.Mac and Related Evidence

.Mac

.Mac is an internet resource available from Apple Inc. Features include email (5 possible addresses), web site hosting, and iDisk storage of files. This service is subscribed to on a yearly basis. A user may store files here, Backup files, Address Book entries, Safari bookmarks, Quicken data, etc. Any application that supports iDisk will be a potential area of evidence. Information can be automatically synced from a Macintosh to the iDisk, and multiple Macintoshes can be configured to sync with this iDisk. Below is a screen capture of the plist file showing Moof's House is set to automatically sync with the associated iDisk.


.Mac plist Window


Safari, and Other Web Browsers

Safari

Safari is the bundled web browser with all versions of MacOS X. The browser is the most predominantly used browser, but certainly not the only one. Safari offers excellent History and Cache remnants in its default configuration.

Other web browsers that may be installed include Mozilla, Netscape, Firefox, Opera, and Internet Explorer. There are others. Look in the Applications folder to see what has been installed and then look for the associated setup files, bookmarks, and history in the users' Library folder.


iChat, and Instant Messaging Applications

iChat

iChat is the bundled instant messaging client in MacOS X. As of version 10.3, iChat became known as iChat AV because of the added video capability. iChat uses .Mac accounts as well as AOL Instant Messenger screen names natively. iChat also will interface with any instant messaging technology that uses "Jabber". An added feature for .Mac members is the ability to encrypt the iChat conversations. This only occurs between two .Mac members.

Other chat applications include AOL Instant Messenger, Adium, Microsoft Messenger, Skype, and SMS based applications or widgets. Look in the Applications folder to see what has been installed and then look for the associated setup files in the users' Library folder or Home folder.


Mac OS X Log Files

Mac OS X, like Linux and other UNIX variants, keeps many log files. Some of the files are very detailed, yet of little use forensically. Other logs, seemingly innocuous, contain direct or indirect evidence of a user's actions and intentions. Some log files will directly state exactly what a user was doing and the log entry itself would show the crime. Other entries will be indirect, yet help establish the circumstantial evidence of the crime committed. The Console utility, typically found in the /Applications/Utilities folder, is where most logs can be read natively. Here are some, but certainly not all, of the log files that can help establish time-tables, actions, and configurations.

| Log File | Uses |
| --- | --- |
| /var/log/crashreporter.log | Application Usage History, information is written here when an application crashes only. |
| /var/log/cups/access_log | Printer Connection Information |
| /var/log/cups/error_log | Printer Connection Information |
| /var/log/daily.out | Network Interface History |
| /var/log/samba/log.nmbd | Samba (Windows based machine) connection information |
| ~/Library/Logs | Any logs in this area will be specific to the user of this Home directory. Application specific logs will be found here. |
| ~/Library/Logs/DiscRecording.log | Log of CD or DVD media burned using the Finder. This is specific to the user of this Home directory. |
| ~/Library/Logs/DiskUtility.log | Log of CD or DVD media burned using the Finder, mount and unmount history of ISO or DMG image files, Permission Repair history, and hard disk partition information. |
| ~/Library/Logs/iChatConnectionErrors | Log files here contain information of past iChat connection attempts. Data such as username, IP address, and Date&Time of the attempt. |
| ~/Library/Logs/Sync | Log files here will contain information on .Mac syncing, mobile devices such as iPods and cell phones, and Date&Time of the activities. |

Mac OS X "plist" Files

Mac OS X, and all versions of the Macintosh operating systems, do not use a registry like Microsoft Windows. User settings are "remembered" through the use of "plist" files. Plist stands for Property List Format file. There is a MAN page describing the file in detail. Here is an excerpt from the Description:

Property lists organize data into named values and lists of values using several Core Foundation types: CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary. These types give you the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible. The property list programming interface allows you to convert hierarchically structured combinations of these basic types to and from standard XML. The XML data can be saved to disk and later used to reconstruct the original Core Foundation objects. Note that property lists should be used for data that consists primarily of strings and numbers because they are very inefficient when used with large blocks of binary data.

This description shows us that the data is more complex than a simple "Cookie" and not easily read with a standard text editor. A utility from Apple called "Property List Editor" will reveal the data contained within each of these files in a user-friendly way. As implied by the title, it will also allow you to edit the content, so be very careful! The utility is part of the Developer tools XCode, freely available from Apple Inc. The following table lists some, but certainly not all, of the valuable plist files. You will find application-specific plist files created, and they will always be worth looking at for forensic data.

In the event you haven't downloaded the XCode tools, it is still possible to look at a plist file. The plist file is likely stored in binary XML format. Opening this type of file in TextEdit will yield nothing useful. Fortunately, the Terminal command plutil converts a plist file to XML format. The MAN entry for plutil is as follows:

NAME
    plutil -- property list utility
SYNOPSIS
    plutil [command_option] [other_options] file
DESCRIPTION
    plutil can be used to check the syntax of property list files, or convert a plist file from one format to another.

Be certain that your destination file is saved on YOUR drive and not a target drive.
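The same conversion can be scripted so that the destination rule is enforced rather than remembered. The following is an added example, not part of the original guide: it uses Python's standard plistlib instead of plutil, and the function names, the sample key and the directory layout are hypothetical. It reads the plist without modifying it, refuses any output directory that lies inside the evidence tree, and hashes the source before and after.

```python
import hashlib
import os
import plistlib


def sha256_of(path):
    """Hash a file in chunks so large evidence files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_inside(child, parent):
    """True when child resolves to parent itself or to a path beneath it."""
    child = os.path.realpath(child)
    parent = os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent


def convert_plist_to_xml(src, out_dir, evidence_root):
    """Write an XML copy of src into out_dir, never onto the evidence volume."""
    if is_inside(out_dir, evidence_root):
        raise ValueError("output directory is on the evidence volume: " + out_dir)
    before = sha256_of(src)
    with open(src, "rb") as fh:          # read-only open of the evidence file
        raw = fh.read()
    source_format = "binary" if raw.startswith(b"bplist00") else "xml"
    data = plistlib.loads(raw)           # raises ValueError on a damaged plist
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, os.path.basename(src) + ".xml")
    with open(out_path, "wb") as fh:
        fh.write(plistlib.dumps(data, fmt=plistlib.FMT_XML))
    after = sha256_of(src)
    if before != after:
        raise RuntimeError("source file changed during examination: " + src)
    return {
        "source_format": source_format,
        "sha256_before": before,
        "sha256_after": after,
        "output": out_path,
    }


def build_sample_evidence(base_dir):
    """Constructed stand-in for a mounted target volume (sample data only)."""
    prefs = os.path.join(base_dir, "target", "Users", "moof",
                         "Library", "Preferences")
    os.makedirs(prefs)
    src = os.path.join(prefs, "com.apple.Grab.plist")
    sample = {"ExampleLastSaveFolder": "/Users/moof/Desktop"}  # hypothetical key
    with open(src, "wb") as fh:
        fh.write(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
    return src, os.path.join(base_dir, "target")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        source, root = build_sample_evidence(tmp)
        report = convert_plist_to_xml(source, os.path.join(tmp, "examiner"), root)
        for key, value in report.items():
            print(key, value)
```

The two hash values belong in the case notes alongside the path of the XML copy.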

The following list contains miscellaneous files, their location, and use.

| File | Uses |
| --- | --- |
| /System/Library/CoreServices/SystemVersion.plist | Contains the current version of the installed operating system |
| /private/var/log/OSInstall.custom | Contains the date and time the operating system was first installed (completion time, not start time) |
| /private/etc/hosts | Contains defined IP addresses and the associated name |

The following PLIST files can be found in the user home directory ~/Library/Preferences/

| File | Uses |
| --- | --- |
| AddressBookMe.plist | Contains the data this user has entered about him/her self |
| com.apple.Bluetooth.plist | Contains devices that have connected via Bluetooth. It will show last connection date as well. |
| com.apple.dashboard.plist | Contains information on installed Widgets for this user. |
| com.apple.dock.plist | Contains information on applications available in the Dock |
| com.apple.DotMacSync.plist | Contains information on items to be synced as well as how often the sync is done |
| com.apple.finder.plist | Contains information on Recently opened folders, last server connection from Finder and the last "Go to Folder" selection |
| com.apple.Grab.plist | Last directory a capture was saved. |
| com.apple.iChat.AIM.plist | AOL Instant Messenger information |
| com.apple.iChat.Jabber.plist | Jabber account information |
| com.apple.mail.plist | Information on Mail.app setup including account names and where the email is stored locally |
| com.apple.NetworkUtility.plist | Information on network lookups such as Lookups, Whois, Ping and Port Scans. |
| com.apple.Preview.bookmarks.plist | Recent Documents opened using Preview.app |
| com.apple.print.PrintCenter.plist | Information on recently connected to printers |
| com.apple.quicktimeplayer.plist | Recently viewed movie files |
| com.apple.Safari.plist | History from the web browser Safari, including Recent Search terms, Recent folders utilized locally |
| com.scheduler.plist | Scheduled activities to run automatically such as a .Mac sync or Software Update |
| com.apple.sidebarlists.plist | Contains a History of Current and Past items that have shown up in the Finder Windows Sidebar. It will show System assigned items as well as the items in the Custom portion of the window. |
| com.apple.systemuiserver.plist | Contains a list of the custom "menus" installed by the user. Useful in showing what runs on the machine when a user logs in. |
| com.RealNetworks.RealPlayer.plist | Recent audio and video clips |

Again, this table is by no means complete. Using the Property List Editor, view each and any PLIST file that seems to be relevant. Many times, when software changes in version, a new PLIST file is used.


Sleep and Safe Sleep

/private/var/vm/sleepimage - This file is on Intel Macintosh portable computers to save contents of RAM to the hard disk. Its use is to recover from a power outage during sleep mode or when the battery is just about to run out of power during use. As of this writing, the file is written to disk, unencrypted, and yields many usual artifacts of user history, inclusive of passwords. All Macintoshes running OS X can go into sleep mode, but the computer must support "safe sleep" (sometimes referred to as Deep Sleep) to have this functionality. It is possible to turn off the safe sleep function from the command line, but not through the System Preferences.


Detailed Macintosh Techniques

First off, the Macintosh has many, many key combinations that cause different actions right from the initial power on. Not every key combo works on every Macintosh. Most work on most Macs. That is the best that can be said. Document which ones you try for the specific case at hand, and also for future reference.

Apple Boot Key Combos

| Function | Key Combination |
| --- | --- |
| Bypass startup drive and boot from external (or CD) | CMD-OPT-SHIFT-DELETE |
| Boot from CD | C |
| Boot from a specific SCSI ID # | CMD-OPT-SHIFT-DELETE-# |
| Eject Floppy Disk | Hold down Mouse button |
| Select Volume to start from | OPT |
| Start in Target Disk Mode | T |
| OS X Verbose Boot | CMD-V |
| OS X Single User Mode | CMD-S |
| Open Firmware | CMD-OPT-O-F |

Create a Brute Force Dictionary File

The MacOS X Terminal makes it rather easy to create a brute force dictionary for attacking various encoded files. It certainly isn't a guarantee, but it offers hope. Creating this dictionary is useful when the source is not encrypted. For instance, if you try to make a dictionary file from a sparse image file, you will get nothing useful. However, making a dictionary from the entire device may yield the password to a user's login, a website, their keychain, and so on.

The terminal command "strings" can create a text file with the useful words contained in a file or raw device. The MAN entry for "strings" is as follows:
strings - find the printable strings in a object, or other binary, file.

We can use this against a device file such as /dev/disk0 or against an unencrypted DMG file such as /Evidence/sample.dmg and have a text file created with the useful strings.

The command would look like this:

Moofs-House:~ moof$ strings /Evidence/UnencryptedDMG.dmg > /Evidence/strings.txt

This command will output a text file that contains all of the useful strings contained in the DMG file. You can now use this file as a "dictionary" in a brute force attack on passwords. It might be further useful to take the repeated strings out of this file.


Useful Artifacts and Commands

As with any operating system or file system, there are numerous places to look for evidence. The Macintosh is no exception. The following tables begin to list areas of interest.

Table 1 - Artifacts

| Artifact | Location |
| --- | --- |
| Internet History | Safari = /Users//Library/Safari/History.plist (dates are in AbsoluteDate Format). Note: if the file /Users//Library/Preferences/com.Apple.Safari.plist contains the value "WebKitPrivateBrowsingEnabled" set to TRUE, no browsing history will be kept. Internet Explorer = /Users//Library/Preferences/Explorer/History.html |
| Email | Perform a search for files with the following extensions: .mbx, .mbox, .emlx, .imapmbox, .eml, .msf. Microsoft Entourage uses a file named "database". |
| iPod | Perform a search for the file "com.Apple.iPod.plist". It will contain information such as serial number of the iPod, last connect time, use count, etc. |
| Limewire | limewire.props contains last used forward facing IP address |
| IP Address Info | IP Address info may be found in any of the following locations: /var/log/ipfw, /var/log/secure, /var/log/system. I also suggest looking at other logs kept in this directory! |
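The AbsoluteDate values noted for Safari's History.plist count seconds from 2001-01-01 00:00:00 UTC, so they must be converted before they can go on a timeline. The following is an added example, not part of the original guide: the key names WebHistoryDates, lastVisitedDate, title, visitCount and the empty-string URL key are assumptions about the file layout (the page names only the file, the date format and WebKitPrivateBrowsingEnabled), and the sample plists are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac "AbsoluteDate" values count seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(value):
    """Convert an AbsoluteDate value (string or number) to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(value))


def private_browsing_enabled(prefs_bytes):
    """Report whether the Safari preferences plist has private browsing set."""
    prefs = plistlib.loads(prefs_bytes)
    return bool(prefs.get("WebKitPrivateBrowsingEnabled", False))


def history_timeline(history_bytes):
    """Return (timeline sorted oldest first, URLs whose date could not be read)."""
    root = plistlib.loads(history_bytes)
    timeline, rejected = [], []
    for entry in root.get("WebHistoryDates", []):   # assumed key name
        url = entry.get("", "")                     # assumed: URL under empty key
        try:
            visited = mac_absolute_to_utc(entry["lastVisitedDate"])
        except (KeyError, TypeError, ValueError, OverflowError):
            rejected.append(url)    # keep damaged records visible to the examiner
            continue
        timeline.append({
            "visited_utc": visited,
            "url": url,
            "title": entry.get("title", ""),
            "visit_count": entry.get("visitCount", 0),
        })
    timeline.sort(key=lambda row: row["visited_utc"])
    return timeline, rejected


# Constructed sample data: not taken from any real system.
SAMPLE_HISTORY = plistlib.dumps({
    "WebHistoryDates": [
        {"": "http://www.example.com/later", "title": "Later page",
         "lastVisitedDate": "204080400.5", "visitCount": 3},
        {"": "http://www.example.com/first", "title": "First page",
         "lastVisitedDate": "204076800.0", "visitCount": 1},
        {"": "http://www.example.com/damaged", "lastVisitedDate": "not-a-date"},
    ],
}, fmt=plistlib.FMT_BINARY)

SAMPLE_PREFS = plistlib.dumps({"WebKitPrivateBrowsingEnabled": True})


if __name__ == "__main__":
    if private_browsing_enabled(SAMPLE_PREFS):
        print("Private browsing is set: history may be incomplete")
    rows, bad = history_timeline(SAMPLE_HISTORY)
    for row in rows:
        print(row["visited_utc"].isoformat(), row["visit_count"], row["url"])
    for url in bad:
        print("unreadable date:", url)
```

Run it against a working copy of History.plist on the examiner's drive, and record times as UTC before converting to the local time zone of the case.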


Table II - Terminal Window Commands

| Command Line | Function |
| --- | --- |
| ls -al \| more | "ls" is the command to list the directory contents (Present Working Directory). Adding the "-al" switch will give all entries including hidden files and show "long" entries. "Long" entries simply means you will see the associated information for each entry, rather than just the name. The "\| more" is the pipe command to send the output to the "more" command. "more" is a command that will list the screen output one page at a time, pausing every 24 lines. This causes the directory listing to pause, rather than just go flying by. Some people prefer the "less" command. Read the MAN pages and choose for yourself. |
| pwd | (Present Working Directory) This will simply output the path of your current directory. Sitting at a "$" prompt isn't always the most useful and it's easy to get lost when navigating the disk hierarchy. |
| find / -name "*.jpg" -print | This command will list all files, path included, that match the expression *.jpg starting from the root of the file structure. This is an example of crude searching for possible image files. Change the starting location for the search by changing the "/" to the path of choice. An example might be /Users/ where is a valid home directory. |
| date -u | Displays the current system date and time in GMT |

References

Information in this document has been gathered from years of education, training, and work experience. I would also be remiss if I did not mention training, websites and mailing lists that I read often, with great respect.

Many thanks go to the resources of:

  • Apple Inc. including the Support and Developer websites. The information on these websites is an Examiner's greatest tool to understanding any analysis.
  • Blackbag Technologies training courses
  • Derrick Donnelly's email list "macos_forensics@yahoogroups.com"
  • Apple Inc. Forensic email Listserv (Government email participants only at this time)
  • Guidance Software discussion forums and their technical support personnel

Websites

http://www.macintouch.com
http://www.macfixit.com
http://www.apple.com/support
http://developer.apple.com
http://www.macnn.com/headlines
http://guide.apple.com
http://www.blackbagtech.com
http://www.macforensicslab.com
http://www.macosxhints.com
http://www.ifixit.com/Guide/
http://www.guidancesoftware.com
http://www.accessdata.com

Recommended Utilities and Applications

Apple Inc.

  • XCode
  • Property List Editor

Weird Kid Software Products

  • Emailchemy

SubRosaSoft.com Inc.

  • MacForensicLab
  • DasBoot

BlackBag Technologies Inc.

  • Forensic Suite

Ian Page

Many, MANY others as your cases develop. Use your favorite search engine, or try:
http://www.macupdate.com
http://www.versiontracker.com/macosx


MacOS X 10.4 Command Line Utilities and Daemons

| Command | Uses |
| --- | --- |
| apropos | search the whatis database for strings |
| arp | address resolution display and control |
| asr | Apple Software Restore; copy volumes (e.g. from disk images) |
| atlookup | looks up network-visible entities (NVEs) registered on the AppleTalk network system |
| autodiskmount | disk support tool |
| automount | automatic server mount / unmount daemon |
| awk | pattern-directed scanning and processing language |
| basename, dirname | return filename or directory portion of pathname |
| bash | GNU Bourne-Again Shell |
| bless | set volume bootability and startup disk options |
| blued | The Mac OS X bluetooth daemon |
| bootparamd | boot parameter server |
| bzcmp, bzdiff | compare bzip2 compressed files |
| bzgrep, bzfgrep, bzegrep | search possibly bzip2 compressed files for a regular expression |
| bzip2, bunzip2 | a block-sorting file compressor, v1.0.2 |
| bzcat | decompresses files to stdout. |
| bzip2recover | recovers data from damaged bzip2 files |
| cal | displays a calendar |
| calendar | reminder service |
| cat | concatenate and print files |
| chflags | change file flags |
| chgrp | change group |
| chmod | change file modes or Access Control Lists |
| chown | change file owner and group |
| chpass, chfn, chsh | add or change user database information |
| chroot | change root directory |
| cksum, sum | display file checksums and block counts |
| cksum(n) | calculate a cksum(1) compatible checksum |
| clear | clear the terminal screen |
| cmp | compare two files byte by byte |
| compress, uncompress | compress and expand data |
| configd | System Configuration Daemon |
| cp | copy files |
| cron | daemon to execute scheduled commands (Vixie Cron) |
| crontab | maintain crontab files for individual users (V3) |
| cupsd | common unix printing system daemon |
| cvs | Concurrent Versions System |
| date | display or set date and time |
| dd | convert and copy a file |
| defaults | access the Mac OS X user defaults system |
| df | display free disk space |
| diff | compare files line by line |
| diff3 | compare three files line by line |
| diffpp | pretty-print diff outputs with GNU enscript |
| diffstat | make histogram from diff-output |
| dig | DNS lookup utility |
| disable, enable | stop/start printers and classes |
| diskarbitrationd | disk arbitration daemon |
| disklabel | manipulate and query an Apple Label disk label |
| disktool | disk support tool |
| diskutil | Modify, verify and repair local disks |
| ditto | copy files and directories to a destination directory |
| dmesg | display the system message buffer |
| domainname | set or print the name of the current NIS domain |
| drutil | interact with CD/DVD burners |
| dscl | Directory Service command line utility |
| du | display disk usage statistics |
| dump | filesystem backup |
| dumpfs | dump file system information |
| dynamic_pager | dynamic pager external storage manager |
| echo | write arguments to the standard output |
| ed | text editor |
| emacs | GNU project Emacs |
| enscript | convert text files to PostScript |
| env | set and print environment |
| expand, unexpand | expand tabs to spaces, and vice versa |
| expr | evaluate expression |
| fdisk | DOS partition maintenance program |
| fibreconfig | Tool for configuring settings for Fibre Channel controllers and targets |
| file | determine file type |
| find | walk a file hierarchy |
| fsck | filesystem consistency check and interactive repair |
| fsck_hfs | HFS file system consistency check |
| fsck_msdos | DOS/Windows (FAT) file system consistency check |
| ftp | Internet file transfer program |
| getconf | retrieve standard configuration variables |
| gpt | GUID partition table maintenance utility |
| grep, egrep, fgrep | print lines matching a pattern |
| groups | show group memberships |
| gzexe | compress executable files in place |
| gzip, gunzip, zcat | compress or expand files |
| hdik | lightweight in-kernel disk image mounting tool |
| hdiutil | manipulate disk images (attach, verify, burn, etc) |
| head | display first lines of a file |
| heap | List all the malloc-allocated buffers in the process's heap |
| hexdump, hd | ASCII, decimal, hexadecimal, octal dump |
| host | DNS lookup utility |
| hostname | set or print name of current host system |
| ifconfig | configure network interface parameters |
| info | read Info documents |
| installer | system software and package installer tool |
| ioreg | show I/O Kit registry |
| iostat | report I/O statistics |
| ip6 | Enable or disable IPv6 on active interfaces |
| ip6config | Configure IPv6 and 6to4 IPv6 tunnelling |
| ip6fw | controlling utility for IPv6 firewall |
| ipconfig | view and control IP configuration state |
| ipfw | IP firewall and traffic shaper control program |
| jar | Java archive tool |
| java | Java interpreter |
| kadmin | Kerberos V5 database administration program |
| kadmind | KADM5 administration server |
| kdb5_util | Kerberos database maintenance utility |
| kextload | loads, validates, and generates symbols for a kernel extension (kext) |
| kextstat | display status of dynamically loaded kernel extensions |
| kextunload | terminates and unloads kernel extensions |
| kill | terminate or signal a process |
| killall | kill processes by name |
| ktrace | enable kernel process tracing |
| last | indicate last logins of users and ttys |
| lastcomm | show last commands executed in reverse order |
| launchctl | Interfaces with launchd |
| launchd | System wide and per-user daemon/agent manager |
| ldapsearch | LDAP search tool |
| ldapwhoami | LDAP who am i? tool |
| less | opposite of more |
| lessecho | expand metacharacters, such as * and ?, in filenames on Unix systems |
| ln, link | make links |
| locale | display locale settings |
| locate | find files |
| login | log into the computer |
| logname | display user's login name |
| logresolve | resolve hostnames for IP-addresses in Apache logfiles |
| look | display lines beginning with a given string |
| lookupd | directory information and cache daemon |
| ls | list directory contents |
| lsbom | list contents of a bom file |
| lsof | list open files |
| lsvfs | list known virtual file systems |
| machine | print machine type |
| man | format and display the on-line manual pages |
| md5 | calculate a message-digest fingerprint (checksum) for a file |
| mdfind | finds files matching a given query |
| megaraid | Command Line Utility for MegaRAID management |
| merge | three-way file merge |
| mesg | display (do not display) messages from other users |
| mkdir | make directories |
| mnthome | mount an AFP (AppleShare) home directory with the correct privileges |
| mount | mount file systems |
| mount.cifs | mount using the Common Internet File System (CIFS) |
| mount_afp | mount an afp (AppleShare) filesystem |
| mount_cd9660 | mount an ISO-9660 filesystem |
| mount_cddafs | mount an Audio CD |
| mount_fdesc | mount the file-descriptor file system |
| mount_ftp | mount a FTP filesystem |
| mount_hfs | mount an HFS/HFS+ file system |
| mount_msdos | mount an MS-DOS file system |
| mount_nfs | mount NFS file systems |
| mount_ntfs | mount an NTFS file system |
| mount_smbfs | mount a shared resource from an SMB file server |
| mount_udf | mount a UDF filesystem |
| mount_webdav | mount a WebDAV filesystem |
| mountd | service remote NFS mount requests |
| msgs | system messages and junk mail program |
| mtree | map a directory hierarchy |
| mv | move files |
| named | Internet domain name server |
| nano | Nano's ANOther editor, an enhanced free Pico clone |
| natd | Network Address Translation daemon |
| net | Tool for administration of Samba and remote CIFS servers |
| netinfod | NetInfo daemon |
| netstat | show network status |
| newfs | construct a new file system |
| newfs_hfs | construct a new HFS Plus file system |
| newfs_msdos | construct a new MS-DOS (FAT) file system |
| nfsd | remote NFS server |
| nice | execute a utility with an altered scheduling priority |
| nologin | politely refuse a login |
| notifyd | notification server |
| ntpd | Network Time Protocol (NTP) daemon |
| ntpdate | set the date and time via NTP |
| ntptrace | trace a chain of NTP servers back to the primary source |
| nvram | manipulate Open Firmware NVRAM variables |
| open | open files and directories |
| open-x11 | run X11 programs |
| pagesize | print system page size |
| passwd | modify a user's password |
| paste | merge corresponding or subsequent lines of files |
| patch | apply a diff file to an original |
| pbcopy, pbpaste | provide copying and pasting to the pasteboard (the Clipboard) from command line |
| pcscd | PC/SC Smartcard Daemon |
| pdisk | Apple partition table editor |
| ping | send ICMP ECHO_REQUEST packets to network hosts |
| ping6 | send ICMPv6 ECHO_REQUEST packets to network hosts |
| pl | converts between ASCII and binary plist formats |
| plutil | property list utility |
| pmset | modify power management settings |
| portmap | RPC program, version to DARPA port mapper |
| pr | print files |
| printenv | print out the environment |
| printf | formatted output |
| ps | process status |
| pwd | return working directory name |
| quot | display total block usage per user for a file system |
| quota | display disk usage and limits |
| quotacheck | filesystem quota consistency checker |
| quotaon, quotaoff | turn filesystem quotas on and off |
| rarpd | Reverse ARP Daemon |
| rcp | remote file copy |
| reboot, halt | stopping and restarting the system |
| renice | alter priority of running processes |
| repquota | summarize quotas for a file system |
| restore | restore files or file systems from backups made with dump |
| rev | reverse lines of a file |
| rlogin | remote login |
| rm, unlink | remove directory entries |
| rmdir | remove directories |
| routed | network RIP and router discovery routing daemon |
| rsh | remote shell |
| rwho | who is logged in on local machines |
| rwhod | system status server |
| say | Convert text to audible speech |
| scp | secure copy (remote file copy program) |
| screencapture | capture and manipulate clipboard contents |
| screenreaderd | VoiceOver daemon |
| sftp | secure file transfer program |
| sftp-server | SFTP server subsystem |
| showmount | show remote nfs mounts on host |
| shutdown | close down the system at a given time |
| sleep | suspend execution for an interval of time |
| smbclient | ftp-like client to access SMB/CIFS resources on servers |
| smbd | server to provide SMB/CIFS services to clients |
| smbstatus | report on current Samba connections |
| snmpd | daemon to respond to SNMP request packets |
| snmptable | retrieve an SNMP table and display it in tabular form |
| snmptrapd | Receive and log SNMP trap messages |
| sort | sort lines of text files |
| split | split a file into pieces |
| spray | send many packets to host |
| srm | securely remove files or directories |
| ssh | OpenSSH SSH client (remote login program) |
| sshd | OpenSSH SSH daemon |
| stat, readlink | display file status |
| strings | find the printable strings in a object, or other binary, file |
| strip | remove symbols |
| su | substitute user identity |
| sudo, sudoedit | execute a command as another user |
| sum(n) | calculate a sum(1) compatible checksum |
| sw_vers | print Mac OS X operating system version information |
| sync | force completion of pending disk writes (flush cache) |
| syslog | Apple System Log utility |
| syslog.conf(5) | syslogd(8) configuration file |
| syslogd | Apple System Log server |
| system_profiler | reports system hardware and software configuration |
| tail | display the last part of a file |
| talk | talk to another user |
| tar | tape archiver; manipulate "tar" archive files |
| tcpdump | dump traffic on a network |
tcshC shell with file name completion and command line editing
telnetuser interface to the TELNET protocol
tftptrivial file transfer program
timauthetication server
timetime command execution
timedtime server daemon
timutilauthetication server utility
topdisplay and update sorted information about processes
touchchange file access and modification times
tracerouteprint the route packets take to network host
traceroute6print the route IPv6 packets will take to the destination
ttyreturn user's terminal name
umountunmount filesystems
unamePrint operating system name
uniqreport or filter out repeated lines in a file
unziplist, test and extract compressed files in a ZIP archive
updateflush internal filesystem caches to disk frequently
update_prebindingUpdate prebinding information when new system libraries or frameworks are installed
uptimeshow how long system has been running
userslist current users
uuencode, uudecodeencode/decode a binary file
vers_stringproduce version identification string
vimVi IMproved, a programmers text editor
vipwedit the password file
visudoedit the sudoers file
vpndMac OS X VPN service daemon
wdisplay who is logged in and what they are doing
wcword, line, character, and byte count
whatissearch the whatis database for complete words
whereislocate programs
whichlocate a program file in the user's path
whodisplay who is on the system
whoamidisplay effective user id
whoisInternet domain name and network number directory service
winbinddName Service Switch daemon for resolving names from NT servers
writesend a message to another user
xgridsubmit and monitor xgrid jobs
xinetdthe extended Internet services daemon
zcmp, zdiffcompare compressed files
zgrepsearch possibly compressed files for a regular expression
zip, zipcloak, zipnote, zipsplitpackage and compress (archive) files
zipgrepsearch files in a ZIP archive for lines matching a pattern
zipinfolist detailed information about a ZIP archive
zshthe Z shell
