June 21, 2007
A Guide for the Forensically Sound Examination of a Macintosh Computer
Part 2 of 2
Ryan R. Kubasiak, Investigator - New York State Police
Reprinted with the kind permission of the author.
(Apple Document 301533)
The information here comes from the best source, Apple Inc. The following information is directly from the Support website.
Mac OS X 10.4 Tiger features Spotlight, a lightning-fast search technology that instantly lets you find thingson your Mac. By default, Spotlight will index and search in the following locations:
All Home folders (local and network-based, as well as FileVault and non-FileVault). This
- The Documents, Movies, Music, and Pictures folders
- The Trash of all users and each mounted volume.
Spotlight also searches these non-Home folder locations by default:
Can Spotlight search anywhere else? Of course! Any new folder you create in your Home automatically getsindexed so that it's searchable. If you connect an external storage device, such as a USB or FireWire harddrive, Spotlight will index the stuff on it, too. (If you want to exclude certain areas from Spotlight searching,see the tip below.)
Note: If your computer has multiple user accounts, any files that reside at the top level of each user's Homefolder will also be indexed and searchable by Spotlight, even though they cannot be modified. However, all files and folders located within a user's Desktop, Documents, Library, Music, Movies, and Pictures folders will not be indexed nor can they be searched by other user accounts using Spotlight.
User Home Directory Structure
Finder - User Home Directory Structure
The home directory is the likely area to find all of the evidence for any case, barring system widelog and settings files. MacOS X is very good at containing a user's files and settings to this area. This trait allows FileVault to work as well as it does. When conducting a limited scope examination, directing your searches to this area first is a good idea.
A User's home directory will contain many standard folder's from a MacOS X installation, as well asapplication specific folders. The above window shows the user "Moof " home directory. Alwaysremember when using the Finder, the window will NOT show hidden files or directories with thetypical MacOS X settings. There is no easy way to change this from any menu, and is best accomplished with a third party application (Onyx, Tinkertool, etc.) or at the command line with a writeto the proper Plist file. A description of each entry in the window follows.
- Desktop - contains all of the items that are seen on the user's desktop.
- Documents - typically will contain user data files such as Pages, Keynote, MS Word, and othertypes of files.
- Incomplete - created by Limewire and will contain files that have not yet successfully downloadedto this user's account. 2 files, downloads.dat and downloads.bak will potentially contain incriminating evidence in the user's use of Limewire
- Library - This is a gold mine of information on the way a user utilizes the Macintosh. It will contain logs, preferences, browser history, recent files, etc. Many of these aspects will be discussed ingreater detail later.
- Limewire - This is created by the Limewire application. By default, shared files and downloadedfiles will be here. A user can change this location within the application itself.
- Magazines - used by the Zinio Reader application for electronic magazines
- Movies - typically will contain iDVD movie data, Quicktime files, and other digital video material
- Music - typically will contain a user's iTunes library and other digital music material such as MP3files.
- Pictures - typically will contains a user's digital photo collection such as the iPhoto library.
- Public - this is a "drop box" where other users have permissions to place files, read files, but not delete files.
- Sites - if a WWW server is active such as the built in Apache web server, a user can host their website from this directory. This may contain a user's internet published incriminating evidence.
User Library Folder - In Depth
The User Library folder will contain huge amount of information including user specific drivers,fonts, settings, system add-ons, etc. Not everything here will be meaningful to a case. On theother-hand, many items in here will be direct evidence of the crimes at hand. Browser history, wepage cache, email remnants, email attachments, and indexes are just a few examples of this. Mypersonal Library folder contains 45 folders. Some folders are from a standard MacOS X installation, whereas others are created by installing an application. Here are some of the folders and theinformation that can be gathered from them.
Application Support - Folders will be located in here that are created from Application installations. When a user removes the application from the system, the folder will remain in here. Amanual delete is required to remove this information. Although there may not be specific historyhere, it will be indicative of an application having been installed, and may show usage information.
Automator - User specific actions will be stored here. The actions are added by the user, and maycontain some very indicative information of file copying, server connections and other actions auser wants to automate.
Caches - This folder has the potential to be a gold mine of historical data for the examiner. Thecontents include information of application usage, web sites visited, buddy lists, downloaded files,etc. The best general advice that can be given regarding this directory is - explore. Look in thefolders here and see how the information may apply to your specific case. Keep in mind that manyfolders here will remain even after an application has been removed from the system!
Cookies - Used by Safari and other web browsers for the Cookies of various websites. A file named
"Cookies.plist" is likely in this folder.
- This folder contains favorites for the "Connect to Server" option in the Finder. It willshow other network resources that the User considered important enough to be able to easily return to.
Logs - This folder contains log files for many applications and usage information. Excellent evidentiary resource.
Mail and Mail Downloads
- These folders contain email and files that were attached to emails received under this account.
Phones - This folder contains cell phones that have been connected to this computer under thisaccount. Specific information about the phones can be found within the Info.plist file.
Recent Servers - This folder contains information on servers that have been recently connected toincluding AFP and FTP sites.
Safari - This folder contains the vital information on Safari usage including bookmarks, history, etc.
Each of these folders, and others, should be explored for evidence relating to the specific case athand. It would be impossible to write specific information for each of the folders and files that canpossibly be found here.
Address Book is the bundled application that allows users to store names, addresses, telephonenumbers, screen names, web page information and just about anything else related to a contact. Address Book is integrated into many applications, such as Mail, Safari, and .Mac. A user can export VCards from here as well.
iCal is the bundled calendar application. iCal is a simple program compared to many of the morerobust, enterprise type calendar systems. iCal is well used, and has the ability to synchronize with .Mac. A user can also publish a calendar to .Mac for public viewing.
Mail (or Mail.app as some will call it) is the bundled email application. Mail is integrated with theAddress Book, and also maintains a list of people emailed outside of the Address Book for autotyping. Mail offers Rules to be set and also has basic Junk Mail filtering. Multiple accounts can exist within one user's Mail configuration. It has POP3 and IMAP functionality and can retrieveHotmail, Gmail, and .Mac email.
.Mac and Related Evidence
.Mac is an internet resource available from Apple Inc. Features include email (5 possible addresses),
web site hosting, and iDisk storage of files. This service is subscribed to on a yearly basis. A usermay store files here, Backup files, Address Book entries, Safari bookmarks, Quicken data, etc. Any application that supports iDisk will be a potential area of evidence. Information can be automatically synced from a Macintosh to the iDisk, and multiple Macintosh can be configured to sync withthis iDisk. Below is a screen capture of the plist file showing Moof 's House is set to automaticallysync with the associated iDisk.
.Mac plist Window
Safari, and Other Web Browsers
Safari is the bundled web browser with all versions of MacOS X. The browser is the most predominantly used browser, but certainly not the only one. Safari offers excellent History and Cacheremnants in it's default configuration.
Other web browsers that may be installed include Mozilla, Netscape, Firefox, Opera, and InternetExplorer. There are others. Look in the Applications folder to see what has been installed andthen looked for the associated setup files, bookmarks, and history in the users' Library folder.
iChat, and Instant Messaging Applications
iChat is the bundled instant messaging client in MacOS X. As of version 10.3, iChat becameknown as iChat AV because of the added video capability. iChat uses .Mac accounts as well as AOLInstant Messenger screen names natively. iChat also will interface with any instant messagingtechnology that uses "Jabber". An added feature for .Mac members is the ability to encrypt theiChat conversations. This only occurs between two .Mac members.
Other chat applications include AOL Instant Messenger, Adium, Microsoft Messenger, Skype, andSMS based applications or widgets. Look in the Applications folder to see what has been installedand then looked for the associated setup files users' Library folder or Home folder.
Mac OS X Log Files
Mac OS X, like Linux and other UNIX variants, keeps many log files. Some of the files are verydetailed, yet of little use forensically. Other logs, seemingly innocuous, contain direct or indirectevidence to a users actions and intentions. Some log files will directly state exactly what a user wasdoing and the log entry itself would show the crime. Other entries will be indirect, yet help establish the circumstantial evidence of the crime committed. The Console utility, typically found in the/Applications/Utilities folder is where most logs can be read natively. Here are some, but certainlynot all of the log files than can help establish time-tables, actions, and configurations.
Application Usage History, information is written here when an applicationcrashes only.
Printer Connection Information
Printer Connection Information
Network Interface History
Samba (Windows based machine) connection information
Any logs in this area will be specific to the user of this Home directory. Application specific logs will be found here
Log of CD or DVD media burned using the Finder. This is specific to theuser of this Home directory.
Log of CD or DVD media burned using the Finder, mount and unmount history of ISO or DMG image files,
Permission Repair history. and hard diskpartition information.
Log files here contain information of past iChat connection attempts. Data such as username, IP address, and Date&Time of the attempt
Log files here will contain information on .Mac syncing, mobile devices suchas iPods and cell phones, and Date&Time of the activities
Mac OS X "plist" Files
Mac OS X, and all versions of the Macintosh operating systems, do not use a registry like MicrosoftWindows. User settings are "remembered" through the use of "plist" files. Plist stands for Property List Format file. There is a MAN page describing the file in detail. Here is an excerpt from the Description:
Property lists organize data into named values and lists of values using severalCore Foundation types: CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray,and CFDictionary. These types give you the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible. The property list programming interface allows you to converthierarchically structured combinations of these basic types to and from standardXML. The XML data can be saved to disk and later used to reconstruct the original Core Foundation objects. Note that property lists should be used for datathat consists primarily of strings and numbers because they are very inefficientwhen used with large blocks of binary data.
This description shows us that the data is more complex than a simple "Cookie" and not easily readwith a standard text editor. A Utility from Apple called "Property List Editor" will reveal the datacontained within each of these files in a user friendly way. As implied by the title, it will also allowyou to edit the content, so be very careful! The utility is part of the Developer tools XCode, freelyavailable from Apple Inc. The following table lists some, but certainly not all of the valuable plistfiles. You will find application specific plist files created, and they will always be worth looking atfor forensic data.
In the event you haven't downloaded the XCode tools, it is still possible to look a plist file. Theplist file is likely stored in binary XML format. Opening this type of file in TextEdit will yield nothing useful. Fortunately, the Terminal command plutil converts plist file to XML format. The MAN entry for plutil is as follows:
|NAME||plutil -- property list utility|
|SYNOPSIS||plutil [command_option] [other_options] file|
|DESCRIPTION||plutil can be used to check the syntax of property list files, or convert a plist file from one format to another.
Be certain that your destination file is saved on YOUR drive and not a target drive.
The following list contains miscellaneous files, their location, and use.
Contains the current version of the installed operating system
Contains the date and time the operating system was first installed (completion time, not start time)
Contains defined IP addresses and the associated name
The following PLIST files can be found in the user home directory ~/Library/Preferences/
Contains the data this user has entered about him/her self
Contains devices that have connected via Bluetooth. It will show last connection date as well.
Contains information on installed Widgets for this user.
Contains information on applications available in the Dock
Contains information on items to be synced as well as how often the sync isdone
Contains information on Recently opened folders, last server connection from Finder and the last "Go to Folder" selection
Last directory a capture was saved.
AOL Instant Messenger information
Jabber account information
Information on Mail.app setup including account names and where the emailis stored locally
Information on network lookups such as Lookups, Whois, Ping and PortScans.
Recent Documents opened using Preview.app
Information on recently connected to printers
Recently viewed movie files
History from the web browser Safari, including Recent Search terms, Recentfolders utilized locally
Scheduled activities to run automatically such a .Mac sync or Software Update
Contains a History or Current and Past item that have shown up in the FinderWindows Sidebar.
It will show System assigned items as well as the items inthe Custom portion of the window.
Contains a list of the custom "menus" installed by the user. Useful in showingwhat runs on the machine when a user logs in.
Recent audio and video clips
Again, this table is by no means complete. Using the Property List Editor, view each and anyPLIST file that seems to be relevant. Many times, when software changes in version, a new PLISTfile is used.
Sleep and Safe Sleep
/private/var/vm/sleepimage - This file is on Intel Macintosh portable computers to save contents of RAM to the hard disk. Its use is to recover from a power outage during sleep mode or when thebattery is just about to run out of power during use. As of this writing, the file is written to disk, unencrypted, and yields many usual artifacts of user history, inclusive of passwords. All Macintoshes running OS X can go into sleep mode, but the computer must support "safe sleep" (sometimes referred to as Deep Sleep) to have this functionality. It is possible to turn off the safe sleepfunction from the command line, but not thru the System Preferences.
Detailed Macintosh Techniques
First off, the Macintosh has many, many key combinations that cause different actions right fromthe initial power on. Not every key combo works on every Macintosh. Most work on most Macs. That is the best that can be said. Document which ones you try for the specific case at hand, and also for future reference.
Apple Boot Key Combos
Bypass startup drive and boot from CMD-OPT-SHIFT-DELETE external (or CD) Boot from CD
Boot from a specific SCSI ID #
Eject Floppy Disk
Hold down Mouse button
Select Volume to start from
Start in Target Disk Mode
OS X Verbose Boot
OS X Single User Mode
Create a Brute Force Dictionary File
The MacOS X Terminal makes it rather easy to create a brute force dictionary for attacking variousencoded files. It certainly isn't a guarantee, but it offers hope. Creating this dictionary is usefulwhen the source is not encrypted. For instance, if you try to make a dictionary file from a sparseimage file, you will get nothing useful. However, making a dictionary from the entire device mayyield the password to a user's login, a website, their keychain, and so-on.
The terminal command "strings" can create a text file with the useful words contained in a file orraw device. The MAN entry for "strings" is as follows:
strings - find the printable strings in a object, or other binary, file.
We can use this against a device file such as /dev/disk0 or against an unencrypted DMG file such as/Evidence/sample.dmg and have a text file created with the useful strings.
The command wouldlook like this:
Moofs-House:~ moof$ strings /Evidence/UnencryptedDMG.dmg > /Evidence/strings.txt
This command will output a text file that contains all of the useful strings contained in the DMGfile. You can now use this file as a "dictionary" in a brute force attack on passwords. It might befurther useful to take the repeated strings out of this file.
Useful Artifacts and Commands
As with any operating system or file system, there are numerous places to look for evidence. TheMacintosh is no exception. The following tables begin to list areas of interest.
Table 1 - Artifacts
Safari = /Users//Libary/Safari/History.plist (dates are in AbsoluteDate Format)
Note: if the file /Users//Library/Preferences/com.Apple.Safari.plistcontains the value "WebKitPrivateBrowsingEnabled" set to TRUE, no browsing history will be kept.
Internet Explorer =/Users//Library/Preferences/Explorer/History.html
Perform a search for files with the following extensions: .mbx, .mbox, .emlx,
.imapmbox, .eml, .msf
Microsoft Entourage uses a file named "database".
Perform a search for the file "com.Apple.iPod.plist". It will contain information such as serial number of the iPod, last connect time, use count, etc.
limewire.props contains last used forward facing IP address
|IP Address Info||
IP Address info may be found in any of the following locations:
I also suggest looking at other logs kept in this directory!
Table II - Terminal Window Commands
ls -al | more
|"ls" is the command to list the directory contents (Present Working Directory). Adding the "-al" switch will give all entries including hidden files andshow "long" entries. "Long" entries simply means you will see the associatedinformation for each entry, rather than just the name. The "| more" is thepipe command to send the output to the "more" command. "more" is acommand that will list the screen output one page at a time, pausing every 24lines. This causes the directory listing to pause, rather than just go flying by. Some people prefer the "less" command. Read the MAN pages and choose for yourself.
|(Present Working Directory)
This will simply out the path of your current directory. Sitting at a "$"prompt isn't always the most useful and its easy to get lost when navigatingthe disk hierarchy.
find / -name "*.jpg" -print
|This command will list all files, path included, that match the expression *.jpgstarting from the root of the file structure. This is an example of crudesearching for possible image files. Change the starting location for the searchby changing the "/" to the path of choice. An example might be /Users/
where is a valid home directory.
|Displays the current system date and time in GMT|
Information in this document has been gathered from years of education, training, and work experience. I would also be remiss if I did not mention training, websites and mailing lists that I readoften, with great respect.
Many thanks go to the resources of:
- Apple Inc. including the Support and Developer websites. The information on these websites is an Examiner's greatest tool to understanding any analysis.
- Blackbag Technologies training courses
- Derrick Donnelly's email list "email@example.com"
- Apple Inc. Forensic email Listserv (Government email participants only at this time)
- Guidance Software discussion forums and their technical support personnel
Recommended Utilities and Applications
- Property List Editor
Weird Kid Software Products
BlackBag Technologies Inc.
Many, MANY others as your cases develop. Use your favorite search engine, or try:
MacOS X 10.4 Command Line Utilities and Daemons
|apropos||search the whatis database for strings|
|arp||address resolution display and control|
|asr||Apple Software Restore; copy volumes (e.g. from disk images)|
|atlookup||looks up network-visible entities (NVEs) registered on the AppleTalk network system|
|autodiskmount||disk support tool|
|automount||automatic server mount / unmount daemon|
|awk||pattern-directed scanning and processing language|
|basename, dirname||return filename or directory portion of pathname|
|bash||GNU Bourne-Again Shell|
|bless||set volume bootability and startup disk options|
|blued||The Mac OS X bluetooth daemon|
|bootparamd||boot parameter server|
|bzcmp, bzdiff||compare bzip2 compressed files|
|bzgrep, bzfgrep, bzegrep||search possibly bzip2 compressed files for a regular expression|
|bzip2, bunzip2||a block-sorting file compressor, v1.0.2|
|bzcat||decompresses files to stdout.|
|bzip2recover||recovers data from damaged bzip2 files|
|cal||displays a calendar|
|cat||concatenate and print files|
|chflags||change file flags|
|chmod||change file modes or Access Control Lists|
|chown||change file owner and group|
|chpass, chfn, chsh||add or change user database information|
|chroot||change root directory|
|cksum, sum||display file checksums and block counts|
|cksum(n)||calculate a cksum(1) compatible checksum|
|clear||clear the terminal screen|
|cmp||compare two files byte by byte|
|compress, uncompress||compress and expand data|
|configd||System Configuration Daemon|
|cron||daemon to execute scheduled commands (Vixie Cron)|
|crontab||maintain crontab files for individual users (V3)|
|cupsd||common unix printing system daemon|
|cvs||Concurrent Versions System|
|date||display or set date and time|
|dd||convert and copy a file|
|defaults||access the Mac OS X user defaults system|
|df||display free disk space|
|diff||compare files line by line|
|diff3||compare three files line by line|
|diffpp||pretty-print diff outputs with GNU enscript|
|diffstat||make histogram from diff-output|
|dig||DNS lookup utility|
|disable, enable||stop/start printers and classes|
|diskarbitrationd||disk arbitration daemon|
|disklabel||manipulate and query an Apple Label disk label|
|disktool||disk support tool|
|diskutil||Modify, verify and repair local disks|
|ditto||copy files and directories to a destination directory|
|dmesg||display the system message buffer|
|domainname||set or print the name of the current NIS domain|
|drutil||interact with CD/DVD burners|
|dscl||Directory Service command line utility|
|du||display disk usage statistics|
|dumpfs||dump file system information|
|dynamic_pager||dynamic pager external storage manager|
|echo||write arguments to the standard output|
|emacs||GNU project Emacs|
|enscript||convert text files to PostScript|
|env||set and print environment|
|expand, unexpand||expand tabs to spaces, and vice versa|
|fdisk||DOS partition maintenance program|
|fibreconfig||Tool for configuring settings for Fibre Channel controllers and targets|
|file||determine file type|
|find||walk a file hierarchy|
|fsck||filesystem consistency check and interactive repair|
|fsck_hfs||HFS file system consistency check|
|fsck_msdos||DOS/Windows (FAT) file system consistency check|
|ftp||Internet file transfer program|
|getconf||retrieve standard configuration variables|
|gpt||GUID partition table maintenance utility|
|grep, egrep, fgrep||print lines matching a pattern|
|groups||show group memberships|
|gzexe||compress executable files in place|
|gzip, gunzip, zcat||compress or expand files|
|hdik||lightweight in-kernel disk image mounting tool|
|hdiutil||manipulate disk images (attach, verify, burn, etc)|
|head||display first lines of a file|
|heap||List all the malloc-allocated buffers in the process's heap|
|hexdump, hd||ASCII, decimal, hexadecimal, octal dump|
|host||DNS lookup utility|
|hostname||set or print name of current host system|
|ifconfig||configure network interface parameters|
|info||read Info documents|
|installer||system software and package installer tool|
|ioreg||show I/O Kit registry|
|iostat||report I/O statistics|
|ip6||Enable or disable IPv6 on active interfaces|
|ip6config||Configure IPv6 and 6to4 IPv6 tunnelling|
|ip6fw||controlling utility for IPv6 firewall|
|ipconfig||view and control IP configuration state|
|ipfw||IP firewall and traffic shaper control program|
|jar||Java archive tool|
|kadmin||Kerberos V5 database administration program|
|kadmind||KADM5 administration server|
|kdb5_util||Kerberos database maintainance utility|
|kextload||loads, validates, and generates symbols for a kernel extension (kext)|
|kextstat||display status of dynamically loaded kernel extensions|
|kextunload||terminates and unloads kernel extensions|
|kill||terminate or signal a process|
|killall||kill processes by name|
|ktrace||enable kernel process tracing|
|last||indicate last logins of users and ttys|
|lastcomm||show last commands executed in reverse order|
|launchctl||Interfaces with launchd|
|launchd||System wide and per-user daemon/agent manager|
|ldapsearch||LDAP search tool|
|ldapwhoami||LDAP who am i? tool|
|less||opposite of more|
|lessecho||expand metacharacters, such as * and ?, in filenames on Unix systems|
|ln, link||make links|
|locale||display locale settings|
|login||log into the computer|
|logname||display user's login name|
|logresolve||resolve hostnames for IP-adresses in Apache logfiles|
|look||display lines beginning with a given string|
|lookupd||directory information and cache daemon|
|ls||list directory contents|
|lsbom||list contents of a bom file|
|lsof||list open files|
|lsvfs||list known virtual file systems|
|machine||print machine type|
|man||format and display the on-line manual pages|
|md5||calculate a message-digest fingerprint (checksum) for a file|
|mdfind||finds files matching a given query|
|megaraid||Command Line Utility for MegaRAID management|
|merge||three-way file merge|
|mesg||display (do not display) messages from other users|
|mnthome||mount an AFP (AppleShare) home directory with the correct privileges|
|mount||mount file systems|
|mount.cifs||mount using the Common Internet File System (CIFS)|
|mount_afp||mount an afp (AppleShare) filesystem|
|mount_cd9660||mount an ISO-9660 filesystem|
|mount_cddafs||mount an Audio CD|
|mount_fdesc||mount the file-descriptor file system|
|mount_ftp||mount a FTP filesystem|
|mount_hfs||mount an HFS/HFS+ file system|
|mount_msdos||mount an MS-DOS file system|
|mount_nfs||mount NFS file systems|
|mount_ntfs||mount an NTFS file system|
|mount_smbfs||mount a shared resource from an SMB file server|
|mount_udf||mount a UDF filesystem|
|mount_webdav||mount a WebDAV filesystem|
|mountd||service remote NFS mount requests|
|msgs||system messages and junk mail program|
|mtree||map a directory hierarchy|
|named||Internet domain name server|
|nano||Nano's ANOther editor, an enhanced free Pico clone|
|natd||Network Address Translation daemon|
|net||Tool for administration of Samba and remote CIFS servers|
|netstat||show network status|
|newfs||construct a new file system|
|newfs_hfs||construct a new HFS Plus file system|
|newfs_msdos||construct a new MS-DOS (FAT) file system|
|nfsd||remote NFS server|
|nice||execute a utility with an altered scheduling priority|
|nologin||politely refuse a login|
|ntpd||Network Time Protocol (NTP) daemon|
|ntpdate||set the date and time via NTP|
|ntptrace||trace a chain of NTP servers back to the primary source|
|nvram||manipulate Open Firmware NVRAM variables|
|open||open files and directories|
|open-x11||run X11 programs|
|pagesize||print system page size|
|passwd||modify a user's password|
|paste||merge corresponding or subsequent lines of files|
|patch||apply a diff file to an original|
|pbcopy, pbpaste||provide copying and pasting to the pasteboard (the Clipboard) from command line|
|pcscd||PC/SC Smartcard Daemon|
|pdisk||Apple partition table editor|
|ping||send ICMP ECHO_REQUEST packets to network hosts|
|ping6||send ICMPv6 ECHO_REQUEST packets to network hosts|
|pl||converts between ASCII and binary plist formats|
|plutil||property list utility|
|pmset||modify power management settings|
|portmap||RPC program,version to DARPA port mapper|
|printenv||print out the environment|
|pwd||return working directory name|
|quot||display total block usage per user for a file system|
|quota||display disk usage and limits|
|quotacheck||filesystem quota consistency checker|
|quotaon, quotaoff||turn filesystem quotas on and off|
|rarpd||Reverse ARP Daemon|
|rcp||remote file copy|
|reboot, halt||stopping and restarting the system|
|renice||alter priority of running processes|
|repquota||summarize quotas for a file system|
|restore||restore files or file systems from backups made with dump|
|rev||reverse lines of a file|
|rm, unlink||remove directory entries|
|routed||network RIP and router discovery routing daemon|
|rwho||who is logged in on local machines|
|rwhod||system status server|
|say||Convert text to audible speech|
|scp||secure copy (remote file copy program)|
|screencapture||capture and manipulate clipboard contents|
|sftp||secure file transfer program|
|sftp-server||SFTP server subsystem|
|showmount||show remote nfs mounts on host|
|shutdown||close down the system at a given time|
|sleep||suspend execution for an interval of time|
|smbclient||ftp-like client to access SMB/CIFS resources on servers|
|smbd||server to provide SMB/CIFS services to clients|
|smbstatus||report on current Samba connections|
|snmpd||daemon to respond to SNMP request packets|
|snmptable||retrieve an SNMP table and display it in tabular form|
|snmptrapd||Receive and log SNMP trap messages|
|sort||sort lines of text files|
|split||split a file into pieces|
|spray||send many packets to host|
|srm||securely remove files or directories|
|ssh||OpenSSH SSH client (remote login program)|
|sshd||OpenSSH SSH daemon|
|stat, readlink||display file status|
|strings||find the printable strings in a object, or other binary, file|
|su||substitute user identity|
|sudo, sudoedit||execute a command as another user|
|sum(n)||calculate a sum(1) compatible checksum|
|sw_vers||print Mac OS X operating system version information|
|sync||force completion of pending disk writes (flush cache)|
|syslog||Apple System Log utility|
|syslog.conf(5)||syslogd(8) configuration file|
|syslogd||Apple System Log server|
|system_profiler||reports system hardware and software configuration|
|tail||display the last part of a file|
|talk||talk to another user|
|tar||tape archiver; manipulate "tar" archive files|
|tcpdump||dump traffic on a network|
|tcsh||C shell with file name completion and command line editing|
|telnet||user interface to the TELNET protocol|
|tftp||trivial file transfer program|
|time||time command execution|
|timed||time server daemon|
|timutil||authetication server utility|
|top||display and update sorted information about processes|
|touch||change file access and modification times|
|traceroute||print the route packets take to network host|
|traceroute6||print the route IPv6 packets will take to the destination|
|tty||return user's terminal name|
|uname||Print operating system name|
|uniq||report or filter out repeated lines in a file|
|unzip||list, test and extract compressed files in a ZIP archive|
|update||flush internal filesystem caches to disk frequently|
|update_prebinding||Update prebinding information when new system libraries or frameworks are installed|
|uptime||show how long system has been running|
|users||list current users|
|uuencode, uudecode||encode/decode a binary file|
|vers_string||produce version identification string|
|vim||Vi IMproved, a programmers text editor|
|vipw||edit the password file|
|visudo||edit the sudoers file|
|vpnd||Mac OS X VPN service daemon|
|w||display who is logged in and what they are doing|
|wc||word, line, character, and byte count|
|whatis||search the whatis database for complete words|
|which||locate a program file in the user's path|
|who||display who is on the system|
|whoami||display effective user id|
|whois||Internet domain name and network number directory service|
|winbindd||Name Service Switch daemon for resolving names from NT servers|
|write||send a message to another user|
|xgrid||submit and monitor xgrid jobs|
|xinetd||the extended Internet services daemon|
|zcmp, zdiff||compare compressed files|
|zgrep||search possibly compressed files for a regular expression|
|zip, zipcloak, zipnote, zipsplit||package and compress (archive) files|
|zipgrep||search files in a ZIP archive for lines matching a pattern|
|zipinfo||list detailed information about a ZIP archive|
|zsh||the Z shell|