Saturday 23 May 2015

Artefacts and tricks for Mac OS X

Note: a line of the form "$ xxx" is a command to run; any other line is a file or directory to collect.

 FORENSICS - SYSTEM INFO AND LEAK INFO 

 PROOF OF CONCEPT

 SYSTEM INFO

General information
$ system_profiler
Owner (name, address, tel, etc.)
/Users/USERNAME/Library/Preferences/com.apple.AddressBook.plist
/Users/USERNAME/Library/Preferences/AddressBookMe.plist
/Library/Preferences/AddressBookMe.plist
/private/var/db/.AppleSetupDone
Kernel Version and state
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
$ sysctl -A
OS version
/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/ServerVersion.plist (if server)
$ uname -an
Timezone
/Library/Preferences/.GlobalPreferences.plist
/etc/localtime

 AUTHENTICATION DATA

Usernames and password hashes
/Users/USERNAME
[10.6]/var/db/shadow/hash/
[10.7]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
[10.8]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist
Administrators
/var/db/dslocal/nodes/Default/groups/admin.plist
Autologin password (XOR)
/private/etc/kcpassword
Last connected user
/Library/Preferences/com.apple.loginwindow.plist
Last login info, master password hint and autologin user
/Library/Preferences/com.apple.loginwindow.plist
Deleted Users
/Library/Preferences/com.apple.preferences.accounts.plist
User Keychain (contains a lot of passwords :))
/Users/USERNAME/Library/Keychains/login.keychain
System Keychain
/Library/Keychains/FileVaultMaster.keychain => contains the FileVault Recovery Key to use master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
/var/db/SystemKey => contains the key to decrypt System.keychain

 ALL LOGS

/var/log/system.log*
/var/log/windowserver.log*
/var/log/secure.log*
/var/log/kernel.log*
/private/var/log/install.log*
/private/var/log/appfirewall.log*
/var/audit/
/.fseventsd/* => FSEventsParser (tool to parse)

 PERSISTENCE

XPC Services
$ find /Applications/ -name XPCServices -exec ls -lsct {} \;
Launched XPC System
/System/Library/XPCServices/
Launched Agents System
/System/Library/LaunchAgents/
Launched Agents Library
/Library/LaunchAgents/
/Users/USERNAME/Library/LaunchAgents/
Launched Daemons System
/System/Library/LaunchDaemons/
Launched Daemons Library
/Library/LaunchDaemons/
Launched LoginItems > User
/Users/USERNAME/Library/Preferences/com.apple.loginitems.plist
Launched LoginItems > Application
$ find /Applications/ -name LoginItems -exec ls -lsct {} \;
Launched ScriptingAdditions
/System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/
Launchd DB
/private/var/db/launchd.db/
$ find /private/var/db/launchd.db/ -name 'com.apple.launchd.peruser.*' -exec ls -lsct {} \;
Loaded_Drivers
$ kextstat
All Extensions
/System/Library/Extensions/
Extra Extensions
/Extra/Extensions/
Crontab
$ crontab -u root -l
$ crontab -u USERNAME -l
Kernel cache of installed extensions
/System/Library/Extensions/Extensions.kexstat/
/System/Library/Extensions/Extensions.mkext
Rc.common
/etc/rc.common
Login hook
/Users/USERNAME/Library/Preferences/com.apple.loginwindow.plist
Startup Items
/System/Library/StartupItems/
/Library/StartupItems/
Launchd.conf
/etc/launchd.conf

Applications to re-open at next login (saved at shutdown)
/Users/USERNAME/Library/Preferences/ByHost/com.apple.loginwindow..plist
Spotlight importers
/Library/Spotlight/

Plugins
/Library/Security/SecurityAgentPlugins/
/Library/Internet\ Plug-Ins/
/Users/USERNAME/Library/Safari/Extensions/Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/External Extensions/
/Users/USERNAME/Library/Application Support/Google/Chrome/Default/Extensions/
/Users/USERNAME/Library/Application Support/Mozilla/Extensions/

 APPLICATIONS

Installation History
/Library/Receipts/InstallHistory.plist
Uninstallation History
$ sudo egrep --colour=auto -Ri 'uninstalld|removing Application' /var/log/*
Sample output:
/var/log/commerce.log:Nov 26 15:42:35 amalard-3.mrc.cossi.internet storeassetd[413]: SoftwareMapSpotlightSource: removing Application : (com.tastycocoabytes.CocoaPacketAnalyzer.mas, 1.31, 418357707:660823895 VPP:NO source:Spotlight /Applications/CocoaPacketAnalyzer.app) 
/var/log/system.log:Nov 26 15:42:30 amalard-3.mrc.cossi.internet uninstalld[2105]: Could not get Info.plist for /Applications/CocoaPacketAnalyzer.app
Updates History
/Library/Preferences/com.apple.SoftwareUpdate.plist
Last launched applications
$ ls -lshtr /Library/Caches
$ ls -lshtr /Users/USERNAME/Library/Caches
All installed Application and association files
#All bundle .app, mounted volume(containing .app) and association files (recorded by Launch Service)
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 5 "^volume"
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 40 --before-context 1 "^bundle"

Sandboxed Applications
/Users/USERNAME/Library/Containers/

Application crash reports and logs
/Users/USERNAME/Library/Application Support/CrashReporter/
/Users/USERNAME/Library/Logs/
/var/log/install.log

Environment Variables
/Users/USERNAME/.MacOSX/environment.plist
/etc/launchd.conf
/Users/USERNAME/Library/LaunchAgents/

 USER ARTEFACTS

Recent searches, Trash setting, view settings, recent folders
/Users/USERNAME/Library/Preferences/com.apple.finder.plist
Applications in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Folders and network shares in the Dock
/Users/USERNAME/Library/Preferences/com.apple.dock.plist
Desktop picture
/Users/USERNAME/Library/Preferences/com.apple.desktop.plist
Recent documents, applications and network connections
/Users/USERNAME/Library/Preferences/com.apple.recentitems.plist 
Preview files
/Users/USERNAME/Library/Preferences/com.apple.Preview.LSSharedFileList.plist

 USER SYSTEM HISTORY

Console search history
/Users/USERNAME/Library/Preferences/com.apple.Console.plist
SQLite History
/Users/USERNAME/.sqlite_history
BASH History
/Users/USERNAME/.bash_history
SH History
/Users/USERNAME/.sh_history
Last logged users
$ last
Connected media history
/Users/USERNAME/Library/Preferences/com.apple.sidebarlists.plist

 TOOL EVERYDAY INFO

Address Book
/Users/USERNAME/Library/Application Support/AddressBook/MailRecents-v4.abcdmr
Calendar (through Spotlight)
/Users/USERNAME/Library/Calendars/Calendar\ Cache
User emails, only text (through Spotlight)
/Users/USERNAME/Library/Mail/V2/MailData/Envelope\ Index
User emails, full (through mBox files)
/Users/USERNAME/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox
Office documents restored by the AutoRecovery service
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery
Recent printed documents
/var/spool/cups/
See: http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html
Text notes taken with Stickies Widget (Widget available natively)
/Users/USERNAME/Library/Preferences/widget-com.apple.widget.stickies.plist
/Users/USERNAME/Library/StickiesDatabase
/Users/USERNAME/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata-wal 
Evernote text notes
/Users/USERNAME/Library/Application Support/Evernote/accounts/Evernote/xxxxxxxx/content/

 CHAT

Skype message history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Skype/xxxxxxxx/main.db
Messages history, i.e. the new iChat (stores conversations)
/Users/USERNAME/Library/Messages/
iChat history (stores conversations)
/Users/USERNAME/Documents/iChats/
Adium history (stores conversations)
/Users/USERNAME/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/

 iDEVICES

iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28
iDevice Calendar (through iTunes backup)
/Users/USERNAME/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858
iDevice Call history (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78
iDevice SMS (through iTunes backup)
/Users/USERNAME/Library/Application Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442

 WEB BROWSING

Safari Browsing
[HISTORY]/Users/USERNAME/Library/Safari/History.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.plist
[COOKIES]/Users/USERNAME/Library/Cookies/Cookies.binarycookies
[DOWNLOADS]/Users/USERNAME/Library/Safari/Downloads.plist
Safari Webpage Preview (stored Screenshot of your navigation):
/Users/USERNAME/Library/Caches/com.apple.Safari/Webpage Previews/
Firefox Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite
Chrome Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/Google/Chrome/Default/History
Opera Browsing
[HISTORY]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY]/Users/USERNAME/Library/Opera/global_history.dat
[COOKIES]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES]/Users/USERNAME/Library/Opera/cookies4.dat
[DOWNLOADS]/Users/USERNAME/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS]/Users/USERNAME/Library/Opera/download.dat
QuarantineEventsV (can contain Browser history and iChat)
/Users/USERNAME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*

 DELETED/RECOVERED DATA

Trashes
/Users/USERNAME/.Trash
/.Trashes
Recovery Office Files
/Users/USERNAME/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery

 NETWORK HISTORY

Bluetooth History
/Library/Preferences/com.apple.Bluetooth.plist
Network History
/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
WiFI AP History
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences|sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3
Remote Desktop History
/Library/Preferences/com.apple.RemoteDesktop.plist

 NETWORK CONFIGURATION

Firewall
/Library/Preferences/com.apple.alf.plist
Wireless
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
NAT
/Library/Preferences/SystemConfiguration/com.apple.nat.plist
SMB Server
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
Interfaces (10.8)
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
Interfaces
/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist
/Library/Preferences/SystemConfiguration/preferences.plist

 MEMORY

Hibernate file
/private/var/vm/sleepimage
Swap file
/private/var/vm/swapfile0

 FORENSICS - EVENTS 

 PROOF OF CONCEPT

 STARTUP ACTIVITIES

Startup dates/hours on July 8

[On Lion and Mountain Lion] $sudo grep -i 'BOOT_TIME' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'BOOT_TIME' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Shutdown dates/hours on July 8

[On Lion and Mountain Lion] $sudo grep -i 'SHUTDOWN_TIME' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'SHUTDOWN_TIME' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Hibernation dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'hibernate_setup(0) took' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'hibernate_setup(0) took' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo grep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Wake-from-hibernation dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'Wake reason' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'Wake reason' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo syslog -T utc+2 -F raw -f /var/log/asl/2013.07.08.*|grep 'Message Wake'|grep -i 'Jul  8'|cut -d ] -f 2|sed -e 's/ \[Time//g'

 SESSION ACTIVITIES

Locked session dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'Application App:"loginwindow"' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'Application App:"loginwindow"' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo grep -i 'loginwindow' /var/log/windowserver.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Failed attempts to unlock the session on July 8

[On Mountain Lion] $sudo grep -i -B 9 'The authtok is incorrect.' /var/log/system.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/system.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
[On Lion] $sudo grep -i -B 9 'The authtok is incorrect.' /var/log/secure.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/secure.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'

Successful session unlocks on July 8

[On Mountain Lion] $sudo grep -i -A 1 'Establishing credentials' /var/log/system.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -A 1 'Establishing credentials' /var/log/system.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
[On Lion] $sudo grep -i -A 1 'Establishing credentials' /var/log/secure.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -A 1 'Establishing credentials' /var/log/secure.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
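
The startup and session pipelines above each make one pass over system.log per event type. The script below is an added example (not a script from the original post) that does the same work in a single awk pass and emits a small timeline: boot, shutdown, wake, successful unlock and failed unlock, with the user name where the log carries one. It assumes the syslog line layout "Mon  D HH:MM:SS host proc[pid]: message" and the PAM messages the greps above match ("Establishing credentials" right before "Got user: NAME" on success, "The authtok is incorrect." shortly after it on failure); the sample log is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): one awk pass over a system.log
# that reports the day's boot, shutdown, wake and session-unlock events, the
# same patterns the individual grep pipelines above look for.
# Assumptions: syslog "Mon  D HH:MM:SS host proc[pid]: msg" layout; unlock
# attempts log "Got user: NAME", preceded by "Establishing credentials" on
# success and followed by "The authtok is incorrect." on failure.

# Constructed sample log (not real data), written to a temp file so the
# function can be exercised offline. Note the two spaces before a single-digit day.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul  8 07:58:12 macbook kernel[0]: BOOT_TIME 1373263092 0
Jul  8 08:01:40 macbook authorizationhost[110]: Establishing credentials
Jul  8 08:01:40 macbook authorizationhost[110]: in pam_sm_authenticate(): Got user: alice
Jul  8 12:30:05 macbook kernel[0]: Wake reason: EHC1
Jul  8 12:30:07 macbook authorizationhost[390]: in pam_sm_authenticate(): Got user: alice
Jul  8 12:30:08 macbook authorizationhost[390]: The authtok is incorrect.
Jul  8 18:45:02 macbook shutdown[999]: SHUTDOWN_TIME 1373301902 0
Jul  9 09:00:00 macbook kernel[0]: BOOT_TIME 1373353200 0
EOF

# session_events LOG MONTH DAY
#   MONTH is the three-letter abbreviation as logged (Jul), DAY the day of
#   month without a leading zero (8). Prints "Mon D HH:MM:SS EVENT [user]".
#   LOG may be "-" to read a bzcat'ed rotated log from stdin.
session_events() {
    awk -v mon="$2" -v dom="$3" '
        $1 != mon || $2 != dom { next }          # keep only the requested day
        /BOOT_TIME/          { print $1, $2, $3, "BOOT"; next }
        /SHUTDOWN_TIME/      { print $1, $2, $3, "SHUTDOWN"; next }
        /Wake reason/        { print $1, $2, $3, "WAKE"; next }
        /Establishing credentials/ { pending = 1; next }   # next Got user = success
        /Got user:/ {
            user = $NF                              # remember who is unlocking
            if (pending) { print $1, $2, $3, "UNLOCK_OK", user; pending = 0 }
            next
        }
        /The authtok is incorrect/ { print $1, $2, $3, "UNLOCK_FAIL", user; next }
    ' "$1"
}

# Stand-alone run: the sample yields BOOT, UNLOCK_OK, WAKE, UNLOCK_FAIL and
# SHUTDOWN for Jul 8; the Jul 9 boot is filtered out.
session_events "$SAMPLE_LOG" Jul 8
```

For rotated logs, feed them through bzcat and read from stdin: `bzcat /var/log/system.log.0.bz2 | session_events - Jul 8`. Failed unlocks are attributed to the most recent "Got user" line, which is what the `-B 9` context in the greps above approximates.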

 PHYSICAL CONNECTION ACTIVITIES

USB connections (last loading dates of USB extensions) on July 8

[On Mountain Lion and Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'| awk '{print $7,$6,$8,$9}'

USB plugged devices on July 8

[On Mountain Lion] $sudo grep -i 'USBMSC' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$sudo bzgrep -i 'USBMSC' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'

[On Lion] $sudo grep -i 'USBMSC' /var/log/kernel.log|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$sudo bzgrep -i 'USBMSC' /var/log/kernel.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
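
The awk above prints the raw "0x781"-style IDs; usb.ids lists them as four lowercase hex digits ("0781"), so they cannot be matched directly. The script below is an added example (not from the original post) that parses the USBMSC lines, normalises the vendor and product IDs to the usb.ids form and resolves the vendor from a local copy of that file. It assumes the kernel logs "USBMSC Identifier (non-unique): SERIAL 0xVID 0xPID 0xREV" (the same $10/$11 fields the awk above uses); both the log lines and the usb.ids excerpt are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): parse the USBMSC lines the greps
# above select, normalise vendor/product IDs to the 4-digit lowercase hex form
# used by usb.ids, and look the vendor up in a local copy of that file.
# Assumption: "USBMSC Identifier (non-unique): SERIAL 0xVID 0xPID 0xREV" layout,
# i.e. $9 serial, $10 vendor, $11 product when split on whitespace.

SAMPLE_LOG=$(mktemp); IDS_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$IDS_FILE"' EXIT
# Constructed kernel log excerpt (not a real capture).
cat > "$SAMPLE_LOG" <<'EOF'
Jul  8 14:02:11 macbook kernel[0]: USBMSC Identifier (non-unique): 4C530001230318105021 0x781 0x5567 0x100
Jul  8 14:02:12 macbook kernel[0]: IOUSBMassStorageClass: probing device
Jul  8 16:40:03 macbook kernel[0]: USBMSC Identifier (non-unique): 0000000000001 0x5ac 0x1297 0x1
Jul  9 10:11:12 macbook kernel[0]: USBMSC Identifier (non-unique): 0000000000002 0x951 0x1666 0x110
EOF
# Tiny constructed excerpt in usb.ids layout (vendor lines are "vvvv  Name");
# for real use download the full list from the URL in the awk above.
cat > "$IDS_FILE" <<'EOF'
05ac  Apple, Inc.
0781  SanDisk Corp.
0951  Kingston Technology
EOF

# usb_devices LOG MONTH DAY
#   Prints "Mon D HH:MM:SS vendor=vvvv product=pppp serial=..." for each
#   USBMSC line of the requested day (MONTH as logged, DAY without leading zero).
usb_devices() {
    awk -v mon="$2" -v dom="$3" '
        # drop the 0x prefix, lower-case, left-pad to four hex digits
        function hex4(h) { h = tolower(substr(h, 3)); return substr("0000" h, length(h) + 1) }
        $1 == mon && $2 == dom && /USBMSC Identifier/ {
            print $1, $2, $3, "vendor=" hex4($10), "product=" hex4($11), "serial=" $9
        }
    ' "$1"
}

# vendor_name VVVV IDSFILE : vendor name from a usb.ids-format file, or "unknown"
vendor_name() {
    name=$(grep "^$1  " "$2" | cut -c7-)
    printf '%s\n' "${name:-unknown}"
}

# Stand-alone run over the sample: the two Jul 8 events, resolved to vendor names.
usb_devices "$SAMPLE_LOG" Jul 8 | while read -r mon day time vendor product serial; do
    vid=${vendor#vendor=}
    echo "$mon $day $time $vendor ($(vendor_name "$vid" "$IDS_FILE")) $product $serial"
done
```

The serial field is what lets you tell two sticks of the same model apart across days, so keep it in the timeline rather than only the vendor/product pair.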

File system events (USB, mounting, etc.) on July 8

[On Lion and Mountain Lion] $sudo grep -i 'fsevents' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'fsevents' /var/log/system.log.*|grep -i 'Jul  8'

Firewire connections with another machine or storage media (last loading dates of Firewire extensions)

[On Lion and Mountain Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'IOFireWireFamily.kext|IOFireWireIP.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'IOFireWireFamily.kext|IOFireWireIP.kext'| awk '{print $7,$6,$8,$9}'

Firewire connections with another machine or storage media (activation of the 'fw' interface)

[On Lion and Mountain Lion] $sudo grep -i 'fw' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'fw' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Firewire connections to dump RAM (last loading dates of the IOFireWireSBP2/iPodDriver extensions), just a supposition

[On Lion and Mountain Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'iPodDriver.kext|IOFireWireSBP2.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'iPodDriver.kext|IOFireWireSBP2.kext'| awk '{print $7,$6,$8,$9}'

 PRIVILEGE ESCALATION ACTIVITIES

Opened/Closed TTY terminals on July 8

[On Lion and Mountain Lion] $sudo grep -i 'ttys' /var/log/system.log|grep -i 'Jul  8'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'
$sudo bzgrep -i 'ttys' /var/log/system.log.*|grep -i 'Jul  8'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'

Commands executed as root (via sudo) with success on July 8

[On Mountain Lion] $sudo grep -i 'sudo\[' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'sudo\[' /var/log/system.log.*|grep -i 'Jul  8'
[On Lion] $sudo grep -i 'sudo\[' /var/log/secure.log|grep -i 'Jul  8'
$sudo bzgrep -i 'sudo\[' /var/log/secure.log.*|grep -i 'Jul  8'

Failed attempts to execute commands with sudo on July 8

[On Mountain Lion] $sudo grep -i 'incorrect password attempts' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'incorrect password attempts' /var/log/system.log.*|grep -i 'Jul  8'
[On Lion] $sudo grep -i 'incorrect password attempts' /var/log/secure.log|grep -i 'Jul  8'
$sudo bzgrep -i 'incorrect password attempts' /var/log/secure.log.*|grep -i 'Jul  8'

User, password modification and creation on July 8

[On Lion and Mountain Lion] $sudo praudit -xn /var/audit/current|egrep 'create user|modify password|delete user' -A 3|grep -i 'Jul  8' -A 3|sed 's/\&apos\;/"/g'

 APPLICATIONS ACTIVITIES

Opened applications (last access dates) on July 8

[On Lion and Mountain Lion] 
$ls -lshtr /Users/USERNAME/Library/Caches | grep 'Jul 8'
$sudo find /Applications -maxdepth 3 -type f -exec ls -lu {} \; |grep Info.plist |grep  -i '8 Jul'|grep -v root|awk '{$7=""}1'
$sudo stat -f '%Sa %N' /Applications/*/*/* |external_bin/grep_gnu_lion -i 'Jul  8'
$sudo find /Applications/ -name "Info.plist" -type f -exec stat -f '%Sa %N' {} \;|grep 'Jul  8'

 FILES ACTIVITIES

Modified files (like autorun apps, LaunchAgents or LaunchDaemons) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_file -type f -exec stat -f '%Sm %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_file=["/System/Library/XPCServices/","/System/Library/LaunchAgents/","/Library/LaunchAgents/","/Users//Library/LaunchAgents/","/System/Library/LaunchDaemons/","/Library/LaunchDaemons/"]

Added files (like trojan or malware App) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_directory -type f -exec stat -f '%SB %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_directory=["/Users//Library/Preferences/com.apple.loginitems.plist","/etc/passwd"]

Accessed files (like your secret files) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_directory -type f  -exec stat -f '%Sa %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_directory=["/Users/","/Volume/Supersecret"]

Accessed Mails (last access dates) on July 8

[On Lion and Mountain Lion] $sudo find /Users/<USERNAME>/Library/Mail/V2/IMAP-YYYY\@mail.XXXX.fr/INBOX.mbox/ -type f -name '*.emlx' -exec stat -f '%Sa %N' '{}' + |grep -i 'Jul  8'|grep 2013

 NETWORK ACTIVITIES

Network connections (based on DNS queries) on July 8

[On Mountain Lion] $sudo grep -i 'DNS+' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'DNS+' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Network disconnections (based on DNS queries) on July 8

[On Mountain Lion] $sudo grep -i 'DNS-' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'DNS-' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Ethernet/WiFI connections (activation of 'enX' interface) on July 8

[On Mountain Lion] $sudo grep -i 'en' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'en' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
[On Lion] $sudo egrep -i 'frequent transitions|network configuration changed' /var/log/system.log|grep -i 'Jul  8'
$sudo bzegrep -i 'frequent transitions|network configuration changed' /var/log/system.log.*|grep -i 'Jul  8'

WiFI access points (last connection dates; beware of the time zone) on July 8

[On Lion and Mountain Lion] $sudo defaults read /Volumes/Macintosh\ HD/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3 |grep -A 3 2013-07-08

 WIFI 

 My WiFI Scripts

 WiFI tricks

How to display available WiFI networks:
$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s

                 FreeWifi_secure 16:10:18:47:f2:4d -83  5       Y  -- WPA(802.1x/AES/AES) 
                    Livebox-eaXX 00:1d:6a:45:06:eb -79  6       Y  FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                  Freebox-4862XX f4:ca:e5:e1:ec:ac -88  8       Y  -- WPA(PSK/AES/AES) 
                        FreeWifi 22:48:94:aa:8d:e2 -84  11      Y  -- NONE
                        FreeWifi f4:ca:e5:8b:46:91 -85  11      Y  -- NONE
           Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85  60,+1   Y  FR WPA2(PSK/AES/AES) 
           Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66  11      Y  FR WPA2(PSK/AES/AES) 
                        FreeWifi f4:ca:e5:e1:ec:ad -86  8       Y  -- NONE
                 FreeWifi_secure 00:24:d4:ca:02:5e -85  7       Y  -- WPA2(802.1x/AES,TKIP/TKIP) 
 2 IBSS networks found:
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        HP01C65B f6:3f:43:f9:3f:92 -85  1       N  EU NONE
                        HP0142F9 02:2d:8d:e6:9f:e0 -65  10      N  EU NONE
How to join a WiFI network (or test a pre-shared key):
$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888" => good pre-shared key (no error message)
$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345" Failed to join network yellowstay => bad pre-shared key (error message)
How to disassociate from a WiFI network:
$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z
WiFI history (last connection date, SSID, etc.):
$defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3

 MISC 

How to take a screenshot every second and store the images (for 30 s in this example):
$for i in $(seq 1 30); do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png; done > /dev/null 2>&1