ALL_THE_TIPS  
All my tips are here.
Updated Nov 27, 2014 by sgan...@gmail.com

Note: a line starting with "$ xxx" is a command (xxx) to run; any other line is a file or directory to dump.

 FORENSICS - SYSTEM INFO AND LEAK INFO 

 PROOF OF CONCEPT

 SYSTEM INFO

General information

$ system_profiler

Owner (name, address, tel, etc.)

/Users/<USERNAME>/Library/Preferences/AddressBookMe.plist
/Library/Preferences/AddressBookMe.plist
/private/var/db/.AppleSetupDone

Kernel Version and state

/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
$ sysctl -A

OS version

/System/Library/PreferencePanes/Ink.prefPane/Contents/Info.plist
/System/Library/CoreServices/SystemVersion.plist
/System/Library/CoreServices/ServerVersion.plist (if server)
$ uname -an

Timezone

/Library/Preferences/.GlobalPreferences.plist
/etc/localtime

 AUTHENTICATION DATA

Usernames and password hashes

/Users/<USERNAME>
[10.6]/var/db/shadow/hash/
[10.7]/private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist
[10.8]/private/var/db/dslocal/nodes/Default/users/<USERNAME>.plist

Administrators

/var/db/dslocal/nodes/Default/groups/admin.plist

Autologin password (XOR)

/private/etc/kcpassword

Last connected user

/Library/Preferences/com.apple.loginwindow.plist

Last Login Info + Hint master password + autologin user

/Library/Preferences/com.apple.loginwindow.plist

Deleted Users

/Library/Preferences/com.apple.preferences.accounts.plist

User Keychain (contains a lot of passwords :))

/Users/<USERNAME>/Library/Keychains/login.keychain

System Keychain

/Library/Keychains/FileVaultMaster.keychain => contains the FileVault Recovery Key to use master password
/Library/Keychains/System.keychain
/Library/Keychains/applepushserviced.keychain
/var/db/SystemKey => contains the key to decrypt System.keychain

 ALL LOGS

/var/log/system.log*
/var/log/windowserver.log*
/var/log/secure.log*
/var/log/kernel.log*
/private/var/log/install.log*
/private/var/log/appfirewall.log*
/var/audit/*

 PERSISTENCE

XPC Services

$ find /Applications/ -name XPCServices -exec ls -lsct {} \;

Launched XPC System

/System/Library/XPCServices/

Launched Agents System

/System/Library/LaunchAgents/

Launched Agents Library

/Library/LaunchAgents/

Launched Daemons System

/System/Library/LaunchDaemons/

Launched Daemons Library

/Library/LaunchDaemons/

Launched LoginItems User

/Users/<USERNAME>/Library/Preferences/com.apple.loginitems.plist

Launched LoginItems Application

$ find /Applications/ -name LoginItems -exec ls -lsct {} \;

Launched ScriptingAdditions

/System/Library/ScriptingAdditions/
/Library/ScriptingAdditions/

Launchd DB

/private/var/db/launchd.db/
$ find /private/var/db/launchd.db/ -name 'com.apple.launchd.peruser.*' -exec ls -lsct {} \;

Loaded_Drivers

$ kextstat

All Extensions

/System/Library/Extensions/

Extra Extensions

/Extra/Extensions/

Crontab

$ crontab -u root -l
$ crontab -u <USERNAME> -l

 APPLICATIONS

Installation History

/Library/Receipts/InstallHistory.plist

Uninstallation History

$ sudo egrep --colour=auto -Ri 'uninstalld|removing Application' /var/log/*
Sample output:
/var/log/commerce.log:Nov 26 15:42:35 amalard-3.mrc.cossi.internet storeassetd[413]: SoftwareMapSpotlightSource: removing Application <CKSoftwareProduct: 0x7ff538f2fda0>: (com.tastycocoabytes.CocoaPacketAnalyzer.mas, 1.31, 418357707:660823895 VPP:NO source:Spotlight /Applications/CocoaPacketAnalyzer.app) 
/var/log/system.log:Nov 26 15:42:30 amalard-3.mrc.cossi.internet uninstalld[2105]: Could not get Info.plist for /Applications/CocoaPacketAnalyzer.app

Updates History

/Library/Preferences/com.apple.SoftwareUpdate.plist

Last launched applications

$ ls -lshtr /Library/Caches
$ ls -lshtr /Users/<USERNAME>/Library/Caches

All installed Application and association files

$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump | grep --after-context 1 "^bundle" | grep --only-matching "/.*\.app"$
$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump -seed -all u,s,n,l

 USER ARTEFACTS

Recent searches, Trash setting, view settings, recent folders

/Users/<USERNAME>/Library/Preferences/com.apple.finder.plist

Applications in the Dock

/Users/<USERNAME>/Library/Preferences/com.apple.dock.plist

folders and network shares in the Dock

/Users/<USERNAME>/Library/Preferences/com.apple.dock.plist

Desktop picture

/Users/<USERNAME>/Library/Preferences/com.apple.desktop.plist

recent documents, applications, and network connections

/Users/<USERNAME>/Library/Preferences/com.apple.recentitems.plist 

Preview files

/Users/<USERNAME>/Library/Preferences/com.apple.Preview.LSSharedFileList.plist

 USER SYSTEM HISTORY

Console Search History

/Users/<USERNAME>/Library/Preferences/com.apple.Console.plist

SQLite History

/Users/<USERNAME>/.sqlite_history

BASH History

/Users/<USERNAME>/.bash_history

SH History

/Users/<USERNAME>/.sh_history

Last logged users

$ last

Connected media history

/Users/<USERNAME>/Library/Preferences/com.apple.sidebarlists.plist

 TOOL EVERYDAY INFO

Address Book

/Users/<USERNAME>/Library/Application Support/AddressBook/MailRecents-v4.abcdmr

Calendar (through Spotlight)

/Users/<USERNAME>/Library/Calendars/Calendar\ Cache

User emails, only text (through Spotlight)

/Users/<USERNAME>/Library/Mail/V2/MailData/Envelope\ Index

User emails, full (through mBox files)

/Users/<USERNAME>/Library/Mail/V2/IMAP-username@mail.test.com/xxxx.mbox

Office documents restored by AutoRecovery service

/Users/<USERNAME>/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery

Recent printed documents

/var/spool/cups/
See http://sud0man.blogspot.fr/2013/01/american-series-are-usefull-in.html (http://sud0man.blogspot.fr)

Text notes taken with Stickies Widget (Widget available natively)

/Users/<USERNAME>/Library/Preferences/widget-com.apple.widget.stickies.plist
/Users/<USERNAME>/Library/StickiesDatabase
/Users/<USERNAME>/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata-wal 

Evernote text notes

/Users/<USERNAME>/Library/Application Support/Evernote/accounts/Evernote/xxxxxxxx/content/

 CHAT

Skype messages history (stores conversations)

/Users/<USERNAME>/Library/Application\ Support/Skype/xxxxxxxx/main.db

Message history or new iChat (stores conversations)

/Users/<USERNAME>/Library/Messages/

iChat history (stores conversations)

/Users/<USERNAME>/Documents/iChats/

Adium history (stores conversations)

/Users/<USERNAME>/Library/Application\ Support/Adium\ 2.0/Users/Default/Logs/

 iDEVICES

iDevice SMS (through iTunes backup)

/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/3d0d7e5fb2ce288813306e4d4636395e047a3d28

iDevice Calendar (through iTunes backup)

/Users/<USERNAME>/Library/Application\ Support/MobileSync/Backup/<UUID>/2041457d5fe04d39d0ab481178355df6781e6858

iDevice Call history (through iTunes backup)

/Users/<USERNAME>/Library/Application Support/MobileSync/Backup/<UUID>/ff1324e6b949111b2fb449ecddb50c89c3699a78

iDevice SMS (through iTunes backup)

/Users/<USERNAME>/Library/Application Support/MobileSync/Backup/<UUID>/31bb7ba8914766d4ba40d6dfb6113c8b614be442

 WEB BROWSING

Safari Browsing

[HISTORY]/Users/<USERNAME>/Library/Safari/History.plist
[COOKIES]/Users/<USERNAME>/Library/Cookies/Cookies.plist
[COOKIES]/Users/<USERNAME>/Library/Cookies/Cookies.binarycookies
[DOWNLOADS]/Users/<USERNAME>/Library/Safari/Downloads.plist

Safari Webpage Preview (stored Screenshot of your navigation):

/Users/<USERNAME>/Library/Caches/com.apple.Safari/Webpage Previews/

Firefox Browsing

[HISTORY]/Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/places.sqlite
[COOKIES]/Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/cookies.sqlite
[DOWNLOADS]/Users/<USERNAME>/Library/Application\ Support/Firefox/Profiles/xxxxxxxx.default/downloads.sqlite

Chrome Browsing

[HISTORY]/Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History
[COOKIES]/Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/Cookies
[DOWNLOADS]/Users/<USERNAME>/Library/Application\ Support/Google/Chrome/Default/History

Opera Browsing

[HISTORY]/Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
[HISTORY]/Users/<USERNAME>/Library/Opera/global_history.dat
[COOKIES]/Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/Cookies
[COOKIES]/Users/<USERNAME>/Library/Opera/cookies4.dat
[DOWNLOADS]/Users/<USERNAME>/Library/Application\ Support/com.operasoftware.Opera/History
[DOWNLOADS]/Users/<USERNAME>/Library/Opera/download.dat

QuarantineEventsV (can contain Browser history and iChat)

/Users/<USERNAME>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*

 DELETED/RECOVERED DATA

Trashes

/Users/<USERNAME>/.Trash
/.Trashes

Recovery Office Files

/Users/<USERNAME>/Library/Application Support/Microsoft/Office/Office 2011 AutoRecovery

 NETWORK HISTORY

Bluetooth History

/Library/Preferences/com.apple.Bluetooth.plist

Network History

/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist

WiFI AP History

$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences|sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3

Remote Desktop History

/Library/Preferences/com.apple.RemoteDesktop.plist

 NETWORK CONFIGURATION

Firewall

/Library/Preferences/com.apple.alf.plist

Wireless

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

NAT

/Library/Preferences/SystemConfiguration/com.apple.nat.plist

SMB Server

/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist

Interfaces (10.8)

/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

Interfaces

/Library/Preferences/SystemConfiguration/com.apple.NetworkInterfaces.plist
/Library/Preferences/SystemConfiguration/com.apple.preferences.plist
/Library/Preferences/SystemConfiguration/preferences.plist

 MEMORY

Hibernate file

/private/var/vm/sleepimage

Swap file

/private/var/vm/swapfile0



 FORENSICS - EVENTS 

 PROOF OF CONCEPT

 STARTUP ACTIVITIES

Startup dates/hours on July 8

[On Lion and Mountain Lion] $sudo grep -i 'BOOT_TIME' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'BOOT_TIME' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Stopping dates/hours on July 8

[On Lion and Mountain Lion] $sudo grep -i 'SHUTDOWN_TIME' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'SHUTDOWN_TIME' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Hibernation dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'hibernate_setup(0) took' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'hibernate_setup(0) took' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo grep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'PMScheduleWakeEventChooseBest' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Out of hibernation dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'Wake reason' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'Wake reason' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo syslog -T utc+2 -F raw -f /var/log/asl/2013.07.08.*|grep 'Message Wake'|grep -i 'Jul  8'|cut -d ] -f 2|sed -e 's/\ \[Time//g'

 SESSION ACTIVITIES

Locked session dates/hours on July 8

[On Mountain Lion] $sudo grep -i 'Application App:"loginwindow"' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'Application App:"loginwindow"' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3}'
[On Lion] $sudo grep -i 'loginwindow' /var/log/windowserver.log|grep -i 'Jul  8'|awk '{print$1,$2,$3}'

Failed attempts to unlock the session on July 8

[On Mountain Lion] $sudo grep -i -B 9 'The authtok is incorrect.' /var/log/system.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/system.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
[On Lion] $sudo grep -i -B 9 'The authtok is incorrect.' /var/log/secure.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -B 9 'The authtok is incorrect.' /var/log/secure.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'

Successful session unlocks on July 8

[On Mountain Lion] $sudo grep -i -A 1 'Establishing credentials' /var/log/system.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -A 1 'Establishing credentials' /var/log/system.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
[On Lion] $sudo grep -i -A 1 'Establishing credentials' /var/log/secure.log|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'
$sudo bzgrep -i -A 1 'Establishing credentials' /var/log/secure.log.*|grep -i 'Jul  8'|grep 'Got user'|awk '{print$1,$2,$3,$9,$10}'

 PHYSICAL CONNECTION ACTIVITIES

USB connections (last loading dates of USB extensions) on July 8

[On Mountain Lion and Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'IOUSBFamily.kext|IOUSBMassStorageClass.kext'| awk '{print $7,$6,$8,$9}'

USB plugged devices on July 8

[On Mountain Lion] $sudo grep -i 'USBMSC' /var/log/system.log|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$sudo bzgrep -i 'USBMSC' /var/log/system.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
[On Lion] $sudo grep -i 'USBMSC' /var/log/kernel.log|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'
$sudo bzgrep -i 'USBMSC' /var/log/kernel.log.*|grep -i 'Jul  8'|awk '{print$1,$2,$3" => New plugged USB Device - USBMSC Identifier: "$10"(vendor)",$11"(Device) - To identify the plugged device : http://www.linux-usb.org/usb.ids"}'

File system events(USB, mounting, etc.) on July 8

[On Lion and Mountain Lion] $sudo grep -i 'fsevents' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'fsevents' /var/log/system.log.*|grep -i 'Jul  8'

Firewire connections with another machine or storage media (last loading dates of Firewire extensions)

[On Lion and Mountain Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'IOFireWireFamily.kext|IOFireWireIP.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'IOFireWireFamily.kext|IOFireWireIP.kext'| awk '{print $7,$6,$8,$9}'

Firewire connections with another machine or storage media (activation of 'fw' interface)

[On Lion and Mountain Lion] $sudo grep -i 'fw' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'fw' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Firewire connections to dump RAM (last loading dates of the IOFireWireSBP2/iPodDriver extensions); this is only a supposition

[On Lion and Mountain Lion] $sudo stat -f '%Sa %N' /System/Library/Extensions/*|external_bin/grep_gnu_lion -i 'Jul  8'|external_bin/grep_gnu_lion 2013|egrep -i 'iPodDriver.kext|IOFireWireSBP2.kext'
$sudo ls -lu /System/Library/Extensions/|grep -i '8 Jul'|egrep 'iPodDriver.kext|IOFireWireSBP2.kext'| awk '{print $7,$6,$8,$9}'

 PRIVILEGE ESCALATION ACTIVITIES

Opened/Closed TTY terminals on July 8

[On Lion and Mountain Lion] $sudo grep -i 'ttys' /var/log/system.log|grep -i 'Jul  8'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'
$sudo bzgrep -i 'ttys' /var/log/system.log.*|grep -i 'Jul  8'| egrep 'USER_PROCESS|DEAD_PROCESS'|sed -e 's/USER_PROCESS/OPENING TERMINAL/g' |sed -e 's/DEAD_PROCESS/CLOSING TERMINAL/g'| awk '{print $1,$2,$3,$6,$7,$9}'

ROOT commands executed with success on July 8

[On Mountain Lion] $sudo grep -i 'sudo\[' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'sudo\[' /var/log/system.log.*|grep -i 'Jul  8'
[On Lion] $sudo grep -i 'sudo\[' /var/log/secure.log|grep -i 'Jul  8'
$sudo bzgrep -i 'sudo\[' /var/log/secure.log.*|grep -i 'Jul  8'

Failed attempts to execute commands with sudo on July 8

[On Mountain Lion] $sudo grep -i 'incorrect password attempts' /var/log/system.log|grep -i 'Jul  8'
$sudo bzgrep -i 'incorrect password attempts' /var/log/system.log.*|grep -i 'Jul  8'
[On Lion] $sudo grep -i 'incorrect password attempts' /var/log/secure.log|grep -i 'Jul  8'
$sudo bzgrep -i 'incorrect password attempts' /var/log/secure.log.*|grep -i 'Jul  8'

User, password modification and creation on July 8

[On Lion and Mountain Lion] $sudo praudit -xn /var/audit/current|egrep 'create user|modify password|delete user' -A 3|grep -i 'Jul  8' -A 3|sed 's/\&apos\;/"/g'

 APPLICATIONS ACTIVITIES

Opened applications (last access dates) on July 8

[On Lion and Mountain Lion] 
$ls -lshtr /Users/<USER>/Library/Caches | grep 'Jul 8'
$sudo find /Applications -maxdepth 3 -type f -exec ls -lu {} \; |grep Info.plist |grep  -i '8 Jul'|grep -v root|awk '{$7=""}1'
$sudo stat -f '%Sa %N' /Applications/*/*/* |external_bin/grep_gnu_lion -i 'Jul  8'
$sudo find /Applications/ -name "Info.plist" -type f -exec stat -f '%Sa %N' {} \;|grep 'Jul  8'

 FILES ACTIVITIES

Modified files (like autorun App, LaunchAgents or LaunchDaemons) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_file -type f -exec stat -f '%Sm %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_file=["/System/Library/XPCServices/","/System/Library/LaunchAgents/","/Library/LaunchAgents/","/Users/<USERNAME>/Library/LaunchAgents/","/System/Library/LaunchDaemons/","/Library/LaunchDaemons/"]

Added files (like trojan or malware App) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_directory -type f -exec stat -f '%SB %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_directory=["/Users/<USERNAME>/Library/Preferences/com.apple.loginitems.plist","/etc/passwd"]

Accessed files (like your secret files) on July 8

[On Lion and Mountain Lion] $sudo find /path_to_directory -type f  -exec stat -f '%Sa %N' '{}' + |grep -i 'Jul  8'|grep 2013
for example, path_to_directory=["/Users/<USERNAME>","/Volume/Supersecret"]

Accessed Mails (last access dates) on July 8

[On Lion and Mountain Lion] $find /Users/<USERNAME>/Library/Mail/V2/IMAP-YYYY\@mail.XXXX.fr/INBOX.mbox/ -type f -name '*.emlx' -exec stat -f '%Sa %N' '{}' + |grep -i 'Jul  8'|grep 2013

 NETWORK ACTIVITIES

Network connections (based on DNS queries) on July 8

[On Mountain Lion] $sudo grep -i 'DNS+' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'DNS+' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Network disconnections (based on DNS queries) on July 8

[On Mountain Lion] $sudo grep -i 'DNS-' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'DNS-' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'

Ethernet/WiFI connections (activation of 'enX' interface) on July 8

[On Mountain Lion] $sudo grep -i 'en' /var/log/system.log|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
$sudo bzgrep -i 'en' /var/log/system.log.*|grep -i 'Jul  8'|grep 'network changed'|awk '{print$1,$2,$3}'
[On Lion] $sudo egrep -i 'frequent transitions|network configuration changed' /var/log/system.log|grep -i 'Jul  8'
$sudo bzegrep -i 'frequent transitions|network configuration changed' /var/log/system.log.*|grep -i 'Jul  8'

WiFI access points (last connection dates) on July 8 (beware of the time zone)

[On Lion and Mountain Lion] $sudo defaults read /Volumes/Macintosh\ HD/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3 |grep -A 3 2013-07-08
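
Added example (not part of the original tips): the per-event grep one-liners of this section folded into a single pass that tags each line of a given day. The sample log lines, the tag names and the day_timeline helper are constructed for illustration; only the marker strings come from the commands above. Matching on the timestamp fields instead of grepping 'Jul  8' anywhere in the line avoids hits on a date quoted inside a message.

```shell
#!/bin/sh
# Added example, not from the original page.
# Constructed sample lines: only the marker strings (BOOT_TIME, SHUTDOWN_TIME,
# "Wake reason", "sudo[", "incorrect password attempts", USBMSC, ...) are
# taken from the one-liners of this section.
SAMPLE_LOG='Jul  8 08:59:41 localhost bootlog[0]: BOOT_TIME 1373266781 0
Jul  8 09:12:03 mac sudo[412]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls
Jul  8 09:13:20 mac sudo[430]:    alice : 3 incorrect password attempts ; TTY=ttys000 ; USER=root ; COMMAND=/bin/ls
Jul  8 11:02:55 mac kernel[0]: USBMSC Identifier (non-unique): 0x0000 0x0000 0x0000
Jul  8 18:30:10 mac shutdown[900]: SHUTDOWN_TIME: 1373301010 0
Jul 18 08:00:00 localhost bootlog[0]: BOOT_TIME 1374127200 0
Jul  9 07:00:00 mac kernel[0]: Wake reason: RTC (asleep since Jul  8)'

# day_timeline MONTH DAY [FILE...]
# Hypothetical helper: reads the given log files, or stdin when none is given,
# and prints "MONTH DAY TIME TAG" for every line of that day carrying a marker.
day_timeline() {
    mon=$1; day=$2; shift 2
    awk -v mon="$mon" -v day="$day" '
    # Compare the timestamp fields, not the whole line: field splitting
    # absorbs the padding of single-digit days ("Jul  8"), and a date that
    # only appears in the message text (last sample line) cannot match.
    $1 != mon || $2 + 0 != day + 0 { next }
    {
        l = tolower($0); tag = ""        # case-insensitive, like grep -i
        # The failed-sudo test comes before the generic sudo test because
        # both kinds of line contain "sudo[".
        if      (index(l, "shutdown_time"))               tag = "SHUTDOWN"
        else if (index(l, "boot_time"))                   tag = "BOOT"
        else if (index(l, "hibernate_setup(0) took"))     tag = "HIBERNATE"
        else if (index(l, "wake reason"))                 tag = "WAKE"
        else if (index(l, "the authtok is incorrect"))    tag = "UNLOCK_FAIL"
        else if (index(l, "incorrect password attempts")) tag = "SUDO_FAIL"
        else if (index(l, "sudo["))                       tag = "SUDO"
        else if (index(l, "usbmsc"))                      tag = "USB"
        if (tag != "") print $1, $2, $3, tag
    }' "$@"
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | day_timeline Jul 8
```

On a real image, pass the current log as a file argument and pipe rotated archives in, e.g. bzcat /var/log/system.log.* | day_timeline Jul 8.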



 WIFI 

 My WiFI Scripts

 WiFI tricks

How to display available WiFI networks:

$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -s

                 FreeWifi_secure 16:10:18:47:f2:4d -83  5       Y  -- WPA(802.1x/AES/AES) 
                    Livebox-eaXX 00:1d:6a:45:06:eb -79  6       Y  FR WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                  Freebox-4862XX f4:ca:e5:e1:ec:ac -88  8       Y  -- WPA(PSK/AES/AES) 
                        FreeWifi 22:48:94:aa:8d:e2 -84  11      Y  -- NONE
                        FreeWifi f4:ca:e5:8b:46:91 -85  11      Y  -- NONE
           Réseau Wi-Fi de toto 5c:96:9d:69:36:92 -85  60,+1   Y  FR WPA2(PSK/AES/AES) 
           Réseau Wi-Fi de toto 5c:96:9d:69:36:91 -66  11      Y  FR WPA2(PSK/AES/AES) 
                        FreeWifi f4:ca:e5:e1:ec:ad -86  8       Y  -- NONE
                 FreeWifi_secure 00:24:d4:ca:02:5e -85  7       Y  -- WPA2(802.1x/AES,TKIP/TKIP) 
 2 IBSS networks found:
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        HP01C65B f6:3f:43:f9:3f:92 -85  1       N  EU NONE
                        HP0142F9 02:2d:8d:e6:9f:e0 -65  10      N  EU NONE

How to join WiFI networks (or test pre-shared key) :

$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword8888" 
    ==> good pre-shared key (no error message)
$/usr/sbin/networksetup -setairportnetwork en1 "yellowstay" "P@ssword12345" 
Failed to join network yellowstay.
    ==> bad pre-shared key (error message)

How to disassociate from a WiFI network:

$sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 -z

WiFI history (last connection, date, SSID, etc.):

$ defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences| sed 's|\./|`pwd`/|g' | sed 's|.plist||g'|grep 'LastConnected' -A 3

 MISC 

How to take a screenshot every second and store images (during 30s in this example):

for i in $(seq 1 30);  do sleep 1 && /usr/sbin/screencapture /tmp/screen$i.png;done > /dev/null 2>&1



Comment by netantho, May 26, 2014

Awesome! Thanks for this page :-)
