Root directory structure in Mac

It is also important to know which directory has what sort of Forensic Artifacts. Below is list of directories and details as generally found in root directory of Mac.

Feel free to comment below if you find new files or directories (name and details)

/: Root directory, present on virtually all UNIX based file systems. Parent directory of all other files

  • .DS_Store: This file contains Finder settings, such as icon location, position of icons, choice of a background image, window size and the names of all files (and also directories) in that folder. The file will appear in any directory that you’ve viewed with the Finder and and has functions similar to the file desktop.ini in Microsoft Windows. .DS_Store is an abbreviation of Desktop Services Store

  • .DocumentRevisions-V100/: DocumentRevisions-V100 is an internal version control system introduced by Apple in OSX Lion. It basically saves a copy of a file each and every time you save it. Apple uses it for TextEdit, KeyNote, Pages, Numbers, and some other programs. Developers can also interact with this API in their apps. Basically this system is a very big database file that keeps track of all your changes to documents and allows you to revert back to any versions.

  • .fseventsd/: fseventsd is a “File system events daemon” – it is a system process that writes file system event log files and is responsible for handling changes to the file system. When a file changes, the operating system sends a message to any programs which care, such as the Spotlight indexing system. /.fseventsd directory acts as a staging or buffer area for notifications for cases like when userspace process that have registered for file system notifications is now too preoccupied with other things and hasn’t pulled any notification events off its queue in the past few seconds

  • .HFS+ Private Directory Data?/: .HFS+ Private Directory Data\r and HFS+ Private Data are special folders used by the HFS+ filesystem to handle hard-linked folders and files, respectively. HFS+ doesn’t support hard links and UNIX, upon which macOS is based, requires them. So developer macOS simulated hard links; any file that has more than one link is moved into one of these invisible directories as an inode; the actual hard links are really just aliases to the inode file with a special flag set in its metadata.

  • .PKInstallSandboxManager/: used for software updates and the Sandbox

  • .PKInstallSandboxManager-SystemSoftware/: used for system software updates

  • .Spotlight-V100/: in this directory Spotlight keeps its index data: when you search in Spotlight, it looks in this index rather than searching all the files directly

  • .Trashes/: Trash folder, stored individually on each mounted volume, contains files that have been dragged to the Trash. On a boot volume, such files are stored in ~/.Trash . On a non-boot volume, these files are in /.Trashes/$UID/

  • .vol/: a pseudo-directory used to access files by their ID or inode number, maps HFS+ file IDs to files. If you know a file’s ID, you can open it using /.vol/ID

  • /Applications/: contains all your Mac OS X applications

  • /bin/: contains essential common binaries, holds files and programs needed to boot the operating system and run properly

  • /cores/: This directory is a symbolic link to /private/cores . If core dumps are enabled (with tcsh’s limit and bash/sh’s ulimit commands, they will be created in this directory as core.pid .

  • /dev/: contains files that represent various peripheral devices including keyboards, mice, trackpads, etc

  • /etc/ -> private/etc/: contains machine local system configuration, holds administrative, configuration, and other system files. The directory is a symbolic link to /private/etc

  • /home/:

  • /Library/: contains shared libraries, files necessary for the operating system to function properly, including settings, preferences, and other necessities (note: you also have a Libraries folder in your home directory, which holds files specific to that user).

  • /net/:

  • /Network/: This is the “real” location of the Network item that appears at the Computer level in the finder. It provides a place to attach network-wide resources and server volumes. Under OS X 10.1, network resources actually tend to get mounted in /private/Network, and symbolic links to them created in /Network. In OS 10.3, various network resources (mainly servers) appear dynamically in /Network (thanks to some virtual filesystem magic)

  • /opt/: optional installations such as X11

  • /private/: where tmp, var, etc, tftpboot and cores directories actually are

  • /sbin/: contains executables for system administration and configuration

  • /System/: contains system related files, libraries, preferences, critical for the proper function of Mac OS X

  • /tmp/: holds temporary files and caches, which can be written by any user. It is a symbolic link to /private/tmp

  • /User Information/ -> /Library/Documentation/User Information.localized: PDF manuals

  • /Users/: All user accounts on the machine and their accompanying unique files, settings, etc. Much like /home in Linux

  • /usr/: contains BSD Unix applications and support files. Includes subdirectories that contain information, configuration files, and other essentials used by the operating system

  • /var/: contains miscellaneous data, configuration files and frequently modified files, such as log files. It is a symbolic link to /private/var

  • /vm/: used to store the swap files for Mac OS X’s virtual memory

  • /Volumes/: Mounted devices and volumes, either virtual or real, such as hard disks, CD’s, DVD’s, DMG mounts etc. including the boot volume