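# --- Memory acquisition (most volatile, so it is collected before anything else) ---
# Loading a kernel extension changes the state of the examined system; record
# that it was done and when. Assumes MacPmem.kext is in the current directory.
sudo kextload MacPmem.kext
# Copy physical memory from the /dev/pmem device into a raw image.
# NOTE(review): the image is written to the current directory. Run this from
# external collection media so the dump does not overwrite evidence on the
# examined volume, and hash memorydump.raw once it is complete.
sudo dd if=/dev/pmem of=memorydump.raw

# --- System identification ---
date        # system clock at collection time; compare with a trusted clock
sw_vers     # macOS product name, version and build
uname -a    # ASCII hyphen: the page carried an en dash, which is not parsed as an option
hostname
cat /System/Library/CoreServices/SystemVersion.plist
cat /private/var/log/daily.out
# Canonical capitalisation, so the path also resolves on a case-sensitive volume.
# If a plist is stored in binary form, `plutil -p <file>` prints it readably.
cat /Library/Preferences/.GlobalPreferences.plist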
netstat –an
netstat –anf
lsof -i
netstat –rn
arp –an
ndp -an
ifconfig
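# --- Open files and live file-system activity ---
lsof
# fs_usage streams events until it is interrupted; redirect the output to
# collection media if it has to be kept.
sudo fs_usage
sudo fs_usage [process]         # limit to one process name
sudo fs_usage -f network        # network-related events only
# The filter is the numeric PID itself. The page had a literal word "pid" in
# front of it, which fs_usage would read as a process-name filter.
sudo fs_usage [PID]

# --- Shell history and login sessions ---
# ~ and `history` refer to the account running these commands, not necessarily
# the account under investigation; repeat for each user of interest.
cat ~/.bash_history
history
who -a
w
last

# --- Processes, hardware/software inventory, persistence survey ---
ps aux
system_profiler -xml -detaillevel full > systemprofiler.spx
# /path/to/some/file.json is a placeholder: point it at collection media.
./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere > /path/to/some/file.json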
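# --- XPC Services ---
# <application> is a placeholder. The first two paths are relative, as on the page.
ls Applications/<application>.app/Contents/XPCServices/
cat Applications/<application>.app/Contents/XPCServices/*.xpc/Contents/Info.plist
# NOTE(review): the page reads ~/System/Library/XPCServices/. A home directory
# has no System folder by default; the system-wide directory is used here. Confirm.
ls /System/Library/XPCServices/

# --- Launch Agents & Launch Daemons ---
# Each plist names a program that launchd starts automatically. Review the
# program path and arguments inside each plist, not just the file names.
ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/
ls /System/Library/LaunchDaemons/
ls /Library/LaunchDaemons/
# /Users with a capital U, so the glob also matches on a case-sensitive volume.
ls /Users/*/Library/LaunchAgents/
ls /Users/*/Library/LaunchDaemons/

# --- LoginItems ---
cat ~/Library/Preferences/com.apple.loginitems.plist
ls <application>.app/Contents/Library/LoginItems/

# --- Disabling a launch item (containment, not collection) ---
# These two commands change system state. Copy and hash the plist and the
# program it references before running them.
sudo launchctl unload -w /Library/LaunchDaemons/<name>.plist
# NOTE(review): launchctl stop is documented as taking a job label, not a plist
# path; confirm the argument before relying on this line.
sudo launchctl stop /Library/LaunchDaemons/<name>.plist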
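# --- Browser preferences ---
# Paths containing spaces are quoted; unquoted, the shell splits them into two
# arguments and the command looks at the wrong location.
# ~ and $HOME are the account running the command; repeat per user of interest.
cat ~/Library/Preferences/com.apple.Safari.plist
ls "$HOME/Library/Application Support/Google/Chrome/Default/Preferences"
# The page wrote the Firefox profile directory as ********.default, standing for
# its random prefix. The glob is left outside the quotes so that it expands.
ls "$HOME/Library/Application Support/Firefox/Profiles/"*.default/prefs.js

# --- Safari history, downloads, cache ---
# If a plist is stored in binary form, `plutil -p <file>` prints it readably.
cat ~/Library/Safari/Downloads.plist
cat ~/Library/Safari/History.plist
cat ~/Library/Safari/LastSession.plist
ls "$HOME/Library/Caches/com.apple.Safari/Webpage Previews/"
# NOTE(review): opening a live SQLite database can alter it or its journal
# files. Copy the database to collection media, hash it, and query the copy.
sqlite3 ~/Library/Caches/com.apple.Safari/Cache.db

# --- Chrome history and cache ---
ls "$HOME/Library/Application Support/Google/Chrome/Default/History"
ls ~/Library/Caches/Google/Chrome/Default/Cache/
ls "$HOME/Library/Caches/Google/Chrome/Default/Media Cache/"

# --- Firefox history, downloads, form data, cache ---
# If more than one profile matches *.default, sqlite3 receives extra arguments;
# name the profile directory explicitly in that case.
sqlite3 "$HOME/Library/Application Support/Firefox/Profiles/"*.default/places.sqlite
sqlite3 "$HOME/Library/Application Support/Firefox/Profiles/"*.default/downloads.sqlite
sqlite3 "$HOME/Library/Application Support/Firefox/Profiles/"*.default/formhistory.sqlite
ls ~/Library/Caches/Firefox/Profiles/*.default/Cache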
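# --- Mail accounts, mailboxes and attachments ---
cat ~/Library/Mail/V2/MailData/Accounts.plist
ls ~/Library/Mail/V2/
# Quoted because of the space in "Mail Downloads".
ls "$HOME/Library/Mail Downloads/"
ls ~/Downloads
cat ~/Library/Mail/V2/MailData/OpenAttachments.plist

# --- Temporary directories ---
ls /tmp
ls /var/tmp

# --- Java cache and temporary files (<user> is a placeholder) ---
ls /Users/<user>/Library/Caches/Java/tmp
ls /Users/<user>/Library/Caches/Java/cache
# The page lists the Java Preferences application here as a bare path with no
# command. Left unquoted on a command line, the shell would try to execute
# "/Applications/Utilities/Java". The location is:
#   "/Applications/Utilities/Java Preferences.app"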
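# --- Log locations ---
ls /private/var/log/asl/
ls /private/var/audit/
cat /private/var/log/appfirewall.log
ls ~/Library/Logs
# Quoted because of the space in "Application Support"; <app> is a placeholder.
ls "/Library/Application Support/<app>"
ls /Applications/
ls /Library/Logs/

# --- Rebuilding one system log from the rotated files ---
# The page split this command across two lines. Older archive first, then the
# newer archive, then the live log, so system_all.log ends up in time order.
# >> appends: start from a file that does not exist yet, on collection media.
bzcat system.log.1.bz2 system.log.0.bz2 >> system_all.log
cat system.log >> system_all.log

# --- Apple System Log (ASL) and audit trail ---
# Option dashes are ASCII hyphens; the page carried en dashes on some of these
# lines, which the tools do not parse as options.
syslog -f <file>
# NOTE(review): /asl is the path as written on the page; the ASL directory
# listed earlier in this section is /private/var/log/asl. Confirm which is meant.
syslog -T utc -F raw -d /asl
syslog -d /asl
praudit -xn /var/audit/*

# --- Unified logging ---
# `log collect` writes a log archive into the current directory unless told
# otherwise (--output); run it from collection media.
sudo log collect
# Without a predicate or time window, `log show` prints the whole store, and
# `log stream` runs until it is interrupted.
log show
log stream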
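# --- Quarantine events (records kept for downloaded files) ---
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents

# --- Local accounts and password data ---
# NOTE(review): these directories are normally readable by root only, so the
# commands likely need sudo. Confirm on the examined system.
ls /private/var/db/dslocal/nodes/Default/users/
# Quoted: the placeholder contains a space, which would otherwise split the path.
ls "/private/var/db/shadow/<User GUID>"

# --- PAM configuration (check for altered authentication rules) ---
cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/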
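# --- Static triage of a suspicious file (none of these execute it) ---
file <filename>                 # file type from content, not from the extension
xxd <filename>                  # hex dump
nm -arch x86_64 <filename>      # symbol table of the x86_64 slice
otool -L <filename>             # shared libraries the binary links against

# --- Inspecting a running process ---
sudo vmmap <pid>                # virtual memory regions of the process
sudo lsof -p <pid>              # files and sockets the process has open

# --- Extended attributes ---
# ASCII hyphen: the page carried an en dash, which xattr does not parse as an option.
xattr -xl <file>                # attribute names with values shown in hex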
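# --- Disks, partitions and images ---
diskutil list
diskutil info <disk>
# NOTE(review): the page shows "diskutil cs" and "ap list" on separate lines.
# They are read here as the CoreStorage and APFS list verbs. Confirm.
diskutil cs list
diskutil ap list
# Option dashes are ASCII hyphens (the page carried an en dash on the first line).
# gpt also expects the device to read as a final argument; the page gives none.
gpt -r show
gpt -r show -l
hdiutil imageinfo *.dmg

# --- Keychains ---
security list-keychains
# The subcommand is spelled dump-keychain; the page had "dump-keychains".
# -d includes item data, so the output can contain secrets. Write it only to
# protected collection media and handle it as sensitive evidence.
security dump-keychain -d <keychain>

# --- Spotlight metadata ---
# The page wrote "-X | -A" to mean either option. Pasted literally, the shell
# builds a pipeline into a command named "-A", so they are given as two commands.
mdimport -X                     # print the metadata schema
mdimport -A                     # list the known metadata attributes
mdls <file>                     # metadata attributes recorded for one file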