homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. OSX Lion User Interface Preservation Analysis
Tom Webb

OSX Lion User Interface Preservation Analysis

October 3, 2011

Recently I've updated to OS X Lion (10.7) and started testing my incident response scripts on the system. I started looking through new default folders created for users and ran across a folder called "Saved Application State." I began researching this folder and determined that it's used to store settings for a new feature called Users Interface Preservation.

According to Apple, this "saves the state of your application's windows and restores them during subsequent launches of your application." By default this is turned on in Lion, but you can permanently disable it by going to system preferences -> general and uncheck "Restore when quitting and re-opening apps." According to this article , there are several other ways to prevent saving the information. This includes using option+command+Q each time you quit the application.

Overview of Files

When you start Word 2011, it creates the initial folder located under the current user's home directory in /Library/Saved Application State/.

#ls /Users/webb/Library/Saved Application State
drwx------  7 webb  staff    238 Sep 15 15:25 com.microsoft.Word.savedState
...(Truncated)....

The content under each folder varies but generally you will have at least one data.data and a windows.plist file for every application.

#ls -al ./com.microsoft.Word.savedState
drwx------   7 webb  staff     238 Sep 15 15:25 .
drwx------@ 28 webb  staff     952 Sep 15 16:43 ..
-rw-------   1 webb  staff  109280 Sep 15 16:24 data.data
-rw-------@  1 webb  staff    6240 Sep 12 14:01 window_1.data
-rw-------@  1 webb  staff  116496 Sep 15 15:25 window_38.data
-rw-------@  1 webb  staff  124720 Sep 14 10:47 window_8.data
-rw-r--r--   1 webb  staff     580 Sep 15 16:24 windows.plist

MAC Time analysis

To gain a better understanding of what we can glean from the saved application state, I deleted the com.microsoft.Word.savedState folder and then started Word 2011.

The directory created time tells us the first time the application was used. Each time you start the application, the file system updates all time stamps for the directory. Macrobber will not give you the original folder creation date. You can look at the meta-data for the folder in finder or use the command line tool stat. This tool shows you file MAC times plus the original creation date, which is the last column in double quotes (e.g. Sep 16 11:40:11 2011).

#stat com.microsoft.Word.savedState
234881028 1348049 drwx—— 6 webb staff 0 204 "Sep 16 13:26:51 2011" "Sep 16 12:56:51 2011" "Sep 16 12:56:51 2011" "Sep 16 11:40:11 2011" 4096 0 0 com.microsoft.Word.savedState

If the window_ .date file has a different modify time then the windows.plist., the window_.data is the last time the user started the application. The windows.plist modified time is when the user closed the application.

In the example below Word was started at 12:56 and was closed at 14:51.

drwx------   6 webb  staff     204 Sep 16 12:56 .
drwx------@ 31 webb  staff    1054 Sep 16 14:41 ..
-rw-------   1 webb  staff    9216 Sep 16 14:48 data.data
-rw-------@  1 webb  staff    6240<strong> Sep 16 12:56 window_1.data</strong>
-rw-------@  1 webb  staff  112976 Sep 16 12:56 window_2.data
-rw-r--r--   1 webb  staff     454 <strong>Sep 16 14:51 windows.plist</strong>

When you start Word back up, it will update all the files in the folder to be the same.

Fri Sep 16 2011 14:51:38      204 m.c. drwx------ 502  20 0 /Users/webb/.../com.microsoft.Word.savedState
    3584 mac. -rw------- 502 20  0  /Users/webb/.../com.microsoft.Word.savedState/data.data
    6240 mac. -rw------- 502 20  0  /Users/webb/.../com.microsoft.Word.savedState/window_1.data
    112976 mac. -rw------- 502  20 0  /Users/webb/.../com.microsoft.Word.savedState/window_2.data
    454 mac. -rw-r--r-- 502  20  0  /Users/webb/.../com.microsoft.Word.savedState/windows.plist
Fri Sep 16 2011 14:51:39 204 .a.. drwx------ 502  20   0  /Users/webb/.../com.microsoft.Word.savedState

Plist analysis

To use the GUI Plist viewer, right click on the windows.plist and select open. If you want to analyze the plist from the console, you will need to use plutil to convert the binary plist to xml format. The perl library Mac::PropertyList generates an error when trying to parse the file, so plutil is the best command line option right now.

The command below takes the windows.plist and creates a new plist in XML format named /tmp/plist. Then you can look at it using any command line text utility you want.

#plutil -convert xml1 -o /tmp/plist ./com.apple.Terminal.savedState/windows.plist

Word 2011 windows.plist

The NStitle, name, and NSRepresentedURL attributes seems to be the most useful until we have a better understanding of the file.

word-plist-open.png

There are four different elements within this file. As you expand it, you will see attributes for the file.

word-plist.png

NSTitle includes the name of the Word document I was editing(Todo List.docx) when the application was closed.

Additional Plist Examples

The terminal windows.plist may show you the last file path the user was working under NSRepresentedURL.

Or it may show you the last ssh connection the user had

terminal-ssh-host.png

Below is the text version of the out put showing the portion of the Outlook 2011 window.plist. NSTitle show the subjects of an email that were open when the application was closed.

key>NSTitle < /keystring> Mandiant MIRcon Conference - Hotel room block offer ends Monday, Sept. 19 - Inbox < /string

Data File analysis

You may be able to determine what is in the .data files if you use some Cocoa code for creating archives. I took a quick look at this, but I'm not familiar with the language. Hopefully I'll get a little time to play with this, but it looks like a fun project if someone from the community would like to pick it up.

Wrapping it up

Information you can get from the saved application state can be very helpful in certain instances.

  • You can tell the first time the application was run based on the original create date of the specific folder.
  • You can tell the last time the application was run and how long it was open.
  • In certain cases, you can tell what file they had open. This can be very useful if the file is located on portable media

—

Tom Webb has over 11 years of experience in IT Administration and Security. He is currently employed as an Information Security Architect where his primary roles include: system design, lead incident handler and forensic investigations. He holds various certifications including: GCIH,GCFA,GCIA and GREM.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
SUMMIT_Free_SANS_2021_Summits_Teaser.jpg
Digital Forensics and Incident Response, Cyber Defense Essentials, Industrial Control Systems Security, Purple Team, Blue Team Operations, Penetration Testing and Ethical Hacking, Cloud Security, Security Management, Legal, and Audit
November 30, 2020
Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
They’re virtual. They’re global. They’re free.
Emily Blades
read more
Blog
En.png
Digital Forensics and Incident Response
November 24, 2020
SANS DFIR Presenta Nuevos Webcasts en Español
SANS DFIR presenta sus nuevos episodios en Español! En este blog podrás ver todos los episodios con concluciones y con recursos para aprender DFIR
SANS DFIR
read more
Blog
shutterstock_1473864617.jpg
Digital Forensics and Incident Response
October 14, 2020
Defense Spotlight: Finding Hidden Windows Services
Attackers can make a Window services disappear from view. Fortunately these services can still be found, through unconventional discovery techniques.
370x370_Joshua-Wright.jpg
Joshua Wright
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters
  • The Critical Security Controls
  • Focus Areas
  • Blue Team Operations
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2021 SANS™ Institute
  • Privacy Policy
  • Contact
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn