File and Directory Discovery
Understanding the Filesystem Structure
Common Directories:
| Directory | Description |
|---|---|
| /Users | Home directories for users |
| /System | System files and libraries |
| /Applications | Installed applications |
| /Library | Shared resources, configurations, and logs |
| /private | Temporary files and logs |
Exploring Filesystem Hierarchy
- Enumerating Hidden Files
  ls -A | grep "^\."
Searching for Specific Files
- Use locate to find files by name (requires the locate database to be up to date):
  locate <filename>
- Search for a file in a directory and its subdirectories:
  find / -name "<filename>" 2>/dev/null
- Find files by type:
  find / -type f -name "*.plist" 2>/dev/null
- Search for files modified in the last 7 days:
  find / -mtime -7 2>/dev/null
Spotlight Search (mdfind)
mdfind "kMDItemDisplayName == '<filename>'"
Sensitive File Discovery
- Common Locations of Configuration Files
  # User config files:
  /Users/<username>/.config
  /Users/<username>/Library/Preferences
  # System config files:
  /etc
  /Library/Preferences
- Look for .plist files
  Many configuration files are stored as property list (.plist) files.
  find / -name "*.plist" 2>/dev/null
  To view .plist files:
  plutil -p <filename>.plist
  To edit a .plist file, open it in Xcode:
  open <filename>.plist
Logs
- System logs
  ls /var/log
- User-specific logs
  ls ~/Library/Logs
File Metadata
View Metadata
- Inspect metadata for a file
  mdls <file>
- Check extended attributes
  xattr -l <file>
File Permissions
- Files Owned by Specific Users
  find / -user <username> 2>/dev/null
Directory Permissions
- Find world-writable files:
  find / -type f -perm -o+w 2>/dev/null
- Find SUID files:
  find / -type f -perm -4000 2>/dev/null
- Find SGID files:
  find / -type f -perm -2000 2>/dev/null
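The three permission searches above can be combined into a repeatable audit that flags only what has changed since a known-good run. This is an added example, not part of the original page; the helper names `audit_perms` and `new_findings` and the one-finding-per-line baseline format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: permission audit with a baseline diff.
# audit_perms and new_findings are hypothetical helper names.

# audit_perms ROOT
# Prints one "<CLASS> <path>" line per finding under ROOT, sorted.
# A file matching several classes appears once per class.
audit_perms() {
    root=$1
    {
        # -xdev stays on ROOT's filesystem so mounted volumes are not swept in.
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
        find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/SGID /'
        find "$root" -xdev -type f -perm -o+w 2>/dev/null | sed 's/^/WORLD_WRITABLE /'
    } | LC_ALL=C sort
}

# new_findings BASELINE ROOT
# Prints findings present under ROOT now but absent from the BASELINE file
# (a saved copy of earlier audit_perms output).
new_findings() {
    baseline=$1
    root=$2
    current=$(mktemp) || return 1
    audit_perms "$root" > "$current"
    # comm -13 keeps lines that occur only in the second (current) input;
    # both inputs must be sorted with the same collation.
    LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$current"
    rm -f "$current"
}

# Run as: sh audit.sh <baseline-file> <root-directory>
if [ "$#" -eq 2 ]; then
    new_findings "$1" "$2"
fi
```

Save the output of `audit_perms` from a trusted state as the baseline; any line `new_findings` prints later is a SUID, SGID or world-writable file that appeared since then and needs review.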