Obtaining user application data
By default, macOS users have access to built-in applications from Apple, such as Calendar, Contacts, and Notes. Due to their quality and convenience, these applications have won the love of users, as well as the interest of investigators. Volatility provides a set of ready-to-use plugins allowing you to extract data from the above-mentioned applications. For example, to retrieve events from Calendar.app, you can use the mac_calendar plugin. To retrieve the contents of Notes messages, you can use mac_notesapp, and for contacts from Contacts.app, you can use mac_contacts:
$ vol.py --plugins=profiles -f /mnt/hgfs/flash/MacSierra_10_12_6_16G23ax64 --profile=MacSierra_10_12_6_16G23ax64 mac_contacts Volatility Foundation Volatility Framework 2.6.1 <edited> AppleappleAppleapple Apple ?5E Johnyphish Johny phish Johny
Once you have this data, you can use regular expressions or YARA rules with the mac_yarascan plugin to try to find more information...
