When installing a package, OS X records what it installs in /Library/Receipts/InstallHistory.plist. The dictionaries in that file show each package installed, along with the installation date, the name displayed during installation, the version of the package being installed, the identifier of the package and the process name used to install the package. This information, along with the file name of the actual package, is stored in corresponding property lists in /private/var/db/receipts. Each bill of materials is also stored there, in a .bom file.
The lsbom command is used to see a list of objects installed by the package. You can also see options such as the permissions assigned to files by the package as they’re installed. For example, take the Twitter app from the App Store; to see what it installs:
lsbom /private/var/db/receipts/com.twitter.twitter-mac.bom
This package is installed by the Mac App Store. Packages installed by the Mac App Store should only contain objects within that application’s .app bundle. That’s a pretty good bit of information, so you can also use the -s option to constrain the output to only the paths of files (relative paths, of course). I’m usually a fan of getting more information rather than less, so I usually run it with the -m option, which shows me those permissions.
lsbom -m /private/var/db/receipts/com.twitter.twitter-mac.bom
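To tie the receipt data and the bundle rule together, here is an added Python example (not part of the original post) that reads install records in the InstallHistory.plist layout, maps each package identifier to its .bom path, and checks lsbom -s output for anything outside a .app bundle. The sample plist, the path listings and the function names are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample shaped like /Library/Receipts/InstallHistory.plist;
# the dates, versions and processName values are made up for illustration.
SAMPLE_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>date</key><date>2011-01-06T18:02:11Z</date>
<key>displayName</key><string>Twitter</string>
<key>displayVersion</key><string>2.0</string>
<key>packageIdentifiers</key><array><string>com.twitter.twitter-mac</string></array>
<key>processName</key><string>storeagent</string></dict>
<dict><key>date</key><date>2011-02-01T09:30:00Z</date>
<key>displayName</key><string>Example Tool</string>
<key>displayVersion</key><string>1.4</string>
<key>packageIdentifiers</key><array><string>com.example.tool</string></array>
<key>processName</key><string>Installer</string></dict>
</array></plist>"""

# Constructed `lsbom -s` output (relative paths, one per line).
CLEAN_BOM = """.
./Applications
./Applications/Twitter.app
./Applications/Twitter.app/Contents
./Applications/Twitter.app/Contents/MacOS/Twitter
"""
ODD_BOM = CLEAN_BOM + "./usr\n./usr/local\n./usr/local/bin/example-helper\n"

def installs(history_bytes):
    """Return (date, name, version, identifiers, process) for each record."""
    return [(e.get("date"), e.get("displayName"), e.get("displayVersion"),
             e.get("packageIdentifiers", []), e.get("processName"))
            for e in plistlib.loads(history_bytes)]

def receipt_bom(identifier, receipts="/private/var/db/receipts"):
    """Path of the bill of materials stored for a package identifier."""
    return f"{receipts}/{identifier}.bom"

def outside_app_bundle(lsbom_paths):
    """Paths that are neither inside a .app bundle nor a parent directory of one."""
    parsed = {l.strip(): PurePosixPath(l.strip())
              for l in lsbom_paths.splitlines() if l.strip()}
    inside = {p for p in parsed.values()
              if any(part.endswith(".app") for part in p.parts)}
    parents = {a for p in inside for a in p.parents}
    return [l for l, p in parsed.items() if p not in inside and p not in parents]

if __name__ == "__main__":
    for date, name, version, idents, proc in installs(SAMPLE_HISTORY):
        print(date, name, version, proc, [receipt_bom(i) for i in idents])
    print("unexpected paths:", outside_app_bundle(ODD_BOM))
```

On a real system, feed outside_app_bundle the captured output of lsbom -s for the receipt in question; an empty list means every path sits inside the bundle or leads to it.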
Note: You can also use the mkbom command to create new .bom files. As the man page for bom indicates, this goes back to NeXTSTEP and was extended for 10.0 and again in 10.3.