In this report, the authors describe the development of the Mac OS X-based tool suite, Mac Marshal, that allows investigators to graphically access and collect data on dual-boot Mac systems, and to gather and analyze forensically-relevant data specific to the Mac OS X platform and common programs that run on it.
The authors report on the design and implementation of Mac Marshal, an extensible tool for the analysis of files on Mac OS X disk images. It provides simple access to the Spotlight metadata maintained by the operating system, yielding efficient file content search and exposing metadata such as digital camera make and model. Mac Marshal can also help investigators access FileVault encrypted home directories. Mac Marshal extracts and analyzes OS X-specific forensic information from a seized disk image. It could also operate in a live forensics setting by executing directly on the machine to be analyzed, but the authors’ initial attention is on after-the-fact analysis. The authors also discuss the acquisition and forensic implications of metadata gathered by Mac Marshal, the use of Spotlight queries, and application analysis and other features of Mac Marshal that are meant to dramatically speed up investigators’ search for particular files.