In this report, the authors describe the development of the Mac OS X-based tool suite, Mac Marshal, that allows investigators to graphically access and collect data on dual-boot Mac systems, and to gather and analyze forensically-relevant data specific to the Mac OS X platform and common programs that run on it.
The authors report on the design and implementation of Mac Marshal, an extensible tool for the analysis of files on Mac OS X disk images. It provides simple access to the Spotlight metadata maintained by the operating system, yielding efficient file content search and exposing metadata such as digital camera make and model. Mac Marshal can also help investigators access FileVault encrypted home directories. Mac Marshal extracts and analyzes OS X-specific forensic information from a seized disk image. It could also operate in a live forensics setting by executing directly on the machine to be analyzed, but the authors' initial attention is on after-the-fact analysis. The authors also discuss the acquisition and forensic implications of metadata gathered by Mac Marshal, the use of Spotlight queries, and application analysis and other features of Mac Marshal that are meant to dramatically speed up investigators' search for particular files.