Last Thursday I had the pleasure of attending the Mac Forensics F3 training day. For those of you who do not know what F3 is, it is the ‘First Forensic Forum’. Most digital forensic investigators in the UK are linked to this organisation in some way, and it offers training days every few months.
I thought that I would quickly note some items that were shared with us before I either forget about it or lose my notes.
Imaging a Mac drive can be accomplished from either a Mac or a PC. If you’re looking to image with a Mac there are a few options to choose from, but one of the best is offered by the guys over at http://macosxforensics.com. Their Mac OS X Forensics Imager is based on libewf and offers a graphical interface to the console-driven acquisition tool.
There are also the common everyday tools such as dd and dcfldd, which run easily on the Mac.
Although a write blocker is always recommended, it is possible to image a drive without one. In order to do this you need to turn off ‘Disk Arbitration’. This is the process that automounts drives when they are connected to the computer. After turning this off, any newly connected drives will not be mounted; before acquiring, it is worth checking with the mount command that no volume from the evidence drive has appeared. Just don’t forget to turn it back on once you’re finished, otherwise you may run into some difficulty. In order to turn this off, open Terminal and type:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitration.plist
To turn it back on type:
sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitration.plist
Spotlight Files – These maintain an index of the volume from which the file is taken.
Swap File – /private/var/vm/swapfile0
Sleepimage – /private/var/vm/sleepimage – this file is the Mac equivalent of hiberfil.sys on Windows.
Log Files – /var/log – can be viewed with the Mac ‘Console’ application.
Property Lists – Two main types: XML and Binary. Plists are like the Windows registry. A plist editor is included in the Mac Developer Tools supplied with a new Mac. There is also ‘Pref Setter’ (which has a nice search feature), and iPod Robot offers a plist reader for Windows.
Printing – The Mac has an inbuilt PDF printer, which doubles up as the printer spool. This means that, regardless of the printer used, a PDF is created of anything that is printed from a Mac. Once printing is finished the PDF is deleted and its contents are released into unallocated clusters. A file carve for PDFs in unallocated space will therefore return items printed from the Mac. These PDFs also contain metadata identifying the application used to print. I thought that this was the most interesting part of the day. This may be worth some more investigation and a full article.
Other tools mentioned on the day: PeekIt, iBored, Hex Fiend, File Juicer, Mactracker, and the Firefox add-ons CacheViewer and SQLiteManager.
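As an added illustration of the carving idea above (my own example, not something handed out on the day), the following script carves PDFs from a raw buffer by matching the %PDF header and %%EOF trailer, then pulls the /Creator and /Producer strings that identify the printing application. The "unallocated" buffer and the metadata values in it are constructed for the example; the parsing only handles plain literal strings in the Info dictionary, not hex or escaped strings.

```python
import re

# Constructed sample of "unallocated space": junk bytes around two minimal
# PDF-like objects. The Creator/Producer values are made up for this example.
PDF1 = (b"%PDF-1.4\n1 0 obj\n<< /Creator (Safari) "
        b"/Producer (Mac OS X 10.6.8 Quartz PDFContext) >>\nendobj\n"
        b"trailer\n<< /Info 1 0 R >>\n%%EOF")
PDF2 = (b"%PDF-1.3\n1 0 obj\n<< /Creator (Microsoft Word) "
        b"/Producer (Mac OS X Quartz PDFContext) >>\nendobj\n%%EOF")
SAMPLE_UNALLOCATED = b"\x00" * 64 + PDF1 + b"\xff" * 128 + PDF2 + b"\x00" * 32

HEADER = re.compile(rb"%PDF-\d\.\d")
TRAILER = re.compile(rb"%%EOF")
META_KEY = re.compile(rb"/(Creator|Producer)\s*\(([^)]*)\)")


def carve_pdfs(data: bytes, max_size: int = 50 * 1024 * 1024) -> list:
    """Return (offset, bytes) for every PDF found by header/trailer matching."""
    found = []
    pos = 0
    while True:
        m = HEADER.search(data, pos)
        if not m:
            break
        start = m.start()
        # Carve up to the first %%EOF after the header; skip this header if
        # no trailer turns up within max_size bytes (truncated/overwritten file).
        t = TRAILER.search(data, start, start + max_size)
        if not t:
            pos = start + 1
            continue
        end = t.end()
        found.append((start, data[start:end]))
        pos = end
    return found


def pdf_metadata(pdf: bytes) -> dict:
    """Extract the /Creator and /Producer literal strings from a carved PDF."""
    return {k.decode(): v.decode("latin-1") for k, v in META_KEY.findall(pdf)}


def report(data: bytes = SAMPLE_UNALLOCATED) -> list:
    """List (offset, size, metadata) for each PDF carved from data."""
    return [(off, len(pdf), pdf_metadata(pdf)) for off, pdf in carve_pdfs(data)]


if __name__ == "__main__":
    for off, size, meta in report():
        print(f"offset {off}: {size} bytes, creator={meta.get('Creator')}, "
              f"producer={meta.get('Producer')}")
```

On a real case the buffer would be the unallocated extents exported from the image rather than the constructed bytes above, and a real spool PDF may use incremental updates with several %%EOF markers, so the carve boundary would need refining.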