Quick Tips – MacLockPick

This page contains useful tips on how to use MacLockPick not found in the manual.


Choosing a USB Port for MacLockPick

Up until the release of Apple’s aluminum keyboard, all Apple-branded keyboards featured USB 1.1 ports. Because of the much higher data transfer speed of USB 2.0, we recommend that investigators plug the MacLockPick thumb drive into the Mac computer itself instead of into the keyboard. This will ensure the fastest auditing speeds.
 


Filtering with MacLockPick

This lesson is designed to demonstrate how to use the filter feature in MacLockPick.

1. Insert MacLockPick into USB Port

Insert MacLockPick into the USB port

This demo is done using Mac OS X as the base system; however, the process, with slight modification, applies to other operating systems as well. Insert the MacLockPick into a USB port on the computer. The device will automount as depicted above.

2. Select for Configuration

Select MacLockPick for configuration

There are two icons mounted on the Desktop associated with MacLockPick, one named MACLOCKPICK and the other, depicted above, MacLockPick (OS X). Double click on the MacLockPick (OS X) icon.

3. Locate the Setup Application

Locate the MacLockPick Setup application

The contents of the MacLockPick (OS X) volume appear above. Select the Applications – OS X folder by double clicking on it.

4. Launch the Setup Application

Launch the MacLockPick Setup application

Select the MacLockPick Setup.app (depicted with the number 1 above) by double clicking on it to launch the application.

5. Create a Customized Plug-In

Create a customized plug-in for MacLockPick

The Setup application will open providing a list of all current plug-ins. To add a plug-in, select the “+” in the lower right corner.

6. The Plug-in Window

MacLockPick Plugin window

Once the “+” button is selected, the Plug-in window opens.

7. Name the Plug-in

Name the new plug-in within MacLockPick

The Plug-in window allows the user to name the plug-in (1) and define its type (2).

8. Design the Plug-in

Design the MacLockPick plug-in

The Plug-in design window is divided into three parts: the Plug-in Name, the Data and the Operating System. To create a custom filter that sorts through a folder and returns only the findings with a .pdf extension, fill out the information depicted above. First, describe the plug-in (1), then enter the filter (in this case the .pdf extension). Since we will be finding a folder relative to the user, select buttons (3 and 4). Since we are expecting a relatively small output, keep the files and folders in the native format (5), meaning they will be exported directly as opposed to using the built-in MacLockPick Archive tool. Next, enter the path to the folder (6), select the operating system the new plug-in pertains to (7) and select “Save” (8).

9. Checking the Plug-in

Checking the new MacLockPick plug-in

When you save the custom-built plug-in, the Setup window opens again, allowing you to review all the plug-ins, including your new one. Make sure your new plug-in is selected, as indicated by the checkbox to the right (1), then select “Quit” (2).

10. Run MacLockPick

Run MacLockPick

Once you quit the Setup window, you will be back at the MacLockPick Applications window. Select the MacLockPick application by double clicking on it to invoke MacLockPick.

11. MacLockPick Completion

MacLockPick has completed running

Once MacLockPick completes its operations, the above dialogue box will open, informing the user that the results are located in the “MacLockPick Output Folder” (1). Select “OK” (2).

12. Locating the MacLockPick Output Folder

Locating the MacLockPick Output folder

From the Desktop, select the “MACLOCKPICK” icon (1) by double clicking on it.

13. Open the MacLockPick Output Folder

Opening the MacLockPick Output folder

As the volume opens, locate the MacLockPick Output Folder, double click on it and select the appropriate result (the results are arranged by username and date/time stamp).

14. Reviewing the Results

Reviewing the MacLockPick results

Locate the folder containing the MacLockPick output and open it by double clicking on it.

15. Reviewing the Filter Results

Reviewing the MacLockPick filter results

The MacLockPick Output will contain, by default, several files: the .bash_history file (1), the Log Database (2) and a Screenshot (3) of the computer screen from which MacLockPick was run. In addition to these files will be any number of additional elements the user selected or created, in this case the results of the custom .pdf filter we created (4). Open the folder containing the .pdf filter results by double clicking on the appropriate folder (4).

16. Review the Custom Filter Results

Reviewing the custom MacLockPick filter results

Contained within the customized filter folder are the results of the search, in this case, only the .pdf files were exported from the folder (Dog_Training).
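The lesson above describes what the custom plug-in does (walk a folder relative to the user, keep only files with the chosen extension, export them in native format into an output folder named by username and date/time stamp). The following Python script is an added example that reproduces that behaviour stand-alone; it is not MacLockPick’s own plug-in engine, and the function names, the manifest file and the sample Dog_Training tree it builds in a temporary directory are assumptions made for the demo. The manifest of SHA-256 hashes is added so that an exported set can be verified later.

```python
"""Added example (not MacLockPick code): a stand-alone extension filter that
exports matching files and records a hash manifest for later verification."""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def find_by_extension(folder, extension):
    """Return every regular file below `folder` whose extension matches
    (case-insensitive), sorted so that repeated runs give the same order."""
    ext = extension.lower()
    if not ext.startswith("."):
        ext = "." + ext
    hits = [p for p in Path(folder).rglob("*") if p.is_file() and p.suffix.lower() == ext]
    return sorted(hits)


def sha256_of(path):
    """Hash a file in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def export_filter_results(home, relative_folder, extension, output_root, username, now=None):
    """Copy the matching files, in native format, into
    <output_root>/<username>_<timestamp>/<ext>_filter/ keeping their relative
    paths, and write a manifest of SHA-256 hashes next to them.
    Returns the manifest as a dict."""
    now = now or datetime.now()
    stamp = now.strftime("%Y-%m-%d_%H%M%S")
    source = Path(home) / relative_folder
    dest = Path(output_root) / f"{username}_{stamp}" / f"{extension.lstrip('.')}_filter"
    dest.mkdir(parents=True, exist_ok=True)

    manifest = {"source": str(source), "output": str(dest), "files": []}
    for src in find_by_extension(source, extension):
        rel = src.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)   # copy2 preserves the original timestamps
        manifest["files"].append({"relative_path": str(rel), "sha256": sha256_of(src)})

    lines = [f"{f['sha256']}  {f['relative_path']}" for f in manifest["files"]]
    (dest / "manifest.txt").write_text("\n".join(lines) + "\n")
    return manifest


def demo():
    """Build a constructed sample tree in a temporary directory and run the
    filter over it, mirroring the Dog_Training example from the lesson."""
    root = Path(tempfile.mkdtemp(prefix="maclockpick_demo_"))
    home = root / "home"
    folder = home / "Dog_Training"
    (folder / "sub").mkdir(parents=True)
    (folder / "manual.pdf").write_bytes(b"%PDF-1.4 constructed sample A")
    (folder / "notes.PDF").write_bytes(b"%PDF-1.4 constructed sample B")
    (folder / "readme.txt").write_bytes(b"not a pdf")
    (folder / "sub" / "receipt.pdf").write_bytes(b"%PDF-1.4 constructed sample C")
    return export_filter_results(home, "Dog_Training", ".pdf",
                                 root / "MacLockPick Output Folder",
                                 "examiner", datetime(2009, 1, 15, 9, 30, 0))


if __name__ == "__main__":
    for entry in demo()["files"]:
        print(entry["sha256"], entry["relative_path"])
```

The extension match is case-insensitive on purpose: a filter that only matched lowercase ".pdf" would silently miss "notes.PDF", which is exactly the kind of file an examiner does not want dropped.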
 


Searching MacLockPick Logs

MacLockPick extracts a wide range of valuable data from suspect machines and presents it in an easy-to-view format for the investigator. Even with the suspect information clearly formatted, there can be a very large amount of data to sort through to find what you are looking for. If you are looking for something specific, you can use MacLockPick’s Search feature. Simply click the “Find” button, enter your query and click “Find” again. All entries containing the searched term will be grouped together and highlighted at the top of the listing.
 


Exporting Data from the MacLockPick Logs

MacLockPick acquires lots of detailed information about a suspect, much of which can be very helpful in an investigation. When viewing the MacLockPick log file, the investigator can export all or a portion of the log data to a plain text file through the use of the “Export” button. Simply highlight the information you would like exported (choose “Select All” from the Edit menu if you would like to export everything in the log file) and then click the “Export” button. Name your exported text file and select the desired location to save it to.

General Forensics Tips for Mac Platform

Find the Last Server a User was Connected to in Mac OS X

Mac OS X makes connecting to remote servers very easy. Retrieving information about servers a suspect has connected to will help an investigator find other resources they should be investigating or help prove intent. Mac OS X logs these connections along with other information that may be of interest to an investigator.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.finder.plist. Within that file you will find “FXConnectToLastURL”. This entry shows the last file servers your suspect connected to. The entry “CFURLAliasData” will have the names of file servers accessed, disk images mounted, and sometimes names of DVDs (although they seem to be Apple-authored only) that have been mounted within the Finder. The entry “recent-folders” will show the last batch of folders that were accessed.
 


Resetting the Admin Password in Mac OS X

The easiest way to bypass the administrator password is to remove the drive, attach it to another machine or a forensic station, and then use MacForensicsLab to image the drive. That being said, if you need for some reason to keep the drive inside the machine, you can reset the system administrator password using the Mac OS X installation CD/DVD.

An easy way to reset passwords is to boot from the original OS install CD/DVD and select Password Reset from the Utilities menu.

On Macs without CD/DVD drives, you can reboot the Mac into OS X Utilities mode by restarting the machine and holding down the “command-r” keys. Once OS X Utilities appears on screen, select Terminal from the Utilities menu. At the prompt, enter resetpassword and then hit Enter.

A Reset Password window will appear. You can select the volume on which you would like the Admin password reset, and then enter a new password for the selected volume.

Doing this will destroy the forensic integrity of the suspect drive, so make sure you do this on a copy of the suspect drive.
 


Finding Recent Google Searches

Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it is very likely that search information can be found if a suspect uses Safari. Knowing what a suspect recently searched for can be helpful to an investigator or help prove intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Safari.plist. This is the main plist that needs to be trashed if Safari crashes upon opening or pages refuse to load. This file contains a section titled “RecentSearchStrings”. These are the last 10 items that have been searched for in the Google toolbar of Safari. Clearing the browser history in Safari does not clear this information. The same file also shows the most recent files downloaded from Apple and the last search made on the Apple website.
 


Finding Disk Images that Have Been Burnt to CD/DVD

Disk Images (.dmg) are very common on Mac OS X. Disk Images allow both compression and password protection, so they are very common for the distribution of software over the internet. When opened, Disk Images mount as a drive in the Finder.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.DiskUtility.plist. Inside this file is a section called “DUSavedDiskImageList” that shows the most recent disk images that have been used and burned by Disk Utility, including pathname locations. It also gives the name of the device that burned them and the serial number of that device.
 


Finding the Last iPod Connected to Mac OS X

iPods are popular devices for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by the system. Being able to prove a specific iPod was connected to a suspect machine can be beneficial to an investigation.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.iPod.plist. This file shows the serial number, firmware, and model of the last Apple iPod connected to the suspect drive. This will allow the investigator to track down the iPod used and see if there may be further evidence contained on it.
 


Finding Recently Viewed Pictures in Mac OS X

The default image browsing application in Mac OS X is Preview. It is a popular program for viewing images as it supports a large number of file formats and provides a simple user interface. Finding recently browsed images can help direct an investigator to files of interest or help prove intent.

Use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.Preview.bookmarks.plist. This file shows files recently viewed using Preview (files opened in Preview.app, newest on top), including the path to the file on local drives and network file servers.
 


Recently Accessed Items in Mac OS X

Showing applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number, but most leave it at the default.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.recentitems.plist. Inside this file you will find recent applications, documents, and servers accessed on the suspect computer. The lists include applications and documents on local and network drives, and the user that accessed the file (sometimes the user is different if it was accessed on a remote server). It also shows PC shared files accessed through a Workgroup and the access path used to open the files. Some of the file pathnames could be the most forensically useful, as well as the applications used and documents opened.
 


Recently Opened QuickTime Files

QuickTime is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played using QuickTime Player can help an investigator show intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.quicktimeplayer.plist. This file shows recently viewed movies and audio clips (any files opened in QuickTime Player.app). This file also contains “NSNavLastRootDirectory”, the default (last accessed) directory that was used for opening each movie. The pathnames and document names inside this file could be useful for your forensic investigation.
 


Finding Remote Desktop Connections

Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.RemoteDesktop.plist. This file shows all the machines this Mac has controlled or viewed with Apple Remote Desktop. It also includes information about the connection, such as the remote machine’s MAC address, IP address, name, and the time and date. The file also stores other information of potential forensic interest, including saved tasks for Apple Remote Desktop.
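The tips from “Find the Last Server a User was Connected to” down to this one all point at keys inside preference plists in ~/Library/Preferences. As an added example that is not MacForensics.com or MacForensicsLab code, the Python below reads copies of those files with the standard library’s plistlib (which handles both XML and binary plists) and pulls out the keys the tips name: FXConnectToLastURL, CFURLAliasData, recent-folders, RecentSearchStrings, DUSavedDiskImageList and NSNavLastRootDirectory. The sample plist contents are constructed for the demo and every value in them is invented; the ARTIFACT_KEYS table and the function names are assumptions, and real files may nest these keys differently depending on the OS version, so absent keys are reported rather than treated as an error.

```python
"""Added example (not MacForensics.com or MacForensicsLab code): pull the
preference keys named in the tips above out of copies of the user's
~/Library/Preferences/*.plist files."""
import plistlib
from xml.parsers.expat import ExpatError

# Preference file -> keys the tips above call out.  An empty list means
# "report every top-level key" for files where no specific key is named.
ARTIFACT_KEYS = {
    "com.apple.finder.plist": ["FXConnectToLastURL", "CFURLAliasData", "recent-folders"],
    "com.apple.Safari.plist": ["RecentSearchStrings"],
    "com.apple.DiskUtility.plist": ["DUSavedDiskImageList"],
    "com.apple.quicktimeplayer.plist": ["NSNavLastRootDirectory"],
    "com.apple.RemoteDesktop.plist": [],
    "com.apple.Preview.bookmarks.plist": [],
}


def extract_artifacts(plist_bytes_by_name):
    """Map each preference file name to the values found for the keys of
    interest.  Missing files, unparseable files and absent keys are reported
    rather than raised, because a triage run should not stop on one bad file."""
    results = {}
    for name, keys in ARTIFACT_KEYS.items():
        data = plist_bytes_by_name.get(name)
        if data is None:
            results[name] = {"status": "missing file"}
            continue
        try:
            plist = plistlib.loads(data)  # auto-detects XML and binary plists
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            results[name] = {"status": "unparseable"}
            continue
        if not isinstance(plist, dict):
            results[name] = {"status": "unexpected top-level type"}
            continue
        found = {k: plist[k] for k in keys if k in plist} if keys else dict(plist)
        absent = [k for k in keys if k not in plist]
        results[name] = {"status": "ok", "found": found, "absent": absent}
    return results


def report_lines(results):
    """Flatten the results into one line per key for the examiner's notes."""
    lines = []
    for name, info in sorted(results.items()):
        if info["status"] != "ok":
            lines.append(f"{name}: {info['status']}")
            continue
        for key, value in info["found"].items():
            lines.append(f"{name}: {key} = {value!r}")
        for key in info["absent"]:
            lines.append(f"{name}: {key} not present")
    return lines


# Constructed sample files.  The key names come from the tips above; every
# value is invented for the demo.
SAMPLE_PLISTS = {
    "com.apple.finder.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>FXConnectToLastURL</key><string>afp://fileserver.example.test/Share</string>
  <key>recent-folders</key><array><string>/Users/sample/Documents</string></array>
</dict></plist>""",
    # Safari's file written as a binary plist to show that loads() copes with it
    "com.apple.Safari.plist": plistlib.dumps(
        {"RecentSearchStrings": ["constructed search one", "constructed search two"]},
        fmt=plistlib.FMT_BINARY),
    "com.apple.DiskUtility.plist": plistlib.dumps(
        {"DUSavedDiskImageList": ["/Users/sample/Desktop/constructed.dmg"]}),
    "com.apple.quicktimeplayer.plist": plistlib.dumps(
        {"NSNavLastRootDirectory": "/Users/sample/Movies"}),
    # A truncated file, as an examiner might find after a crash
    "com.apple.RemoteDesktop.plist": b'<?xml version="1.0"?><plist version="1.0"><dict><key>Saved',
}


if __name__ == "__main__":
    for line in report_lines(extract_artifacts(SAMPLE_PLISTS)):
        print(line)
```

Run it against copies of the files taken from an image, never the live preference files themselves, since merely opening a preference file through the Finder can update access times on the evidence.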
 


View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

You can use MacForensicsLab’s Salvage function to salvage the contents of these folders and show the cached information. This will show you websites that have been browsed whose files have not been overwritten, as well as present cache files that have not been flushed.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located at: ~/Library/Caches/Safari
  • The default storage location for Firefox’s web cache is: ~/Users/“USERNAME”/Library/Caches/Firefox/Profiles/”COMPUTERCODE.default”/Cache

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may also be of interest to investigators. They can be viewed using the same process as the web caches.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.
 


Unfreezing A FireWire Bus That Has Hung

On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it.

If a hard drive freezes your FireWire bus and hangs your machine, you can cause the system to reset the bus by plugging a second device into the chain. The Mac will immediately rescan the bus, and this will sometimes unfreeze it. If this fails to unfreeze the FireWire bus, you will need to shut the machine down and restart the computer. You can resume your drive acquisition in MacForensicsLab after unfreezing the bus by checking the “Resume a previous recover.” box under the Acquire function and selecting the previous image when prompted.
 


Sleepimage in Mac OS X

The sleepimage is a file that Mac OS X uses to store the contents of the active RAM when a machine is put to sleep. This information is stored to allow the OS to restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping.

For an investigator, the sleepimage may contain information that could be valuable to an investigation. This information may show what a suspect was doing before they put their computer to sleep and may include incriminating evidence that could lead to a conviction.
The sleepimage file can be found in the following location in the Mac OS X system:
/private/var/vm/sleepimage

Please note that this is a hidden file that isn’t normally visible from the Finder. Computer forensics programs such as MacForensicsLab can be used to view the sleepimage location and the contents of the sleepimage file.
 


Finding the system time and date on a Mac


Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction.

Macs sold after March of 2001 will most likely have Mac OS X loaded on them, and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).

Determining if a firmware password is set

Before you can boot into Single User Mode, you must first determine if the user has set a firmware password on the system. A firmware password would prevent the investigator from booting into Single User Mode to determine the system’s time and date. The firmware password can be reset, but doing so also resets the system time. To determine if there is a firmware password set, do the following:

  • Power on the Mac while holding down the Option key.
    • If you are presented with a screen showing the bootable partitions on the system, then there is no firmware password set.
    • If you are presented with a password screen, then there is a firmware password and you will not be able to boot into Single User Mode.
  • Once you have determined whether there is a firmware password, power the Mac down by holding the power button until the system powers off.

Finding the system date and time via Single User Mode

  1. Press the Power button and immediately hold down the Command (Apple) and S keys. Doing so will make the Mac boot up in Single User Mode.
  2. Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer’s current date and time along with the user-configured time zone.
  3. You can then power down the computer safely.
  4. Another option for finding the Mac’s system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal, type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.

     


Finding the Original Registrant of Mac OS X


When Mac OS X is run for the first time after installation, the user is prompted to enter their registration information, such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and also used to populate the administrator’s information within the Address Book and for auto-fill forms within Safari.

When attempting to locate the original registered owner of a Mac OS X installation with MacForensicsLab, look for the file titled “Sendregistration.setup” in ~Users/“USERNAME”/Library/Assistants/. In certain situations (e.g. when there is no internet connection present at the time of registration) the file “Sendregistration.setup” is still within this directory and can contain the original registration content.

A secondary location for information on the original registrant of a computer running Mac OS X is the file titled AddressBookMe.plist, located in ~Users/“USERNAME”/Library/Preferences/. Using MacForensicsLab’s Analyze function (ASCII view within that section) on that file will reveal the original owner’s registration.


Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Being free, cross-platform, and updated regularly are just some of the many reasons many users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles/”COMPUTERCODE.default”/
Windows XP & 2000: C:\Documents and Settings\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\
or
C:\Windows\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Windows NT 4.x: C:\Winnt\Profiles\“USERNAME”\Application Data\Mozilla\Firefox\Profiles\
Unix: ~/.mozilla/firefox/”COMPUTERCODE.default”/

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites to never save the passwords for. The encryption key is contained in the file called key3.db.

More information about specific files in the user profile can be found in MozillaZine’s Knowledge Base article on the Profile Folder.

Update!

If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.


iPhone Artifacts

iPhones and iPod Touches with firmware version 2.0 or later will call home periodically to see if any applications have been blacklisted by Apple. This allows Apple to disable malicious applications on users’ iPhones and iPod Touches. The iPhone and iPod Touch will check the following URL for any blacklisted applications:

https://iphone-services.apple.com/clbl/unauthorizedApps


Recovering Email from Mac OS X Mail

Since the release of Mac OS X, Mail.app has been the default email application. Mail stored emails in .mbox files up until the release of Mac OS X Tiger 10.4, at which point Apple changed the default file type to .emlx. The instructions below outline the process used to recover and investigate the contents of these formats.

When looking for email on a suspect Mac OS X drive, the standard location for the stored email is ~/Users/“USERNAME”/Library/Mail.

You can use either the Analyze or Salvage functions of MacForensicsLab to examine Mail files.

• To use the Analyze function, use a search query of “.mbox” for systems running Mac OS X 10.0-10.3 and “.emlx” for Mac OS X 10.4 Tiger and higher.
• When using the Salvage function, direct the search to ~/Users/“USERNAME”/Library/Mail and do a Salvage of that location. Both .mbox and .emlx files will automatically be found.
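For an examiner who wants to look inside the two formats named above rather than only locate them, the following Python is an added example (not MacForensicsLab code). It reads classic mbox files with the standard library’s mailbox module and parses .emlx files by hand: an .emlx file carries one line holding the byte length of the RFC 822 message, then the message itself, then an XML plist of Mail’s own metadata. The sample message, the metadata plist values and the temporary Mail folder layout the demo builds (an INBOX.mbox/Messages/1.emlx and a plain Archive.mbox file) are constructed for the demo, and the function names are assumptions.

```python
"""Added example (not MacForensicsLab code): read Mail.app messages from
both storage formats named above, .mbox (10.0-10.3) and .emlx (10.4+)."""
import email
import email.policy
import mailbox
import plistlib
import tempfile
from pathlib import Path


def parse_emlx(data):
    """An .emlx file is: one line holding the byte length of the RFC 822
    message, the message itself, then an XML plist of Mail's metadata
    (flags and the like).  Returns (EmailMessage, metadata dict)."""
    newline = data.index(b"\n")
    length = int(data[:newline].strip())
    start = newline + 1
    message = email.message_from_bytes(data[start:start + length], policy=email.policy.default)
    trailer = data[start + length:].strip()
    metadata = plistlib.loads(trailer) if trailer else {}
    return message, metadata


def summarize(message, fmt, path):
    """Reduce a message to the header fields an examiner wants in a listing."""
    return {"format": fmt, "path": str(path), "from": str(message["From"]),
            "to": str(message["To"]), "subject": str(message["Subject"]),
            "date": str(message["Date"])}


def scan_mail_folder(root):
    """Walk a copy of ~/Library/Mail and summarize every message found in
    .emlx files and in plain mbox-format files."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix == ".emlx":
            message, _meta = parse_emlx(path.read_bytes())
            found.append(summarize(message, "emlx", path))
        elif path.is_file() and path.suffix == ".mbox":
            for message in mailbox.mbox(str(path)):
                found.append(summarize(message, "mbox", path))
    return found


# Constructed sample message used for both formats
SAMPLE_MESSAGE = (
    b"From: alice@example.test\n"
    b"To: bob@example.test\n"
    b"Subject: constructed sample\n"
    b"Date: Thu, 15 Jan 2009 09:30:00 -0500\n"
    b"\n"
    b"Body of a constructed test message.\n"
)


def build_sample_emlx():
    """Wrap SAMPLE_MESSAGE in the .emlx framing described in parse_emlx."""
    trailer = plistlib.dumps({"flags": 0, "date-sent": 1232029800})  # constructed metadata
    return str(len(SAMPLE_MESSAGE)).encode() + b"\n" + SAMPLE_MESSAGE + trailer


def demo():
    """Create a throwaway Mail folder holding one .emlx and one mbox file
    and scan it."""
    root = Path(tempfile.mkdtemp(prefix="mail_demo_"))
    (root / "INBOX.mbox" / "Messages").mkdir(parents=True)
    (root / "INBOX.mbox" / "Messages" / "1.emlx").write_bytes(build_sample_emlx())
    box = mailbox.mbox(str(root / "Archive.mbox"))
    box.add(email.message_from_bytes(SAMPLE_MESSAGE))
    box.flush()
    box.close()
    return scan_mail_folder(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry["format"], entry["date"], entry["from"], "->", entry["to"], entry["subject"])
```

Note that on 10.4 and later the name ending in .mbox is a directory that holds the .emlx files, which is why the scanner keys on regular files only: a directory called INBOX.mbox is walked into, and only a plain file with that suffix is handed to the mbox reader.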

Tips – Field Triage (M – Z)

Here’s part two of our Field Triage Tips (from M – Z).

Forensic triage is the practice of searching and analyzing a digital device (computers, smart phones, and tablets) in the field or at the crime scene. In many investigations crucial digital evidence is essential while at the scene. The traditional method of seizing a device (or devices), transferring it to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.

 


MacLockPick

MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems/storage media back to the lab for more detailed investigation after field triage has been concluded.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.

MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect’s computer while it is running. Once the MacLockPick software is run, it will extract the requisite data, providing the examiner fast access to the suspect’s critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is the only cross-platform solution on the market and therefore the best chance of successfully capturing data critical to any investigation involving running computers. In addition, MacLockPick is minimally invasive, providing results that can hold up in a court of law.
 


Maintain the Validity of Evidence

Triage tools are a powerful addition to any forensic investigator’s toolbox. One important aspect of a triage tool is that it minimizes the chances of costly mistakes and the potential of altering a suspect’s system in a way that may cause loss of evidence. First responder triage tools like MacLockPick are designed to minimize the footprint left on the suspect system and ensure that the validity of the suspect evidence is maintained.
 


Modification of Suspect Systems

One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the suspect evidence inadmissible in court. A good live forensics tool should be designed to minimize the footprint on the suspect’s system, and the footprint left by the tool should be verifiable and reproducible. This allows the investigator to show that no modifications were made to the evidence through use of the live forensics tool. Verifying MAC times (modify, access, and create times) can also help establish the time context.
 


Network Artifacts

In these increasingly connected times, most computers are connected to some sort of network. The information about current network connections can help direct an investigation or show examiners new areas that may be of interest to the investigation. Using a triage tool like MacLockPick can show an examiner a suspect’s ARP tables, open interfaces, and netstat activity.
 


Often Overlooked but Beneficial Artifacts

Any information that allows an investigator to paint a better picture of a suspect’s activities can be beneficial to an investigation. The clipboard can often contain contents showing what a suspect was recently doing on their system. A screenshot preserves the suspect system in the state it was in when investigators first came into contact with it. MacLockPick can capture both of these items for later examination.
 


Order of Volatility

When collecting data for a computer forensic investigation you want to collect the most volatile data first, as it will be lost the quickest. The order of volatility shows which data will be lost first.
 
 


  1. Memory contents
  2. Swap files
  3. Network processes
  4. System processes
  5. File system information
  6. Raw disk blocks

Memory contents, swap files, network processes, and system processes will all be lost when the suspect system is shut down.
 


Scripted Incident Response

Keeping track of what has been done is an important part of the first responder’s job. By scripting the procedures required, an investigator can make sure no steps were missed. Scripting the processes run on a suspect computer can also help authenticate any changes made to the machine during a live forensic investigation.
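The two tips above, the order of volatility and scripted incident response, come together in a small collection script. The following Python is an added example, not MacLockPick’s own code: it runs a fixed list of collection commands most-volatile-first, skips any tool that is not present on the host, and writes a record for every step (command, start and finish time in UTC, exit code, byte count and SHA-256 of the output) so that the footprint of the run is reproducible and the saved outputs can be verified later. The COLLECTION_PLAN, the output file layout and the function names are assumptions for the demo; a full memory capture needs a dedicated tool, so the plan starts with the live state that ordinary command-line tools can show.

```python
"""Added example (not MacLockPick code): a scripted live-response run that
collects volatile data in order of volatility and records, for every step,
what was run, when, and a SHA-256 of what came back."""
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Steps ordered most volatile first, following the order of volatility above.
# The commands are the standard Unix/Mac OS X ones; any that are not on the
# host are skipped and the skip is recorded.
COLLECTION_PLAN = [
    ("network_connections", ["netstat", "-an"]),
    ("running_processes", ["ps", "aux"]),
    ("arp_table", ["arp", "-a"]),
    ("network_interfaces", ["ifconfig", "-a"]),
    ("mounted_filesystems", ["mount"]),
    ("system_time", ["date"]),
    ("logged_in_users", ["who"]),
]


def run_step(name, argv, output_dir=None, timeout=60):
    """Run one collection command (argv list, no shell) and return a record of it.
    When output_dir is given the raw stdout is saved there as <name>.txt so the
    hash in the record can be checked against the saved file later."""
    record = {"step": name, "argv": argv, "started": datetime.now(timezone.utc).isoformat()}
    if shutil.which(argv[0]) is None:
        record["status"] = "tool not found"
        return record
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    record["finished"] = datetime.now(timezone.utc).isoformat()
    record["exit_code"] = proc.returncode
    record["stdout_bytes"] = len(proc.stdout)
    record["stdout_sha256"] = hashlib.sha256(proc.stdout).hexdigest()
    record["status"] = "ok"
    if output_dir is not None:
        out = Path(output_dir) / f"{name}.txt"
        out.write_bytes(proc.stdout)
        record["saved_to"] = str(out)
    return record


def run_plan(plan=COLLECTION_PLAN, output_dir=None):
    """Run every step in order and, if output_dir is given, write the records
    to collection_log.json next to the saved outputs."""
    if output_dir is not None:
        Path(output_dir).mkdir(parents=True, exist_ok=True)
    records = [run_step(name, argv, output_dir) for name, argv in plan]
    if output_dir is not None:
        (Path(output_dir) / "collection_log.json").write_text(json.dumps(records, indent=2))
    return records


if __name__ == "__main__":
    # Writes the outputs and the JSON log into ./live_response_output
    for rec in run_plan(output_dir="live_response_output"):
        print(rec["step"], rec["status"], rec.get("stdout_sha256", ""))
```

Pointing output_dir at removable media rather than the suspect’s own disk keeps the script’s footprint off the evidence, which is the same concern the “Modification of Suspect Systems” tip raises.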
 


Stop Drug Crimes

Drug trafficking has reached epidemic levels in some countries. These criminals are also more commonly using digital means to organize their criminal networks. Through the use of specialized forensic tools like MacLockPick and MacForensicsLab, an investigator can search for evidence common to drug crimes. Spreadsheet files, documents and databases can easily be located using keyword searches.
 


Target Child Pornography

Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the essence, specialized tools can make a big difference.
 


The Focus of Computer Forensic Triage

Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc., and which should never be done at all. Applied to the forensic examination process, it determines which data should be investigated first, second, etc., and which data should not be investigated at all. Triage considers the value of investigating, the complexity and the cost, and the order in which the investigation should be accomplished.

The focus of forensic triage is to:

  1. Find useable evidence quickly
  2. Identify possible victims that may be at risk
  3. Direct the ongoing investigation
  4. Identify potential charges
  5. Assess the possible danger the suspect poses to society


The Triage Phase

The triage phase of the investigation is the foundation on which the phases after it will be built. All potential evidence must be considered (computer systems, disks, CD/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains evidence relevant to the investigation. An investigator will still need to review the evidence collected in the triage phase at a later time in the lab.
 


Time Considerations

Making considerations for the time each process will take within an investigation is important. The time cost of every activity in an examination must be weighed against the potential return of the results of that activity. In general it is best to perform tasks that can be done quickly first.
 


Timing is Critical

Timing is critical throughout an investigation, and even more so at its beginning. During the early stages of the investigation it is critical for the investigator to have detailed knowledge of the crime or involvement of the suspect and of possible triggers that may increase the willingness of the suspect to cooperate or confess. It has been shown that suspects are more vulnerable and more likely to cooperate within the first several hours of their initial contact with police. By using triage tools to quickly acquire critical suspect data during the early stages of an investigation, an investigator can increase the likelihood of an arrest and confession.
 


Triage is Proven in the Field

The benefits of field triage have been proven. It has been shown that quick and effective analysis of suspect evidence can be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect others from becoming future victims of crime.
 


Triage Provides Direction for Investigations

Triage at the scene helps to provide time-sensitive investigative and interview leads. It also helps to provide direction for later investigation back at the lab. The information acquired through the use of triage tools can help direct investigators in the lab to information of relevance to the case.
 


USB Device History

USB has become one of the main standards for connecting all types of devices to computers these days. With the dropping prices of personal flash drives, they have become a popular way to transfer information from computer to computer. With MacLockPick an investigator can quickly gather information about the various USB devices that have been connected to a suspect’s Windows machine. This may point them to other potential evidence in their case.
 


Verification of System Information

Being able to confirm that no changes have been made to a suspect’s system or evidence between the time of seizure and the lab investigation can be important should the integrity of the evidence be called into question at trial. By using MacLockPick to record the suspect system’s configuration, including username, computer name, operating system, processor, RAM, model, UUID and more, an investigator can have verifiable proof that no changes have been made during the investigation.
 


What is Live Forensics?

Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.
 


Click here for part one of our Field Triage Tips (from A – L).