MacForensicsLab Tips and Tutorials – Part One


Adding a Case in MacForensicsLab

This lesson demonstrates how to add a case using MacForensicsLab
Open Preferences Window

Select MacForensicsLab from the Main Window and select Preferences (or from the Main Window use the keyboard shortcut of Command + , ).
Select Cases

Select the Cases Tab from the Preferences Window.
Add a Case

In the lower left corner, select the “+” button to add a new case.
Give the Case a Name

Delete the default Case ID 1 and give the new case a name (1), then fill out the Description field (2) to give additional case details.
Complete Case Information

Complete the case information (1 and 2) and then select “Save” (3).
Confirm the New Case was created in the Preferences Pane

Confirm the new case was created by reviewing the Preferences Pane (which automatically displays when you select Save in the previous step).


Adding a Disk Image in MacForensicsLab

This lesson demonstrates how to add a disk image to a case.
Attach a Disk Image

From the Main Window, select “File” (1) and from the drop down list “Attach Disk Image” (2).
Navigate to Disk Image

From the Navigation Window that appears, navigate to and select the desired disk image.
Select Open to Attach the Disk Image

Once you have selected the desired disk image select “Open” to attach the disk image.
Confirm Disk Image has been attached

Confirm the disk image has been attached from MacForensicsLab’s Main Window, which appears automatically after selecting the disk image.


Adding Exported Files into a Report in MacForensicsLab

This lesson demonstrates how to add exported files back into the case so they can be bookmarked and added into the report.
Navigate to exported folder containing the exported files

Open a navigation window (Finder) and navigate to the location of the exported files folder. In this example, I have Salvaged JPEG files onto the Desktop (1) and (2) into a subfolder named "JPEG" (3).
Open Disk Utility

Open the Disk Utility application located in the Applications -> Utilities folder.
Create a “Disk Image from Folder” using the exported folder
From within Disk Utility select "File" from the Main Window and "New -> Disk Image from Folder" from the drop down list.
Navigate to the Exported Folder

Navigate to the location where the exported folder is located (1), select it, and select "Image" (2).
Name the new disk image

Name the new disk image (1), leave all the defaults in place (image format and encryption) (2), then select "Save" (3).
Enter your password

Enter your password to create the disk image.
Quit Disk Utility

Once the disk image is created (1), quit the Disk Utility application (2).
Navigate to new disk image

Open a navigation window (Finder) and navigate to the new disk image.
Lock the new disk image

Once you have navigated to the new disk image, use Get Info (command + i) to see the properties (1). From within the Get Info window, select the "Locked" checkbox to lock the image (2), preventing changes to the disk image.
Attach Disk Image to Case

From the MacForensicsLab Main Window, select "File" (1) and "Attach Disk Image …" (2) from the drop down list.
Navigate to the Disk Image

When the navigation box opens, navigate to your newly created and locked disk image (1) and select "Open" (2).
Highlight Volume of new disk image

From within MacForensicsLab’s Main Window, select the Volume of the new disk image (1), then select the Browse function at the bottom of the Window (2).
Configure the Browse Window

Be sure that only the "Images Only" checkbox is marked (1), then select Browse (2).
Select all Files for Bookmarking

Select all the files by highlighting one and pressing Command + A.
Add Bookmark

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Add Bookmark" from the drop down list (2).
Select Bookmark Folder

Select the appropriate bookmark folder from the drop down list. In this example, I bookmarked all the files into the "suspicious images" bookmark folder.
Create the Bookmark

Once the appropriate bookmark folder is selected (1), select "Bookmark" (2).
Open Bookmarks

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Show All Bookmarks" from the drop down list (2).
Review new bookmarks

Select the appropriate bookmark folder (1) and review the newly created bookmarks (2).
Generate a report

From MacForensicsLab’s Main Window, select "File" (1) and "Write Report" from the drop down list (2).
Select the “Bookmarks” type checkbox

Select the Bookmarks type checkbox (1) to include the new bookmarks in your report, then select "Start" (2).
Save Report

Select a location to save your report to (1) and select "Choose" (2).
Review Bookmarks

From within the newly created report, review the newly created bookmarks.


Creating a Custom Bookmarks Folder in MacForensicsLab

Open Bookmarks Window

From MacForensicsLab Main Window select “Bookmarks” (1) and from the drop down list “Show All Bookmarks” (2).
Add a Custom Bookmark Folder

To add a custom bookmark folder select the “+” button at the bottom of the screen.
Name the Custom Bookmark Folder

After selecting the “+” button, a text box opens, enabling you to enter a name for the custom bookmark folder.
Add the Name of the Custom Bookmark Folder

Type in the name of the Custom Bookmark Folder and press “Enter.”
Add a description to the Custom Bookmark Folder

With the newly created Custom Bookmark highlighted (1), enter a description of the bookmark folder contents in the text box at the bottom of the screen (2).


Credit Card and Social Security Number Searching

Identity theft is a growing issue. With phishing scams and corporate theft, it’s an issue that can affect everyone, even those not online. MacForensicsLab has a built-in credit card and social security number (SSN) scanner. This powerful feature allows investigators to zero in on identity theft information. Not only does it search for what appear to be credit card numbers embedded within files, it also validates them to make sure they are true credit card numbers. No other tool offers this feature.

Credit card number and social security number searching to track down fraud evidence can be done easily with MacForensicsLab

Select the device, folder, or file you’d like to scan and click the “Search” function button. At the bottom of the Search window are two check boxes, one for Credit Cards and the other for SSN. Check one or both of these and click the "Search" button to scan the selected data. MacForensicsLab will then scan and show you any files containing credit card or social security numbers.


Customize the Report within MacForensicsLab

This lesson will demonstrate how to customize the Report by altering default files and adding files that the examiner wants to be added to every case thereafter.
The MacForensicsLab Templates Folder

The first time a report is generated using MacForensicsLab, a folder called "MacForensicsLab Templates" is created in the same location that the MacForensicsLab application was installed.
The Supplementary Files Folder

Contained within the MacForensicsLab Templates folder is a folder named Supplementary Files. By default, this folder contains three template files: Agency, Investigator and Software Tool. These files are designed to be customized by the user.
Customizing a Default File

To customize a default file located within the Supplementary Files folder, simply double click on the file to open it and make changes to the file, then save your changes. In this example, the "Agency.rtf" file has been customized.
Write a Report

To generate a report in MacForensicsLab, select "File" from the Main Window and "Write Report …" from the subsequent drop down list.
Setting up the Report

A report dialogue box opens. The user selects the items they want to appear in the report by selecting the appropriate checkbox (1) and then selects "Start" (2).
Select a Location for the Report

Once the "Start" button is selected in the previous step, a navigation window opens. Select the location for the report to be written to (1) and select "Choose" (2).
Default Supplementary Files in the Report

There are three default files in the Supplementary Files section, which are designed to be customized by the user. These files are Agency.rtf, Investigator.rtf and Software Tool.rtf.
Adding Additional Files to Supplementary Files folder

In MacForensicsLab you can add as many files as you like to the Supplementary Files folder. These files will remain resident in every case thereafter. This is a great way to reduce the time it takes to continually generate documentation that does not change from case to case. In this example, I would like to add a file called "Glossary of Computer Related Terms" into all of my reports. The first step is to open a navigation window (Finder) and navigate to the desired file.
Add File to Supplementary Files folder

Copy or move the desired file into the MacForensicsLab Templates -> Supplementary Files folder.
Generate the New Report

Once the report is written it will automatically launch. Observe that the new file "Glossary of Computer Related Terms.pdf" has been added into the report.
Open new file

Select the hyperlink to the newly copied file to open the file.