
MacForensicsLab Tips and Tutorials – Part Two



Erasing a Target Drive

This lesson demonstrates how to erase a target drive.

Open Preferences Window

Securely erasing a drive overwrites the contents of the device to ensure that no data can be recovered. This process involves overwriting every block of data on the drive one or more times so that no trace of the previous information on the device remains. Simply deleting the data on a drive does not actually erase it; it only frees that space to be overwritten by new data.

Before imaging a suspect device to a target drive, the investigator must first wipe the existing data on the target drive. This ensures that the target drive is free of any information from previous investigations and preserves the integrity of the suspect evidence. Clearing the target drive can be done either using Apple Disk Utility or MacForensicsLab.
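The overwrite-every-block idea above, as an added example that is not MacForensicsLab's or Disk Utility's own code: a multi-pass in-place overwrite of a file (a constructed stand-in for a target drive), with a scan that confirms a recognisable marker is present before the wipe and absent afterwards. The marker, file size and pass count are assumptions chosen for the demonstration.

```python
import os
import tempfile

BLOCK = 64 * 1024  # overwrite and scan in 64 KiB blocks

def wipe_file(path, passes=3):
    """Overwrite every byte of `path` in place `passes` times (random data, zeros last)."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(BLOCK, remaining)
                f.write(os.urandom(chunk) if n < passes - 1 else b"\x00" * chunk)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # push each pass to the media, not just the page cache
    return size

def contains_marker(path, marker):
    """Scan the file block by block for a byte string, including across block edges."""
    carry = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            if marker in carry + chunk:
                return True
            carry = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""
    return False

def demo(passes=3):
    """Constructed sample: a file full of a recognisable marker stands in for a drive."""
    marker = b"CASE-1234-EVIDENCE"  # constructed marker, not real case data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 5000)  # ~90 KB, so it spans more than one block
        path = f.name
    try:
        before = contains_marker(path, marker)  # marker is present before the wipe
        size = wipe_file(path, passes)
        after = contains_marker(path, marker)   # and gone afterwards
        with open(path, "rb") as f:
            zeroed = f.read() == b"\x00" * size
    finally:
        os.unlink(path)
    return before, after, zeroed
```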

Using Apple Disk Utility to erase your target drive

Locating the Applications folder on Mac OS X

To clear the acquisition drive using Apple Disk Utility, first open the Mac’s hard drive, then locate and open the Applications folder.

Finding the Utilities folder in Mac OS X

Find the Utilities folder and open it.

Finding Disk Utility in Mac OS X

Locate and open the application Disk Utility.

Setting up Disk Utility to wipe an acquisition drive.

First select the target drive you wish to wipe by clicking it on the left side. Next click the "Erase" toolbar option at the top of the window. Finally click the Security Options… button at the bottom of the window. If you would like, give the drive a name by entering it in the name area.

Selecting secure erase options in Disk Utility

In the Secure Erase Options the investigator can then select the desired method of erasing. Then click OK.

Secure erasing a drive

Click the Erase button to start erasing the target drive. A progress bar will indicate the status of the device erasure.

Using MacForensicsLab to erase your target drive

Selecting device to erase with MacForensicsLab

First select the target drive you would like to erase in the Device area of MacForensicsLab in the upper left corner.

Selecting Clear Work Drive in MacForensicsLab

With the desired device selected, go to the File menu and select Clear Work Drive.

Selecting secure erase options in MacForensicsLab

Select the number of passes you would like to make when erasing the data on your target drive. This can be done by either using the slider or entering the desired number in the box. When you have set the desired number of passes, click the Start button.

Operation cannot be undone

MacForensicsLab will inform you that the operation cannot be undone. Make sure you have selected the correct device and then click the OK button.

MacForensicsLab secure erase status

The shred process will begin and a status window will show the current progress of the task. When the device has been erased the software will notify the user that the process has completed.


Finding Child Pornography with the Skin Tone Analyzer

This lesson demonstrates how to use the skin tone analyzer feature of MacForensicsLab.

The distribution of child pornography is one of the most disturbing cyber crimes. With the growth of the internet and the ease of file sharing these days, child pornography has grown into a worldwide issue. Dealing with the sexual exploitation of children has become a major issue for law enforcement around the world. These cases sometimes involve thousands of images, and finding the right ones can become a huge task.

Finding the digital evidence can be a real headache when it’s mixed in with thousands of unrelated images. To make an investigator’s job easier, MacForensicsLab offers a built-in skin tone analyzer. This feature quickly filters out images of interest based on a number of user-entered parameters. The investigator can filter their results based on any combination of the following criteria:

  • Percentage of skin tone contained in the image.
  • Minimum and maximum file size.
  • Vertical and horizontal minimum and maximum pixel size.

You can use the browse function to quickly locate and display potential evidence of child pornography.

By using these simple parameters an investigator can narrow a search for suspect images down from hundreds of thousands to just a couple hundred (or even less). This can save the investigator hours of time that would have been spent manually searching through images that had no relevance to their case.

Forensic Image Hash Validation

The ability to obtain a valid forensic image is critical to the successful completion of a forensic examination. Therefore, as with all forensic tools, it is incumbent upon the examiner to validate their current tools against well documented and validated tools; this should be done every time there is an update to your software.

As an example, to validate a forensic image acquired under MacForensicsLab, open a terminal window and type "openssl md5" followed by the path and device name (e.g. openssl md5 /dev/rdisk1). Now compare the output with the hash reported by MacForensicsLab; they should match.
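The comparison described above, as an added example that is not part of the original tutorial or of MacForensicsLab: hash an image file block by block (so a multi-gigabyte image is never loaded whole), parse the digest out of the "MD5(/dev/rdisk1)= ..." line that openssl prints for the source device, and compare the two case-insensitively. The sample image and the reported digest line are constructed here; on a real workstation the image path and the openssl output would come from the acquisition.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never sits in memory

def hash_file(path, algorithm="md5"):
    """Hash a file or raw device node block by block; returns the lower-case hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

# `openssl md5 /dev/rdisk1` prints a line of the form "MD5(/dev/rdisk1)= <32 hex chars>"
OPENSSL_LINE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)\((?P<name>[^)]*)\)=\s*(?P<hex>[0-9a-fA-F]+)\s*$")

def parse_openssl_digest(line):
    """Pull the hex digest out of one line of openssl digest output."""
    m = OPENSSL_LINE.match(line.strip())
    if not m:
        raise ValueError("not an openssl digest line: %r" % line)
    return m.group("hex").lower()

def digests_match(a, b):
    """Compare two hex digests ignoring case and surrounding whitespace."""
    return a.strip().lower() == b.strip().lower()

def validate_image(image_path, openssl_line, algorithm="md5"):
    """True when the image hashes to the digest openssl reported for the source device."""
    return digests_match(hash_file(image_path, algorithm), parse_openssl_digest(openssl_line))

def demo():
    """Constructed sample: a small file stands in for the acquired image of /dev/rdisk1."""
    data = bytes(range(256)) * 64  # 16 KiB of constructed content
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        # The line openssl would print for the source device (constructed; upper-case on purpose)
        reported = "MD5(/dev/rdisk1)= " + hashlib.md5(data).hexdigest().upper()
        ok = validate_image(path, reported)
        # Flip a single byte of the image: the digests must no longer agree
        with open(path, "r+b") as f:
            f.seek(100)
            f.write(bytes([data[100] ^ 0xFF]))
        still_ok = validate_image(path, reported)
    finally:
        os.unlink(path)
    return ok, still_ok
```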

Forensic Imaging of the Amazon Kindle

The Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, its popularity looks set to keep increasing. The Kindle can store a wealth of information, not limited to ebooks but also including notes, music, search information, and other items of interest to a forensic investigator. It can also be used as a USB storage device. With 4GB of internal storage, the Kindle 3 can hold a wealth of data. Other Kindle models have less internal storage but can still contain valuable suspect data.

Examining the Amazon Kindle

Connecting the Kindle

Amazon Kindle 3 connected via USB

The Kindle uses a standard Micro USB cable (not to be confused with Mini USB, which looks similar but is slightly larger). Attach a Micro USB to USB cable to the USB port on the Kindle and plug the standard USB end into a USB write blocker, such as the WiebeTech USB WriteBlocker, then connect the write blocker to the forensic workstation (first making sure to disable Disk Arbitration on the Mac, for an extra layer of protection against accidental mounting of the device).

Imaging the Kindle

Selecting the Kindle device for forensic imaging in MacForensicsLab

Once the Kindle has been connected to a USB write blocker and the write blocker to the forensic workstation, the device should appear in the MacForensicsLab Device/Volume area. Select the "Kindle Internal Storage" device from the Device/Volume area and then click Acquire at the bottom of the window. Set your imaging options and then run the acquisition. Once the imaging is complete (this should take only a couple of minutes), detach the Kindle device using the Detach option in the ‘File’ menu of MacForensicsLab and then physically detach the device from the forensic workstation.

Examining the contents of the image

Once the device is detached, re-enable Disk Arbitration using the Disk Arbitration… option in the ‘Window’ menu. Next, select Attach Disk Image… from the ‘File’ menu. Select the Kindle image. You may now use MacForensicsLab to examine the contents of the Kindle for items of forensic interest.

Contents of the Amazon Kindle for forensic examination.


Hardware and Software Write Blocking

When creating an image of a suspect drive, the investigator needs to ensure that the evidence is not altered and remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all acquisitions are done using a combination of the two.

If you are using a hardware write blocker attached to the suspect drive to be acquired or examined, remember to check the jumper settings. In most cases and with most hardware, the jumpers on the drive must be set to Master (consult the drive manufacturer’s website for information on jumper settings for your specific drive model). If the drive does not appear in the device window of MacForensicsLab after a rescan (you can manually rescan the bus by selecting “Rescan” from the File menu), check that the jumper settings on the drive/device are set to Master.

To enable software write blocking inside MacForensicsLab, turn Disk Arbitration off in the popup menu that appears at the start of the application, or select Disk Arbitration from the Window menu and disable it there. Disk Arbitration is a background application in Mac OS X that is always running. When Disk Arbitration detects a new storage device it automatically mounts it with write access if available. By disabling it you prevent the suspect drive from being mounted and ensure that it cannot be written to. Disk Arbitration will stay off until you enable it again from the Window menu or you reboot.
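A pre-acquisition check for the situation described above, as an added example that is not part of MacForensicsLab or of the original tutorial: parse the output of the macOS "mount" command and report whether any slice of the suspect disk has been auto-mounted with write access, which is exactly what disabling Disk Arbitration is meant to prevent. The mount-table format assumed is the BSD-style "/dev/diskNsM on /path (flags)" line, a read-only mount carrying "read-only" among its flags; the sample mount table and the disk names in it are constructed.

```python
import re
import subprocess

# One line of macOS `mount` output looks like:
#   /dev/disk2s1 on /Volumes/Kindle (msdos, local, nodev, nosuid, noowners)
# A volume mounted read-only carries "read-only" in the flag list.
MOUNT_LINE = re.compile(r"^(?P<dev>/dev/\S+) on (?P<mp>.+?) \((?P<flags>[^)]*)\)\s*$")

def parse_mount_output(text):
    """Return a list of (device, mountpoint, flags) tuples from `mount` output."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if m:
            flags = {f.strip() for f in m.group("flags").split(",")}
            entries.append((m.group("dev"), m.group("mp"), flags))
    return entries

def writable_mounts(disk, mount_text):
    """Slices of `disk` (e.g. '/dev/disk2' -> /dev/disk2s1, ...) mounted without read-only."""
    prefix = disk + "s"  # '/dev/disk2s' does not match '/dev/disk20s1', so no false hits
    return [dev for dev, _mp, flags in parse_mount_output(mount_text)
            if (dev == disk or dev.startswith(prefix)) and "read-only" not in flags]

def safe_to_acquire(disk, mount_text):
    """True only if no slice of the suspect disk is mounted with write access."""
    return not writable_mounts(disk, mount_text)

def current_mount_output():
    """Read the live mount table via the `mount` command; not used by the constructed sample."""
    return subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout

# Constructed sample of what `mount` might print with Disk Arbitration still enabled:
# the Kindle's storage has been auto-mounted writable, while the target drive is read-only.
SAMPLE_MOUNT = """\
/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk2s1 on /Volumes/Kindle (msdos, local, nodev, nosuid, noowners)
/dev/disk3s2 on /Volumes/Target (hfs, local, nodev, nosuid, read-only, noowners)
"""
```

Run safe_to_acquire("/dev/disk2", current_mount_output()) on the workstation before clicking Acquire; a False result means the suspect device is mounted writable and Disk Arbitration (or the hardware blocker) is not doing its job.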

MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.