Posted on

Our New Site Redesign Benefits You

Thank you for your interest in MacForensicsLab.com. We have been committed to providing great software for forensics and eDiscovery professionals for over 10 years.

To continue our service to the law enforcement, eDiscovery professionals, and Macintosh communities, we have redesigned our web site — bringing a whole new look, as well as support for mobile technologies, and a streamlined shopping experience. It is also much easier to share articles, tips, and product information.

If you previously had an account with us, you will need to create a new account on this site. Obviously, you won’t see prior orders — only current and future orders — but don’t worry. We have retained all previous order information. Simply email our Support staff if you need information on older orders.

We did have to trim a few things with the new site. You might have reached this page from an old link to a discontinued product we no longer offer, or looking for an article where the information is no long relevant. These items either didn’t fit with our current product focus, or have lost their usefulness with developments in technology.

Again, thanks for choosing MacForensicsLab.com!

 

Posted on

Security Sites

This resources page contains a list of the 11 security sites.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.
 


 

MacForensicsLab.com recommended site - Help Net Security

Help Net Security (HNS) is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters a large number of Information Technology readers specifically interested in computer security. Besides covering news around the globe, HNS focuses on quality technical articles and papers, vulnerabilities, various vendor advisories, latest viruses, malware and hosts the largest security software download area with software for Windows, Linux, Mac OS X and Windows Mobile.
 


 

MacForensicsLab.com recommended site - The Honeynet Project

The Honeynet Project is a non-profit (501c3) volunteer, research organization dedicated to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.
 


 

MacForensicsLab Recommended Site - Security Focus

Security Focus – a good source of security information on the Internet.

Quoted from the Security Focus “about” page

Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we’ve strived to be the community’s source for all things security related. SecurityFocus was formed with the idea that community needed a place to come together and share its collected wisdom and knowledge. At SecurityFocus, the community has always been our primary focus. The SecurityFocus website now focuses on a few key areas that are of greatest importance to the security community.

  • BugTraq is a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.
  • The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
  • SecurityFocus Mailing Lists allow members of the security community from around the world to discuss all manner of security issues. There are currently 31 mailing lists; most are moderated to keep posts on-topic and to eliminate spam.

 


 

MacForensics.com Recommended Site - Forensic Science Communications

Forensic Science Communications (FSC) is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists. Forensic Science Communications supersedes the Crime Laboratory Digest. Online access is free and archives date back to 1999.

Note
Forensic Science Communications premiered in April 1999 and ended in April 2010. These back issues have been archived and made available for your review.

 


 

MacForensics.com Recommended Site - Computer Security Institute

Computer Security Institute serves the needs of Information Security Professionals through membership, educational events, security surveys and awareness tools. Joining CSI provides you with high quality CSI publications, discounts on CSI conferences, access to on-line archives, career development, networking opportunities and more.
 


 

MacForensics.com Recommended Site - The CERT Program

The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).
 


 

MacForensics.com Recommended Site - Securelist.com

Securelist.com (formerly Viruslist.com)- Permanently replenishing information about new viruses. Mechanisms of breeding and operation, detailed analysis of algorithms of viruses.
 


 

MacForensics.com Recommended Site - Insecure.org

Insecure.org is an internet security site and the home of the popular NMAP Network Security Scanner tool.
 


 

MacForensics.com Recommended Site - Security Tracker

SecurityTracker is a service that helps you to keep track of the latest security vulnerabilities. They monitor a wide variety of Internet sources for reports of new vulnerabilities in Internet software and/or services. They provide our users with a timely and reliable source for vulnerability notification.
 


 

MacForensics.com Recommended Site - Packet Storm

.:[ packet storm ]:. – Information and computer security full disclosure web site.
 


 

MacForensics.com Recommended Site -

SecuriTeam is a group within Beyond Security dedicated to bringing you the latest news and utilities in computer security.
 


 

LinuxSecurity.com

LinuxSecurity.com was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. Headquartered in Guardian Digital’s offices in Allendale, New Jersey, LinuxSecurity.com’s editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.
 

Posted on

Press Releases

Here’s a collection of our press releases.

MacForensicsLab 4.0 Released

MacForensicsLab 3.0 Released

SubRosaSoft.com Inc. Announces MacForensicsLab Version 2.5

SubRosaSoft.com Inc. Announces the Release of the Windows Version of MacForensicsLab Version 2.5

SubRosaSoft.com Inc Announces MacForensicsLab for Linux and Windows and a Welcome New Staff Member

SubRosaSoft Announces MacForensicsLab 2.0

SubRosaSoft.com Inc. Releases MacLockPick 3.0

MacForensicsLab Inc. Releases MacLockPick 2.1

SubRosaSoft Ships MacLockPick

MacForensicsLab.com Releases a White Paper on the Anatomy of Malware, Virus, Worm, and Trojan Threats to Mac OS X

SubRosaSoft.com Inc. Announces MacForensicsLab Social Agent

MacForensicsLab Inc. Releases Free Tool for Investigating Crimes Against Children

SubRosaSoft.com Inc. Releases MacForensicsLab Write Controller 1.0

Posted on

List of bulletin boards

Whether you are in search of opinions on a forensics related question, or want to share your experience with fellow investigators, here’s a few bulletin boards you may want to consider.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.


MacForensics.com Recommended Site - Forensic Focus Forums A bulletin board brought to you by the Forensic Focus website.
 


MacForensics.com Tips - Apple mailing list Mailing list for government computer forensics professionals interested in learning and discussing how to best leverage Apple technology and various industry applications.
 


MacForensics.com Recommended Site - Computer Forensics World A bulletin board brought to you by the Computer Forensics World website.

 

Posted on

macOS related sites

This resources page contains a list of more technical Mac OS related sites. If you are interested in Macs related technical information, tips and insights, you may want to start with the following list.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.


SecureMac.com

SecureMac was historically one of the best sites for information on mac security topics. Definitely a recommended read.

Quoted from the SecureMac.com site:

Mac security is a more serious problem than most people think. It’s true that Macintosh computers have lower security risks than the average PC, but running security software for Macs is every bit as essential.
SecureMac has operated at the cutting edge of Apple security for over a decade. We produce some of the best security software for Mac computers on the market. And we’ve won the awards to prove it.
If you’re reading this right now, you’ve probably realized that securing your Mac against malware and privacy threats is important. If you want to keep your Mac secure, you’ve come to the right place.

 


MacUpdate

MacUpdate is an app/software download website that simplifies finding, buying and installing apps for your Macintosh computer.

MacUpdate.com is updated daily and currently carries more than 40,000 Macintosh applications for download.

 


MacForensicsLab for Mac OS X

Click here to visit a page on this site about MacForensicsLab for Mac OS X. The software is a complete forensics suite that is fully cross platform and available on Mac OS X, Microsoft Windows, as well as Linux.

This product is owned and produced by the owners of this website and the page you will be linking to is inside this website.
 


MacSurfer.com

www.MacSurfer.com is a news aggregator site for Mac OS X news sites. A handy site to find links to all things happening in the mac world.

 


Stuffit Expander

In earlier days – the Mac OS stored compressed files using a program called ‘Stuffit’, you may have seen these files around with a suffix of .sit or .sitx. Since OS X version 10.3, zip compression has been built in but occasionally you will still see legacy files around using this format.

The decompression tool is available for free download and runs mac and other platforms. You can download the expander by clicking here.

 


 

GraphicConverter

Perhaps the most powerful tool for working with graphic formats. This program can open almost every graphic format ever made, and is well known for it’s ability to handle “less than perfect” files. Try it for free and see the great features. We recommend this product to all mac users.

 


Apple Product Specifications

An official and comprehensive list of specifciations for all Apple products. Use this list to get details on past and present features for iPods, Mac computers, iPhones, and much more.

 


Apple Computer

An official source for security updates on Mac OS X. Users of Mac OS X can also get all their updates by selecting ‘Software update…’ from the Apple menu on the top left corner of the screen, or simply by waiting for the process to be performed automatically.

Quoted from the Apple site:

This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

 


MacFixIt of Cnet

MacFixIt, now part of CNET provides latest news, reviews of software and hardware products, and the latest workarounds and solutions to technical roadblocks and frustrating barriers.

 


MacInTouch

MacInTouch is an independent journal providing timely, reliable news, information and analysis about Apple Macintosh and iPhone/iOS platforms.

 


Mac OS X Hints

The Mac OS X Hints site gives handy tips and tricks for all things Apple.

Quoted from the Mac OS X Hints website:

I should first say that OS X public beta was my first real exposure to UNIX, and that’s probably one of the bigger reasons for this site — a good friend of mine is a UNIX wizard, and I’m sure he was getting tired of my calls! While trying to learn the system, I was getting somewhat frustrated at having to jump all over the web to find answers to OS X questions. There are some excellent sites out there (make sure you check out the links pages here), but none that seemed to focus specifically on providing how-to’s in a quick, easy-to-use format.

So in November of 2000, I launched macosxhints.com … and in the last five-plus, it has grown into a collection of thousands of hints regarding OS X and related applications, with multiple thousands of comments from experienced users providing even more information. It’s truly a one-stop-shop for OS X hints and how-to’s, and I’m amazed at just how intelligent and friendly the macosxhints community is!

Update — Mac OS X Hints is now a read-only site. There’s still a wealth of great information there the many will find useful.

Posted on

MacForensicsLab Tips and Tutorials – Part Three

Part One

Part Two

Part Three

Imaging a Drive via Target Disk Mode

MacForensics.com Tips - Imaging a Drive via Target Disk ModeSometimes an investigator may not have access to a hardware write blocker or may not be able to remove the suspect drive from their Mac (we do not recommend investigators attempt to image a drive without a hardware write blocker but at times situations may necessitate it). In this case the investigator can connect the suspect Mac to their forensic workstation to process the investigation using a process called Target Disk Mode. Target Disk Mode causes the suspect Mac to act like an external drive at which point it can then be connected to a forensic workstation running MacForensicsLab for imaging and examination.

  1. The first and MOST important step in this process is making sure that Disk Arbitration is disabled. You can do this by following the process for disabling Disk Arbitration found here. Make you verify that it is disabled using Disk Utility once you have completed this. This will ensure that the suspect drive stays forensically sound.
  2. Boot the suspect Mac and hold down the “T” key until a diak icon appears on screen. The suspect machine is now in Target Disk Mode.
  3. Connect the suspect machine to your examination workstation. Target Disk Mode supports FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3 (USB-C) ports. Once the suspect drive appears in MacForensicsLab’s Device area, you can proceed with acquiring an image of it (note: the suspect drive will not appear on the desktop as Disk Arbitration is disabled).
  4. Once the image has been created, you can hold down the power button on the suspect machine until it powers itself off. Then disconnect it from the examination machine.
Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

 


Starting Points For A Mac OS X Investigation

MacForensics.com Tips - Starting Points For A Mac OS X InvestigationWhen processing an investigation of a suspect’s Mac OS X hard drive using MacForensicsLab there are several places that you may want to start your search. These folders are present on all versions of Mac OS X and contain a great deal of information that will help the investigator to show intent and may also give them a better idea of where they should look next.

A good place to start forensic discovery on any Mac OS X machine is inside the ~Users/“USERNAME”/ folder. Within this folder you can find sub-folders containing large amounts of user data. Many peer-to-peer applications create folders here and many times there are other user-created folders found here.

The ~/Users/“USERNAME”/Library folder and it’s sub-folders have a vast amount of usable forensic material. Some sub-folders of interest in here are; Caches, Calendars, Cookies, Keychains, Logs, Mail, Preferences, Recent Servers, and Safari. Any of these can be examined with MacForensicsLab’s Analyze function or the Salvage function depending on the kind of data discovery you are after.

The ~/Users/“USERNAME”/Documents is the default save-to folder for many applications and many users use this folder to store everything from text documents to pictures and movies.

The ~/Users/“USERNAME”/Pictures folder if the default storage location for Apple’s iPhoto. Photos loaded into iPhoto are stored here in the iPhoto Library folder in iPhoto version before ’08. In iPhoto ’08 the iPhoto Library folder is replaced by a package with the same title. Many users use this folder to store images from other applications also.

The ~/Users/“USERNAME”/Movies folder is the default storage location for many video editing applications including Apple’s iMovie. Many users use this folder to store video files on their system.
 


Turning On Software Write Blocking

MacForensics.com Tips - Turning On Software Write BlockingWhen creating a forensically sound image of a suspect drive, care must be taken to insure that the suspect evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but will not allow the acquisition computer to write data to the drive, thus preventing the information from being compromised.

Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

If you do not have access to a hardware write blocker and need to image a suspect drive, you can use MacForensicsLab’s Disable Disk Arbitration option to disabled writing to the drive.

The process to use MacForensicsLab to disable Disk Arbitration is as follows.

  1. Turn off Disk Arbitration from File menu. You can verify that it is disabled by attempting to launch Disk Utility. If Disk Arbitration is disabled, Disk Utility will not launch.
  2. Plug drive in/power-up or insert media card.
  3. Go back to File Menu and select “Rescan Bus”.
  4. Drive/media will now be visible within MacForensicsLab.
  5. Image drive with the Acquire function.
  6. Disconnect drive BEFORE turning Disk Arbitration back on the same way you turned it off.

MacForensicsLab highly recommends that a hardware write blocker be used when acquiring an image of a suspect drive.
 


Why Won’t My Acquired Disk Image Mount on The Desktop

MacForensics.com Tips - Why Won't My Acquired Disk Image Mount on The DesktopDoes your acquired disk image refuse to mount on the desktop? If you have selected the option to turn off Disk Arbitration when MacForensicsLab launches or disabled Disk Arbitration by selecting the option from the Window menu, Disk Utility will not be able to mount any images until Disk Arbitration is turned back on. This issue can be resolved using either of these options.

Re-enabling Disk Arbitration can be done either by selecting the Disk Arbitration option from the Window menu within MacForensicsLab again and enabling it or by rebooting your Mac. Many times Disk Arbitration can be turned off and forgtten about because of MacForensicsLab’s ability to see drives at the device level. This means you can still work with disk images within MacForensicsLab even without mounting them on the desktop as you normally would. If you’re still having problems mounting disk images after re-enabling Disk Arbitration in MacForensicsLab restart your computer.

Posted on

MacForensicsLab Tips and Tutorials – Part Two

Part One

Part Two

Part Three


MacForensics.com Tips - Erasing a Target Drive

Erasing a Target Drive

This lesson demonstrates how to erase a target drive.

Open Preferences Window

Securely erasing a drive will overwrite the contents of the device to insure that no data can be recovered. This process involves overwriting every block of data on the drive one or more times to insure that no trace of the previous information on the device remains. Simply deleting the data on a drive does not actually erase it but rather only frees that space to be overwritten by new data.

Before imaging a suspect device to a target drive it is necessary for the investigator to first wipe the existing data on the target drive. This insures that the target drive is free of any information from previous investigations and insures the integrity of the suspect evidence. Clearing the target drive can be done either using Apple Disk Utility or MacForensicsLab.
Using Apple Disk Utility to erase your target drive

Locating the Applications folder on Mac OS X

To clear the acquisition drive using Apple Disk Utility, first open the Mac’s hard drive and locate the Applications folder and open it.

Finding the Utilities folder in Mac OS X

Find and open the Utilities folder and open it.

Finding Disk Utility in Mac OS X

Locate and open the application Disk Utility.

Setting up Disk Utility to wipe an aquisition drive.

First select the target drive you wish to wipe by clicking it on the left side. Next click the "Erase" toolbar option at the top of the window. Finally click the Security Options… button at the bottom of the window. If you would like, give the drive a name by entering it in the name area.

Selecting secure erase options in Disk Utility

In the Secure Erase Options the investigator can then select the desired method of erasing. Then click OK.

Secure erasing a drive

Click the Erase button to start erasing the target drive. A progress bar will indicate the status of the device erasure.

Using MacForensicsLab to erase your target drive

Selecting device to erase with MacForensicsLab

First select the target drive you would like to erase in the Device area of MacForensicsLab in the upper left corner.

Selecting Clear Work Drive in MacForensicsLab

With the desired device selected, go to the File menu and select Clear Work Drive.

Selecting secure erase options in MacForensicsLab

Select the number of passes you would like to make when erasing the data on your target drive. This can be done by either using the slider or entering the desired number in the box. When you have set the desired number of passes, click the Start button.

Operation cannot be undone

MacForensicsLab will inform you that the operation cannot be undone. Make sure you have selected the correct device and then click the OK button.

MacForensicsLab secure erase status

The shred process will begin and a status window will show the current progress of the task. When the device has been erased the software will notify the user that the process has completed.

 


Finding Child Pornography with the Skin Tone Analyzer

This lesson demonstrates how to use the skin tone analyzer feature of MacForensicsLab.
MacForensics.com Tips - Finding Child Pornography with the Skin Tone AnalyzerThe distribution of child pornography is one of the most disturbing cyber crimes. With the growth of the internet and the ease of file-sharing these days, child pornography has grown to become a world wide issue. Dealing with the exploitation of children in a sexual manner has become a big issue for law enforcement around the world. These cases sometimes involve thousands of images and finding the right ones can become a huge task.

Finding the digital evidence can be a real headache when it’s mixed in with thousands of unrelated images. To make an investigator’s job easier, MacForensicsLab offers a built-in skin tone analyzer. This feature quickly filters out images of interest based on a number of user entered parameters. The investigator filter their results based on any combination of the following criteria:

  • Percentage of skin tone contained in the image.
  • Minimum and maximum file size.
  • Vertical and horizontal minimum and maximum pixel size.

You can use the browse function to quickly locate and display potential evidence of child pornography.

By using these simple parameters an investigator can narrow a search for suspect images down from hundreds of thousands to just a couple hundred (or even less). This can save the investigator hours of time that would have been spent manually searching through images that had no relevance to their case.


Forensic Image Hash Validation

MacForensics.com Tips - Forensic Image Hash Validation>The ability to obtain a valid forensic image is critical to the successful completion of a forensic examination. Therefore, as with all forensic tools, it is encumbant upon the examiner to validate their current tools against well documented and validated tools; this should be done every time there is an update to your softwware.

As an example, to validate a forensic image acquired under MacForensicsLab, open a terminal window and type: openssl md5 (path and device name – i.e. /dev/rdisk1) now compare the output with that of MacForensicsLab, they should match.


Forensic Imaging of the Amazon Kindle

MacForensics.com Tips - Forensic Imaging of the Amazon KindleThe Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, the popularity looks to continue to increase. The Kindle can store a wealth of information, not only limited to ebooks but also notes, music, search information, and other items of interest to a forensic investigator. It can also be used as a USB storage device. With 4GB of internal storage, the Kindle 3 can hold a wealth of data. Other Kindle models have less internal storage but can still valuable suspect data.

Examining the Amazon Kindle

Connecting the Kindle

Amazon Kindle 3 connected is USB

The Kindle uses a standard Micro USB cable (not to be confused with Mini USB which looks similar but is slightly larger). Attach a Micro USB to USB cable to the USB port on the Kindle and plug the standard USB end into a USB write blocker, such as the WiebeTech USB WriteBlocker, then connect the write blocker to the forensic workstation (first making sure to disable Disk Arbitration on the Mac first, for an extra layer of protection against accidental mounting of the device).

Imaging the Kindle

Selecting the Kindle device for forensic imagine in MacForensicsLab

Once the Kindle has been connected to a USB write blocker and connected to the forensic workstation, the device should appear in the MacForensicsLab Device/Volume area. Select the "Kindle Internal Storage" device from the Device/Volume area and then click Acquire at the bottom of the window. Set your imaging options and then run the acquisition. Once the imaging is complete (should take only a couple minutes), detach the Kindle device using the Detach option in the ‘File’ menu of MacForensicsLab and then physically detach the device from the forensic workstation.

Examining the contents of the image

Once the device is detached, re-enable Disk Arbitration using the Disk Arbitration… option in the ‘Window’ menu. Next, select Attach Disk Image… from the ‘File’ menu. Select the Kindle image. You may now use MacForensicsLab to examine the contents of the Kindle for items of forensic interest.

Contents of the Amazon Kindle for forensic examination.

 


Hardware and Software Write Blocking

MacForensics.com Tips - Hardware and Software Write BlockingWhen creating an image of a suspect drive, the investigator needs to insure that the evidence is not altered and it remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all acquisitions are done using a combination of the two.

If you are using a hardware write blocker attached to your suspect drive to be acquired or examined, remembering to check the jumper settings. In most cases and with most hardware, the jumpers on the drive must be set to Master (consult the drive manufacturer’s website for information on jumper settings for your specific drive model). If the drive does not appear in the device window of MacForensicsLab after a rescan (you can manually rescan the bus by selecting “Rescan” from the File menu), check to make sure that the jumper settings are set to Master on the drive/device.

To enable software write blocking, inside MacForensicsLab turn Disk Arbitration off under the popup menu that appears at the start of the application or you can select Disk Arbitration from the Window menu and disable it there. Disk Arbitration is a background application in Mac OS X that is always running. When Disk Arbitration detects a new storage device it automatically mounts it with write access if available. By disabling it you prevent the suspect drive from being mounted and insure that it cannot be written to. Disk Arbitration will be off until you enabled it again from the Window menu or you reboot.

Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.
Posted on

MacForensicsLab Tips and Tutorials – Part One

Tips and Lessons – MacForensicsLab

Part One

Part Two

Part Three


Adding a Case in MacForensicsLab

This lesson demonstrates how to add a case using MacForensicsLab
Open Preferences Window
Open Preferences

Select MacForensicsLab from the Main Window and select Preferences (or from the Main Window use the keyboard shortcut of Command + , ).
Select Cases
Select Cases

Select the Cases Tab from the Preferences Window.
Add a Case
Add a Case

In the lower left corner, select the “+” button to add a new case.
Give the Case a Name
Give the case a name

Delete the default Case ID 1 and give the new case a name (1) , then fill out the Description field (2) to give additional case details.
Complete Case Information
Complete case information

Complete the case information (1 and 2) and then select “Save” (3).
Confirm the New Case was created in the Preferences Pane
Confirm the new case was created in the Preferences pane

 

Confirm the new case was created by reviewing the Preferences Pane (which automatically displays when you selected Save in the previous step.


Adding a Disk Image in MacForensicsLab

This lesson demonstrates how to add a disk image to a case.
Attach a Disk Image
Attach a disk image

 

From the Main Window, select “File” (1) and from the drop down list “Attach Disk Image” (2).
Navigate to Disk Image
Navigate to disk image

From the Navigation Window that appears, navigate to and select the desired disk image.
Select Open to Attach the Disk Image
Select Open to attach the disk image

Once you have selected the desired disk image select “Open” to attach the disk image.
Confirm Disk Image has been attached
Confirm Disk Image has been attached

Confirm the disk image has been attached from MacForensicsLab’s Main Window, which appears automatically after selecting the disk image.


Adding Exported Files into a Report in MacForensicsLab

This lesson demonstrates how to add exported files back into the case so they can be bookmarked and added into the report.
Navigate to exported folder containing the exported files
Navigate to the Export folder

Open a navigation window (Finder) and navigate to the location of the exported files folder. In this example, I have Salvaged JPEG files onto the Desktop (1) and (2) into a subfolder named "JPEG" (3).
Open Disk Utility
Open Disk Utility

Open the Disk Utility application located in the Applications -> Utilities folder.
Create a “Disk Image from Folder” using the exported folder
Create Disk Image from Folder using the exported folder
From within Disk Utility select "File" from the Main Window and "New -> Disk Image from Folder" from the drop down list.
Navigate the the Exported Folder
Navigate the the Exported Folder

Navigate to the location where the exported folder is located (1) select it and select "Image" (2).
Name the new disk image
Name the new disk image

Name the new disk image (1), leave all the defaults in place (image format and encryption) (2), then select "Save" (3).
Enter your password
Enter your password

Enter your password to create the disk image.
Quit Disk Utility
Quit Disk Utility

Once the disk image is created (1), quit the Disk Utility application (2).
Navigate to new disk image
Navigate to new disk image

Open a navigation window (Finder) and navigate to the new disk image.
Lock the new disk image
Lock the new disk image

Once you have navigated to the new disk image, use Get Info (command + i) to see the properties (1). From within the Get Info window, select the "Locked" checkbox to lock the image (2), preventing changes to the disk image.
Attach Disk Image to Case
Attach disk image to case

From the MacForensicsLab Main Window, select "File" (1) and "Attach Disk Image …" (2) from the drop down list.
Navigate to the Disk Image
Navigate to the Disk Image

When the navigation box opens, navigate to your newly created and locked disk image (1) and select "Open" (2).
Highlight Volume of new disk image
Highlight Volume of new disk image

From with MacForensicsLab’s Main Window, select the Volume of the new disk image (1), then select the Browse function at the bottom of the Window (2).
Configure the Browse Window
Configure the Browse window

Be sure that only the "Images Only" checkbox is marked (1), then select Browse (2).
Select all Files for Bookmarking
Select all files for bookmarking

Select all the files by highlighting one and selecting (Command + A).
Add Bookmark
Add bookmark

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Add Bookmark" from the drop down list (2).
Select Bookmark Folder
Select bookmark folder

Select the appropriate bookmark folder from the drop down list. In this example, I bookmarked all the files into the "suspicious images" bookmark folder.
Create the Bookmark
Create the bookmark

Once the appropriate bookmark folder is selected (1), select "Bookmark" (2).
Open Bookmarks
Open bookmarks

From MacFornensicsLab’s Main Window select "Bookmarks" (1) and "Show All Bookmarks" from the drop down list (2).
Review new bookmarks
Review new bookmarks

Select the appropriate bookmark folder (1) and review the newly created bookmarks (2).
Generate a report
Generate a report

From MacForensicsLab’s Main Window, select "File" (1) and "Write Report" from the drop down list (2).
Select the “Bookmarks” type checkbox
Select the bookmarks type checkbox

Select the Bookmarks type check box (1) to include the new bookmarks in your report, then select: "Start" (2).
Save Report
Save report

Select a location to save your report to (1) and select "Choose" (2).
Review Bookmarks
Review bookmarks

From within the newly created report, review the newly created bookmarks.


Creating a Custom Bookmarks Folder in MacForensicsLab

Open Bookmarks Window
Open Bookmarks window

From MacForensicsLab Main Window select “Bookmarks” (1) and from the drop down list “Show All Bookmarks” (2).
Add a Custom Bookmark Folder
Add custom bookmark folder

To add a custom bookmark folder select the “+” button at the bottom of the screen.
Name the Custom Bookmark Folder
Name the custom bookmark folder

After selecting the “+” button, a text box opens, enabling you to enter a name for the custom bookmark folder.
Add the Name of the Custom Bookmark Folder
Add the name of the custom bookmark folder

Type in the name of the Custom Bookmark Folder and press “Enter.”
Add a description to the Custom Bookmark Folder
Add a description to the custom bookmark folder

With the newly created Custom Bookmark highlighted (1), enter a description of the bookmark folder contents in the text box at the bottom of the screen (2).


Credit Card and Social Security Number Searching

MacForensics.com Tips - Credit Card and Social Security Number SearchingIdentity theft is a growing issue. With phishing scams and corporate theft, it’s an issue that can affect everyone, even those not online. MacForensicsLab has a built in credit card and social security number (SSN) scanner. This powerful feature allows investigators to zero in on identity theft information. Not only does it search for what appears to be credit card numbers imbedded within files, it also validates them to make sure they are true credit card numbers. No other tool offers this feature.

Credit card number and social security number searching to track down fraud evidence can be done easily with MacForensicsLab

Select the device, folder, or file you’d like to scan and click the “Search” function button. At the bottom of the Search wind at two check boxes. One for Credit Cards and the other for SSN. Check one or both of these and click the "Search" button to scan the selected data. MacForensicsLab will then scan and show you any files containing credit card or social security numbers.


Customize the Report within MacForensicsLab

This lesson will demonstrate how to customize the Report by altering default files and adding files that the examiner wants to be added to every case thereafter.
The MacForensicsLab Templates Folder
MacForensicsLab templates folder

The first time a report is generated using MacForensicsLab, a folder called "MacForensicsLab Templates" folder is created in the same location that the MacForensicsLab application was installed.
The Supplementary Files Folder
Supplementary Files folder

Contained within the MacForensicsLab Template folder is a folder named the Supplementary Files folder. This folder, by default contains three template files; Agency, Investigator and Software Tool. These files are designed to be customized by the user.
Customizing a Default File
Customizing a Default File

To customize a default file located within the Supplementary Files folder, simply double click on the file to open it and make changes to the file, then save your changes. In this example, the "Agency.rtf" file has been customized.
Write a Report
Write a report

To generate a report in MacForensicsLab, select "File" from the Main Window and "Write Report …" from the subsequent drop down list.
Setting up the Report
Setting up the report

A report dialogue box opens and the user selects the items they want to appear in the report by selecting the appropriate checkbox (1) and then select "Start" (2).
Select a Location for the Report
Select a location for the report

Once the "Start" button is selected in the previous step, a navigation window opens, select the location for the report to be written to (1) and select "Choose" (2).
Default Supplementary Files in the Report
Default Supplementary Files in the Report

There are three default files in the Supplementary Files section, which are designed to be customized by the user; these files are: Agentcy.rtf, Investigator.rtf and Software Tool.rtf.
Adding Additional Files to Supplementary Files folder
Adding Additional Files to Supplementary Files folder

In MacForensicsLab you can add as many files as you like to the Supplementary Files folder. These files will remain resident in every case thereafter. This is a great way to reduce the time it takes to continually generate documentation that does not change from case to case. In this example, I would like to add a file called "Glossary of Computer Related Terms" into all of my reports. The first step is to open a navigation window (Finder) and navigate to the desired file.
Add File to Supplementary Files folder
Add File to Supplementary Files folder

Copy or move the desired file into the MacForensicsLab Templates -> Supplementary Files folder.
Generate the New Report
Generate the New Report

Once the report is written it will automatically launch. Observe the new file "Glossary of Computer Related Terms.pdf has been added into the report.
Open new file
Open new file

Select on the hyperlink to the newly copied file to open the file.

Posted on

Plugins for MacLockPick

The following is a list of plugins that come as standard with MacLockPick:

AddressBook

MacLockPick plugin to extract address book contents

The Address Book plugin for MacLockPick extracts items stored in the Address Book caches on a Mac OS X system. This includes most buddies and email correspondent’s details used by a Mac OS X user as well as items that have been deleted from the main addressbook storage file.

Adium

The Adium plugin for MacLockPick captures the chat logs from Adium on a Mac OS X operating system.Adium is a popular free software instant messaging client for Mac OS X that supports multiple protocols through the libezv (for Bonjour) and the libpurple (all other protocols) libraries.

Apple Mobile

The Apple iPhone has become a popular cell phone for many due to the mass market appeal and the easy of use. It’s feature rich and has become much more then just a cell phone for many. This also means it’s full of artifacts that are of interest to forensic investigators. By using MacLockPick II, an investigator can acquire a wealth of information about a suspect and their activities. Some of the useful information available to an investigator includes:

  • Call history with time and date information.
  • Incoming and outgoing SMS messages including the sender/recipient with time and date information.
  • Speed dial favorites including name and phone number.
  • Email account set to sync.
  • Pictures taken with and stored on the phone.
  • Safari (web browser) search history.
  • History of pages viewed with Safari (web browser).
  • Address book contents including each entries name, number, address and any other information entered about the contact.
  • Notes created within the iPhones Notes application.
  • And much more.

Apple Mobile Pictures

The Apple Mobile Pictures plugin for MacLockPick gathers information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone’s functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second generation uses UMTS and HSDPA.

Bluetooth

The Bluetooth plugin for MacLockPick captures the dates and addresses of bluetooth devices that have been paired with a Mac OS X system.

Bluetooth is a wireless protocol utilizing short-range communications technology facilitating data transmission over short distances from fixed and/or mobile devices, creating wireless personal area networks (PANs). The intent behind the development of Bluetooth was the creation of a single digital wireless protocol, capable of connecting multiple devices and overcoming issues arising from synchronization of these devices.

Clipboard

The Clipboard plugin for MacLockPick captures any text contents or graphics found in the clipboard on Mac, Windows, and Linux platforms.

The clipboard is a software program that is used for short-term storage of data as it is transferred between documents or applications, via copy and paste operations. It is most commonly a part of a GUI environment and is usually implemented as an anonymous, temporary block of memory that can be accessed from most or all programs within the environment.

Disk Utility

The Disk Images plugin for MacLockPick extracts the dates and paths of disk images that have been attached to a Mac OS X system using Disk Utility. OS X users can often use disk images when downloading installers from the internet or when trying to encrypt information into virtual volumes.

Firefox

The Firefox plugin for MacLockPick creates a summary of the bookmarks, form autofill settings, cookies, and history records made by the suspect using Firefox on Mac OS X, Microsoft Windows, or Linux operating systems.

Mozilla Firefox (abbreviated officially as Fx, but also commonly as FF), is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation.

Google Chrome

The Google Chrome plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Google Chrome on Microsoft Windows operating systems.

Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.

iChat

The iChat plug for MacLockPick captures the account details and buddy lists for iChat on a Mac OS X system.

iChat AV is an AOL Instant Messenger (AIM), .Mac, ICQ and XMPP client by Apple Inc. for their Mac OS X operating system. Using a Jabber-like protocol and Bonjour for user discovery, it also allows for LAN communication. iChat’s AIM support is fully endorsed by AOL, and uses their official implementation of the AIM OSCAR protocol. Using a Jabber transport, iChat users may also integrate their MSN, Yahoo! and Google Talk contacts into the Jabber pane.

Internet Explorer

The Internet Explorer plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Microsoft Internet Explorer on Micrsoft Windows operating systems.

Windows Internet Explorer (formerly Microsoft Internet Explorer abbreviated MSIE), commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since, despite the introduction of IE7.

ifconfig

The ifconfig plugin for MacLockPick will collect network adapter information on Mac OS X and Linux machines using the ifconfig command.

The Unix command ifconfig serves to configure and control TCP/IP network interfaces from a command line interface (CLI). The name ifconfig expresses the purpose of the command: an interface configurator. ifconfig originally appeared in 4.2BSD as part of the BSD TCP/IP suite so in effect it formed part of the original internet toolkit.

IO Registry

The IO Registry plugin for MacLockPick will extract the “ioregistry” on a Mac OS X system. This includes all devices connected to the system.

iPod

The iPod plugin for MacLockPick extracts dates and serial numbers of iPods and iPhones that have been connected to a Mac OS X system.

iPod is a popular brand of portable media players designed and marketed by Apple Inc and launched on October 23, 2001. The current product line-up includes the touchscreen iPod Touch, the video-capable iPod Nano, the screenless iPod Shuffle and the iPhone. Former products include the compact iPod Mini, the hard drive-based iPod Classic, and the spin-off iPod Photo (later re-integrated into the main iPod Classic line). iPod Classic models store media on an internal hard drive, while all other models use flash memory to enable their smaller size (the long discontinued mini used a Microdrive miniature hard drive). As with many other digital music players, iPods, excluding the iPod Touch, can also serve as external data storage devices. Storage capacity varies by model.

OS X – Keychain Extractor

The OS X Keychain Extractor plugin for MacLockPick is available to law enforcement only. This module will extract all available passwords stored in an unlocked keychain on Mac OS X System (lower than OS X 10.11) then use this data to perform a dictionary attack on the system password.

Mail

The Mail plugin for MacLockPick captures account preferences and the date of opening and the path to the saved file for attachments opened by Mail.app on a Mac OS X system. This information can be used to see what email files and attachments a suspect has accessed.

Network

The Network plugin for MacLockPick does an analysis of the network activity on the suspect’s computer. This information includes ARP tables, interfaces, and netstat activity. This plugin will run on suspect machines running Microsoft Windows, Mac OS X, and Linux operating systems.

ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model.

From a forensics point of view the ARP table shows what computers were connected to the suspect’s machine on their local area network at the time of analysis.

Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.

It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Network Interfaces

The Network Interfaces plugin for MacLockPick II will extract a list of network interfaces as well as their MAC addresses a Mac OS X system. This information can be used to identify the suspect system.

Processes

The Processes plugin for MacLockPick uses the OS to list all active applications running on the suspect’s computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.

Note: This will not show background and system processes. OS Specific plugins are included for this purpose.

Recent items

The Recent Items plugin for MacLockPick will extract paths and details for recent applications, recent documents, and recent servers on a Mac OS X system. This information will show the items a suspect has recently accessed and can help prove intent.

Registry – Explorer

The Registry – Explorer plugin for MacLockPick will extract various keys from the CurrentUser:Software:Microsoft:Windows:CurrentVersion:Explorer hive in the registry database on Microsoft Windows systems.

The keys include recent items executed by Explorer and the names of network servers that have been visible to the system being audited.

Registry – Full Tree (Classes Root

The Registry – Full Tree (Classes Root) plugin for MacLockPick will extract all settings from the classes root hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Current Config)

The Registry – Full Tree (Current Config) plugin for MacLockPick will extract all settings from the current config hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Current User)

The Registry – Full Tree (Current User) plugin for MacLockPick will extract all settings from the current user hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Local Machine

The Registry – Full Tree (Local Machine) plugin for MacLockPick will extract all settings from the local machine hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Users)

The Registry – Full Tree (Users) plugin for MacLockPick will extract all settings from the Users hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Internet Explorer

The Registry – Internet Explorer plugin for MacLockPick will collate lists of URLs that have been typed by the user and the main Internet Explorer settings in the Microsoft Windows registry database.

Registry – Most Recently Used Lists

The Registry – Most Recent Used Lists plugin for MacLockPick will collate MRU (most recently used) lists from various applications in the Microsoft Windows registry database.

Registry – SSID

The Registry – SSID plugin for MacLockPick will gather a list of all SSID records for wifi base stations that the system has discovered from the Microsoft Windows registry database.

Registry – USB Flash Drive History

The Registry – USB Flash Drive History plugin for MacLockPick will grab information about USB drives that have been connected to a Microsoft Windows machine. USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at are the entries where devices have been attached, especially USB devices, and grab the information regarding the device manufacturer and serial number if it has one.

Registry – User Assist

The Registry – User Assist plugin for MacLockPick will find and decode the settings for the UserAssist key, HCU\Software\Microsoft\Windows\CurrentVersion \Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values then decoded using a ROT-13 decryption algorithm, sometimes known as a Caesar cipher.

Registry – VNC

The Registry – VNC plugin for MacLockPick will collate server lists for VNC from the Microsoft Windows registry database. This information may be useful to show other systems that a suspect may have connected to or has control of.

Remote Desktop

The Remote Desktop plugin for MacLockPick will extract account names and server addresses used by Remote Desktop on a Mac OS X system.

Apple Remote Desktop (ARD) is a Macintosh application produced by Apple Inc., first released on March 14, 2002, that replaced a similar product called Apple Network Assistant. Aimed at computer administrators responsible for large numbers of computers and teachers who need to assist individuals or perform group demonstrations, Apple Remote Desktop allows users to remotely control or monitor other computers over a network.

Safari

The Safari plugin for MacLockPick will extract search strings, bookmarks, cookies, downloads, and history stored by Apple Safari on a Mac OS X or Microsoft Windows system.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP and Windows Vista are supported.

Screenshot

The Screenshot plugin for MacLockPick will capture and save a screenshot of the main screen on the suspect’s system. The plugin will temporarily hide MacLockPick during the process and save the file to your output folder along side the captured logs database. This plug works on systems running Microsoft Windows, Mac OS X, and Linus operating systems.

Skype

The Skype plugin for MacLockPick creates transcripts of instant messaging, VoIP calls, buddies, and chat logs created by Skype on Mac OS X and Microsoft Windows operating systems.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to landlines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information

The System Information plugin for MacLockPick will gather information about the hardware, the current user, the configuration of the system and general system information. This plugin works with systems running Mac OS X, Microsoft Windows, and Linus operating systems.

UNIX – Process List

The UNIX – Process List plugin for MacLockPick will execute the terminal command “ps -axww” to show all processes including root processes on suspect systems running Linux and Mac OS X operating systems.

In most Unix-like operating systems, the ps program displays the currently-running processes. A related Unix utility named top provides a real-time view of the running processes.

Uptime

The Uptime plugin for MacLockPick displays the current time, the length of time the system has been up, the number of users, and the load average of the system over the last 1, 5, and 15 minutes. This plugin works on Linux and Mac OS X operating systems.

User Folder Dates

The User Folder Dates plugin for MacLockPick will traverse the active users home folder and list the creation and modification dates for the contents. This plugin works on systems running Microsoft Windonws, Mac OS X and Linux operating systems.

Volume Dates

The Voume Dates plugin for MacLockPick lists the name, creation date, and modification dates for all mounted volumes in Mac OS X or Linux (this plugin is not supported in MS Windows).

Wi-Fi

The WiFi plugin for MacLockPick will list all of the wifi connections historically made on a Mac OS X system. This includes the date and MAC address of each base station. This information can be used to show the location of a suspect at a specific time and may be helpful to generate further leads and steer the investigation.

Windows – DNS Dump

The Windows – DNS Dump plugin for MacLockPick dumps the contents of the DNS cache in Microsoft Windows. The DNS cache stores information from DNS queries.

Windows – ipconfig

The Windows ipconfig plugin for MacLockPick will collect network adapter information on Windows machines using the ipconfig.exe command.

ipconfig (Internet Protocol Configuration) in Microsoft Windows is a console application that displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol DHCP and Domain Name System DNS settings. Similar GUI tools named winipcfg and wntipcfg also exist. The former pre-dates ipconfig.

Windows – Net User

The Windows – Net User plugin for MacLockPick will get a list of all user accounts on the host machine using the “net.exe” command.

Posted on

MacForensicsLab Version History

MacForensicsLab version 4.0

  • Redesigned main window interface.
  • Button panel replaced by the Action menu and context sensitive menus.
  • User can now select which plugins are run by the Audit function.
  • Acquisition information can be added to or deleted.
  • Users can now move bookmarks between folders.
  • Totally revamped search window.
  • Updated device and volume navigation.
  • Better bookmark management.
  • Rewritten backend code for faster functionality.
  • Mac OS X 10.7 Lion compatibility.
  • User addable and creatable audit plugins.
  • Bug fixes.

MacForensicsLab version 3.0

  • Redesigned main window divided into Device and File views.
  • System drive is noted in the shortcuts view in the Files tab.
  • Hash button added to main screen.
  • Analyze hits tracked when viewed.
  • New Analyze window interface. Now defaults to ACSII view and is larger to allow viewing of a block at a time.
  • Ability to highlight data area for carving.
  • Ability to scroll blocks to select areas for carving.
  • New counter reports number of search items found for each keyword within Analyze function.
  • Skin Tone Analyzer now has a sliding bar to dynamically view results of any percentage of Skin Tone on the fly.
  • Browsing search results now allows examiner to apply Skin Tone Analysis to the results.
  • Audit results are now reportable in a separate HTML and/or text document.
  • Audit results can be saved or exported out.
  • Speed improvements with some tasks up to 12 times faster then 2.5.5.
  • Mac OS X 10.6 Snow Leopard compatibility.
  • Resolved all previously known bugs.
  • Redesigned allocation of memory, preventing system freezes due to memory leaks and/or inefficient memory allocation.
  • Now displays system information at the bottom of the main window.
  • “Flying” location bar has been removed.
  • Acquire function window has been redesigned for an easier, more intuitive look and feel.
  • Acquire functions Golden Master option now allows the target save locations to be different for each image.
  • Acquire function now has 64-bit engine.
  • Limit on size and number of keywords has been increased to 128 in the Analyze function.
  • Analyze function is now 64-bit.
  • Attach disk image function now has Shadow File option.
  • Attach disk image function now has Ignore Permissions option.

MacForensicsLab version 2.5.2

  • Mac OS X 10.5 Leopard compatibility.

MacForensicsLab version 2.5

  • Added Microsoft Windows and Linux beta versions.
  • Function buttons laid out in more logical order.
  • Added email alert when operation is complete.
  • Speed increases for processor intensive operations.
  • Increased keyword limits for Search and Analyze functions.
  • More powerful acquisition engine.

MacForensicsLab version 2.0

  • Added Skin Tone analyzer.
  • Added Social Security number and credit card number filtering.
  • Added multi-threaded operations.
  • Added filtering by image size and dimensions.
  • Added ability to create additional file types to salvage.
  • Added pattern matching for hash lists.
  • Added built-in SQL database engine.
  • Added ability to select information included or excluded from a report.
  • Added bookmark manager for adding, deleting, and commenting.
  • Added ability to comment on individual files.

MacForensicsLab version 1.6

  • Added Universal Binary support for Intel and PowerPC Macs.
  • Coding optimizations.
  • Added Audit function.

MacForensicsLab version 1.5

  • Added dual-bootable DVD for Intel and PowerPC based Macs.
  • Added auto report generation function.
  • Added Browse function.
  • Improved bookmark function to allow bookmarking of files across multiple functions.
  • Improved Salvage function to allow resuming of halted salvage process.
  • Streamlined Salvage function.

MacForensicsLab version 1.0

  • Initial release of MacForensicsLab.