macOS related sites

This resources page contains a list of Mac OS related sites.
Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

SecureMac.com

SecureMac has historically been one of the best sites for information on Mac security topics. Definitely a recommended read.

Quoted from the SecureMac.com site:

Mac security is a more serious problem than most people think. It’s true that Macintosh computers have lower security risks than the average PC, but running security software for Macs is every bit as essential.
SecureMac has operated at the cutting edge of Apple security for over a decade. We produce some of the best security software for Mac computers on the market. And we’ve won the awards to prove it.
If you’re reading this right now, you’ve probably realized that securing your Mac against malware and privacy threats is important. If you want to keep your Mac secure, you’ve come to the right place.

MacForensicsLab for Mac OS X

Click here to visit a page on this site about MacForensicsLab for Mac OS X. The software is a complete forensics suite that is fully cross-platform and available on Mac OS X, Microsoft Windows, and Linux.

This product is owned and produced by the owners of this website and the page you will be linking to is inside this website.

MacSurfer.com

www.MacSurfer.com is a news aggregator for Mac OS X news sites. A handy place to find links to all things happening in the Mac world.

Stuffit Expander

In earlier days the Mac OS stored compressed files using a program called ‘Stuffit’; you may have seen these files around with a suffix of .sit or .sitx. Since OS X version 10.3, zip compression has been built in, but occasionally you will still see legacy files using this format.

The decompression tool is available for free download and runs on Mac and other platforms. You can download the expander by clicking here.

GraphicConverter

Perhaps the most powerful tool for working with graphic formats. This program can open almost every graphic format ever made, and is well known for its ability to handle “less than perfect” files. Try it for free and see the great features. We recommend this product to all Mac users.

Apple Product Specifications

An official and comprehensive list of specifications for all Apple products. Use this list to get details on past and present features for iPods, Mac computers, iPhones, and much more.

Apple Computer

An official source for security updates on Mac OS X. Users of Mac OS X can also get all their updates by selecting ‘Software update…’ from the Apple menu on the top left corner of the screen, or simply by waiting for the process to be performed automatically.

Quoted from the Apple site:

This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

MacFixIt of Cnet

MacFixIt, now part of CNET, provides the latest news, reviews of software and hardware products, and the latest workarounds and solutions to technical roadblocks and frustrating barriers.

MacInTouch

MacInTouch is an independent journal providing timely, reliable news, information and analysis about Apple Macintosh and iPhone/iOS platforms.

Mac OS X Hints

The Mac OS X Hints site gives handy tips and tricks for all things Apple.

Quoted from the Mac OS X Hints website:

I should first say that OS X public beta was my first real exposure to UNIX, and that’s probably one of the bigger reasons for this site — a good friend of mine is a UNIX wizard, and I’m sure he was getting tired of my calls! While trying to learn the system, I was getting somewhat frustrated at having to jump all over the web to find answers to OS X questions. There are some excellent sites out there (make sure you check out the links pages here), but none that seemed to focus specifically on providing how-to’s in a quick, easy-to-use format.

So in November of 2000, I launched macosxhints.com … and in the last five-plus, it has grown into a collection of thousands of hints regarding OS X and related applications, with multiple thousands of comments from experienced users providing even more information. It’s truly a one-stop-shop for OS X hints and how-to’s, and I’m amazed at just how intelligent and friendly the macosxhints community is!


Update: Mac OS X Hints is now a read-only site. There’s still a wealth of great information there that many will find useful.

Windows Related Sites

This resources page contains a list of Windows related sites.
Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

Microsoft Security Central

Microsoft Security Central contains information on the latest security updates for all Microsoft products.

MacForensics.com Recommended Site - Guidance Software

Guidance Software is the producer of EnCase, a venerable forensics tool for the Microsoft Windows platform.

Quoted from the Encase website:

At Guidance, we exist to turn chaos and the unknown into order and the known, so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure.

Makers of EnCase®, the gold standard in digital investigations and endpoint data security, Guidance provides a mission-critical foundation of applications that have been deployed on an estimated 33 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm.

Our field-tested and court-proven solutions are used with confidence by 78 of the Fortune 100 and hundreds of agencies worldwide.

MacForensics.com Recommended Site - Information Week

Information Week Security provides the latest updates on security news from around the web.

Access Data

AccessData is the producer of Forensic Toolkit (FTK) as well as other tools for the Microsoft Windows platform.

Quoted from the AccessData website:

AccessData Group has pioneered digital forensics and litigation support for more than twenty years. Over that time, the company has grown to provide both stand-alone and enterprise-class solutions that can synergistically work together to enable both criminal and civil E-Discovery of any kind, including digital investigations, computer forensics, legal review, compliance, auditing and information assurance. More than 130,000 customers in law enforcement, government agencies, corporations and law firms around the world rely on AccessData software solutions, and its premier digital investigations products and services. AccessData Group is also a leading provider of digital forensics training and certification, with our much sought after AccessData Certified Examiner® (ACE®) and Mobile Phone Examiner Certification AME programs.

The Coroners Toolkit

The Coroner’s Toolkit (TCT) is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in. The software was first presented in a Computer Forensics Analysis class in August 1999.

According to the site, development of the Coroner’s Toolkit stopped years ago. It is updated only for bug fixes, which are very rare, and when Wietse discovers that the programs no longer work on a new machine. Users of The Coroner’s Toolkit are encouraged to use Brian Carrier’s The Sleuth Kit, the official successor of TCT.

Windows IT Pro

WindowsITPro is the leading independent, impartial source of practical, technical information to help IT professionals better understand and manage the Windows and Server enterprise. Each month, they help millions of IT professionals overcome the same issues you struggle with every day.

WindowsSecurity.com

WindowsSecurity.com contains the latest Windows security articles and tutorials on the following topics:

  • Authentication, Access Control & Encryption
  • Cloud Computing
  • Content Security (Email & FTP)
  • Firewalls & VPNs
  • Intrusion Detection
  • Misc Network Security
  • Mobile Device Security
  • Viruses, trojans and other malware
  • Web Application Security
  • Web Server Security
  • Windows 10 Security
  • Windows 2003 Security
  • Windows Networking
  • Windows OS Security
  • Windows Server 2008 Security
  • Windows Server 2012 Security
  • Windows Server 2016 Security
  • Wireless Security

Linux Related Sites

This resources page contains a list of many authoritative Linux related sites.
Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

The Sleuth Kit

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

ASR Data

ASR Data has been recognized as a leading authority in the field of computer investigations by the United States Department of Justice.

Quoted from the ASR website:

In 1984, ASR Data began providing custom software solutions to companies that needed vertical market software tailored to their specific requirements.

In 1992, ASR Data was asked to develop a software tool and methodology to support the unique requirements of the law enforcement community. At that time, conducting a computer investigation was a tedious, time consuming process which required the use of several single-purpose DOS command line utilities. Investigators were forced to image original media to tape or a disk, then restore the image to another disk. Searching the evidence was limited to one search term at a time and recovering deleted files was accomplished by using off-the-shelf software which was never designed to support the forensic process. Often times, the process changed data and analysts had to restore the image several times.

We sat down with leading authorities from the legal and law enforcement communities and took a close look at the forensic process and what was needed. One of the greatest challenges was the fact that there was no precedent for what we were trying to create. Nobody had done it before, there was no pattern to follow, no giants’ shoulders to stand on and no failures to learn from. As it turns out, this was also the greatest factor which enabled us to innovate and create something completely new.

LinuxSecurity.com

LinuxSecurity.com was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. Headquartered in Guardian Digital’s offices in Allendale, New Jersey, LinuxSecurity.com’s editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.

The Coroners Toolkit

The Coroner’s Toolkit (TCT) is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in. The software was first presented in a Computer Forensics Analysis class in August 1999.

According to the site, development of the Coroner’s Toolkit stopped years ago. It is updated only for bug fixes, which are very rare, and when Wietse discovers that the programs no longer work on a new machine. Users of The Coroner’s Toolkit are encouraged to use Brian Carrier’s The Sleuth Kit, the official successor of TCT.

Linux.org

Linux.org – Their main goal is to inform the public about every company, project and group that uses the Linux operating system and to report on the hard work of countless developers, programmers and individuals who strive every day to improve on the Linux offerings in the marketplace.

Linux Journal

Linux Journal – Their mission is to serve the Linux community and to promote the use of Linux worldwide. As more and more people see Linux as a viable alternative to traditional OSes, Linux is increasingly being used as a primary operating system. Linux Journal focuses specifically on Linux and other open-source OSes, allowing the content to be a highly specialized source of information for open-source enthusiasts.

Linux.com

Linux.com is always evolving. Their goal is to give you all of the resources and information you need to make your experience with Linux a success.

Security-Enhanced Linux

Security-Enhanced Linux – As part of its Information Assurance mission, the National Security Agency has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security. Recognizing the critical role of operating system security mechanisms in supporting security at higher levels, researchers from NSA’s Information Assurance Research Group have been investigating an architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments.

List – Security Sites

This resources page contains a list of the 11 security sites we have discovered. You can learn more about each of them below.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

MacForensicsLab.com recommended site - Help Net Security

Help Net Security (HNS) is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters to a large number of Information Technology readers specifically interested in computer security. Besides covering news from around the globe, HNS focuses on quality technical articles and papers, vulnerabilities, various vendor advisories, and the latest viruses and malware, and hosts the largest security software download area, with software for Windows, Linux, Mac OS X and Windows Mobile.

MacForensicsLab.com recommended site - The Honeynet Project

The Honeynet Project is a non-profit (501(c)(3)) volunteer research organization dedicated to learning the tools, tactics and motives involved in computer and network attacks, and sharing the lessons learned.

MacForensicsLab Recommended Site - Security Focus

SecurityFocus is a good source of security information on the Internet.

Quoted from the SecurityFocus “about” page:

Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we’ve strived to be the community’s source for all things security related. SecurityFocus was formed with the idea that community needed a place to come together and share its collected wisdom and knowledge. At SecurityFocus, the community has always been our primary focus. The SecurityFocus website now focuses on a few key areas that are of greatest importance to the security community.

  • BugTraq is a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.
  • The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
  • SecurityFocus Mailing Lists allow members of the security community from around the world to discuss all manner of security issues. There are currently 31 mailing lists; most are moderated to keep posts on-topic and to eliminate spam.

MacForensics.com Recommended Site - Forensic Science Communications

Forensic Science Communications (FSC) is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists. Forensic Science Communications supersedes the Crime Laboratory Digest. Online access is free and archives date back to 1999.

Note: Forensic Science Communications premiered in April 1999 and ended in April 2010. These back issues have been archived and made available for your review.

MacForensics.com Recommended Site - Computer Security Institute

Computer Security Institute serves the needs of Information Security Professionals through membership, educational events, security surveys and awareness tools. Joining CSI provides you with high quality CSI publications, discounts on CSI conferences, access to on-line archives, career development, networking opportunities and more.

MacForensics.com Recommended Site - The CERT Program

The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).

MacForensics.com Recommended Site - Securelist.com

Securelist.com (formerly Viruslist.com) offers continually updated information about new viruses: their mechanisms of propagation and operation, with detailed analysis of virus algorithms.

MacForensics.com Recommended Site - Insecure.org

Insecure.org is an Internet security site and the home of the popular Nmap network security scanner.

MacForensics.com Recommended Site - Security Tracker

SecurityTracker is a service that helps you keep track of the latest security vulnerabilities. They monitor a wide variety of Internet sources for reports of new vulnerabilities in Internet software and services, and provide their users with a timely and reliable source of vulnerability notifications.

MacForensics.com Recommended Site - Packet Storm

Packet Storm (.:[ packet storm ]:.) is a full-disclosure web site covering information and computer security.

MacForensics.com Recommended Site - SecuriTeam

SecuriTeam is a group within Beyond Security dedicated to bringing you the latest news and utilities in computer security.

List of bulletin boards

This page is a list of bulletin boards.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

MacForensics.com Recommended Site - Forensic Focus Forums

A bulletin board brought to you by the Forensic Focus website.

MacForensics.com Tips - Apple mailing list

Mailing list for government computer forensics professionals interested in learning and discussing how to best leverage Apple technology and various industry applications.

MacForensics.com Recommended Site - Computer Forensics World

A bulletin board brought to you by the Computer Forensics World website.

Our New Site Redesign Benefits You

Thank you for your interest in MacForensicsLab.com. We have been committed to providing great software for forensics and eDiscovery professionals for over 10 years.

To continue our service to the law enforcement, eDiscovery professionals, and Macintosh communities, we have redesigned our web site — bringing a whole new look, as well as support for mobile technologies, and a streamlined shopping experience. It is also much easier to share articles, tips, and product information.

If you previously had an account with us, you will need to create a new account on this site. Obviously, you won’t see prior orders — only current and future orders — but don’t worry. We have retained all previous order information. Simply email our Support staff if you need information on older orders.

We did have to trim a few things with the new site. You might have reached this page from an old link to a discontinued product we no longer offer, or while looking for an article whose information is no longer relevant. These items either didn’t fit with our current product focus, or have lost their usefulness with developments in technology.

Again, thanks for choosing MacForensicsLab.com!

Old Press Releases

Here’s a collection of our press releases.

MacForensicsLab 4.0 Released

MacForensicsLab 3.0 Released

SubRosaSoft.com Inc. Announces MacForensicsLab Version 2.5

SubRosaSoft.com Inc. Announces the Release of the Windows Version of MacForensicsLab Version 2.5

SubRosaSoft.com Inc Announces MacForensicsLab for Linux and Windows and a Welcome New Staff Member

SubRosaSoft Announces MacForensicsLab 2.0

SubRosaSoft.com Inc. Releases MacLockPick 3.0

MacForensicsLab Inc. Releases MacLockPick 2.1

SubRosaSoft Ships MacLockPick

MacForensicsLab.com Releases a White Paper on the Anatomy of Malware, Virus, Worm, and Trojan Threats to Mac OS X

SubRosaSoft.com Inc. Announces MacForensicsLab Social Agent

MacForensicsLab Inc. Releases Free Tool for Investigating Crimes Against Children

SubRosaSoft.com Inc. Releases MacForensicsLab Write Controller 1.0

Plugins for MacLockPick

The following is a list of plugins that come as standard with MacLockPick:

AddressBook

MacLockPick plugin to extract address book contents

The Address Book plugin for MacLockPick extracts items stored in the Address Book caches on a Mac OS X system. This includes most buddies’ and email correspondents’ details used by a Mac OS X user, as well as items that have been deleted from the main Address Book storage file.

Adium

The Adium plugin for MacLockPick captures the chat logs from Adium on a Mac OS X operating system. Adium is a popular free software instant messaging client for Mac OS X that supports multiple protocols through the libezv (for Bonjour) and libpurple (all other protocols) libraries.

Apple Mobile

The Apple iPhone has become a popular cell phone for many due to its mass market appeal and ease of use. It is feature-rich and has become much more than just a cell phone for many. This also means it is full of artifacts that are of interest to forensic investigators. By using MacLockPick II, an investigator can acquire a wealth of information about a suspect and their activities. Some of the useful information available to an investigator includes:

  • Call history with time and date information.
  • Incoming and outgoing SMS messages including the sender/recipient with time and date information.
  • Speed dial favorites including name and phone number.
  • Email account set to sync.
  • Pictures taken with and stored on the phone.
  • Safari (web browser) search history.
  • History of pages viewed with Safari (web browser).
  • Address book contents including each entry’s name, number, address and any other information entered about the contact.
  • Notes created within the iPhone’s Notes application.
  • And much more.

Apple Mobile Pictures

The Apple Mobile Pictures plugin for MacLockPick gathers information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone’s functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second generation uses UMTS and HSDPA.

Bluetooth

The Bluetooth plugin for MacLockPick captures the dates and addresses of Bluetooth devices that have been paired with a Mac OS X system.

Bluetooth is a wireless protocol utilizing short-range communications technology facilitating data transmission over short distances from fixed and/or mobile devices, creating wireless personal area networks (PANs). The intent behind the development of Bluetooth was the creation of a single digital wireless protocol, capable of connecting multiple devices and overcoming issues arising from synchronization of these devices.

Clipboard

The Clipboard plugin for MacLockPick captures any text contents or graphics found in the clipboard on Mac, Windows, and Linux platforms.

The clipboard is a software facility used for short-term storage of data as it is transferred between documents or applications via copy and paste operations. It is most commonly a part of a GUI environment and is usually implemented as an anonymous, temporary block of memory that can be accessed from most or all programs within the environment.

Disk Utility

The Disk Images plugin for MacLockPick extracts the dates and paths of disk images that have been attached to a Mac OS X system using Disk Utility. OS X users often use disk images when downloading installers from the Internet or when encrypting information in virtual volumes.

Firefox

The Firefox plugin for MacLockPick creates a summary of the bookmarks, form autofill settings, cookies, and history records made by the suspect using Firefox on Mac OS X, Microsoft Windows, or Linux operating systems.

Mozilla Firefox (abbreviated officially as Fx, but also commonly as FF), is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation.

Google Chrome

The Google Chrome plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Google Chrome on Microsoft Windows operating systems.

Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.

iChat

The iChat plugin for MacLockPick captures the account details and buddy lists for iChat on a Mac OS X system.

iChat AV is an AOL Instant Messenger (AIM), .Mac, ICQ and XMPP client by Apple Inc. for their Mac OS X operating system. Using a Jabber-like protocol and Bonjour for user discovery, it also allows for LAN communication. iChat’s AIM support is fully endorsed by AOL, and uses their official implementation of the AIM OSCAR protocol. Using a Jabber transport, iChat users may also integrate their MSN, Yahoo! and Google Talk contacts into the Jabber pane.

Internet Explorer

The Internet Explorer plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Microsoft Internet Explorer on Microsoft Windows operating systems.

Windows Internet Explorer (formerly Microsoft Internet Explorer abbreviated MSIE), commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since, despite the introduction of IE7.

ifconfig

The ifconfig plugin for MacLockPick will collect network adapter information on Mac OS X and Linux machines using the ifconfig command.

The Unix command ifconfig serves to configure and control TCP/IP network interfaces from a command line interface (CLI). The name ifconfig expresses the purpose of the command: an interface configurator. ifconfig originally appeared in 4.2BSD as part of the BSD TCP/IP suite so in effect it formed part of the original internet toolkit.

IO Registry

The IO Registry plugin for MacLockPick will extract the “ioregistry” on a Mac OS X system. This includes all devices connected to the system.

iPod

The iPod plugin for MacLockPick extracts dates and serial numbers of iPods and iPhones that have been connected to a Mac OS X system.

iPod is a popular brand of portable media players designed and marketed by Apple Inc and launched on October 23, 2001. The current product line-up includes the touchscreen iPod Touch, the video-capable iPod Nano, the screenless iPod Shuffle and the iPhone. Former products include the compact iPod Mini, the hard drive-based iPod Classic, and the spin-off iPod Photo (later re-integrated into the main iPod Classic line). iPod Classic models store media on an internal hard drive, while all other models use flash memory to enable their smaller size (the long discontinued mini used a Microdrive miniature hard drive). As with many other digital music players, iPods, excluding the iPod Touch, can also serve as external data storage devices. Storage capacity varies by model.

OS X – Keychain Extractor

The OS X Keychain Extractor plugin for MacLockPick is available to law enforcement only. This module extracts all available passwords stored in an unlocked keychain on a Mac OS X system (versions earlier than OS X 10.11), then uses this data to perform a dictionary attack on the system password.

Mail

The Mail plugin for MacLockPick captures account preferences and, for each attachment opened by Mail.app on a Mac OS X system, the date it was opened and the path to the saved file. This information can be used to see what email files and attachments a suspect has accessed.

Network

The Network plugin for MacLockPick does an analysis of the network activity on the suspect’s computer. This information includes ARP tables, interfaces, and netstat activity. This plugin will run on suspect machines running Microsoft Windows, Mac OS X, and Linux operating systems.

ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model.

From a forensics point of view the ARP table shows what computers were connected to the suspect’s machine on their local area network at the time of analysis.

Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.

It is used to find problems in the network and to measure the amount of traffic on the network as a performance measurement.
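The ARP and interface tables described above are only useful once the raw `arp -a` text is turned into records and the MAC addresses are normalised, since macOS prints octets without leading zeros and Linux uses a slightly different line layout. The following is an added example (not MacLockPick's own code) that parses constructed sample lines in both formats, extracts the manufacturer OUI from each MAC, and flags the two cases where the OUI does not identify a vendor: locally administered addresses (bit 1 of the first octet set, which is what randomised or administratively set MACs look like) and multicast addresses (bit 0 set). The sample lines are constructed for this example.

```python
"""Parse 'arp -a' output and flag MAC addresses worth a second look.

Added example, not MacLockPick code. The sample lines below are constructed
and mimic the macOS/BSD and Linux 'arp -a' text formats.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One regex covers both BSD/macOS ("? (ip) at mac on en0 ...") and Linux
# ("host (ip) at mac [ether] on eth0") layouts. Unresolved entries show
# "(incomplete)" on macOS and "<incomplete>" on Linux.
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F:]+|\(incomplete\)|<incomplete>)"
    r".*?\bon\s+(?P<iface>\S+)"
)


@dataclass
class ArpEntry:
    host: str
    ip: str
    mac: Optional[str]   # normalised "aa:bb:cc:dd:ee:ff", or None if unresolved
    iface: str

    @property
    def oui(self) -> Optional[str]:
        """First three octets: the manufacturer's registered identifier (OUI)."""
        return self.mac[:8] if self.mac else None

    @property
    def locally_administered(self) -> bool:
        """Bit 1 of the first octet set: the address was assigned by software or
        an administrator rather than burned in, so the OUI names no vendor."""
        return bool(self.mac) and bool(int(self.mac[:2], 16) & 0x02)

    @property
    def multicast(self) -> bool:
        """Bit 0 of the first octet set: a group address, not a single host."""
        return bool(self.mac) and bool(int(self.mac[:2], 16) & 0x01)


def normalise_mac(raw: str) -> Optional[str]:
    """macOS prints octets without leading zeros ("0:1c:b3:..."); pad them so
    OUIs compare equal across platforms. Unresolved entries become None."""
    if "incomplete" in raw:
        return None
    octets = raw.lower().split(":")
    if len(octets) != 6:
        return None
    return ":".join(o.zfill(2) for o in octets)


def parse_arp(text: str) -> List[ArpEntry]:
    """Turn 'arp -a' text into ArpEntry records, skipping unrecognised lines."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        entries.append(ArpEntry(m["host"], m["ip"], normalise_mac(m["mac"]), m["iface"]))
    return entries


def hosts_of_interest(entries: List[ArpEntry]) -> List[ArpEntry]:
    """Neighbours that were actually reachable (resolved, unicast) when the
    table was collected, which is what an ARP table evidences."""
    return [e for e in entries if e.mac and not e.multicast]


# Constructed sample: four macOS-style lines followed by one Linux-style line.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1c:b3:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.42) at 2:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
printer.local (192.168.1.20) at 00:80:77:11:22:33 [ether] on eth0
"""

if __name__ == "__main__":
    for e in parse_arp(SAMPLE_ARP):
        flags = []
        if e.mac is None:
            flags.append("unresolved")
        if e.locally_administered:
            flags.append("locally-administered (OUI is not a vendor id)")
        if e.multicast:
            flags.append("multicast")
        print(f"{e.ip:15} {e.mac or '-':17} {e.iface:5} oui={e.oui} {' '.join(flags)}")
```

The locally-administered flag is the check worth keeping: a neighbour whose MAC has that bit set cannot be attributed to a manufacturer from the OUI alone, so any vendor lookup done on it should be treated as unreliable in a report.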

Network Interfaces

The Network Interfaces plugin for MacLockPick II will extract a list of network interfaces as well as their MAC addresses on a Mac OS X system. This information can be used to identify the suspect system.

Processes

The Processes plugin for MacLockPick uses the OS to list all active applications running on the suspect’s computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.

Note: This will not show background and system processes. OS-specific plugins are included for this purpose.

Recent items

The Recent Items plugin for MacLockPick will extract paths and details for recent applications, recent documents, and recent servers on a Mac OS X system. This information will show the items a suspect has recently accessed and can help prove intent.

Registry – Explorer

The Registry – Explorer plugin for MacLockPick will extract various keys from the CurrentUser:Software:Microsoft:Windows:CurrentVersion:Explorer hive in the registry database on Microsoft Windows systems.

The keys include recent items executed by Explorer and the names of network servers that have been visible to the system being audited.

Registry – Full Tree (Classes Root)

The Registry – Full Tree (Classes Root) plugin for MacLockPick will extract all settings from the classes root hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system on the 32-bit and 64-bit versions of Microsoft Windows and on Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of the registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Current Config)

The Registry – Full Tree (Current Config) plugin for MacLockPick will extract all settings from the current config hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

Registry – Full Tree (Current User)

The Registry – Full Tree (Current User) plugin for MacLockPick will extract all settings from the current user hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

Registry – Full Tree (Local Machine)

The Registry – Full Tree (Local Machine) plugin for MacLockPick will extract all settings from the local machine hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

Registry – Full Tree (Users)

The Registry – Full Tree (Users) plugin for MacLockPick will extract all settings from the Users hive registry on Microsoft Windows systems. This module is separated from the other registry plugins to allow the investigator to disable the hive separately from the others since this hive requires the most time to audit.

Registry – Internet Explorer

The Registry – Internet Explorer plugin for MacLockPick will collate lists of URLs that have been typed by the user and the main Internet Explorer settings in the Microsoft Windows registry database.

Registry – Most Recently Used Lists

The Registry – Most Recently Used Lists plugin for MacLockPick will collate MRU (most recently used) lists from various applications in the Microsoft Windows registry database.

Registry – SSID

The Registry – SSID plugin for MacLockPick will gather a list of all SSID records for wifi base stations that the system has discovered from the Microsoft Windows registry database.

Registry – USB Flash Drive History

The Registry – USB Flash Drive History plugin for MacLockPick will grab information about USB drives that have been connected to a Microsoft Windows machine. USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at is the set of entries recording which devices have been attached, especially USB devices, and to grab the information regarding the device manufacturer and serial number if it has one.

Registry – User Assist

The Registry – User Assist plugin for MacLockPick will find and decode the settings under the UserAssist key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. This key contains two or more subkeys with long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values are then decoded using the ROT-13 algorithm, sometimes known as a Caesar cipher.
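The following is an added example (not MacLockPick's own code) of the decoding step just described: it walks a constructed dict standing in for the GUID-named subkeys, applies ROT-13 to each value name, and reads the per-entry run count and last-run timestamp. The page only states that the names are ROT-13 encoded; the 72-byte value layout used here (run count at offset 4, last-run FILETIME at offset 60) is the Windows 7-and-later format as documented by forensic tooling and is an assumption of this example, as are the placeholder GUID and the sample values.

```python
"""Decode UserAssist value names (ROT-13) and per-entry counters.

Added example, not MacLockPick code. The registry tree below is a constructed
dict standing in for HKCU\\...\\UserAssist\\{GUID}\\Count. The 72-byte value
layout (run count at offset 4, last-run FILETIME at offset 60) is the Windows
7+ format and is an assumption here, not something the page states.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name: str) -> str:
    """UserAssist stores value names as ROT-13 text (a 13-shift Caesar cipher);
    the transform is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME tick count to a UTC datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_count_value(data: bytes) -> Tuple[Optional[int], Optional[datetime]]:
    """Assumed Win7+ layout: DWORD run count at offset 4, FILETIME at 60.
    Short control values (e.g. UEME_CTLSESSION) carry no program record."""
    if len(data) < 68:
        return None, None
    run_count = struct.unpack_from("<I", data, 4)[0]
    ft = struct.unpack_from("<Q", data, 60)[0]
    return run_count, filetime_to_datetime(ft)


def decode_userassist(tree: Dict[str, Dict[str, bytes]]) -> List[dict]:
    """Walk {GUID: {rot13_name: raw_value}} and return decoded records."""
    records = []
    for guid, count_values in tree.items():
        for enc_name, raw in count_values.items():
            runs, last = parse_count_value(raw)
            records.append({"guid": guid, "name": rot13(enc_name),
                            "run_count": runs, "last_run": last})
    return records


def make_value(run_count: int, last_run: datetime) -> bytes:
    """Build a constructed 72-byte value in the assumed layout (test data only)."""
    ticks = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, ticks)
    return bytes(buf)


# Constructed sample tree. The GUID is a placeholder, not a real Windows one;
# "P:\\Gbbyf\\abgrf.rkr" is ROT-13 for "C:\\Tools\\notes.exe".
SAMPLE_TREE = {
    "{00000000-0000-0000-0000-000000000001}": {
        "P:\\Gbbyf\\abgrf.rkr": make_value(
            7, datetime(2016, 3, 4, 9, 30, tzinfo=timezone.utc)),
        "HRZR_PGYFRFFVBA": bytes(16),   # control value, no run information
    },
}

if __name__ == "__main__":
    for rec in decode_userassist(SAMPLE_TREE):
        print(f"{rec['name']:28} runs={rec['run_count']} last={rec['last_run']}")
```

The run count and timestamp are what turn a decoded name into evidence of use rather than mere presence, so a report should carry them next to the decoded path; values shorter than the assumed layout are reported with no counters rather than guessed at.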

Registry – VNC

The Registry – VNC plugin for MacLockPick will collate server lists for VNC from the Microsoft Windows registry database. This information may be useful to show other systems that a suspect may have connected to or has control of.

Remote Desktop

The Remote Desktop plugin for MacLockPick will extract account names and server addresses used by Remote Desktop on a Mac OS X system.

Apple Remote Desktop (ARD) is a Macintosh application produced by Apple Inc., first released on March 14, 2002, that replaced a similar product called Apple Network Assistant. Aimed at computer administrators responsible for large numbers of computers and teachers who need to assist individuals or perform group demonstrations, Apple Remote Desktop allows users to remotely control or monitor other computers over a network.

Safari

The Safari plugin for MacLockPick will extract search strings, bookmarks, cookies, downloads, and history stored by Apple Safari on a Mac OS X or Microsoft Windows system.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP and Windows Vista are supported.

Screenshot

The Screenshot plugin for MacLockPick will capture and save a screenshot of the main screen on the suspect’s system. The plugin will temporarily hide MacLockPick during the process and save the file to your output folder alongside the captured logs database. This plugin works on systems running Microsoft Windows, Mac OS X, and Linux operating systems.

Skype

The Skype plugin for MacLockPick creates transcripts of instant messaging, VoIP calls, buddies, and chat logs created by Skype on Mac OS X and Microsoft Windows operating systems.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to landlines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information

The System Information plugin for MacLockPick will gather information about the hardware, the current user, the configuration of the system and general system information. This plugin works with systems running Mac OS X, Microsoft Windows, and Linux operating systems.

UNIX – Process List

The UNIX – Process List plugin for MacLockPick will execute the terminal command “ps -axww” to show all processes including root processes on suspect systems running Linux and Mac OS X operating systems.

In most Unix-like operating systems, the ps program displays the currently-running processes. A related Unix utility named top provides a real-time view of the running processes.

Uptime

The Uptime plugin for MacLockPick displays the current time, the length of time the system has been up, the number of users, and the load average of the system over the last 1, 5, and 15 minutes. This plugin works on Linux and Mac OS X operating systems.

User Folder Dates

The User Folder Dates plugin for MacLockPick will traverse the active user’s home folder and list the creation and modification dates for the contents. This plugin works on systems running Microsoft Windows, Mac OS X and Linux operating systems.

Volume Dates

The Volume Dates plugin for MacLockPick lists the name, creation date, and modification dates for all mounted volumes in Mac OS X or Linux (this plugin is not supported in MS Windows).

Wi-Fi

The WiFi plugin for MacLockPick will list all of the wifi connections historically made on a Mac OS X system. This includes the date and MAC address of each base station. This information can be used to show the location of a suspect at a specific time and may be helpful to generate further leads and steer the investigation.

Windows – DNS Dump

The Windows – DNS Dump plugin for MacLockPick dumps the contents of the DNS cache in Microsoft Windows. The DNS cache stores information from DNS queries.

Windows – ipconfig

The Windows – ipconfig plugin for MacLockPick will collect network adapter information on Windows machines using the ipconfig.exe command.

ipconfig (Internet Protocol Configuration) in Microsoft Windows is a console application that displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Similar GUI tools named winipcfg and wntipcfg also exist. The former pre-dates ipconfig.

Windows – Net User

The Windows – Net User plugin for MacLockPick will get a list of all user accounts on the host machine using the “net.exe” command.