Forensics Related Sites

This resources page contains a list of Forensics related sites.
Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

Advanced Forensics Format (AFF)

AFF (Advanced Forensics Format) is an open and extensible file format designed to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.

AFCEA International

AFCEA International is a non-profit membership association serving the military, government, industry, and academia as an ethical forum for advancing professional knowledge and relationships in the fields of communications, IT, intelligence, and global security.

The American Academy of Forensic Sciences

The American Academy of Forensic Sciences is a multi-disciplinary professional organization that provides leadership to advance science and its applications to the legal system. The objectives of the Academy are to promote education, foster research, improve practice, and encourage collaboration in the forensic sciences.

The American Board of Criminalistics

The American Board of Criminalistics is composed of regional and national organizations which represent forensic scientists. It is an organization that provides forensic certification in a number of different forensic fields. Its aims are to: establish professional levels of knowledge, skills and abilities; define a mechanism for achieving these levels; recognize those who have demonstrated attainment of these levels; and promote growth within the profession.

AntiChildPorn.Org

AntiChildPorn.Org (ACPO) is an organization, comprised of volunteers from all around the world, whose mission is to stop the sexual exploitation of the world’s children. For the past five years ACPO has been addressing the issues of Child Pornography production and distribution via the Internet, as well as the predatory use of the Internet for the sexual abuse of children.

Homepage has not been updated since 2006.

Association Of Sites Advocating Child Protection

Association Of Sites Advocating Child Protection – Founded in 1996, the Association of Sites Advocating Child Protection (ASACP) is a non-profit organization dedicated to eliminating child pornography from the Internet. ASACP battles child pornography through its CP reporting hotline, and by organizing the efforts of the online adult industry to combat the heinous crime of child sexual abuse. ASACP also works to help parents prevent children from viewing age-inappropriate material online.

Computer Forensics World

Computer Forensics World – A large database driven news site for the law enforcement, e-discovery, and digital forensics community.

A quote from the Computer Forensics World website:

Computer Forensics World is a growing community of professionals involved in the digital forensics industry. It is an open resource, free for all to access and to use. It strongly encourages the sharing of information and peer to peer assistance.

To support this initiative, a range of interactive facilities are available, including surveys, forums and posting areas for information and papers. Please feel free to use all these features.

As with all user groups and communities, its success ultimately depends upon its members. Greater involvement by larger numbers will always create a more vibrant and useful experience.

Computer-Forensics.co.uk

Computer-Forensics.co.uk – The main users of computer forensics are law enforcement officers, as a large percentage of crimes in some way utilise digitally stored data. This data could be a phone call made on a mobile phone (or cell phone), which could place an individual at the scene of a crime (or, of course, away from it); accounts for illegal activities such as drug sales; images of pedophilia; human resource issues; hacking; email abuse; unauthorised data duplication; IP theft, etc. Corporate organisations are utilising computer forensics more and more now, as they often have to investigate incidents such as inappropriate computer use, inappropriate email use, unauthorised data duplication and disloyal employees. Human Resource departments and Internal Security are the biggest users of these specialist corporate services. Private individuals may also use these services, for example in the case of a lover cheating on their partner or inappropriate internet use by a family member.

COSPOL Internet Related Child Abusive Material Project

CIRCAMP is one of several COSPOL groups covering various crime areas and has worked on other Action Plans since its initiation in 2004. COSPOL is an abbreviation for Comprehensive Operational Strategic Planning for the Police.

Cybercrime Summit

The Cybercrime Summit is a yearly computer forensics event held in Kennesaw, Georgia. Forensic professionals from all over the US attend this 5-day event.

The event has not been held since 2007.

Digital Forensics Research Conference

DFRWS (Digital Forensics Research Conference) is dedicated to the sharing of knowledge and ideas about digital forensics research. Since it organized the first open workshop devoted to digital forensics in 2001, DFRWS has continued to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development.

CCIPS

The Computer Crime and Intellectual Property Section (CCIPS) is responsible for implementing the Department’s national strategies in combating computer and intellectual property crimes worldwide.

The Computer Crime Initiative is a comprehensive program designed to combat electronic penetrations, data thefts, and cyberattacks on critical information systems. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts. Section attorneys work to improve the domestic and international infrastructure (legal, technological, and operational) to pursue network criminals most effectively.

The Section’s enforcement responsibilities against intellectual property crimes are similarly multi-faceted. Intellectual Property (IP) has become one of the principal U.S. economic engines, and the nation is a target of choice for thieves of material protected by copyright, trademark, or trade-secret designation. In pursuing all these goals, CCIPS attorneys regularly run complex investigations, resolve unique legal and investigative issues raised by emerging computer and telecommunications technologies; litigate cases; provide litigation support to other prosecutors; train federal, state, and local law enforcement personnel; comment on and propose legislation; and initiate and participate in international efforts to combat computer and intellectual property crime.

Expert Witness Network

Expert Witness Network – The mission of the Expert Witness Network is to link attorneys and expert witnesses via the World Wide Web by using online technology to reduce the time and costs associated with locating the best expert for a case.

Federal Bureau Of Investigation

The FBI is the principal investigative arm of the United States Department of Justice. It has the authority and responsibility to investigate specific crimes assigned to it. The FBI also is authorized to provide other law enforcement agencies with cooperative services, such as fingerprint identification, laboratory examinations, and police training.

Forensic Focus

Forensic Focus is a forensic community with over thirty thousand members. It provides a platform for digital forensics and eDiscovery professionals, with forums, an email discussion list, and a newsletter.

Forensics Wiki

Forensics Wiki – a Creative Commons-licensed wiki devoted to information about digital forensics.

Forum for Incident Response and Security Teams

FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.

HTCIA High Technology Crime Investigation Association

The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.

International Journal of Digital Evidence

International Journal of Digital Evidence (IJDE) is a forum for discussion of theory, research, policy, and practice in the rapidly changing field of digital evidence.

MacForensicsLab for Mac OS X

This site's own page about MacForensicsLab for Mac OS X describes the software, a complete forensics suite that is fully cross platform and available on Mac OS X, Microsoft Windows, and Linux.

This product is owned and produced by the owners of this website and the page you will be linking to is inside this website.

National Forensic Science Technology Center

The National Forensic Science Technology Center is a not-for-profit corporation funded by a Cooperative Agreement with the National Institute of Justice (NIJ) and provides programs that build individual competency and quality systems for the forensic science community in the United States.

National Institute Of Justice

National Institute Of Justice – NIJ is the research, development, and evaluation agency of the U.S. Department of Justice and is dedicated to researching crime control and justice issues. NIJ provides objective, independent, evidence-based knowledge and tools to meet the challenges of crime and justice, particularly at the State and local levels. NIJ’s principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968, as amended (see 42 USC 3721-3723) and Title II of the Homeland Security Act of 2002.

National Institute of Justice

The National Law Enforcement and Corrections Technology Center (NLECTC) system, a program of the National Institute of Justice’s (NIJ’s) Office of Science and Technology, serves as an "honest broker" offering support, research findings, and technological expertise to help State and local law enforcement, corrections, and other criminal justice personnel perform their duties more safely and efficiently.

National Institute Of Standards and Technology

National Institute Of Standards and Technology (NIST) – The Computer Forensics Tools Verification project provides a measure of assurance that the tools used in the investigation of computer-related crimes produce valid results. It also supports other projects in the National Institute of Justice’s overall computer forensics research program, such as the National Software Reference Library (NSRL).

The National Security Agency

The National Security Agency/Central Security Service is America’s cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. government information systems and produce foreign signals intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government.

Officer.com

Officer.com provides today’s law enforcement officer with up to date news, information, and resources to help them do their job.

Open Source Digital Forensics

The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, incident response). Open source tools may have a legal benefit over closed source tools because they have a documented procedure and allow the investigator to verify that a tool does what it claims.

Reddy's Forensic Page

Reddy’s Forensic Page is run by a retired forensic scientist who worked at the Police Laboratory of the New York City Police Department. He spent 36 years in the forensics field, and his site is a large collection of forensics material and links.

Regional Computer Forensics Laboratory

Regional Computer Forensics Laboratory – The RCFL is a one-stop, full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations, including but not limited to:

  • Terrorism
  • Child pornography
  • Crimes of violence
  • The theft or destruction of intellectual property
  • Internet crimes
  • Fraud

Royal Canadian Mounted Police Technical Security Branch

Royal Canadian Mounted Police Technical Security Branch – The Technical Security Branch (TSB) is part of the RCMP’s Technical Operations and is dedicated to providing the Canadian federal government with a full range of professional physical and IT security services.

SWGDE

The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as ensuring quality and consistency within the forensic community.

The Computer Crime Research Center

The Computer Crime Research Center was created in 2001 to conduct research into the legal, criminal and criminological problems of cybercrime, with the purpose of rendering scientific and methodological aid and consulting. It accumulates experience and analyses the results of scientific and practical research in counteracting and preventing computer crimes.

The Computer Forensics Tool Testing project

The Computer Forensics Tool Testing (CFTT) project provides a measure of assurance that the tools used in computer forensics investigations produce accurate results. The CFTT develops specifications and test methods for computer forensics tools and then tests tools to those specifications. The results help toolmakers improve the tools, users make informed choices about acquiring and using computer forensics tools, and the legal community and others to understand the tools’ capabilities. This approach for testing computer forensic tools is based on well recognized methodologies for conformance testing and quality testing.

The Electronic Discovery Reference Model

EDRM, now a part of the Duke Law Center for Judicial Studies, creates practical resources to improve e-discovery and information governance. Since 2005 EDRM has delivered leadership, standards, best practices, tools, guides and test data sets to improve electronic discovery and information governance. Member individuals, law firms, corporations and government organizations actively contribute to the direction of EDRM.

The National Center for Forensic Science

The National Center for Forensic Science provides research, education, training, tools and technology to meet the current and future needs of the forensic science, investigative and criminal justice communities. The NCFS is a program of the National Institute of Justice hosted by the University of Central Florida.

The National Museum of Crime & Punishment

The National Museum of Crime & Punishment is located in Washington, D.C. The museum displays excellent depictions of historically famous crime scenes along with detailed information concerning national crime and punishment.

Forensics professionals are invited to join the forensic blog.

The Virtual Global Taskforce

The Virtual Global Taskforce (VGT) is made up of police forces from around the world working together to fight online child abuse.

Windows Related Sites

This resources page contains a list of Windows centric security and forensics related sites.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

AccessData

AccessData is the producer of Forensic Toolkit (aka FTK) as well as other tools for the Microsoft Windows platform.

Quoted from the AccessData website:

AccessData Group has pioneered digital forensics and litigation support for more than twenty years. Over that time, the company has grown to provide both stand-alone and enterprise-class solutions that can synergistically work together to enable both criminal and civil E-Discovery of any kind, including digital investigations, computer forensics, legal review, compliance, auditing and information assurance. More than 130,000 customers in law enforcement, government agencies, corporations and law firms around the world rely on AccessData software solutions, and its premier digital investigations products and services. AccessData Group is also a leading provider of digital forensics training and certification, with our much sought after AccessData Certified Examiner® (ACE®) and Mobile Phone Examiner Certification AME programs.

MacForensics.com Recommended Site - Guidance Software

Guidance Software is the producer of EnCase, a venerable forensics tool for the Microsoft Windows platform.

Quoted from the EnCase website:

At Guidance, we exist to turn chaos and the unknown into order and the known–so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure.

Makers of EnCase®, the gold standard in digital investigations and endpoint data security, Guidance provides a mission-critical foundation of applications that have been deployed on an estimated 33 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm.

Our field-tested and court-proven solutions are used with confidence by 78 of the Fortune 100 and hundreds of agencies worldwide.

MacForensics.com Recommended Site - Information Week

Information Week Security provides the latest updates on security news from around the web.

Microsoft Security Central

Microsoft Security Central contains information on the latest security updates for all Microsoft products.

Windows IT Pro

WindowsITPro is the leading independent, impartial source of practical, technical information to help IT professionals better understand and manage the Windows and Server enterprise. Each month, it helps millions of IT professionals overcome the same issues you struggle with every day.

WindowSecurity.com

WindowSecurity.com contains the latest Windows security articles and tutorials on the following topics:

  • Authentication, Access Control & Encryption
  • Cloud Computing
  • Content Security (Email & FTP)
  • Firewalls & VPNs
  • Intrusion Detection
  • Misc Network Security
  • Mobile Device Security
  • Viruses, trojans and other malware
  • Web Application Security
  • Web Server Security
  • Windows 10 Security
  • Windows 2003 Security
  • Windows Networking
  • Windows OS Security
  • Windows Server 2008 Security
  • Windows Server 2012 Security
  • Windows Server 2016 Security
  • Wireless Security

Linux Related Sites

This resources page contains a list of many authoritative Linux related sites and tools.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

The Sleuth Kit

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

ASR Data

ASR Data has been recognized as a leading authority in the field of computer investigations by the United States Department of Justice.

Quoted from the ASR website:

In 1984, ASR Data began providing custom software solutions to companies that needed vertical market software tailored to their specific requirements.

In 1992, ASR Data was asked to develop a software tool and methodology to support the unique requirements of the law enforcement community. At that time, conducting a computer investigation was a tedious, time consuming process which required the use of several single-purpose DOS command line utilities. Investigators were forced to image original media to tape or a disk, then restore the image to another disk. Searching the evidence was limited to one search term at a time and recovering deleted files was accomplished by using off-the-shelf software which was never designed to support the forensic process. Often times, the process changed data and analysts had to restore the image several times.

We sat down with leading authorities from the legal and law enforcement communities and took a close look at the forensic process and what was needed. One of the greatest challenges was the fact that there was no precedent for what we were trying to create. Nobody had done it before, there was no pattern to follow, no giants’ shoulders to stand on and no failures to learn from. As it turns out, this was also the greatest factor which enabled us to innovate and create something completely new.

LinuxSecurity.com

LinuxSecurity.com was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. Headquartered in Guardian Digital’s offices in Allendale, New Jersey, LinuxSecurity.com’s editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.

The Coroner’s Toolkit

The Coroner’s Toolkit – a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in. The software was first presented in a Computer Forensics Analysis class in August 1999.

According to the site, development of the Coroner’s Toolkit stopped years ago. It is updated only for bug fixes, which are very rare, and after Wietse discovers that the programs no longer work on a new machine. Users of The Coroner’s Toolkit are encouraged to use Brian Carrier’s Sleuth Kit, which is the official successor of TCT.

Linux.org

Linux.org – Their main goal is to inform the public about every company, project and group that uses the Linux operating system and to report on the hard work of countless developers, programmers and individuals who strive every day to improve on the Linux offerings in the marketplace.

Linux Journal

Linux Journal – Their mission is to serve the Linux community and to promote the use of Linux worldwide. As more and more people see Linux as a viable alternative to traditional OSes, Linux is increasingly being used as a primary operating system. Linux Journal focuses specifically on Linux and other open-source OSes, allowing the content to be a highly specialized source of information for open-source enthusiasts.

Linux.com

Linux.com is always evolving. Their goal is to give you all of the resources and information you need to make your experience with Linux a success.

Security-Enhanced Linux

Security-Enhanced Linux – As part of its Information Assurance mission, the National Security Agency has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security. Recognizing the critical role of operating system security mechanisms in supporting security at higher levels, researchers from NSA’s Information Assurance Research Group have been investigating an architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments.

General Forensics Tips for Windows Platform

Disabling Windows BitLocker Encryption

BitLocker is a new drive encryption technology introduced with the Windows Vista operating system. With BitLocker enabled, all files on a personal computer’s hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk encryption can pose a problem for forensic investigators, and additional steps must be taken to ensure access to suspect data.

When an investigator comes across a running Windows Vista system, they should first determine which version of Windows Vista the suspect system is running. As only Vista Enterprise and Ultimate offer BitLocker drive encryption, investigators can disregard the further steps on other versions.

Once an investigator has determined that the system is running either Windows Vista Enterprise or Ultimate, the next step is to determine if BitLocker is running. The easiest way to determine this is through the BitLocker configuration in the Control Panel. If BitLocker encryption is running, use the following steps to disable it.

Disabling BitLocker does not decrypt the suspect data, which would alter each file. Instead it stores the encryption key on the disk so that the volume can be decrypted when it is booted or accessed, without the need for the startup key or numerical password.

The following command shows how to disable Bitlocker from the command line:

cscript manage-bde.wsf -protectors -disable c:

The above command disables BitLocker (it does not decrypt the drive). The drive can then be attached to another Vista machine through a hardware write blocker, all the data will be visible, and the investigator can image the suspect drive.

The investigator should also obtain the BitLocker numeric recovery password to ensure later access to the drive for imaging should it be needed.

The following command will display the BitLocker numerical recovery password:

cscript manage-bde.wsf -protectors -get c:


Disabling Windows Autorun

Care needs to be taken when examining suspect USB thumb drives and CDs. These types of media may contain autorun viruses and malware that could potentially infect the investigator’s workstation. Steps should be taken to disable autorun on Windows computers to decrease the chance of damage by malware. By disabling autorun on a Windows machine, the investigator stops programs that may attempt to run when suspect media is attached. Disabling autorun will also stop MacLockPick from accidentally being run on an investigator’s forensic examination station; it may still be run manually.

To protect your Windows forensic workstations, follow these steps:

Copy and paste the following into a .reg file and merge it into the registry.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

More information on disabling Windows Autorun can be found here:

http://support.microsoft.com/kb/953252


Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Current estimates as of June 2007 put Firefox at 14.55% of the world’s web browsers. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places (the path separators and the per-user and per-profile placeholders were lost in extraction and are restored here):
Mac OS X: ~/Library/Application Support/Firefox/Profiles/<profile folder>/
Windows XP & 2000: C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
or
C:\Windows\Profiles\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Windows NT 4.x: C:\Winnt\Profiles\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Unix: ~/.mozilla/firefox/<profile folder>/

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites for which passwords should never be saved. The encryption key is contained in the file called key3.db.

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.

Update!

If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.


Viewing Recently Accessed Windows Files

The Windows Registry stores a wealth of information that can be helpful to a forensic investigator during an examination. Knowing which documents were recently accessed on a suspect’s Windows machine can point an investigator to files of interest and help to show proof of intent.

The following key and its associated sub-keys contain a fairly comprehensive list of files that were opened while that account was logged in:

HKEY_USERS\’username’\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
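The numbered values under RecentDocs are REG_BINARY blobs (the document name as a NUL-terminated UTF-16LE string, followed by a shell item naming the matching .lnk), and the MRUListEx value holds little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF. The Python below is an added example written for this tip, not code from MacForensicsLab; it decodes constructed sample values into a most-recent-first list, and its optional live reader takes a SID because subkeys under HKEY_USERS are named by SID rather than by the 'username' placeholder above.

```python
"""Decode Explorer RecentDocs MRU entries (constructed sample data).

Each value "0", "1", ... under RecentDocs is REG_BINARY: the document name
as a NUL-terminated UTF-16LE string, followed by a shell item that names the
corresponding .lnk file.  MRUListEx is a sequence of little-endian DWORD
indices, most recently used first, terminated by 0xFFFFFFFF.
"""
import struct
from typing import Dict, List, Optional


def decode_recent_doc(data: bytes) -> str:
    """Return the document name stored at the start of a RecentDocs value."""
    # Walk the data two bytes at a time until the UTF-16 NUL terminator;
    # everything after it (the shell item) is ignored.
    end = 0
    while end + 1 < len(data):
        if data[end:end + 2] == b"\x00\x00":
            break
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def parse_mrulistex(data: bytes) -> List[int]:
    """Return MRU indices in order, most recent first (stops at 0xFFFFFFFF)."""
    order = []
    usable = data[:len(data) - len(data) % 4]  # drop any trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def ordered_recent_docs(values: Dict[str, bytes]) -> List[str]:
    """Combine MRUListEx with the numbered values to list documents, newest first.

    Indices without a matching value (a stale MRUListEx) are skipped so a
    partially written key still decodes; numbered values absent from MRUListEx
    are appended at the end in name order so nothing is silently dropped.
    """
    order = parse_mrulistex(values.get("MRUListEx", b""))
    seen = set()
    docs = []
    for idx in order:
        name = str(idx)
        if name in values and name not in seen:
            docs.append(decode_recent_doc(values[name]))
            seen.add(name)
    for name in sorted(k for k in values if k.isdigit() and k not in seen):
        docs.append(decode_recent_doc(values[name]))
    return docs


def _make_value(doc_name: str) -> bytes:
    """Build a constructed RecentDocs value: UTF-16LE name + NUL + stub shell item."""
    lnk = (doc_name + ".lnk").encode("ascii")
    # Constructed stand-in for the trailing shell item: a size word followed by
    # the .lnk name, enough to show that decode_recent_doc ignores it.
    stub = struct.pack("<H", len(lnk) + 4) + lnk + b"\x00\x00"
    return doc_name.encode("utf-16-le") + b"\x00\x00" + stub


# Constructed sample of what a RecentDocs key might hold (not real evidence).
SAMPLE_RECENTDOCS: Dict[str, bytes] = {
    "0": _make_value("budget_2007.xls"),
    "1": _make_value("photo_0123.jpg"),
    "2": _make_value("notes.txt"),
    "3": _make_value("orphan.doc"),  # present on disk but not in MRUListEx
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def read_live_recentdocs(sid: str) -> Optional[Dict[str, bytes]]:
    """Read HKEY_USERS\\<sid>\\...\\RecentDocs on a Windows host; None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    path = sid + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    values: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_USERS, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            if isinstance(data, bytes):
                values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    for doc in ordered_recent_docs(SAMPLE_RECENTDOCS):
        print(doc)
```

The per-extension subkeys beneath RecentDocs (for example one per file type) use the same value layout, so the same functions apply to each of them.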


Flash Drive Registry Information

MacForensics.com Tips - Flash Drive Registry Information

USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They are small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at is the set of entries recording devices that have been attached, especially USB devices; grab the information regarding the device manufacturer and the serial number if it has one.

Also there is an entry that is keyed to the mounted device volume letter. The letter is not that important, but I think there is a date associated with the last time the device was written. This would be of value during a forensic exam.

USB thumb drives sometimes have a registry entry indicating that they are CD-ROM drives; be aware of that.

Thanks to Tim Clark for this information.
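Added example, not part of the tip above: the Python below interprets the two key families described, the USBSTOR device and instance keys under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and the per-drive-letter values under HKLM\SYSTEM\MountedDevices. It tells a vendor-assigned serial from one Windows generated for a device that has none (the generated form has an ampersand as its second character), and it surfaces the CdRom device class that the virtual CD partition of some thumb drives presents. The sample key names and values are constructed, not taken from a real hive.

```python
import re

# Device-class key: "<Class>&Ven_<vendor>&Prod_<product>&Rev_<revision>"
DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def parse_usbstor(device_key, instance_key):
    """Interpret a USBSTOR sub-key pair (device key, instance key).

    The instance key is "<serial>&<port index>". If the device reports no
    serial number, Windows generates an ID whose second character is '&'.
    """
    m = DEVICE_KEY_RE.match(device_key)
    if m is None:
        raise ValueError("not a USBSTOR device key: %r" % device_key)
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    serial = None if generated else instance_key.rsplit("&", 1)[0]
    return {
        "device_class": m.group("cls"),   # Disk, CdRom (virtual CD partition), ...
        "vendor": m.group("ven"),
        "product": m.group("prod"),
        "revision": m.group("rev"),
        "serial": serial,
        "serial_is_generated": generated,
        "instance_id": instance_key,
    }


def parse_mounted_device(data):
    """Decode one MountedDevices value (\\DosDevices\\X: -> raw bytes).

    USB volumes carry a UTF-16LE string of the form
    _??_USBSTOR#<device key>#<instance key>#{<class GUID>}; fixed disks
    carry a 12-byte signature+offset instead. Returns the parsed device or
    None for non-USBSTOR values."""
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    parts = text.split("#")
    if len(parts) < 3 or not parts[0].upper().endswith("USBSTOR"):
        return None
    return parse_usbstor(parts[1], parts[2])


# Constructed samples (not from a real hive).
SAMPLE_MOUNTED = {
    "\\DosDevices\\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#"
        "4C530001230704121234&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    # fixed disk: 4-byte MBR signature + 8-byte partition offset
    "\\DosDevices\\C:": b"\x01\x02\x03\x04" + b"\x00" * 8,
}

if __name__ == "__main__":
    print(parse_usbstor("CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_8.02",
                        "4C530001230704121234&1"))
    for letter, raw in SAMPLE_MOUNTED.items():
        print(letter, parse_mounted_device(raw))
```

A thumb drive with a CD-ROM partition shows up twice under USBSTOR, once as Disk and once as CdRom, with the same serial and different port indexes; matching on the serial ties the two together. The last-write time of the instance key, which this parser cannot see in a bare string, is what most tools report as the last connection time.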

Posted on

General Forensics Tips

Recognizing Potential Evidence

MacForensics.com Tips - Recognizing Potential Evidence

The following was taken from the United States Secret Service's Best Practices For Seizing Electronic Evidence. We highly recommend you read the entire article, as it contains a lot of good information regarding electronic evidence.
 

Recognizing Potential Evidence

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  • Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?

  • Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

  • Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?
  • Is the computer system both instrumental to the offense and a storage device for evidence?
    For example did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is understood, the following essential questions should be answered:

  • Is there probable cause to seize hardware?
  • Is there probable cause to seize software?
  • Is there probable cause to seize data?
  • Where will this search be conducted?
    • For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    • If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    • Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?

Source: US Secret Service

Posted on

Comparing the Mac OS X Property List to the Windows Registry

Apple Property List: Comparing the Mac OS X Property List to the Windows Registry

Dennis Browning
Champlain College
Burlington, VT
dennisbrowning@gmail.com

Abstract


This paper introduces Property Lists in Apple Mac OS X and compares them to the Microsoft Windows Registry. It also examines how important some Property Lists can be to an examination and presents examples of the crucial information that can be found within them.


Acknowledgement


Let it be noted that this paper is by no means a complete look into the property lists and Mac OS X. All information looked at in this paper has been the product of personal research. All opinions expressed in this paper are those of the author.


Introduction


The Importance of Plist Examinations


In 2007, Derrick Farmer, a Champlain College student, wrote a paper entitled A Forensic Analysis of the Windows Registry. It explored key locations where vital information can be found during a computer investigation: autorun locations, recent items, wireless networks, Internet history, and third-party software installed on a Windows machine. In today's world, Macintosh (Mac) computers are becoming very popular, so forensic examiners need to know where to find the same kind of information in Mac OS X. Property Lists play a role very similar to that of the Windows Registry, and these files contain information that can make or break a case. In this paper I compare the Mac locations to the Registry entries found in Windows.


History


First off, it is important to know what a Property List (plist) actually is and what kind of information can be stored in one. Apple's developer documentation describes it as follows: "property lists organize data into named values and lists of values using several object types. These types give you the means to produce data that is meaningfully structured, transportable, storable, and accessible, but still as efficient as possible" (Property List Programming Topics, 2008). Plists can be considered the registry of OS X. A little later we will explore the structure of a plist file. The information contained in these files differs for each program on the system: each holds the settings of the program that reads it, and, as with Windows Registry entries, changing a value in the file changes how the program runs. It should be noted that plists are not unique to Mac OS X; the format dates from NeXTSTEP/OpenStep and is also used by GNUstep on Linux and other Unix systems.


Structure of Property List


Plists come in one of three formats. The most recent, and most common, is the XML format. It is more portable than the alternatives and can be edited by hand in any text editor. The other two are the binary format and the older ASCII (OpenStep) text format. Binary plists are still widely used (Mac OS X writes most preference files in binary form, recognizable by the leading bytes "bplist00"), whereas ASCII plists are now rare. Binary plists load faster when the plist holds a large collection of data, but they cannot be edited by hand; on a Mac, plutil -convert xml1 converts a copy to editable XML. Figure 1 below shows an XML plist viewed in TextEdit, which comes installed on every Mac. It is hard to read in this form. Opening the same file in a plist editor shows the structure far more clearly, as in Figure 2.





Figure 1 TextEdit





Figure 2 Plist Editor Pro


Plists can be composed of one of two families of structured data types, Core Foundation or Cocoa. Apple describes Core Foundation as "a procedural C framework that is conceptually modeled on the object-oriented Foundation framework in Cocoa and that uses the abstraction of the opaque type as a procedural analog to an object" (Getting Started with Core Foundation, 2006), and Cocoa as "Apple's name for the collection of frameworks, APIs, and accompanying runtimes that make up the development layer of Mac OS X" (Cocoa). For more information on Cocoa and Core Foundation, see the links in the references. Figure 3 below shows a table of the plist types and their various representations.





Figure 3 Taken from: http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/AboutPropertyLists/AboutPropertyLists.html#//apple_ref/doc/uid/10000048i-CH3-46719-CJBIGFCD


Examination Tools


Many tools are available to forensic examiners for plist examinations. The tools used in this paper to analyze and parse the plist files are Fat Cat Software's PlistEdit Pro and Echo One's File Juicer. PlistEdit Pro has a free trial period, which was used for this research; it can be obtained from http://www.fatcatsoftware.com/plisteditpro/. File Juicer also has a free trial period, which was used for this paper; it can be obtained from http://echoone.com/filejuicer/. Both programs were fully functional during the trials.


Plist Examination


Plist as Logs


Some plists are written only once, when a program or OS X itself is first installed; others are rewritten each time the program runs or a setting changes, which makes them behave like logs. The plists examined in this paper are of the second kind. We will look at plist files covering autorun locations, recent items, wireless networks, mounted devices, Internet history, and installed programs, each compared with its Windows Registry equivalent.


Autorun Locations


Derrick Farmer defines autorun locations as Registry keys that launch programs or applications during the boot process (Farmer, D, 2007). The term has a very similar meaning in the Mac world, where per-user login items are stored in com.apple.loginitems.plist. An examiner should look there to see which programs or applications are of evidentiary value to the case. On Windows, many installers register the program to start at boot by default; AOL Instant Messenger (AIM), for example, starts at login unless told otherwise. On the Mac this is less common: if users want a program to start at login, they usually have to tell it to do so, so an entry in the login items is good evidence that the user of that Mac intended the program to start at login. The loginitems.plist can be found at /user/Library/Preferences/com.apple.loginitems.plist (throughout this paper, /user/ stands for the user's home folder). Note that login items are only one of several OS X persistence locations: launchd jobs under /Library/LaunchAgents, /Library/LaunchDaemons and the per-user ~/Library/LaunchAgents folder, and the older /Library/StartupItems folder, should be reviewed as well.


Recent Items


In the Windows environment, the registry contains Most Recently Used (MRU) lists and the UserAssist key. An MRU is a list of recently opened programs and files; multiple such lists exist throughout the registry. MRUs resemble the history one can view in an Internet browser: the most recently visited sites are kept in a list so the user can go back to them if needed. In addition to the MRUs, Windows has the UserAssist key, which records how often and when a user ran programs. Its value names are obfuscated (not encrypted) with ROT-13, which any examiner can reverse by hand or with a tool. To learn more about ROT-13, see http://en.wikipedia.org/wiki/Rot13.
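Added example (not from the paper): decoding a UserAssist entry. The Python below reverses the ROT-13 value name and unpacks the 16-byte record layout used on Windows XP (session id, run count stored with 5 added, and the last-run time as a FILETIME). That layout is an assumption stated in the code; Vista and later use a different, longer record, and the function rejects anything but 16 bytes. The value name and data are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_userassist(value_name, data):
    """Decode one UserAssist value.

    The name is ROT-13 encoded. The 16-byte data layout assumed here is the
    Windows XP one: session id (uint32), run count (uint32, stored with 5
    added), last-run FILETIME (uint64). A zero FILETIME means never run.
    """
    name = codecs.decode(value_name, "rot_13")
    if len(data) != 16:
        raise ValueError("unexpected UserAssist record length %d" % len(data))
    session, count, ft = struct.unpack("<IIQ", data)
    return {
        "name": name,
        "session": session,
        "runs": max(count - 5, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


# Constructed sample: AIM launched 12 times, last on 2007-06-15 12:00 UTC.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Cebtenz Svyrf\\NBY\\NVZ\\nvz.rkr"
SAMPLE_DATA = struct.pack(
    "<IIQ", 1, 12 + 5,
    datetime_to_filetime(datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

The UEME_RUNPATH prefix that appears after decoding marks entries for programs launched by path; the run count and last-run time are what let an examiner say not just that a program was present but that it was used, and when.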


In the Mac environment, these lists are more limited. During the research for this paper, only one location with recently opened items could be found. In /user/Library/Preferences/com.apple.recentitems.plist, the last 10 accessed applications, documents, hosts, and servers are listed. Within the settings for each section, a user can increase or decrease the number of records kept; by default, Mac OS X keeps the last 10. Figure 4a below shows an entry in the applications section of the plist. Figures 4b and 4c show the most recent files opened and hosts connected to, respectively.





Figure 4a Most Recent Application Run





Figure 4b Most Recent File Opened





Figure 4c Most Recent Host/Computer Connected to


Unfortunately, the information in this plist is only available as long as the item remains one of the last ten opened in its section. It can still be very useful to an examiner, for example when the user has connected to only a few hosts.


Wireless Networks


In a forensic investigation, being able to determine whether a suspect's computer was connected to a wireless network can be of evidentiary value. The SSID (service set identifier) is recorded for every wireless network added to the user's preferred networks, which can include Wi-Fi hotspots at Starbucks or similar locations. In the Windows Registry, SSIDs are stored in one key and the settings for a particular network, such as IP address and subnet mask, in another. A Mac is similar. The two important plists are /hd/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist and /hd/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist (/hd/ stands for the root of the startup volume). Used together, they let an examiner see the last date the computer was connected to a given network; start with com.apple.airport.preferences.plist. For example, figure 5a shows the SSID 3dd, along with the security type and password. The password is hashed.





Figure 5a com.apple.airport.preferences.plist


Once the examiner has the timestamp from the Airport Preferences plist, they can turn to the Network Identification plist. There they will find the entry with the matching date and more information about the network, including DNS servers, IP address, the interface used (wired or wireless), subnet mask, and router IP. Figures 5b-5d show this information.





Figure 5b Timestamp Match to figure 5a





Figure 5c DNS servers connected to





Figure 5d IP address obtained, router IP and Subnet Mask


Based on the above information, an examiner can determine if or when a suspect was connected to a network. The DNS server addresses can identify the Internet Service Provider (ISP) through which the suspect reached the Internet. Many ISPs keep records of which hardware (MAC) address obtained which IP address from them, so with a subpoena an examiner can obtain log histories for the owner of the network.


Mounted Devices


USB devices and other mounted media, such as CD/DVD installers, are an everyday occurrence now. A feature of the USBSTOR registry key on a Windows machine is that the serial number of the USB device is recorded, making it easier to prove that a particular device was connected to the suspect's computer. Some USB devices have no serial number, in which case Windows generates an identifier in its place (recognizable by an ampersand as its second character). On a Mac this is not the case: while a Mac does record that a USB device was connected, this plist does not record the device's serial number. The plist /user/Library/Preferences/com.apple.finder.plist lists every volume, whether USB device, disk image, CD, DVD, or iPod, that was mounted while a given user was logged in. The position at which the Finder placed each volume's icon on the desktop is recorded under the FXDesktopVolumePositions key (the Finder is the Mac's equivalent of Explorer in Windows). If a USB device or CD has a unique name, this plist can show that at some point the device was mounted on the suspect's computer. Figure 6a shows volumes that were mounted; volumes can include USB devices, CDs, DVDs, and iPods.





Figure 6a Volumes Mounted


When a user downloads a program on a Mac, it usually arrives as a .dmg disk image that is mounted in order to reach the installer or the application itself; this is the Mac counterpart of a Windows installer .exe. Mounted disk images are recorded in this plist as well. Figure 6b shows an example of some .dmg files that have been mounted.





Figure 6b Software DMG’s


An examiner can use this list to see whether software was ever downloaded onto the computer. For example, if an examiner is looking through a Mac for encryption software, it can be seen here that a TrueCrypt disk image was downloaded and mounted at some point. If the suspect says they have never looked into encryption software, this entry contradicts that claim, although it shows only that the image was mounted, not that the program was installed or used.
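The following Python is an added example serving both the Structure of Property List section and the Mounted Devices discussion above; it is not the paper's code or Apple's. It serializes one constructed stand-in for com.apple.finder.plist as XML and as binary, shows how the two on-disk forms are told apart by their leading bytes, loads both with the standard plistlib module (which reads either form), and lists the volume names under FXDesktopVolumePositions. The reading of each key there as the volume name followed by an _0x... suffix is an assumption made here and is labelled in the code; the volume names and positions are made up.

```python
import plistlib


def plist_format(data):
    """Identify the on-disk form from the leading bytes: binary plists start
    with "bplist", XML plists with an XML declaration or <plist>."""
    head = data.lstrip()
    if head.startswith(b"bplist"):
        return "binary"
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_plist(data):
    """plistlib detects XML versus binary itself, so one loader serves both."""
    return plistlib.loads(data)


def mounted_volume_names(finder_plist):
    """Volume names recorded under FXDesktopVolumePositions.

    Assumption: each key is "<volume name>_0x<hex>", the suffix telling
    apart volumes that share a name; the suffix is stripped here and
    duplicates collapsed.
    """
    names = set()
    for key in finder_plist.get("FXDesktopVolumePositions", {}):
        name, sep, _ = key.rpartition("_0x")
        names.add(name if sep else key)
    return sorted(names)


# Constructed stand-in for com.apple.finder.plist (not a real user's file).
SAMPLE_FINDER = {
    "FXDesktopVolumePositions": {
        "Macintosh HD_0x1a2b3c4d": "{1000, 100}",
        "TrueCrypt 6.1a_0x4f3e2d1c": "{1000, 180}",
        "KINGSTON_0x0badcafe": "{1000, 260}",
    },
    "ShowHardDrivesOnDesktop": True,
}


def both_forms(plist=SAMPLE_FINDER):
    """Serialize the same content as XML and as binary."""
    return (plistlib.dumps(plist, fmt=plistlib.FMT_XML),
            plistlib.dumps(plist, fmt=plistlib.FMT_BINARY))


if __name__ == "__main__":
    xml, binary = both_forms()
    for blob in (xml, binary):
        print(plist_format(blob), mounted_volume_names(load_plist(blob)))
```

Work on a copy of the evidence file: plutil -convert xml1 rewrites the file in place, and writing a plist back with plistlib reorders its keys, which changes the hash even when no value changed.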


iPods


In today's music-loving world, many people own some form of MP3 player, and criminals have started hiding information on iPods. On the Mac, the following plist can be informative to an examiner: /user/Library/Preferences/com.apple.iPod.plist. With this file, the examiner can verify whether an iPod has been connected to that computer. Figure 7 shows that an iPod has been connected to the computer.





Figure 7 iPod Information /user/Library/Preferences/com.apple.iPod.plist


With the information in the above plist, an examiner can check the serial number of an iPod to see whether it has been connected. If a suspect states that they do not have an iPod, this file can show that one has been used. The connected date shown above is the last date the iPod was used on the suspect's computer, and the use count variable shows how many times the iPod has been connected to that computer.


Internet History


Safari


Safari is the native Internet browser on a Mac, similar to Internet Explorer on a Windows machine. In Windows, the Internet Explorer Registry key has three subkeys of interest: main, typedURLs and download directory. On a Mac, Safari has a similar setup: the plists for browsing history, download history, and cookies each have their own location. Internet Explorer's temporary internet files are stored as cache files, and Safari does the same; these files are located in /user/Library/Caches/Safari. Using File Juicer, an examiner can view the contents of the cache. File Juicer takes the Cache.db file found in that location and parses it, sorting the cached items into folders by file type. Figure 8a shows the folder created once File Juicer has processed the cache data.





Figure 8a File Juicer Results


The index.html file listed above is a webpage created by File Juicer that contains all images found in the Safari cache. This makes it easier for an examiner to parse through potential evidence.


Another great place to look for evidence is the browser history. The plist at /user/Library/Safari/History.plist provides an examiner with the Safari browser history. Figure 8b shows an example of a record in the plist.





Figure 8b Browser History


From this entry, an examiner can tell that the user visited this site nine times. The value in lastVisitedDate is a CFAbsoluteTime: the number of seconds since 1 January 2001 00:00:00 UTC. It is stored in UTC, so the time a converter displays depends on the time zone it applies. It can easily be converted using a program such as CFAbsoluteTimeConverter, which can be downloaded from http://www.hsoi.com/hsoishop/software/; simply copy and paste the value into the program. The above value converts to Sunday 07 September 2008 10:41:04 am, telling the examiner when the page was last visited. Times and dates are always great supporting evidence to help prove that a suspect committed an act.
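Added example, not from the paper: converting lastVisitedDate without the third-party tool. CFAbsoluteTime is seconds since 1 January 2001 00:00:00 UTC, so the Python below adds the value to that epoch and parses a constructed History.plist in Safari's layout (a WebHistoryDates array of dictionaries keyed by "", title, visitCount and lastVisitedDate). The sample's value of 242476864 was chosen so that it converts to 07 September 2008 10:41:04 UTC, the date in the figure; the URLs are made up.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# CFAbsoluteTime counts seconds from this instant (UTC).
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_datetime(value):
    """Convert a CFAbsoluteTime (int, float or numeric string) to a UTC
    datetime; Safari stores the value as a string, often with a fraction."""
    return CF_EPOCH + timedelta(seconds=float(value))


def safari_history(plist_bytes):
    """Parse a History.plist: the WebHistoryDates array holds one dict per
    URL, keyed by "" (the URL), "title", "visitCount" and "lastVisitedDate"
    (CFAbsoluteTime as a string). Returns rows, most recent first."""
    root = plistlib.loads(plist_bytes)
    rows = []
    for rec in root.get("WebHistoryDates", []):
        rows.append({
            "url": rec.get(""),
            "title": rec.get("title"),
            "visits": int(rec.get("visitCount", 0)),
            "last_visited": cf_absolute_to_datetime(rec["lastVisitedDate"]),
        })
    rows.sort(key=lambda r: r["last_visited"], reverse=True)
    return rows


# Constructed sample in Safari's History.plist layout (binary form, as the
# real file is). 242476864 s after the CF epoch is 2008-09-07 10:41:04 UTC.
SAMPLE_HISTORY = plistlib.dumps({
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "http://www.example.com/", "title": "Example Domain",
         "lastVisitedDate": "242476864", "visitCount": 9},
        {"": "http://www.example.org/login",
         "lastVisitedDate": "242390400.5", "visitCount": 1},
    ],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for row in safari_history(SAMPLE_HISTORY):
        print(row["last_visited"].isoformat(), row["visits"], row["url"])
```

To report in the suspect's local time, call .astimezone() on the returned datetime with the zone the machine was set to; the paper's "10:41:04 am" is whatever zone the converter used, which should be stated in the report.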


The Downloads.plist file is another file for the examiner to look at for evidentiary information. It lists the files that were downloaded using Safari and is found in the /user/Library/Safari/ directory as well. From this plist, an examiner can show that a program such as Limewire was downloaded onto the suspect's computer. Figure 8c shows the entry in Downloads.plist that proves that Limewire was indeed downloaded.





Figure 8c Downloads.plist


These files are great places to look for evidence. In Safari 3.2.1, as in Internet Explorer 7, users can clear all cookies, download history, cache, and the rest of the information examiners look for (the Reset Safari command). If the user has done this, the above plists are emptied and are of little use to an examiner, who will have to look elsewhere.


Firefox


Alternative web browsers such as Firefox, Opera, and Netscape record their information differently from the native browser on a Windows machine, and the same is true on a Mac. Since Firefox is not the native browser, its data is stored in its own profile folder, found at /user/Library/Application Support/Firefox/Profiles. An examiner can take the profile folder and run it through File Juicer, which again parses all the files and sorts the recovered items into folders by type. One difference here is that when a user tells Firefox 2.0 or later to clear its history, caches, etc., the typed URLs are not cleared. A list of these URLs can be found in File Juicer's subfolder named URLs; the HTML page created there lists every URL the user typed and confirmed with the enter key. An example can be found in figure 8d.





Figure 8d URL’s


Other browsers, such as Opera and Netscape, are similar to Firefox: each has a folder in Application Support that contains all the information needed.


Applications


Similar to the Windows world, when a user installs a program a folder is created for that piece of software. In Windows, the folder is usually created under Program Files and contains the executable and other important files, and some files may be placed in other directories. On a Mac, the application bundle is placed in the Applications folder, and the other files the program needs at run time are placed in the Application Support folder under /user/Library/. In Windows, for the most part, when a user uninstalls a program its files and folders are deleted along with it. On a Mac this is not true: when a user "uninstalls" a program by deleting it, all they remove is the bundle from the Applications folder. The Application Support folder, and the program's preference plists, still contain the files associated with that program, so an examiner can see which programs have been installed on the machine even after the program itself has been deleted.


To show some of the information that can be found in the Application Support folder, we will look at the folder for the instant messaging program Adium. Figure 9a shows the Adium folder.





Figure 9a Adium Application Folder


An examiner should be interested in the usernames associated with an instant messaging program like Adium. When the Users folder is opened, the default user (Default) is the only one listed. Opening that folder gives an examiner access to all of the settings and accounts that have been set up. Figure 9b shows the account set up under the default user.





Figure 9b AIM user account


With Adium, a user can set up accounts for Facebook, MSN, Jabber, Yahoo and many others. If a user has set up multiple accounts, they are all listed in Accounts.plist in that user's folder.


Within this user's folder there is another folder for logs. It contains chat logs for every screen name the user has talked to, formatted as XML files. Figure 9c shows part of a chat log.





Figure 9c Chat log


An examiner can use these logs to see the time and date at which each message was sent. From the above figure, the examiner can also see which user sent the message and whether the user has set up an alias for the screen name they are talking to.


Overview


The following list includes all of the plist entries that were discussed in this paper.

  • user folder/Library/Preferences/com.apple.loginitems.plist
  • user folder/Library/Preferences/com.apple.recentitems.plist
  • root/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
  • root/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist
  • user folder/Library/Preferences/com.apple.finder.plist
  • user folder/Library/Preferences/com.apple.iPod.plist
  • user folder/Library/Caches/Safari
  • user folder/Library/Safari/
    • History.plist
    • Downloads.plist
  • user folder/Library/Application Support/Firefox/Profiles
  • user folder/Library/Application Support/Adium 2.0/Profiles
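An examiner working from a mounted image will usually want to check each of the locations above in one pass and record what was found before opening anything. The script below is an added example, not code from the paper: it walks the list, notes whether each path exists, its kind, size, modification time and SHA-256, and never writes to the volume. So that it runs offline it builds a throwaway mock volume (a constructed Users/suspect home with two dummy plist files) under a temporary directory; on a real image, call `inventory()` with the image’s mount point and the account name instead.

```python
"""Inventory the plist artifact locations listed above on a mounted volume.

Added example, not code from the paper. Read-only: it only stats, reads
and hashes. The mock volume it builds for the demo run is constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Paths relative to the user's home folder (from the list above).
USER_ARTIFACTS = [
    "Library/Preferences/com.apple.loginitems.plist",
    "Library/Preferences/com.apple.recentitems.plist",
    "Library/Preferences/com.apple.finder.plist",
    "Library/Preferences/com.apple.iPod.plist",
    "Library/Caches/Safari",
    "Library/Safari/History.plist",
    "Library/Safari/Downloads.plist",
    "Library/Application Support/Firefox/Profiles",
    "Library/Application Support/Adium 2.0/Profiles",
]
# Paths relative to the volume root.
ROOT_ARTIFACTS = [
    "Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist",
    "Library/Preferences/SystemConfiguration/com.apple.network.identification.plist",
]


def sha256_of(path):
    """Hash a file in chunks so a large cache need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(volume_root, username):
    """Return one record per artifact: label, present, kind, mtime, size, sha256."""
    home = os.path.join(volume_root, "Users", username)
    targets = [("user folder/" + p, os.path.join(home, p)) for p in USER_ARTIFACTS]
    targets += [("root/" + p, os.path.join(volume_root, p)) for p in ROOT_ARTIFACTS]
    records = []
    for label, full in targets:
        rec = {"artifact": label, "present": os.path.lexists(full)}
        if rec["present"]:
            st = os.stat(full)
            rec["kind"] = "dir" if os.path.isdir(full) else "file"
            rec["mtime"] = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            if rec["kind"] == "file":
                rec["size"] = st.st_size
                rec["sha256"] = sha256_of(full)
        records.append(rec)
    return records


def build_mock_volume():
    """Create a constructed mock volume for the demo run; returns its root path."""
    root = tempfile.mkdtemp(prefix="mockvol_")
    prefs = os.path.join(root, "Users", "suspect", "Library", "Preferences")
    os.makedirs(prefs)
    os.makedirs(os.path.join(root, "Users", "suspect", "Library", "Caches", "Safari"))
    # Dummy contents: only presence and hashing are demonstrated here.
    with open(os.path.join(prefs, "com.apple.iPod.plist"), "wb") as f:
        f.write(b"<plist/>")
    with open(os.path.join(prefs, "com.apple.recentitems.plist"), "wb") as f:
        f.write(b"<plist/>")
    return root


if __name__ == "__main__":
    for rec in inventory(build_mock_volume(), "suspect"):
        print(rec)
```

Recording the hash and modification time before analysis gives a baseline to compare against later, which is the same concern the MacLockPick tips raise about showing that the tool did not alter the evidence.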


Conclusion


With the growing popularity of Macs in today’s technological world, it is important that forensic examiners know where potential evidentiary information is located on a Mac. A basic knowledge of the Mac OS X file structure and the Linux file structure will only help an examiner comprehend what they are looking at. By knowing where the information is and how to interpret it, an examiner can be confident going into an investigation that involves a Mac. The files discussed in this paper are only a few of the many possible evidentiary locations that an examiner should look at.




Appendix


Below is a table showing the Windows Registry key location and the Mac OS X plist location of each kind of information discussed in this paper.

AutoRun
  Windows:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • (ProfilePath)\Start Menu\Programs\Startup
  Mac OS X:
    • user folder/Library/Preferences/com.apple.loginitems.plist

Recent Items
  Windows:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  Mac OS X:
    • user folder/Library/Preferences/com.apple.recentitems.plist

Wireless
  Windows:
    • HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
    • HKLM\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\
  Mac OS X:
    • root/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
    • root/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist

USB and Mounted Devices
  Windows:
    • HKLM\System\ControlSet00x\Enum\USBSTOR
    • HKLM\System\MountedDevices
  Mac OS X:
    • user folder/Library/Preferences/com.apple.finder.plist

Native Browser
  Windows:
    • HKCU\Software\Microsoft\Internet Explorer
    • HKCU\Software\Microsoft\Internet Explorer\Main
    • HKCU\Software\Microsoft\Internet Explorer\TypedURLs
    • HKCU\Software\Microsoft\Internet Explorer\Download Directory
  Mac OS X:
    • user folder/Library/Caches/Safari
    • user folder/Library/Safari/

Software
  Windows:
    • HKCU\Software\
  Mac OS X:
    • user folder/Library/Application Support/

Quick Tips – MacLockPick


This page contains useful tips on how to use MacLockPick not found in the manual.


Choosing a USB Port for MacLockPick

Up until the release of Apple’s aluminum keyboard, all Apple branded keyboards featured USB 1.1 ports. Because of the much higher data transfer speed of USB 2.0, we recommend that investigators plug the MacLockPick thumb drive into the Mac computer itself instead of into the keyboard. This will ensure the fastest auditing speeds.
 


Filtering with MacLockPick

This lesson is designed to demonstrate how to use the filter feature in MacLockPick.

1. Insert MacLockPick into USB Port

Insert MacLockPick into the USB port

This demo is done using Mac OS X as the base system, however the process, with slight modification applies to other operating systems as well. Insert the MacLockPick into a USB port on the computer. The device will automount as depicted above.

2. Select for Configuration

Select MacLockPick for configuration

There are two icons mounted on the Desktop associated with MacLockPick, one named MACLOCKPICK and the other depicted above MacLockPick (OS X). Double click on the icon MacLockPick (OS X).

3. Locate the Setup Application

Locate the MacLockPick Setup application

The contents of the MacLockPick (OS X) volume appear above. Select the Applications – OS X folder by double clicking on it.

4. Launch the Setup Application

Launch the MacLockPick Setup application

Select the MacLockPick Setup.app (depicted with the number 1 above) by double clicking on it to launch the application.

5. Create a Customized Plug-In

Create a customized plug-in for MacLockPick

The Setup application will open providing a list of all current plug-ins. To add a plug-in, select the “+” in the lower right corner.

6. The Plug-in Window

MacLockPick Plugin window

Once the “+” button is selected, the Plug-in window opens.

7. Name the Plug-in

Name the new plug-in within MacLockPick

The Plug-in window allows the user to name the plug-in (1) and define its type (2).

8. Design the Plug-in

Design the MacLockPick plug-in

The Plug-in design window is divided into three parts: the Plug-in Name, the Data and the Operating System. To create a custom filter that sorts through a folder and returns only the files with a .pdf extension, fill out the information depicted above. First, describe the plug-in (1), then enter the filter (in this case the .pdf extension). Since we will be finding a folder relative to the user, select buttons 3 and 4. Since we are expecting a relatively small output, keep the files and folders in their native format (5), meaning they will be exported directly rather than through the built-in MacLockPick Archive tool. Next enter the path to the folder (6), select the operating system the new plug-in pertains to (7) and select “Save” (8).

9. Checking the Plug-in

Checking the new MacLockPick plug-in

When you save the custom-built plug-in, the Setup window opens again, allowing you to review all the plug-ins, including your new one. Make sure your new plug-in is selected, as indicated by the checkbox to the right (1), then select “Quit” (2).

10. Run MacLockPick

Run MacLockPick

Once you quit the Setup window, you will be at the MacLockPick applications window. Select the MacLockPick application by double clicking on it to invoke MacLockPick.

11. MacLockPick Completion

MacLockPick has completed running

Once MacLockPick completes its operations, the dialog box shown above will open, informing the user that the results are located in the “MacLockPick Output Folder” (1); select “OK” (2).

12. Locating the MacLockPick Output Folder

Locating the MacLockPick Output folder

From the Desktop, select the “MACLOCKPICK” icon (1) by double clicking on it.

13. Open the MacLockPick Output Folder

Opening the MacLockPick Output folder

As the volume opens, locate the MacLockPick Output Folder, double click on the MacLockPick Output Folder and select the appropriate result (the results are arranged by username and date/time stamp).

14. Reviewing the Results

Reviewing the MacLockPick results

Locate the folder containing the MacLockPick output and open it by double clicking on it.

15. Reviewing the Filter Results

Reviewing the MacLockPick filter results

By default the MacLockPick Output will contain several files: the .bash_history file (1), the Log Database (2) and a Screenshot (3) of the computer screen from which MacLockPick was run. In addition to these files there will be any number of additional elements the user selected or created, in this case the results of the custom .pdf filter we created (4). Open the folder containing the .pdf filter results by double clicking on the appropriate folder (4).

16. Review the Custom Filter Results

Reviewing the custom MacLockPick filter results

Contained within the customized filter folder are the results of the search, in this case, only the .pdf files were exported from the folder (Dog_Training).
 


Searching MacLockPick Logs

MacLockPick extracts a wide range of valuable data from suspect machines. The information is presented in an easy-to-view format for the investigator. Even with the suspect information clearly formatted, there can be a very large amount of data to sort through to find what you are looking for. If you are looking for something specific, you can use MacLockPick’s Search feature to find it. Simply click the “Find” button, enter your query and click “Find” again. All entries containing the searched term will be grouped together and highlighted at the top of the listing.
 


Exporting Data from the MacLockPick Logs

MacLockPick acquires a lot of detailed information about a suspect, much of which can be very helpful in an investigation. When viewing the MacLockPick log file, the investigator can export all or a portion of the log data to a plain text file through the use of the “Export” button. Simply highlight the information you would like exported (choose “Select All” from the Edit menu if you would like to export everything in the log file) and then click the “Export” button. Name your exported text file and select the desired location to save it to.


General Forensics Tips for Mac Platform


Find the Last Server a User was Connected to in Mac OS X

Mac OS X makes connecting to remote servers very easy. Retrieving information about servers a suspect has connected to will help an investigator find other resources that should be investigated, or help prove intent. Mac OS X logs these connections along with other information that may be of interest to an investigator.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.finder.plist. Within that file you will find “FXConnectToLastURL”, which shows the last file servers your suspect connected to. The entry “CFURLAliasData” holds the names of file servers accessed, disk images mounted, and sometimes the names of DVDs (although these seem to be Apple-authored only) that have been mounted within the Finder. The entry “recent-folders” shows the last batch of folders that were accessed.
 


Resetting the Admin Password in Mac OS X

The easiest way to bypass the administrator password is to remove the drive and attach it to another machine or a forensic station, then use MacForensicsLab to image the drive. That being said, if for some reason you need to keep the drive inside the machine, you can reset the system administrator password using the Mac OS X installation CD/DVD.

An easy way to reset passwords is to boot from the original OS install CD/DVD and select Password Reset from the Utilities menu.

On Macs without CD/DVD drives, you can reboot the Mac into OS X Utilities mode by restarting the machine and holding down the “command-r” keys. Once OS X Utilities appears on screen, select Terminal from the Utilities menu. At the prompt enter resetpassword and then press Enter.

A Reset Password window will appear. You can select the volume you would like to have the Admin password reset, and then enter a new password for the selected volume.

Doing this will destroy the forensic integrity of the suspect drive so make sure you do this on a copy of the suspect drive.
 


Finding Recent Google Searches

Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it is very likely that search information can be found if a suspect uses Safari. Knowing what a suspect recently searched for can be helpful to an investigator or help prove intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Safari.plist. (This is also the main plist that needs to be trashed if Safari crashes upon opening or pages refuse to load.) This file contains a section titled "RecentSearchStrings": the last 10 items that have been searched for in the Google toolbar of Safari. Clearing the browser history in Safari does not clear this information. The same file also shows the most recent files downloaded from Apple and the last search made on the Apple website.
 


Finding Disk Images that Have Been Burnt to CD/DVD

Disk Images (.dmg) are very common on Mac OS X. Disk Images allow both compression and password protection, so they are very common for the distribution of software over the internet. When opened, Disk Images mount as a drive in the Finder.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.DiskUtility.plist. Inside this file is a section called “DUSavedDiskImageList” that shows the most recent disk images that have been used and burned by Disk Utility, including pathname locations. It also gives the name of the device that burned them and the serial number of that device.
 


Finding the Last iPod Connected to Mac OS X

iPods are popular devices for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by the system. Being able to prove a specific iPod was connected to a suspect machine can be beneficial to an investigation.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.iPod.plist. This file shows the serial number, firmware, and model of the last Apple iPod connected to the suspect drive. This will allow the investigator to track down the iPod used and see if there may be further evidence contained on it.
 


Finding Recently Viewed Pictures in Mac OS X

The default image browsing application in Mac OS X is Preview. It is a popular program for viewing images, as it supports a large number of file formats and provides a simple user interface. Finding recently browsed images can help direct an investigator to files of interest or help prove intent.

Use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.Preview.bookmarks.plist. This file shows files recently viewed using Preview (files opened in the program Preview.app, with the newest on top), including the path to the file on local drives and network file servers.
 


Recently Accessed Items in Mac OS X

Showing the applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number, but most leave it set to the default.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.recentitems.plist. Inside this file you will find recent applications, documents, and servers accessed on the suspect computer. The list includes applications and documents on local and network drives and includes the user that accessed the file (sometimes the user is different if it was accessed on a remote server). It also shows PC shared files accessed through a Workgroup and the access path used to open the files. Some of the file pathnames could be the most forensically useful, as well as the applications used and documents opened.
 


Recently Opened QuickTime Files

QuickTime is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played using QuickTime Player can help an investigator show intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.quicktimeplayer.plist. This file shows recently viewed movies and audio clips (any files opened in the program QuickTime Player.app). This file also shows “NSNavLastRootDirectory”, the default directory (last accessed) that was used for opening each movie. The pathnames and document names inside this file could be useful for your forensic investigation.
 


Finding Remote Desktop Connections

Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.RemoteDesktop.plist. This file shows all the machines this Mac has controlled or viewed with Apple Remote Desktop. It also includes information about the connection, such as the remote machine’s MAC address, IP, name, and the time and date. The file also stores information that could be of other forensic interest, including saved tasks for Apple Remote Desktop. You can find more information on stored task data here.
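The tips above, from the Finder plist through the Remote Desktop plist, each name a preference file and in several cases the key to look at. The script below gathers those into one pass over a user’s Preferences folder. It is an added example, not MacForensicsLab’s own code: the file names and key names are the ones the tips give, nothing is assumed about the shape of a key’s value (binary data is reported by length, lists are truncated, missing keys come back as None), and files for which the tips name no key get a listing of their top-level keys instead. To run offline it writes a constructed Preferences folder into a temporary directory; the URLs, search terms, paths and serial in it are invented, and one file is deliberately corrupt to exercise the error path.

```python
"""Summarise the preference keys named in the tips above across several plists.

Added example, not MacForensicsLab code. Key names come from the tips; the
sample values written for the demo run are constructed.
"""
import os
import plistlib
import tempfile

# plist file name -> keys the tips call out (empty list: just list top-level keys).
KEYS_OF_INTEREST = {
    "com.apple.finder.plist": ["FXConnectToLastURL", "CFURLAliasData", "recent-folders"],
    "com.apple.Safari.plist": ["RecentSearchStrings"],
    "com.apple.DiskUtility.plist": ["DUSavedDiskImageList"],
    "com.apple.quicktimeplayer.plist": ["NSNavLastRootDirectory"],
    "com.apple.iPod.plist": [],
    "com.apple.recentitems.plist": [],
    "com.apple.Preview.bookmarks.plist": [],
    "com.apple.RemoteDesktop.plist": [],
}


def describe(value):
    """Render a plist value compactly without assuming its inner layout."""
    if isinstance(value, bytes):
        return "<%d bytes of data>" % len(value)
    if isinstance(value, list):
        return [describe(v) for v in value[:10]]
    if isinstance(value, dict):
        return {k: describe(v) for k, v in value.items()}
    return value


def summarize_prefs(prefs_dir):
    """Return {file: {"status": "missing"|"unreadable"|"ok", "keys": {...}}}."""
    report = {}
    for name, keys in KEYS_OF_INTEREST.items():
        path = os.path.join(prefs_dir, name)
        if not os.path.exists(path):
            report[name] = {"status": "missing"}
            continue
        try:
            with open(path, "rb") as f:
                data = plistlib.load(f)  # plistlib sniffs XML vs binary from the header
        except Exception:  # truncated, not a plist, or an unsupported format
            report[name] = {"status": "unreadable"}
            continue
        if not isinstance(data, dict):
            report[name] = {"status": "ok", "keys": {"<top-level>": describe(data)}}
        elif keys:
            report[name] = {"status": "ok", "keys": {k: describe(data.get(k)) for k in keys}}
        else:
            report[name] = {"status": "ok", "keys": {"<top-level keys>": sorted(data)}}
    return report


def build_sample_prefs():
    """Write constructed plists (one binary, the rest XML) to a temp dir; return it."""
    d = tempfile.mkdtemp(prefix="prefs_")
    samples = {
        "com.apple.finder.plist": {
            "FXConnectToLastURL": "afp://fileserver.example.internal/Shared",
            "CFURLAliasData": b"\x00\x00\x00\x00constructed-alias-record",
        },
        "com.apple.Safari.plist": {"RecentSearchStrings": ["disk image password", "train tickets"]},
        "com.apple.quicktimeplayer.plist": {"NSNavLastRootDirectory": "/Users/suspect/Movies"},
        "com.apple.iPod.plist": {"Devices": {"CONSTRUCTED-SERIAL": {"Family ID": 1}}},
    }
    for name, content in samples.items():
        fmt = plistlib.FMT_BINARY if name == "com.apple.Safari.plist" else plistlib.FMT_XML
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(content, f, fmt=fmt)
    with open(os.path.join(d, "com.apple.DiskUtility.plist"), "wb") as f:
        f.write(b"not a plist")  # deliberately corrupt, to show the unreadable branch
    return d


if __name__ == "__main__":
    for name, entry in summarize_prefs(build_sample_prefs()).items():
        print(name, entry)
```

Reporting a key as `None` rather than skipping it keeps the output shape stable from one machine to the next, which makes it easier to spot that a key the tip expects is absent on a particular system.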
 


View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

You can use MacForensicsLab’s Salvage function to salvage the contents of these folders and show the cached information. This will show you websites that have been browsed whose files have not been overwritten, as well as present cache files that have not been flushed.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located at: ~/Library/Caches/Safari
  • The default storage location for Firefox’s web cache is: ~/Users/“USERNAME”/Library/Caches/Firefox/Profiles/”COMPUTERCODE.default”/Cache

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may also be of interest to investigators. They can be viewed using the same process as the web caches.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.
 


Unfreezing A FireWire Bus That Has Hung

On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it.

If a hard drive freezes your FireWire bus and hangs your machine, you can make the system reset the bus by plugging a second device into the chain. The Mac will immediately rescan the bus, and this will sometimes unfreeze it. If these steps fail to unfreeze the FireWire bus you will need to shut the machine down and restart the computer. You can resume your drive acquisition in MacForensicsLab after unfreezing the bus by checking the “Resume a previous recover.” box under the Acquire function and selecting the previous image when prompted.
 


Sleepimage in Mac OS X

The sleepimage is a file that Mac OS X uses to store the contents of active RAM when a machine is put to sleep. This information is stored to allow the OS to restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping.

For an investigator, the sleepimage may contain information that could be valuable to an investigation. This information may show what a suspect was doing before they put their computer to sleep and may include incriminating evidence that could lead to a conviction.
The sleepimage file can be found in the following location on a Mac OS X system:
/private/var/vm/sleepimage

Please note that this is a hidden file that isn’t normally visible from the Finder. Computer forensics programs such as MacForensicsLab can be used to view the sleepimage location and the contents of the sleepimage file.
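Since the sleepimage is a raw copy of RAM, the usual first look at its contents is a printable-strings pass with a keyword filter, the same thing the classic strings utility does. The script below is an added example, not MacForensicsLab code: it extracts printable ASCII runs with their file offsets, filters them by keyword, and streams the file in chunks so an image of several gigabytes need not fit in memory, taking care that a string cut by a chunk boundary is reported once and whole. The sample buffer is constructed by hand (a few ASCII runs between filler bytes); the path, URL and subject line in it are invented. Run it against a copy of the file on the examiner’s station, not the live system file.

```python
"""Printable-string extraction with a keyword filter, for memory-style images.

Added example, not MacForensicsLab code. SAMPLE_IMAGE is a constructed
stand-in for a slice of a sleepimage copy.
"""
import re
import tempfile

SAMPLE_IMAGE = (
    b"\x00\x01\x02mach_kernel\x00\xff\xfe"
    b"afp://fileserver.example.internal/Shared\x00\x00"
    b"\x7f\x80ab\x00"                       # too short to count as a string
    b"Subject: meeting at 4pm\r\n\x00\x00"  # CR and LF end the run
    b"/Users/suspect/Documents/plan.pdf\x00"
)


def extract_strings(data, min_len=6):
    """Yield (offset, text) for each run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def grep_strings(data, keywords, min_len=6):
    """Strings that contain any keyword (case-insensitive), with their offsets."""
    kws = [k.lower() for k in keywords]
    return [(off, s) for off, s in extract_strings(data, min_len)
            if any(k in s.lower() for k in kws)]


def scan_file(path, keywords, min_len=6, chunk=1 << 20):
    """Stream a large file through grep_strings.

    A printable run touching the end of a chunk is held back and re-scanned
    together with the next chunk, so a string crossing the boundary is
    reported once, whole, at its true file offset.
    """
    hits = []
    carry, carry_off, pos = b"", 0, 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            data = carry + buf
            if not data:
                break
            data_off = carry_off if carry else pos
            tail = re.search(rb"[\x20-\x7e]+\Z", data) if buf else None
            limit = tail.start() if tail else len(data)
            hits.extend((data_off + off, s)
                        for off, s in grep_strings(data[:limit], keywords, min_len))
            carry, carry_off = data[limit:], data_off + limit
            pos += len(buf)
            if not buf:
                break
    return hits


def write_sample_file(copies=3):
    """Write the constructed sample, repeated, to a temp file; return its path."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".img") as f:
        f.write(SAMPLE_IMAGE * copies)
    return f.name


if __name__ == "__main__":
    for off, s in scan_file(write_sample_file(), ["subject", ".pdf", "afp://"]):
        print("0x%08x  %s" % (off, s))
```

Offsets matter here: once a string of interest is found, the examiner usually wants to look at the surrounding bytes in a hex viewer, and the offset is what gets recorded in notes. A small chunk size in the test (50 bytes against a 125-byte sample) forces several boundary splits and checks that the streaming scan agrees with a single in-memory scan.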
 


Finding the system time and date on a Mac


Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction.

Macs sold after March of 2001 will most likely have Mac OS X loaded on them, and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).

Determining if a firmware password is set

Before you can boot into Single User Mode, you must first determine whether the user has set a firmware password on the system. A firmware password would prevent the investigator from booting into Single User Mode to determine the system’s time and date. The firmware password can be reset, but doing so also resets the system time. To determine whether a firmware password is set, do the following:

  • Power on the Mac while holding down the Option key.
    • If you are presented with a screen showing the bootable partitions on the system, then there is no firmware password set.
    • If you are presented with a password screen, then there is a firmware password and you will not be able to boot into Single User Mode.
  • Once you have determined whether there is a firmware password, power the Mac down by holding the power button until the system powers off.

Finding the system date and time via Single User Mode

  1. Press the Power button and immediately hold down the Command (Apple) and S keys. Doing so will make the Mac boot into Single User Mode.
  2. Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer’s current date and time along with the user-configured time zone.
  3. You can then power down the computer safely.
  4. Another option for finding the Mac’s system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.

     


Finding the Original Registrant of Mac OS X


When Mac OS X is run for the first time after installation, the user is prompted to enter registration information such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and is also used to populate the administrator’s information within the Address Book and for auto-fill forms within Safari.

When attempting to locate the original registered owner of a Mac OS X installation with MacForensicsLab, look for the file titled “Sendregistration.setup” in ~Users/“USERNAME”/Library/Assistants/. In certain situations (e.g. when there is no internet connection present at the time of registration) the file “Sendregistration.setup” is still within this directory and can contain the original registration content.

A secondary location for information on the original registrant of a computer running Mac OS X is the file titled AddressBookMe.plist, located in ~Users/“USERNAME”/Library/Preferences/. Using MacForensicsLab’s Analyze function (ASCII view within that section) on that file will reveal the original owner’s registration.


Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles//
Windows XP & 2000: C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles
or
C:\Windows\Profiles\Application Data\Mozilla\Firefox\Profiles
Windows NT 4.x: C:\Winnt\Profiles\Application Data\Mozilla\Firefox\Profiles
Unix: ~/.mozilla/firefox//

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites never to save passwords for. The encryption key is contained in the file called key3.db.

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.

Update!

If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.



iPhone Artifacts

iPhones and iPod Touches with firmware version 2.0 or later call home periodically to see if any applications have been blacklisted by Apple. This allows Apple to disable malicious applications on iPhone and iPod Touch users’ devices. The iPhone and iPod Touch check the following URL for any blacklisted applications:

https://iphone-services.apple.com/clbl/unauthorizedApps



Recovering Email from Mac OS X Mail

Since the release of Mac OS X, Mail.app has been the default email application. Mail stored emails in .mbox files until the release of Mac OS X Tiger 10.4, at which point Apple changed the default file type to .emlx. The instructions below outline the process used to recover and investigate the contents of these formats.

When looking for email on a suspect Mac OS X drive, the standard location for stored email is ~/Users/“USERNAME”/Library/Mail.

You can use either the Analyze or Salvage functions of MacForensicsLab to examine Mail files.

• To use the Analyze function, use a search query of “.mbox” for systems from Mac OS X 10.0-10.3 and “.emlx” for Mac OS X 10.4 Tiger and higher.
• When using the Salvage function, direct the search to ~/Users/“USERNAME”/Library/Mail and do a Salvage of that location. Both .mbox and .emlx files will automatically be found.
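Once the Mail folder has been located, both formats can be read with the Python standard library. The script below is an added example, not MacForensicsLab code. It assumes the .emlx layout of a first line holding the byte count of the message, the raw RFC 822 message of that length, and then an XML plist trailer carrying Mail’s flags; .mbox files are read with the `mailbox` module. It walks a Mail tree and yields a header summary for every message it finds, treating an `X.mbox` directory (the 10.4+ layout, which holds Messages/*.emlx) and a flat `.mbox` file (the older layout) differently. So that it runs offline it builds a constructed Mail tree in a temporary directory with two invented messages.

```python
"""Walk a Mail folder and read both the .emlx (10.4+) and .mbox (10.0-10.3) formats.

Added example, not MacForensicsLab code. Addresses, subjects and dates in
the sample data are invented.
"""
import email
import mailbox
import os
import plistlib
import tempfile
from email import policy

SAMPLE_MESSAGE = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: Constructed sample message\r\n"
    b"Date: Sun, 01 Mar 2009 14:05:00 -0500\r\n"
    b"Message-ID: <constructed-0001@example.invalid>\r\n"
    b"\r\n"
    b"Meet at the usual place.\r\n"
)


def build_emlx(message_bytes, flags=0):
    """Assemble an .emlx blob: byte-count line, raw message, plist trailer."""
    trailer = plistlib.dumps({"flags": flags})
    return str(len(message_bytes)).encode("ascii") + b"\n" + message_bytes + trailer


def parse_emlx(data):
    """Return (EmailMessage, trailer dict) from an .emlx blob."""
    nl = data.index(b"\n")
    count = int(data[:nl].decode("ascii").strip())
    raw = data[nl + 1:nl + 1 + count]
    trailer = data[nl + 1 + count:]
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = plistlib.loads(trailer) if trailer.strip() else {}
    return msg, meta


def summarize(msg):
    """Plain-string header summary, independent of which parser produced msg."""
    return {h.lower(): (str(msg[h]) if msg[h] is not None else None)
            for h in ("From", "To", "Subject", "Date", "Message-ID")}


def find_mail(mail_root):
    """Yield (path, summary) for each .emlx file and each message in a flat .mbox file.

    A 10.4+ 'X.mbox' is a directory; os.walk descends into it to reach the
    .emlx files, and the isfile() check keeps it from being opened as an mbox.
    """
    for dirpath, _, files in os.walk(mail_root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.endswith(".emlx"):
                with open(path, "rb") as f:
                    msg, _ = parse_emlx(f.read())
                yield path, summarize(msg)
            elif name.endswith(".mbox") and os.path.isfile(path):
                for m in mailbox.mbox(path):
                    yield path, summarize(m)


def build_sample_mail_root():
    """Constructed ~/Library/Mail look-alike with one .emlx and one flat .mbox."""
    root = tempfile.mkdtemp(prefix="Mail_")
    msgs_dir = os.path.join(root, "Mailboxes", "INBOX.mbox", "Messages")
    os.makedirs(msgs_dir)
    with open(os.path.join(msgs_dir, "1.emlx"), "wb") as f:
        f.write(build_emlx(SAMPLE_MESSAGE, flags=1))
    older = SAMPLE_MESSAGE.replace(b"Constructed sample message", b"Older message in mbox")
    mb = mailbox.mbox(os.path.join(root, "Mailboxes", "Old.mbox"))
    mb.add(older.replace(b"\r\n", b"\n"))  # mbox is a line-oriented, LF-separated format
    mb.flush()
    mb.close()
    return root


if __name__ == "__main__":
    for path, summary in find_mail(build_sample_mail_root()):
        print(os.path.basename(path), summary)
```

The Message-ID and Date headers are the values worth recording: the first ties a recovered message to copies found elsewhere (a server, another mailbox), and the second carries the sender’s clock and UTC offset rather than the file system timestamp.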

Tips – Field Triage (M – Z)

Here’s part two of our Field Triage Tips (from M – Z).

Forensic triage is the practice of searching and analyzing a digital device (computer, smart phone, or tablet) in the field or at the crime scene. In many investigations crucial digital evidence is needed while still at the scene. The traditional method of seizing a device, transferring it to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.

 


MacLockPick

MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems and storage media back to the lab for more detailed investigation after field triage has concluded.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, and missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.

MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect’s running computer. Once the MacLockPick software is run it will extract the requisite data, giving the examiner fast access to the suspect’s critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is the only cross-platform solution on the market and therefore offers the best chance of successfully capturing data critical to any investigation involving running computers. In addition, MacLockPick is minimally invasive, providing results that can hold up in a court of law.
 


Maintain the Validity of Evidence

Triage tools are a powerful addition to any forensic investigator’s toolbox. One important aspect of a triage tool is that it minimizes the chance of costly mistakes and the potential for altering a suspect’s system, which may cause loss of evidence. First responder triage tools like MacLockPick are designed to minimize the footprint left on the suspect system and ensure that the validity of the suspect evidence is maintained.
 


Modification of Suspect Systems

One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the suspect evidence inadmissible in court. A good live forensics tool should be designed to minimize the footprint on the suspect's system, and the footprint left by the tool should be verifiable and reproducible. This allows the investigation to show that no modifications were made to the evidence through use of the live forensics tool. Verifying MAC times (modify, access, and create times) can also help establish the time context.


Network Artifacts

In these increasingly connected times, most computers are connected to some sort of network. Information about current network connections can help direct an investigation or show examiners new areas that may be of interest. Using a triage tool like MacLockPick can show an examiner a suspect's ARP table, open interfaces, and netstat activity.


Often Overlooked but Beneficial Artifacts

Any information that allows an investigator to paint a better picture of a suspect's activities can be beneficial to an investigation. The clipboard can often contain contents showing what a suspect was recently doing on their system. A screenshot of the suspect system records its current state at the moment investigators first came into contact with the machine. MacLockPick can capture both of these items for later examination.


Order of Volatility

When collecting data for a computer forensic investigation, you want to collect the most volatile data first, as it will be lost the quickest. The order of volatility shows which data will be lost first.

  1. Memory contents
  2. Swap files
  3. Network processes
  4. System processes
  5. File system information
  6. Raw disk blocks

Memory contents, swap files, network processes, and system processes will all be lost when the suspect system is shut down.


Scripted Incident Response

Keeping track of what has been done is an important part of the first responder's job. By scripting the required procedures, an investigator can make sure no steps are missed. Scripting the processes run on a suspect computer can also help authenticate any changes made to the machine during a live forensic investigation.
 


Stop Drug Crimes

Drug trafficking has reached epidemic levels in some countries. These criminals are also more commonly using digital means to organize their criminal networks. Through the use of specialized forensic tools like MacLockPick and MacForensicsLab, an investigator can search for evidence common to drug crimes. Spreadsheet files, documents and databases can easily be located using keyword searches.


Target Child Pornography

Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the essence, specialized tools can make a big difference.


The Focus of Computer Forensic Triage

Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc., and which should never be done at all. Applied to the forensic examination process, it determines which data should be investigated first, second, etc., and which data should not be investigated at all. Triage considers the value of investigating, the complexity, the cost, and the order in which the investigation should be carried out.

The focus of forensic triage is to:

  1. Find useable evidence quickly
  2. Identify possible victims that may be at risk
  3. Direct the ongoing investigation
  4. Identify potential charges
  5. Assess the possible danger the suspect poses to society


The Triage Phase

The triage phase of the investigation is the foundation on which the phases after it will be built. All potential evidence must be considered (computer systems, disks, CD/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains evidence relevant to the investigation. An investigator will still need to review the evidence collected in the triage phase at a later time in the lab.


Time Considerations

Considering the time each process will take within an investigation is important. The time cost of every activity in an examination must be weighed against the potential return from the results of that activity. In general, it is best to perform tasks that can be done quickly first.


Timing is Critical

Timing is critical throughout an investigation and even more so at its beginning. During the early stages of the investigation it is critical for the investigator to have detailed knowledge of the crime or the involvement of the suspect, and of possible triggers that may increase the suspect's willingness to cooperate or confess. It has been shown that suspects are more vulnerable and more likely to cooperate within the first several hours of their initial contact with police. By using triage tools to quickly acquire critical suspect data during the early stages of an investigation, an investigator can increase the likelihood of an arrest and confession.


Triage is Proven in the Field

The benefits of field triage have been proven. It has been shown that quick and effective analysis of suspect evidence can be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect others from becoming future victims of crime.


Triage Provides Direction for Investigations

Triage at the scene helps to provide time-sensitive investigative and interview leads. It also helps to provide direction for later investigation back at the lab. The information acquired through the use of triage tools can point investigators in the lab to information of relevance to the case.


USB Device History

USB has become one of the main standards for connecting all types of devices to computers. With the dropping prices of personal flash drives, they have become a popular way to transfer information from computer to computer. With MacLockPick an investigator can quickly gather information about the various USB devices that have been connected to a suspect's Windows machine. This may point them to other potential evidence in their case.


Verification of System Information

Being able to confirm that no changes have been made to a suspect's system or evidence between the time of seizure and the lab investigation can be important should the integrity of the evidence be called into question at trial. By using MacLockPick to record the suspect system's configuration, including username, computer name, operating system, processor, RAM, model, UUID and more, an investigator can have verifiable proof that no changes have been made during the investigation.


What is Live Forensics?

Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize the impact on the integrity of data while collecting evidence from the suspect system.




Tips – Field Triage (A – L)

Forensic triage is the practice of searching and analyzing a digital device (computers, smartphones, and tablets) in the field or at the crime scene. In many investigations crucial digital evidence is essential while still at the scene. The traditional method of seizing the device(s), transferring them to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.


Adhere to Commonly Held Forensic Practices

Having a computer forensic triage model in place for first responders is important. It is also important that the model adheres to commonly held forensic practices and does not interfere with the ability to later analyze the suspect computer more thoroughly back at the lab. The integrity of the suspect data must be ensured at all times during the process.


Assess the Danger a Suspect Poses

Through the use of field triage and live forensics tools, an investigator can not only gather evidence against a suspect but also use the data gathered to assess the possible risk that an offender poses to others in society. By evaluating the evidence of crimes committed, they can ascertain the possibility of the offender committing further crimes against others.


Automate When Possible

Even small errors in the investigative process on a suspect's machine may mean the difference between a conviction and a criminal going free. To minimize the risk of errors, automation should be used whenever possible. Products like MacLockPick allow the investigator to choose from many automated tasks to be carried out. This helps to ensure that the results will be consistent and verifiable should they be challenged in court at a later time.


Automated Triage

Time is an important factor in any criminal investigation, both in time-critical cases such as child abduction, kidnapping, death threats, missing and exploited children, etc., and in dealing with the backlog of evidence that many agencies are experiencing in this increasingly digital age.

Automated triage tools allow forensic examiners and investigators to focus on other critical tasks while the triage process is taking place. Automation also decreases the risk of human error and ensures that all bases are covered with regard to the data acquired for the investigation. By using "set it and forget it" automation, triage tools can be capturing important suspect information while leaving investigators free to deal with other important investigative tasks.


Browser Artifacts

Web browsers create a number of artifacts that can be of interest to an investigator during the triage stage of an investigation and later on during the formal lab investigation. While different browser applications vary, they all create cookies, caches, and other temporary internet files that can contain a wealth of information about the history of a suspect's online activities. Searching these files can be very beneficial to an investigation but can also take a lot of time. Applications like MacLockPick can significantly cut down on the time required to analyze these files and find evidence relevant to the investigation.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective. SubRosaSoft Cache Detective is an easy-to-use utility for reading the cache of many browsers and chat applications and extracting the files currently stored in their cache folders.


Capture Running Processes

Knowing what a suspect was doing on their computer before an investigation begins can be helpful to most examinations. All running applications open processes on the suspect's system. MacLockPick can capture a list of the processes running on a suspect system to show an investigator exactly what the suspect was doing at the time.


Cases where Less Traditional Workflows are Required

While more traditional workflows may work for most cases, when it comes to time-critical cases such as child abduction, kidnapping, missing persons, death threats, etc., a different approach is needed. These situations require quick acquisition and analysis of the available evidence to give investigators as much information as possible in the shortest period of time, when it really matters. Cases like this require fast-working triage tools to get the evidence to the investigators in the shortest time possible.


Catching a Murderer

Criminals always leave a trail for investigators to find. Zeroing in on this critical data can be difficult at times, but the use of specialized tools can make the search quicker and easier. In cases like murder, investigators may find contents such as the suspect's Google search and email history to be of interest. MacLockPick can quickly analyze and display this information to speed the investigative process.


Computer Forensic Field Triage Process Model

The Computer Forensic Field Triage Process Model (Rogers, Goldman, Mislan, Wedge, Debrota, 2006) outlines the process and phases of a triage investigation. This process model is a general outline for the field triage process. It is important to qualify the needs of the investigation first, as this model is not appropriate for every investigative situation.

  • Planning
  • Triage
  • User Usage Profiles
    • Home Directory
    • File Properties
    • Registry
    • Passwords
  • Chronology Timeline
  • Internet
    • Browser Artifacts
    • Email
    • Instant Messages
  • Case Specific

 


Consideration for Common Practices

While time is critical in many investigations, it is important to ensure that procedures used to minimize the time required to find evidence do not interfere with other important considerations of any investigation. The procedures must still adhere to common forensic principles such as minimizing contamination of the original scene and the evidence, complying with rules of evidence to ensure that it is admissible in court at the Federal and State levels, and maintaining the chain of custody. Well-designed field procedures should account for all of these commonly held practices.


Departure from The Norm

The Computer Forensic Field Triage Process Model may be a bit difficult for some investigators to get used to at first, as it is a bit backwards from what they have been taught to do in most investigations. In many cases investigators have been taught never to touch a suspect computer and simply unplug it to prevent any alterations to evidence on the machine. In cases where time is critical, it may be necessary to depart from the commonly held forensic principles in order to get the evidence in time to make a difference.


Email Artifacts

Email is a valuable tool for all online users. It is also a common tool used by criminals. The information found in the email messages of a suspect can help to direct an investigation and may help secure a conviction. The procedure to examine email evidence can be time consuming. The use of tools like MacLockPick and MacForensicsLab can significantly cut down on the amount of time it takes to examine email evidence and zero in on suspect data.


Evidence has Gone Digital

The increase in technology also changes our concept of what constitutes evidence in a criminal investigation. Where previously most evidence was physical or document based, the large majority of evidence has now gone electronic and is stored on hard drives, digital media, and web accounts. Computers and smartphones have become the main source of evidence in many crimes where they used to be only one of many small parts of the illegal act.

Computer crimes are becoming more common, and proper procedures and tools are needed to meet these challenges.


Feedback from Triage

There are many benefits to field triage, such as on-site access to evidence.

An additional benefit of performing triage on the scene is the feedback that can be given to investigators. This allows the computer forensic analyst to modify their search based on feedback from investigators and those that may be in contact with the suspect.


Field Triage Tool Benefits

The use of forensic triage tools can increase the effectiveness of any investigation.

Through the use of forensic triage tools an investigator can quickly:

  • Gain access to evidence that may allow them to secure a warrant or confession.
  • Determine if a computer/system requires further analysis.
  • Eliminate or dismiss a computer/system from further analysis.
  • Determine key areas for further investigation.
  • Ensure the acquisition of evidence that would be lost by powering the computer/system down.
  • Acquire a snapshot of the suspect system's current state before seizure.



Financial Crimes

Financial crimes such as currency counterfeiting, money laundering, and intellectual property crime affect all levels of society. When searching for evidence of a financial crime, a search for documents such as spreadsheets and images of checks or potentially fraudulent financial materials may be high on the list of priorities. Documents for financial applications such as MS Money, Quicken, and QuickBooks may also contain items of interest.


Finding Evidence Quickly

Finding usable evidence quickly is one of the most important focuses of field triage and live forensics. Being able to zero in on suspect evidence quickly can be very important to an investigation. It may give an investigator new leads, help secure a confession and conviction, or be the difference between life and death for a victim.


First Responders

First responders must be very aware of their tasks when first arriving to perform forensic triage. The efforts of the first responder are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. The initial response to an incident is more important than later technical analysis of the computer system, as actions taken by the first responder can greatly impact the subsequent laboratory examinations of the computer/system. The success of evidence recovery and prosecution depends on the actions of the individual who initially responds to the scene.


Guide an Ongoing Investigation

Field triage and live forensics are key to acquiring critical evidence in an active investigation. This information can be used to guide an investigation. The information obtained through the on-site investigation of a suspect computer can give examiners new leads to pursue. The acquired information may also point investigators to new suspects or victims they were previously unaware of.


Identify Criminal Charges

The use of triage on scene and live forensic tools can identify evidence that can lead to potential charges. Quickly finding proof of a crime committed can help the investigation secure an arrest warrant and bring forth formal charges against a suspect. Live forensics can play a critical role in this process.


Identify Victims of Crime

The use of field triage can help to identify current and possible future victims. By quickly examining the evidence on the scene, a forensic examiner may be able to guide the investigation to possible victims of a crime. They may also be able to identify those who are at risk of becoming future victims.


Importance of Volatile Data

Capturing information about the current state of a suspect computer before powering it down is important to a forensic investigation. There is a wealth of volatile data that can be lost once the suspect's computer is powered down. This information may help direct an investigation in the early stages and can be beneficial during other stages of the investigation. First responder triage tools can capture this important data, which can play a critical role in every investigation.

Important information that may be lost when the computer is powered down may include:

  • Clipboard contents
  • Attached device listings
  • Open network ports
  • Current running applications and processes
  • Temporary cache files
  • Active memory contents
  • Connected network drives
  • Active peer-to-peer connections
  • And more…



Instant Message (IM) Artifacts

Instant messaging is a common method of communication on the internet. Many instant message programs store contact lists along with chat histories. This information can be useful to an investigation, as it can provide new leads, help secure a confession, or help to prove intent.


Internet Artifacts

Almost every investigation will involve the analysis of internet artifacts. Web browsing caches store records of sites a suspect has visited. Emails may help to prove intent or correlate other events. Instant message conversations can contain evidence that could help to secure a conviction. The investigator must weigh the time cost of investigating such artifacts, but with specialized tools such as MacLockPick, the time required to analyze such data can be greatly reduced.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.

