
Our New Site Redesign Benefits You

Thank you for your interest in We have been committed to providing great software for forensics and eDiscovery professionals for over 10 years.

To continue our service to the law enforcement, eDiscovery professionals, and Macintosh communities, we have redesigned our web site — bringing a whole new look, as well as support for mobile technologies, and a streamlined shopping experience. It is also much easier to share articles, tips, and product information.

If you previously had an account with us, you will need to create a new account on this site. Obviously, you won’t see prior orders — only current and future orders — but don’t worry. We have retained all previous order information. Simply email our Support staff if you need information on older orders.

We did have to trim a few things with the new site. You might have reached this page from an old link to a discontinued product we no longer offer, or while looking for an article whose information is no longer relevant. These items either didn’t fit with our current product focus, or have lost their usefulness with developments in technology.

Again, thanks for choosing!



Security Sites

This resources page contains a list of 11 security sites.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

Recommended Site - Help Net Security

Help Net Security (HNS) is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters to a large number of Information Technology readers specifically interested in computer security. Besides covering news from around the globe, HNS focuses on quality technical articles and papers, vulnerabilities, vendor advisories, and the latest viruses and malware, and hosts the largest security software download area, with software for Windows, Linux, Mac OS X and Windows Mobile.

Recommended Site - The Honeynet Project

The Honeynet Project is a non-profit (501(c)(3)) volunteer research organization dedicated to learning the tools, tactics and motives involved in computer and network attacks, and to sharing the lessons learned.


MacForensicsLab Recommended Site - Security Focus

Security Focus – a good source of security information on the Internet.

Quoted from the Security Focus “about” page

Since its inception in 1999, SecurityFocus has been a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we’ve strived to be the community’s source for all things security related. SecurityFocus was formed with the idea that community needed a place to come together and share its collected wisdom and knowledge. At SecurityFocus, the community has always been our primary focus. The SecurityFocus website now focuses on a few key areas that are of greatest importance to the security community.

  • BugTraq is a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq serves as the cornerstone of the Internet-wide security community.
  • The SecurityFocus Vulnerability Database provides security professionals with the most up-to-date information on vulnerabilities for all platforms and services.
  • SecurityFocus Mailing Lists allow members of the security community from around the world to discuss all manner of security issues. There are currently 31 mailing lists; most are moderated to keep posts on-topic and to eliminate spam.

Recommended Site - Forensic Science Communications

Forensic Science Communications (FSC) is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists. Forensic Science Communications supersedes the Crime Laboratory Digest. Online access is free and archives date back to 1999.

Forensic Science Communications premiered in April 1999 and ended in April 2010. The back issues have been archived and made available for review.

Recommended Site - Computer Security Institute

Computer Security Institute serves the needs of Information Security Professionals through membership, educational events, security surveys and awareness tools. Joining CSI provides you with high quality CSI publications, discounts on CSI conferences, access to on-line archives, career development, networking opportunities and more.

Recommended Site - The CERT Program

The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).

Recommended Site - (formerly

Continuously updated information about new viruses: how they spread and operate, with detailed analysis of virus algorithms.

Recommended Site -

An internet security site and the home of the popular Nmap network security scanner.

Recommended Site - Security Tracker

SecurityTracker is a service that helps you keep track of the latest security vulnerabilities. They monitor a wide variety of Internet sources for reports of new vulnerabilities in Internet software and services, and provide their users with a timely and reliable source of vulnerability notification.

Recommended Site - Packet Storm

.:[ packet storm ]:. – Information and computer security full disclosure web site.

Recommended Site -

SecuriTeam is a group within Beyond Security dedicated to bringing you the latest news and utilities in computer security.

was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. Headquartered in Guardian Digital’s offices in Allendale, New Jersey, the site’s editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.


macOS related sites

This resources page contains a list of more technical Mac OS related sites. If you are interested in Mac-related technical information, tips and insights, you may want to start with the following list.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

SecureMac was historically one of the best sites for information on Mac security topics. Definitely a recommended read.

Quoted from the site:

Mac security is a more serious problem than most people think. It’s true that Macintosh computers have lower security risks than the average PC, but running security software for Macs is every bit as essential.
SecureMac has operated at the cutting edge of Apple security for over a decade. We produce some of the best security software for Mac computers on the market. And we’ve won the awards to prove it.
If you’re reading this right now, you’ve probably realized that securing your Mac against malware and privacy threats is important. If you want to keep your Mac secure, you’ve come to the right place.



MacUpdate is an app/software download website that simplifies finding, buying and installing apps for your Macintosh computer. It is updated daily and currently carries more than 40,000 Macintosh applications for download.


MacForensicsLab for Mac OS X

Click here to visit a page on this site about MacForensicsLab for Mac OS X. The software is a complete forensics suite that is fully cross-platform and available on Mac OS X, Microsoft Windows, and Linux.

This product is owned and produced by the owners of this website, and the page you will be linking to is inside this website.

is a news aggregator site for Mac OS X news sites. A handy site to find links to all things happening in the Mac world.


Stuffit Expander

In earlier days the Mac OS stored compressed files using a program called ‘StuffIt’; you may have seen these files around with a suffix of .sit or .sitx. Since OS X version 10.3, zip compression has been built in, but occasionally you will still see legacy files in this format.

The decompression tool is available for free download and runs on Mac and other platforms. You can download the expander by clicking here.




Perhaps the most powerful tool for working with graphic formats. This program can open almost every graphic format ever made, and is well known for its ability to handle “less than perfect” files. Try it for free and see the great features. We recommend this product to all Mac users.


Apple Product Specifications

An official and comprehensive list of specifications for all Apple products. Use this list to get details on past and present features for iPods, Mac computers, iPhones, and much more.


Apple Computer

An official source for security updates on Mac OS X. Users of Mac OS X can also get all their updates by selecting ‘Software update…’ from the Apple menu on the top left corner of the screen, or simply by waiting for the process to be performed automatically.

Quoted from the Apple site:

This document outlines security updates for Apple products. For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.


MacFixIt of Cnet

MacFixIt, now part of CNET, provides the latest news, reviews of software and hardware products, and the latest workarounds and solutions to technical roadblocks and frustrating barriers.



MacInTouch is an independent journal providing timely, reliable news, information and analysis about Apple Macintosh and iPhone/iOS platforms.


Mac OS X Hints

The Mac OS X Hints site gives handy tips and tricks for all things Apple.

Quoted from the Mac OS X Hints website:

I should first say that OS X public beta was my first real exposure to UNIX, and that’s probably one of the bigger reasons for this site — a good friend of mine is a UNIX wizard, and I’m sure he was getting tired of my calls! While trying to learn the system, I was getting somewhat frustrated at having to jump all over the web to find answers to OS X questions. There are some excellent sites out there (make sure you check out the links pages here), but none that seemed to focus specifically on providing how-to’s in a quick, easy-to-use format.

So in November of 2000, I launched … and in the last five-plus, it has grown into a collection of thousands of hints regarding OS X and related applications, with multiple thousands of comments from experienced users providing even more information. It’s truly a one-stop-shop for OS X hints and how-to’s, and I’m amazed at just how intelligent and friendly the macosxhints community is!

Update — Mac OS X Hints is now a read-only site. There’s still a wealth of great information there that many will find useful.


MacForensicsLab Tips and Tutorials – Part Three


Imaging a Drive via Target Disk Mode

Sometimes an investigator may not have access to a hardware write blocker, or may not be able to remove the suspect drive from the Mac (we do not recommend imaging a drive without a hardware write blocker, but situations may at times necessitate it). In this case the investigator can connect the suspect Mac to the forensic workstation using Target Disk Mode. Target Disk Mode makes the suspect Mac behave like an external drive, which can then be connected to a forensic workstation running MacForensicsLab for imaging and examination.

  1. The first and MOST important step in this process is making sure that Disk Arbitration is disabled. You can do this by following the process for disabling Disk Arbitration found here. Once you have done so, verify that it is disabled: with Disk Arbitration off, Disk Utility will not launch. This ensures that the suspect drive stays forensically sound.
  2. Boot the suspect Mac and hold down the “T” key until a disk icon appears on screen. The suspect machine is now in Target Disk Mode. (Holding “T” at boot applies to Intel-based Macs; Apple silicon Macs instead expose their drive through the Share Disk option in macOS Recovery.)
  3. Connect the suspect machine to your examination workstation. Target Disk Mode supports FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3 (USB-C) ports. Once the suspect drive appears in MacForensicsLab’s Device area, you can proceed with acquiring an image of it (note: the suspect drive will not appear on the desktop, as Disk Arbitration is disabled). A FileVault-encrypted volume is imaged in its encrypted form unless it is first unlocked with the user’s password or recovery key.
  4. Once the image has been created, hold down the power button on the suspect machine until it powers off, then disconnect it from the examination machine.
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or macOS 10.12, please use a hardware write blocker instead.


Starting Points For A Mac OS X Investigation

When processing an investigation of a suspect’s Mac OS X hard drive using MacForensicsLab there are several places where you may want to start your search. These folders are present on all versions of Mac OS X and contain a great deal of information that will help the investigator show intent, and may also give a better idea of where to look next.

A good place to start forensic discovery on any Mac OS X machine is the user’s home folder, /Users/USERNAME/. Within it you will find sub-folders containing large amounts of user data; many peer-to-peer applications create folders here, and user-created folders are often found here as well.

The /Users/USERNAME/Library folder and its sub-folders hold a vast amount of usable forensic material. Sub-folders of interest include Caches, Calendars, Cookies, Keychains, Logs, Mail, Preferences, Recent Servers, and Safari. Any of these can be examined with MacForensicsLab’s Analyze function or Salvage function, depending on the kind of data discovery you are after.

/Users/USERNAME/Documents is the default save location for many applications, and many users store everything from text documents to pictures and movies there.

/Users/USERNAME/Pictures is the default storage location for Apple’s iPhoto. In iPhoto versions before ’08, photos loaded into iPhoto are stored in the iPhoto Library folder here; from iPhoto ’08 on, that folder is replaced by a package with the same name. Many users also store images from other applications in this folder.

/Users/USERNAME/Movies is the default storage location for many video editing applications, including Apple’s iMovie. Many users store video files here.
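As an added example, not MacForensicsLab’s code, here is a POSIX shell script that checks that the evidence volume is mounted read-only and then walks the locations listed above, reporting which exist and how many files each holds, so the examiner can decide where to point Analyze or Salvage first. The mount point /Volumes/Evidence and user name jdoe in the usage comment are assumptions, and the directory tree it is demonstrated on is constructed for the example.

```shell
#!/bin/sh
# Added example (not MacForensicsLab code): triage the per-user artifact
# locations listed above on a mounted evidence volume.
# Assumptions: $1 = mount point of the evidence volume, $2 = short user name.
# The volume is expected to be attached read-only (a mounted acquired image,
# or the suspect disk behind a hardware write blocker).

# Locations under the user's home directory worth examining first. They are
# emitted one per line so that a path with a space (Recent Servers) survives.
artifact_locations() {
  printf '%s\n' \
    "Library/Caches" "Library/Calendars" "Library/Cookies" \
    "Library/Keychains" "Library/Logs" "Library/Mail" \
    "Library/Preferences" "Library/Recent Servers" "Library/Safari" \
    "Documents" "Pictures" "Movies"
}

# Read `mount` output from stdin and succeed only if $1 is listed as a
# read-only mount: macOS prints "read-only", Linux prints "(ro," or "(ro)".
# A sanity guard, not a substitute for a hardware write blocker.
mount_is_read_only() {
  grep -F " on $1 " | grep -Eq 'read-only|\(ro[,)]'
}

# Print one line per location: the relative path and either a file count
# or "absent". Reading a read-only volume does not update access times.
list_user_artifacts() {
  home_dir="$1/Users/$2"
  if [ ! -d "$home_dir" ]; then
    echo "no home directory for user $2 under $1" >&2
    return 1
  fi
  artifact_locations | while IFS= read -r rel; do
    dir="$home_dir/$rel"
    if [ -d "$dir" ]; then
      n=$(find "$dir" -type f | wc -l | tr -d ' ')
      printf '%-24s %6s files\n' "$rel" "$n"
    else
      printf '%-24s %s\n' "$rel" "absent"
    fi
  done
}

# Usage (mount point and user name are assumptions for the example):
#   mount | mount_is_read_only /Volumes/Evidence \
#     && list_user_artifacts /Volumes/Evidence jdoe
```

The read-only check is deliberately separate from the listing so it can be run once, up front, against the real `mount` output; the listing itself only reads directory entries, which a read-only mount records nothing about.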

Turning On Software Write Blocking

When creating a forensically sound image of a suspect drive, care must be taken to ensure that the evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but will not allow the acquisition computer to write data to it, preventing the evidence from being altered.

MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or macOS 10.12, please use a hardware write blocker instead.

If you do not have access to a hardware write blocker and need to image a suspect drive, you can use MacForensicsLab’s Disable Disk Arbitration option to keep the drive from being mounted, and therefore from being written to through the file system. Note that this blocks automatic mounting, not access to the raw device, so it is not equivalent to a hardware write blocker.

The process to use MacForensicsLab to disable Disk Arbitration is as follows.

  1. Turn off Disk Arbitration from the File menu. You can verify that it is disabled by attempting to launch Disk Utility: if Disk Arbitration is disabled, Disk Utility will not launch.
  2. Plug drive in/power-up or insert media card.
  3. Go back to File Menu and select “Rescan Bus”.
  4. Drive/media will now be visible within MacForensicsLab.
  5. Image drive with the Acquire function.
  6. Disconnect the drive BEFORE turning Disk Arbitration back on, the same way you turned it off.

MacForensicsLab highly recommends that a hardware write blocker be used when acquiring an image of a suspect drive.

Why Won’t My Acquired Disk Image Mount on The Desktop

Does your acquired disk image refuse to mount on the desktop? If you selected the option to turn off Disk Arbitration when MacForensicsLab launched, or disabled Disk Arbitration from the Window menu, Disk Utility will not be able to mount any images until Disk Arbitration is turned back on. This can be resolved in either of two ways.

Re-enable Disk Arbitration either by selecting the Disk Arbitration option from the Window menu within MacForensicsLab again and enabling it, or by rebooting your Mac. Disk Arbitration is often turned off and then forgotten because MacForensicsLab can see drives at the device level, which means you can still work with disk images within MacForensicsLab without mounting them on the desktop as you normally would. If you still have problems mounting disk images after re-enabling Disk Arbitration in MacForensicsLab, restart your computer.


MacForensicsLab Tips and Tutorials – Part Two


Erasing a Target Drive

This lesson demonstrates how to erase a target drive.


Securely erasing a drive overwrites the contents of the device to ensure that no data can be recovered. This process involves overwriting every block of data on the drive one or more times so that no trace of the previous information on the device remains. Simply deleting the data on a drive does not actually erase it, but rather only frees that space to be overwritten by new data.

Before imaging a suspect device to a target drive it is necessary for the investigator to first wipe the existing data on the target drive. This ensures that the target drive is free of any information from previous investigations and preserves the integrity of the suspect evidence. Clearing the target drive can be done using either Apple Disk Utility or MacForensicsLab.
Using Apple Disk Utility to erase your target drive

Locating the Applications folder on Mac OS X

To clear the acquisition drive using Apple Disk Utility, first open the Mac’s hard drive and locate the Applications folder and open it.

Finding the Utilities folder in Mac OS X

Find the Utilities folder and open it.

Finding Disk Utility in Mac OS X

Locate and open the application Disk Utility.

Setting up Disk Utility to wipe an acquisition drive.

First select the target drive you wish to wipe by clicking it on the left side. Next click the "Erase" toolbar option at the top of the window. Finally click the Security Options… button at the bottom of the window. If you would like, give the drive a name by entering it in the name area.

Selecting secure erase options in Disk Utility

In the Secure Erase Options the investigator can then select the desired method of erasing. Then click OK.

Secure erasing a drive

Click the Erase button to start erasing the target drive. A progress bar will indicate the status of the device erasure.

Using MacForensicsLab to erase your target drive

Selecting device to erase with MacForensicsLab

First select the target drive you would like to erase in the Device area of MacForensicsLab in the upper left corner.

Selecting Clear Work Drive in MacForensicsLab

With the desired device selected, go to the File menu and select Clear Work Drive.

Selecting secure erase options in MacForensicsLab

Select the number of passes you would like to make when erasing the data on your target drive. This can be done by either using the slider or entering the desired number in the box. When you have set the desired number of passes, click the Start button.

Operation cannot be undone

MacForensicsLab will inform you that the operation cannot be undone. Make sure you have selected the correct device and then click the OK button.

MacForensicsLab secure erase status

The shred process will begin and a status window will show the current progress of the task. When the device has been erased the software will notify the user that the process has completed.
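After either erase procedure, the practitioner’s next step is to confirm the wipe actually happened before trusting the drive with new evidence. As an added example that is not Apple’s or MacForensicsLab’s code, the POSIX shell functions below perform a single zero-fill pass with dd and then read the target back to locate the first nonzero byte, if any. The device identifier /dev/rdisk2 in the comments is an assumption; the demo at the end runs against a temporary file constructed for the purpose, so no real drive is touched.

```shell
#!/bin/sh
# Added example (not Apple or MacForensicsLab code): one zero-fill pass over
# a target drive, then a read-back check that every byte really is zero.
# Assumptions: $1 = raw target device (e.g. /dev/rdisk2 on macOS, root
# required) or, in the demo, a temporary file standing in for one.
# Confirm the identifier with `diskutil list` first: like Clear Work Drive,
# zero_fill cannot be undone, and the wrong identifier destroys evidence.

# Single pass of zeros. On a real device dd runs until the device is full
# and stops with "No space left on device", the expected end condition; the
# optional $2 caps the pass at that many MiB (used only for the file demo).
zero_fill() {
  dd if=/dev/zero of="$1" bs=1048576 ${2:+count=$2} 2>/dev/null
}

# Print the 1-based offset of the first nonzero byte, or nothing when the
# whole target reads back as zeros. od -v prints every byte instead of
# collapsing repeated rows into "*", so the running count n is exact.
first_nonzero_offset() {
  od -An -v -tx1 "$1" | awk '
    { for (i = 1; i <= NF; i++) { n++; if ($i != "00") { print n; exit } } }'
}

# Report OK (return 0) or the offset of leftover data (return 1). Refuses
# targets it cannot read, so an inaccessible device is never reported clean.
verify_zero_fill() {
  if [ ! -r "$1" ]; then
    printf 'ERROR: cannot read %s\n' "$1" >&2
    return 2
  fi
  off=$(first_nonzero_offset "$1")
  if [ -z "$off" ]; then
    printf 'OK: %s reads back as all zeros\n' "$1"
    return 0
  fi
  printf 'FAIL: nonzero data remains in %s at byte offset %s\n' "$1" "$off" >&2
  return 1
}

# Demo on a constructed file (no real device is touched):
#   f=$(mktemp); printf 'leftover case data' > "$f"
#   verify_zero_fill "$f"        # FAIL ... at byte offset 1
#   zero_fill "$f" 1             # 1 MiB of zeros
#   verify_zero_fill "$f"        # OK
```

The read-back pass touches every byte once, so on a large drive it takes about as long as the wipe itself; when Disk Utility’s multi-pass options are used, verify after the final pass and record the result with the case notes.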


Finding Child Pornography with the Skin Tone Analyzer

This lesson demonstrates how to use the skin tone analyzer feature of MacForensicsLab.

The distribution of child pornography is one of the most disturbing cyber crimes. With the growth of the internet and the ease of file-sharing these days, child pornography has grown to become a world wide issue. Dealing with the exploitation of children in a sexual manner has become a big issue for law enforcement around the world. These cases sometimes involve thousands of images and finding the right ones can become a huge task.

Finding the digital evidence can be a real headache when it’s mixed in with thousands of unrelated images. To make an investigator’s job easier, MacForensicsLab offers a built-in skin tone analyzer. This feature quickly filters out images of interest based on a number of user-entered parameters. The investigator can filter their results based on any combination of the following criteria:

  • Percentage of skin tone contained in the image.
  • Minimum and maximum file size.
  • Vertical and horizontal minimum and maximum pixel size.

You can use the browse function to quickly locate and display potential evidence of child pornography.

By using these simple parameters an investigator can narrow a search for suspect images down from hundreds of thousands to just a couple hundred (or even less). This can save the investigator hours of time that would have been spent manually searching through images that had no relevance to their case.

Forensic Image Hash Validation

The ability to obtain a valid forensic image is critical to the successful completion of a forensic examination. Therefore, as with all forensic tools, it is incumbent upon the examiner to validate their current tools against well-documented and validated tools; this should be done every time there is an update to your software.

As an example, to validate a forensic image acquired under MacForensicsLab, open a Terminal window and run openssl md5 against the source device, giving the path and device name (for example: openssl md5 /dev/rdisk1; reading the raw device requires root privileges). Compare the output with the hash reported by MacForensicsLab; they should match. The comparison is only meaningful if the source device has not changed between acquisition and verification, which is one more reason to keep it behind a write blocker.
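As an added example, not MacForensicsLab’s code, the shell functions below do the comparison described above in a repeatable way: compute the digest of the device or image with whichever tool the workstation has (openssl, the GNU md5sum/sha256sum utilities, or the BSD md5/shasum commands) and compare it, case-insensitively, with the value the acquisition tool reported. The device path /dev/rdisk1 and the digest values in the comments are assumptions, and the file in the demo is constructed. MD5 is kept because that is what the page and most acquisition reports use, but MD5 collisions are practical, so a second digest such as SHA-256 should be recorded alongside it.

```shell
#!/bin/sh
# Added example (not MacForensicsLab code): recompute the digest of an
# acquired image or source device and compare it with the value reported
# by the acquisition tool.
# Assumptions: $1 = raw device (/dev/rdisk1, which needs root) or image file,
#              $2 = digest name, md5 or sha256,
#              $3 = hex digest reported by the acquisition tool.

# Print the hex digest of file $1 using algorithm $2 with whatever is
# installed: openssl, GNU coreutils (md5sum/sha256sum), or BSD md5/shasum.
digest_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst "-$2" "$1" | awk '{print $NF}'      # "MD5(f)= <hex>"
  elif command -v "${2}sum" >/dev/null 2>&1; then
    "${2}sum" "$1" | awk '{print $1}'
  elif [ "$2" = md5 ]; then
    md5 -q "$1"
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare, ignoring case, and return 0 on a match and 1 on a mismatch.
verify_image_hash() {
  expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  actual=$(digest_of "$1" "$2")
  if [ "$actual" = "$expected" ]; then
    printf 'MATCH    %s %s %s\n' "$2" "$actual" "$1"
    return 0
  fi
  printf 'MISMATCH %s %s: tool reported %s, recomputed %s\n' \
    "$2" "$1" "$expected" "$actual" >&2
  return 1
}

# Usage:  verify_image_hash /dev/rdisk1 md5 <hex from MacForensicsLab>
#         verify_image_hash case42.dmg sha256 <hex from the acquisition log>
if [ "$#" -eq 3 ]; then
  verify_image_hash "$@"
fi
```

Run it once against the source device and once against the image file: a match on both ties the image to the device, while a mismatch on only the device points at a change after acquisition rather than a bad image.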

Forensic Imaging of the Amazon Kindle

The Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, its popularity looks set to keep increasing. The Kindle can store a wealth of information, not limited to ebooks but also notes, music, search information, and other items of interest to a forensic investigator. It can also be used as a USB storage device. With 4GB of internal storage, the Kindle 3 can hold a wealth of data. Other Kindle models have less internal storage but can still hold valuable suspect data.

Examining the Amazon Kindle

Connecting the Kindle

Amazon Kindle 3 connected via USB

The Kindle uses a standard Micro USB cable (not to be confused with Mini USB, which looks similar but is slightly larger). Attach a Micro USB to USB cable to the USB port on the Kindle and plug the standard USB end into a USB write blocker, such as the WiebeTech USB WriteBlocker, then connect the write blocker to the forensic workstation (making sure to disable Disk Arbitration on the Mac first, for an extra layer of protection against accidental mounting of the device).

Imaging the Kindle

Selecting the Kindle device for forensic imaging in MacForensicsLab

Once the Kindle has been connected to a USB write blocker and the write blocker to the forensic workstation, the device should appear in the MacForensicsLab Device/Volume area. Select the "Kindle Internal Storage" device from the Device/Volume area and then click Acquire at the bottom of the window. Set your imaging options and then run the acquisition. Once the imaging is complete (this should take only a couple of minutes), detach the Kindle device using the Detach option in the ‘File’ menu of MacForensicsLab and then physically detach the device from the forensic workstation.

Examining the contents of the image

Once the device is detached, re-enable Disk Arbitration using the Disk Arbitration… option in the ‘Window’ menu. Next, select Attach Disk Image… from the ‘File’ menu. Select the Kindle image. You may now use MacForensicsLab to examine the contents of the Kindle for items of forensic interest.

Contents of the Amazon Kindle for forensic examination.


Hardware and Software Write Blocking

When creating an image of a suspect drive, the investigator needs to ensure that the evidence is not altered and remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all acquisitions be done using a combination of the two.

If you are using a hardware write blocker attached to the suspect drive to be acquired or examined, remember to check the jumper settings. In most cases and with most hardware, the jumpers on the drive must be set to Master (consult the drive manufacturer’s website for information on jumper settings for your specific drive model). If the drive does not appear in the device window of MacForensicsLab after a rescan (you can manually rescan the bus by selecting “Rescan” from the File menu), check that the jumpers on the drive are set to Master.

To enable software write blocking inside MacForensicsLab, turn Disk Arbitration off in the popup menu that appears when the application starts, or select Disk Arbitration from the Window menu and disable it there. Disk Arbitration is a background process in Mac OS X that is always running; when it detects a new storage device it automatically mounts it, with write access if available. Disabling it prevents the suspect drive from being mounted, so nothing can write to it through the file system (the raw device remains accessible to a privileged process, which is why a hardware write blocker is still recommended). Disk Arbitration stays off until you enable it again from the Window menu or reboot.

MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or macOS 10.12, please use a hardware write blocker instead.

MacForensicsLab Tips and Tutorials – Part One


Adding a Case in MacForensicsLab

This lesson demonstrates how to add a case using MacForensicsLab.

Open Preferences Window

From the Main Window select MacForensicsLab and then Preferences (or use the keyboard shortcut Command + , ).
Select Cases

Select the Cases Tab from the Preferences Window.
Add a Case

In the lower left corner, select the “+” button to add a new case.
Give the Case a Name

Delete the default Case ID 1 and give the new case a name (1), then fill out the Description field (2) to give additional case details.
Complete Case Information

Complete the case information (1 and 2) and then select “Save” (3).
Confirm the New Case was created in the Preferences Pane


Confirm the new case was created by reviewing the Preferences Pane (which displays automatically when you select Save in the previous step).

Adding a Disk Image in MacForensicsLab

This lesson demonstrates how to add a disk image to a case.

Attach a Disk Image


From the Main Window, select “File” (1) and from the drop down list “Attach Disk Image” (2).
Navigate to Disk Image

From the Navigation Window that appears, navigate to and select the desired disk image.
Select Open to Attach the Disk Image

Once you have selected the desired disk image select “Open” to attach the disk image.
Confirm Disk Image has been attached

Confirm the disk image has been attached from MacForensicsLab’s Main Window, which appears automatically after selecting the disk image.

Adding Exported Files into a Report in MacForensicsLab

This lesson demonstrates how to add exported files back into the case so they can be bookmarked and added into the report.
Navigate to exported folder containing the exported files

Open a navigation window (Finder) and navigate to the folder of exported files. In this example, JPEG files salvaged by MacForensicsLab were exported to the Desktop (1 and 2) into a subfolder named "JPEG" (3).
Open Disk Utility

Open the Disk Utility application located in the Applications -> Utilities folder.
Create a “Disk Image from Folder” using the exported folder

From within Disk Utility select "File" from the Main Window and "New -> Disk Image from Folder" from the drop down list.
Navigate to the Exported Folder

Navigate to the location of the exported folder (1), select it, and select "Image" (2).
Name the new disk image

Name the new disk image (1), leave all the defaults in place (image format and encryption) (2), then select "Save" (3).
Enter your password

Enter your password to create the disk image.
Quit Disk Utility

Once the disk image is created (1), quit the Disk Utility application (2).
Navigate to new disk image

Open a navigation window (Finder) and navigate to the new disk image.
Lock the new disk image

Once you have navigated to the new disk image, use Get Info (Command + I) to see its properties (1). In the Get Info window, select the "Locked" checkbox to lock the image (2), preventing changes to the disk image.
Attach Disk Image to Case

From the MacForensicsLab Main Window, select "File" (1) and "Attach Disk Image …" (2) from the drop down list.
Navigate to the Disk Image

When the navigation box opens, navigate to your newly created and locked disk image (1) and select "Open" (2).
Highlight Volume of new disk image

From within MacForensicsLab’s Main Window, select the Volume of the new disk image (1), then select the Browse function at the bottom of the window (2).
Configure the Browse Window

Be sure that only the "Images Only" checkbox is marked (1), then select Browse (2).
Select all Files for Bookmarking

Select all the files by highlighting one and pressing Command + A.
Add Bookmark

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Add Bookmark" from the drop down list (2).
Select Bookmark Folder

Select the appropriate bookmark folder from the drop down list. In this example, I bookmarked all the files into the "suspicious images" bookmark folder.
Create the Bookmark

Once the appropriate bookmark folder is selected (1), select "Bookmark" (2).
Open Bookmarks

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Show All Bookmarks" from the drop down list (2).
Review new bookmarks

Select the appropriate bookmark folder (1) and review the newly created bookmarks (2).
Generate a report

From MacForensicsLab’s Main Window, select "File" (1) and "Write Report" from the drop down list (2).
Select the “Bookmarks” type checkbox

Select the Bookmarks type checkbox (1) to include the new bookmarks in your report, then select "Start" (2).
Save Report

Select a location to save your report to (1) and select "Choose" (2).
Review Bookmarks

From within the newly created report, review the newly created bookmarks.

Creating a Custom Bookmarks Folder in MacForensicsLab

Open Bookmarks Window

From the MacForensicsLab Main Window, select “Bookmarks” (1) and then “Show All Bookmarks” from the drop down list (2).
Add a Custom Bookmark Folder

To add a custom bookmark folder select the “+” button at the bottom of the screen.
Name the Custom Bookmark Folder

After selecting the “+” button, a text box opens, enabling you to enter a name for the custom bookmark folder.
Add the Name of the Custom Bookmark Folder

Type in the name of the Custom Bookmark Folder and press “Enter.”
Add a description to the Custom Bookmark Folder

With the newly created Custom Bookmark highlighted (1), enter a description of the bookmark folder contents in the text box at the bottom of the screen (2).

Tips - Credit Card and Social Security Number Searching

Identity theft is a growing issue. With phishing scams and corporate theft, it’s an issue that can affect everyone, even those not online. MacForensicsLab has a built-in credit card and social security number (SSN) scanner. This powerful feature allows investigators to zero in on identity theft information. Not only does it search for what appear to be credit card numbers embedded within files, it also validates them to make sure they are true credit card numbers. No other tool offers this feature.

Credit card number and social security number searching to track down fraud evidence can be done easily with MacForensicsLab

Select the device, folder, or file you’d like to scan and click the “Search” function button. At the bottom of the Search window are two check boxes, one for Credit Cards and the other for SSNs. Check one or both of these and click the "Search" button to scan the selected data. MacForensicsLab will then scan and show you any files containing credit card or social security numbers.
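The search-then-validate approach described above, as an added example that is not MacForensicsLab’s code: it pulls candidate card numbers and SSNs out of file content and keeps only those that pass validation. It assumes the card validation is a Luhn mod-10 check and that SSNs are screened structurally (the page only says candidates are validated, not how); the sample buffer is constructed.

```python
"""Added example, not MacForensicsLab code: find and validate credit card
numbers and SSNs in file content. Assumes the tool's validation is a Luhn
mod-10 check for cards and a structural check for SSNs."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CC_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with dash, space or no separator.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_card_numbers(text: str) -> list:
    """Luhn-valid card numbers in text, returned as bare digit strings."""
    hits = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Structurally plausible SSNs in text, normalised to AAA-GG-SSSS."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if ssn_plausible(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_file_bytes(data: bytes) -> dict:
    """Scan raw file content; latin-1 keeps every byte as one character."""
    text = data.decode("latin-1")
    return {"cards": find_card_numbers(text), "ssns": find_ssns(text)}


# Constructed sample standing in for a file read from a suspect volume:
# one valid test card, one with a corrupted check digit, a phone-like digit
# run, two plausible SSNs and one impossible (area 666) SSN.
SAMPLE = (
    b"order 4111 1111 1111 1111 shipped; ref 4111111111111112 bogus\n"
    b"applicant SSN 219-09-9999 alt 078-05-1120 invalid 666-12-3456\n"
    b"phone 5551234567890 is not a card\n"
)

if __name__ == "__main__":
    print(scan_file_bytes(SAMPLE))
```

The Luhn check removes most random digit runs, but a structurally valid SSN or card number can still be a coincidence, so hits are leads to review, not findings on their own.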

Customize the Report within MacForensicsLab

This lesson demonstrates how to customize the Report by altering the default files and adding files that the examiner wants included in every subsequent case.
The MacForensicsLab Templates Folder

The first time a report is generated using MacForensicsLab, a folder called "MacForensicsLab Templates" is created in the same location that the MacForensicsLab application was installed.
The Supplementary Files Folder

Contained within the MacForensicsLab Templates folder is a folder named "Supplementary Files". By default this folder contains three template files: Agency, Investigator and Software Tool. These files are designed to be customized by the user.
Customizing a Default File

To customize a default file located within the Supplementary Files folder, simply double click on the file to open it and make changes to the file, then save your changes. In this example, the "Agency.rtf" file has been customized.
Write a Report

To generate a report in MacForensicsLab, select "File" from the Main Window and "Write Report …" from the subsequent drop down list.
Setting up the Report

A report dialog box opens. Select the items you want to appear in the report by marking the appropriate checkboxes (1), then select "Start" (2).
Select a Location for the Report

Once the "Start" button is selected in the previous step, a navigation window opens. Select the location for the report to be written to (1) and select "Choose" (2).
Default Supplementary Files in the Report

There are three default files in the Supplementary Files section, which are designed to be customized by the user. These files are: Agency.rtf, Investigator.rtf and Software Tool.rtf.
Adding Additional Files to Supplementary Files folder

In MacForensicsLab you can add as many files as you like to the Supplementary Files folder. These files will remain resident in every case thereafter. This is a great way to reduce the time it takes to continually generate documentation that does not change from case to case. In this example, I would like to add a file called "Glossary of Computer Related Terms" into all of my reports. The first step is to open a navigation window (Finder) and navigate to the desired file.
Add File to Supplementary Files folder

Copy or move the desired file into the MacForensicsLab Templates -> Supplementary Files folder.
Generate the New Report

Once the report is written it will automatically launch. Observe that the new file "Glossary of Computer Related Terms.pdf" has been added into the report.
Open new file

Click the hyperlink to the newly copied file to open it.

Posted on

MacForensicsLab Version History

MacForensicsLab version 4.0

  • Redesigned main window interface.
  • Button panel replaced by the Action menu and context sensitive menus.
  • User can now select which plugins are run by the Audit function.
  • Acquisition information can be added to or deleted.
  • Users can now move bookmarks between folders.
  • Totally revamped search window.
  • Updated device and volume navigation.
  • Better bookmark management.
  • Rewritten backend code for faster functionality.
  • Mac OS X 10.7 Lion compatibility.
  • User addable and creatable audit plugins.
  • Bug fixes.

MacForensicsLab version 3.0

  • Redesigned main window divided into Device and File views.
  • System drive is noted in the shortcuts view in the Files tab.
  • Hash button added to main screen.
  • Analyze hits tracked when viewed.
  • New Analyze window interface. Now defaults to ASCII view and is larger to allow viewing of a block at a time.
  • Ability to highlight data area for carving.
  • Ability to scroll blocks to select areas for carving.
  • New counter reports number of search items found for each keyword within Analyze function.
  • Skin Tone Analyzer now has a sliding bar to dynamically view results of any percentage of Skin Tone on the fly.
  • Browsing search results now allows examiner to apply Skin Tone Analysis to the results.
  • Audit results are now reportable in a separate HTML and/or text document.
  • Audit results can be saved or exported out.
  • Speed improvements with some tasks up to 12 times faster than 2.5.5.
  • Mac OS X 10.6 Snow Leopard compatibility.
  • Resolved all previously known bugs.
  • Redesigned allocation of memory, preventing system freezes due to memory leaks and/or inefficient memory allocation.
  • Now displays system information at the bottom of the main window.
  • “Flying” location bar has been removed.
  • Acquire function window has been redesigned for an easier, more intuitive look and feel.
  • Acquire functions Golden Master option now allows the target save locations to be different for each image.
  • Acquire function now has 64-bit engine.
  • Limit on size and number of keywords has been increased to 128 in the Analyze function.
  • Analyze function is now 64-bit.
  • Attach disk image function now has Shadow File option.
  • Attach disk image function now has Ignore Permissions option.

MacForensicsLab version 2.5.2

  • Mac OS X 10.5 Leopard compatibility.

MacForensicsLab version 2.5

  • Added Microsoft Windows and Linux beta versions.
  • Function buttons laid out in more logical order.
  • Added email alert when operation is complete.
  • Speed increases for processor intensive operations.
  • Increased keyword limits for Search and Analyze functions.
  • More powerful acquisition engine.

MacForensicsLab version 2.0

  • Added Skin Tone analyzer.
  • Added Social Security number and credit card number filtering.
  • Added multi-threaded operations.
  • Added filtering by image size and dimensions.
  • Added ability to create additional file types to salvage.
  • Added pattern matching for hash lists.
  • Added built-in SQL database engine.
  • Added ability to select information included or excluded from a report.
  • Added bookmark manager for adding, deleting, and commenting.
  • Added ability to comment on individual files.

MacForensicsLab version 1.6

  • Added Universal Binary support for Intel and PowerPC Macs.
  • Coding optimizations.
  • Added Audit function.

MacForensicsLab version 1.5

  • Added dual-bootable DVD for Intel and PowerPC based Macs.
  • Added auto report generation function.
  • Added Browse function.
  • Improved bookmark function to allow bookmarking of files across multiple functions.
  • Improved Salvage function to allow resuming of halted salvage process.
  • Streamlined Salvage function.

MacForensicsLab version 1.0

  • Initial release of MacForensicsLab.
Posted on

Windows Related Sites

This resources page contains a list of Windows centric security and forensics related sites.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.


Access Data

Access Data are the producers of ForensicToolKit (aka FTK) as well as other tools for the Microsoft Windows Platform.

Quoted from the AccessData website:

AccessData Group has pioneered digital forensics and litigation support for more than twenty years. Over that time, the company has grown to provide both stand-alone and enterprise-class solutions that can synergistically work together to enable both criminal and civil E-Discovery of any kind, including digital investigations, computer forensics, legal review, compliance, auditing and information assurance. More than 130,000 customers in law enforcement, government agencies, corporations and law firms around the world rely on AccessData software solutions, and its premier digital investigations products and services. AccessData Group is also a leading provider of digital forensics training and certification, with our much sought after AccessData Certified Examiner® (ACE®) and Mobile Phone Examiner Certification AME programs.

Recommended Site - Guidance Software

Guidance Software are the producers of Encase – a venerable forensics tool for the Microsoft Windows Platform.

Quoted from the Encase website:

At Guidance, we exist to turn chaos and the unknown into order and the known–so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure.

Makers of EnCase®, the gold standard in digital investigations and endpoint data security, Guidance provides a mission-critical foundation of applications that have been deployed on an estimated 33 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm.

Our field-tested and court-proven solutions are used with confidence by 78 of the Fortune 100 and hundreds of agencies worldwide.

Recommended Site - Information Week

Information Week Security provides the latest updates on security news from around the web.


Microsoft Security Central

Microsoft Security Central contains information on the latest security updates for all Microsoft products.


Windows IT Pro

WindowsITPro is the leading independent, impartial source of practical, technical information to help IT professionals better understand and manage the Windows and Server enterprise. Each month, they help millions of IT professionals overcome the same issues you struggle with every day. The site contains the latest Windows security articles and tutorials on the following topics:

  • Authentication, Access Control & Encryption
  • Cloud Computing
  • Content Security (Email & FTP)
  • Firewalls & VPNs
  • Intrusion Detection
  • Misc Network Security
  • Mobile Device Security
  • Viruses, trojans and other malware
  • Web Application Security
  • Web Server Security
  • Windows 10 Security
  • Windows 2003 Security
  • Windows Networking
  • Windows OS Security
  • Windows Server 2008 Security
  • Windows Server 2012 Security
  • Windows Server 2016 Security
  • Wireless Security


Posted on

General Forensics Tips for Windows Platform

Tips - Disabling Windows BitLocker Encryption

BitLocker is a new drive encryption technology introduced with the Vista operating system. With BitLocker enabled, all files on a personal computer’s hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk encryption can pose a problem for forensic investigators, and additional steps must be taken to ensure access to suspect data.

When an investigator comes across a running Windows Vista system, they should first determine which version of Windows Vista the suspect system is running. As only Vista Enterprise and Ultimate offer BitLocker drive encryption, investigators can disregard the further steps on other versions.

Once an investigator has determined that the system is running either Windows Vista Enterprise or Ultimate, the next step is to determine if BitLocker is running. The easiest way to determine this is through the BitLocker configuration in the Control Panel. If BitLocker encryption is running, use the following steps to disable it.

Disabling BitLocker does not decrypt the suspect data, which would alter every file. Instead, it stores the encryption key on the disk in unprotected form so that the volume can be decrypted when it is booted or accessed, without the need for the startup key or numerical password.

The following command shows how to disable Bitlocker from the command line:

cscript manage-bde.wsf -protectors -disable c:

The above command disables BitLocker without decrypting the volume. The drive can then be attached to another Vista machine through a hardware write blocker and all the data will be readable, so the investigator can image the suspect drive.

The investigator should also obtain the BitLocker numeric recovery password to ensure later access to the drive for imaging should it be needed.

The following command will display the BitLocker numerical recovery password:

cscript manage-bde.wsf -protectors -get c:

Tips - Disabling Windows Autorun

Care needs to be taken when examining suspect USB thumb drives and CDs. These types of media may contain autorun viruses and malware that could potentially infect the investigator’s workstation. Steps should be taken to disable autorun on Windows computers to decrease the chance of damage by malware. By disabling autorun on a Windows machine, the investigator stops programs that may attempt to run when suspect media is attached. Disabling autorun will also stop MacLockPick from accidentally being run on an investigator’s forensic examination station; it may still be run manually.

To protect your Windows forensic workstations, follow these steps:

Copy and paste the following into a .reg file and merge it into the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

More information on disabling Windows Autorun can be found here:

Tips - Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Current estimates as of June 2007 put Firefox at 14.55% of the world’s web browsers. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles//
Windows XP & 2000: C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\
C:\Windows\Profiles\\Application Data\Mozilla\Firefox\Profiles\
Windows NT 4.x: C:\Winnt\Profiles\\Application Data\Mozilla\Firefox\Profiles\
Unix: ~/.mozilla/firefox//

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites to never save the passwords for. The encryption key is contained in the file called key3.db

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.


If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.

Tips - Viewing Recently Accessed Windows Files

The Windows Registry stores a wealth of information that can be helpful to a forensic investigator during an examination. Knowing which documents were recently accessed on a suspect’s Windows machine can point an investigator to files of interest and help to show proof of intent.

The following key and its associated sub-keys contain a fairly comprehensive list of files that were opened while that account was logged in:


Tips - Flash Drive Registry Information

USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at is the set of entries recording which devices have been attached, especially USB devices, so you can grab the information regarding the device manufacturer and serial number if it has one.

Also there is an entry that is keyed to the mounted device volume letter. The letter is not that important but I think there is a date associated with the last time the device was written. This would be of value during a forensic exam.

USB thumb drives sometimes have a registry entry indicating that they are CD-ROM drives, so be aware of that.

Thanks to Tim Clark for this information.

Posted on

General Forensics Tips

Tips - Recognizing Potential Evidence

The following was taken from the United States Secret Service’s Best Practices For Seizing Electronic Evidence. We highly recommend you read the entire article located here as it contains lots of good information regarding electronic evidence.

Recognizing Potential Evidence

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  • Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?

  • Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

  • Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?

  • Is the computer system both instrumental to the offense and a storage device for evidence?
    For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is understood, the following essential questions should be answered:

  • Is there probable cause to seize hardware?
  • Is there probable cause to seize software?
  • Is there probable cause to seize data?
  • Where will this search be conducted?
    • For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    • If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    • Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?

Source: US Secret Service