Plugins for MacLockPick

The following is a list of plugins that come as standard with MacLockPick:

AddressBook

MacLockPick plugin to extract address book contents

The Address Book plugin for MacLockPick extracts items stored in the Address Book caches on a Mac OS X system. This includes the details of most buddies and email correspondents used by a Mac OS X user, as well as items that have been deleted from the main address book storage file.

Adium

The Adium plugin for MacLockPick captures the chat logs from Adium on a Mac OS X operating system. Adium is a popular free software instant messaging client for Mac OS X that supports multiple protocols through the libezv (for Bonjour) and libpurple (all other protocols) libraries.

Apple Mobile

The Apple iPhone has become a popular cell phone for many due to its mass market appeal and ease of use. It is feature-rich and has become much more than just a cell phone for many. This also means it is full of artifacts that are of interest to forensic investigators. By using MacLockPick II, an investigator can acquire a wealth of information about a suspect and their activities. Some of the useful information available to an investigator includes:

  • Call history with time and date information.
  • Incoming and outgoing SMS messages including the sender/recipient with time and date information.
  • Speed dial favorites including name and phone number.
  • Email account set to sync.
  • Pictures taken with and stored on the phone.
  • Safari (web browser) search history.
  • History of pages viewed with Safari (web browser).
  • Address book contents including each entry’s name, number, address and any other information entered about the contact.
  • Notes created within the iPhone’s Notes application.
  • And much more.

Apple Mobile Pictures

The Apple Mobile Pictures plugin for MacLockPick gathers information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone’s functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second generation uses UMTS and HSDPA.

Bluetooth

The Bluetooth plugin for MacLockPick captures the dates and addresses of Bluetooth devices that have been paired with a Mac OS X system.

Bluetooth is a wireless protocol utilizing short-range communications technology facilitating data transmission over short distances from fixed and/or mobile devices, creating wireless personal area networks (PANs). The intent behind the development of Bluetooth was the creation of a single digital wireless protocol, capable of connecting multiple devices and overcoming issues arising from synchronization of these devices.

Clipboard

The Clipboard plugin for MacLockPick captures any text contents or graphics found in the clipboard on Mac, Windows, and Linux platforms.

The clipboard is a software program that is used for short-term storage of data as it is transferred between documents or applications, via copy and paste operations. It is most commonly a part of a GUI environment and is usually implemented as an anonymous, temporary block of memory that can be accessed from most or all programs within the environment.

Disk Utility

The Disk Images plugin for MacLockPick extracts the dates and paths of disk images that have been attached to a Mac OS X system using Disk Utility. OS X users often use disk images when downloading installers from the internet or when encrypting information into virtual volumes.

Firefox

The Firefox plugin for MacLockPick creates a summary of the bookmarks, form autofill settings, cookies, and history records made by the suspect using Firefox on Mac OS X, Microsoft Windows, or Linux operating systems.

Mozilla Firefox (abbreviated officially as Fx, but also commonly as FF), is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation.

Google Chrome

The Google Chrome plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Google Chrome on Microsoft Windows operating systems.

Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.

iChat

The iChat plugin for MacLockPick captures the account details and buddy lists for iChat on a Mac OS X system.

iChat AV is an AOL Instant Messenger (AIM), .Mac, ICQ and XMPP client by Apple Inc. for their Mac OS X operating system. Using a Jabber-like protocol and Bonjour for user discovery, it also allows for LAN communication. iChat’s AIM support is fully endorsed by AOL, and uses their official implementation of the AIM OSCAR protocol. Using a Jabber transport, iChat users may also integrate their MSN, Yahoo! and Google Talk contacts into the Jabber pane.

Internet Explorer

The Internet Explorer plugin for MacLockPick creates a summary of the bookmarks, cookies, and history records made by the suspect using Microsoft Internet Explorer on Microsoft Windows operating systems.

Windows Internet Explorer (formerly Microsoft Internet Explorer abbreviated MSIE), commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since, despite the introduction of IE7.

ifconfig

The ifconfig plugin for MacLockPick will collect network adapter information on Mac OS X and Linux machines using the ifconfig command.

The Unix command ifconfig serves to configure and control TCP/IP network interfaces from a command line interface (CLI). The name ifconfig expresses the purpose of the command: an interface configurator. ifconfig originally appeared in 4.2BSD as part of the BSD TCP/IP suite so in effect it formed part of the original internet toolkit.

IO Registry

The IO Registry plugin for MacLockPick will extract the “ioregistry” on a Mac OS X system. This includes all devices connected to the system.

iPod

The iPod plugin for MacLockPick extracts dates and serial numbers of iPods and iPhones that have been connected to a Mac OS X system.

iPod is a popular brand of portable media players designed and marketed by Apple Inc and launched on October 23, 2001. The current product line-up includes the touchscreen iPod Touch, the video-capable iPod Nano, the screenless iPod Shuffle and the iPhone. Former products include the compact iPod Mini, the hard drive-based iPod Classic, and the spin-off iPod Photo (later re-integrated into the main iPod Classic line). iPod Classic models store media on an internal hard drive, while all other models use flash memory to enable their smaller size (the long discontinued mini used a Microdrive miniature hard drive). As with many other digital music players, iPods, excluding the iPod Touch, can also serve as external data storage devices. Storage capacity varies by model.

OS X – Keychain Extractor

The OS X Keychain Extractor plugin for MacLockPick is available to law enforcement only. This module extracts all available passwords stored in an unlocked keychain on a Mac OS X system (versions earlier than OS X 10.11) and then uses this data to perform a dictionary attack on the system password.

Mail

The Mail plugin for MacLockPick captures account preferences and, for each attachment opened by Mail.app on a Mac OS X system, the date it was opened and the path to the saved file. This information can be used to see what email files and attachments a suspect has accessed.

Network

The Network plugin for MacLockPick does an analysis of the network activity on the suspect’s computer. This information includes ARP tables, interfaces, and netstat activity. This plugin will run on suspect machines running Microsoft Windows, Mac OS X, and Linux operating systems.

ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model.

From a forensics point of view the ARP table shows what computers were connected to the suspect’s machine on their local area network at the time of analysis.

Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.

It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Network Interfaces

The Network Interfaces plugin for MacLockPick II will extract a list of network interfaces, as well as their MAC addresses, on a Mac OS X system. This information can be used to identify the suspect system.

Processes

The Processes plugin for MacLockPick uses the OS to list all active applications running on the suspect’s computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect.

Note: This will not show background and system processes. OS Specific plugins are included for this purpose.

Recent items

The Recent Items plugin for MacLockPick will extract paths and details for recent applications, recent documents, and recent servers on a Mac OS X system. This information will show the items a suspect has recently accessed and can help prove intent.

Registry – Explorer

The Registry – Explorer plugin for MacLockPick will extract various keys from the CurrentUser:Software:Microsoft:Windows:CurrentVersion:Explorer hive in the registry database on Microsoft Windows systems.

The keys include recent items executed by Explorer and the names of network servers that have been visible to the system being audited.

Registry – Full Tree (Classes Root)

The Registry – Full Tree (Classes Root) plugin for MacLockPick will extract all settings from the Classes Root hive of the registry on Microsoft Windows systems. This module is kept separate from the other registry plugins so that the investigator can disable this hive independently of the others, since this hive requires the most time to audit.

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

Registry – Full Tree (Current Config)

The Registry – Full Tree (Current Config) plugin for MacLockPick will extract all settings from the Current Config hive of the registry on Microsoft Windows systems. This module is kept separate from the other registry plugins so that the investigator can disable this hive independently of the others, since this hive requires the most time to audit.

Registry – Full Tree (Current User)

The Registry – Full Tree (Current User) plugin for MacLockPick will extract all settings from the Current User hive of the registry on Microsoft Windows systems. This module is kept separate from the other registry plugins so that the investigator can disable this hive independently of the others, since this hive requires the most time to audit.

Registry – Full Tree (Local Machine)

The Registry – Full Tree (Local Machine) plugin for MacLockPick will extract all settings from the Local Machine hive of the registry on Microsoft Windows systems. This module is kept separate from the other registry plugins so that the investigator can disable this hive independently of the others, since this hive requires the most time to audit.

Registry – Full Tree (Users)

The Registry – Full Tree (Users) plugin for MacLockPick will extract all settings from the Users hive of the registry on Microsoft Windows systems. This module is kept separate from the other registry plugins so that the investigator can disable this hive independently of the others, since this hive requires the most time to audit.

Registry – Internet Explorer

The Registry – Internet Explorer plugin for MacLockPick will collate lists of URLs that have been typed by the user and the main Internet Explorer settings in the Microsoft Windows registry database.

Registry – Most Recently Used Lists

The Registry – Most Recently Used Lists plugin for MacLockPick will collate MRU (most recently used) lists from various applications in the Microsoft Windows registry database.

Registry – SSID

The Registry – SSID plugin for MacLockPick will gather, from the Microsoft Windows registry database, a list of all SSID records for Wi-Fi base stations that the system has discovered.

Registry – USB Flash Drive History

The Registry – USB Flash Drive History plugin for MacLockPick will grab information about USB drives that have been connected to a Microsoft Windows machine. USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the more useful places to look is the set of entries recording which devices have been attached, especially USB devices; from these the investigator can recover the device manufacturer and, if the device has one, its serial number.
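As an added illustration of what those entries contain (example code written for this page, not part of MacLockPick), the snippet below parses the device-class and instance subkey names found under the USBSTOR key into vendor, product, revision and serial number. The registry paths it works on are constructed samples; on a live system they would be read from the subkeys of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. It also flags instance IDs that Windows generated itself for devices that reported no serial number, which an examiner must not mistake for a hardware identifier.

```python
"""
Parse Windows USBSTOR registry paths into vendor, product, revision and serial.

Added example for this page; it is not MacLockPick code. The paths in
SAMPLE_PATHS are constructed; on a live Windows system the same strings are
the subkey names under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Device-class subkeys have the form  Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_KEY_RE = re.compile(
    r"^(?P<dtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]  # None when Windows synthesised the ID


def serial_from_instance_id(instance_id: str) -> Optional[str]:
    """Return the USB serial number encoded in an instance subkey name.

    The instance subkey is the device's serial number followed by '&<n>'.
    If the second character is '&', the device reported no serial number and
    Windows generated an ID of its own; that ID is specific to the machine
    and must not be treated as a hardware identifier.
    """
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None
    return instance_id.rsplit("&", 1)[0]


def parse_usbstor_path(path: str) -> UsbStorDevice:
    """Parse '...\\USBSTOR\\<device key>\\<instance id>' into its fields."""
    parts = path.rstrip("\\").split("\\")
    if len(parts) < 2:
        raise ValueError(f"not a USBSTOR instance path: {path!r}")
    device_key, instance_id = parts[-2], parts[-1]
    match = DEVICE_KEY_RE.match(device_key)
    if match is None:
        raise ValueError(f"unrecognised USBSTOR device key: {device_key!r}")
    return UsbStorDevice(
        device_type=match["dtype"],
        vendor=match["vendor"],
        product=match["product"],
        revision=match["rev"],
        instance_id=instance_id,
        serial=serial_from_instance_id(instance_id),
    )


# Constructed sample paths: one device with a real serial, one with a
# Windows-generated instance ID (second character is '&').
SAMPLE_PATHS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230512345678&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&0000",
]


def inventory(paths: List[str]) -> List[UsbStorDevice]:
    """Parse every path into a device record, in the order given."""
    return [parse_usbstor_path(p) for p in paths]


if __name__ == "__main__":
    for dev in inventory(SAMPLE_PATHS):
        serial = dev.serial if dev.serial else "(no hardware serial; ID generated by Windows)"
        print(f"{dev.device_type:6} {dev.vendor:10} {dev.product:14} rev {dev.revision:5} serial {serial}")
```

The key names alone give the device identity; the time the device was first or last seen lives in the subkeys' last-write timestamps and in other keys, so a full history needs the registry hive itself rather than only the names shown here.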

Registry – User Assist

The Registry – User Assist plugin for MacLockPick finds and decodes the settings under the UserAssist key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. This key contains two or more subkeys with long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files and programs. These values are stored ROT-13 encoded, a special case of the Caesar cipher, and the plugin decodes them.
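The decoding step in code, as an added example for this page (not MacLockPick's implementation): a ROT-13 decoder for UserAssist value names, together with a parser for the 16-byte value data used by Windows XP-era systems (a session id, a run count that Windows stores with an offset of 5, and a FILETIME of the last run). The sample value name and data are constructed, and the GUID subkey name is a placeholder. The 72-byte value layout used from Windows 7 onward is not handled here.

```python
"""
Decode UserAssist value names (ROT-13) and the XP-era 16-byte value data.

Added example for this page; not MacLockPick code. SAMPLE_* values are
constructed. Assumed layout of the 16 bytes (Windows XP family):
  uint32 session id, uint32 run count (+5), uint64 FILETIME of last run.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns units from here


def rot13(text: str) -> str:
    """Shift A-Z and a-z by 13 places; everything else is left as is."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_xp_userassist_value(name: str, data: bytes) -> Dict[str, object]:
    """Decode one value from a UserAssist\\{GUID}\\Count subkey (16-byte XP layout)."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes of value data, got {len(data)}")
    session, stored_count, ft = struct.unpack("<IIQ", data)
    # Windows XP stores the count with a bias of 5: the first run is recorded as 6.
    run_count = stored_count - 5 if stored_count >= 5 else stored_count
    last_run: Optional[datetime] = filetime_to_datetime(ft) if ft else None
    return {
        "name": rot13(name),
        "session": session,
        "run_count": run_count,
        "last_run": last_run,
    }


def decode_count_subkey(values: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Decode every value of a Count subkey, given as {encoded name: raw data}."""
    return [parse_xp_userassist_value(n, d) for n, d in values.items()]


# Constructed sample: the stored (ROT-13) form of
# "UEME_RUNPATH:C:\Program Files\Example\example.exe", run 12 times.
SAMPLE_GUID = "{00000000-0000-0000-0000-000000000000}"  # placeholder subkey name
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Rknzcyr\rknzcyr.rkr"
SAMPLE_TIME = datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
SAMPLE_DATA = struct.pack("<IIQ", 3, 12 + 5, datetime_to_filetime(SAMPLE_TIME))

if __name__ == "__main__":
    for rec in decode_count_subkey({SAMPLE_NAME: SAMPLE_DATA}):
        print(f"{SAMPLE_GUID}: {rec['name']}  runs={rec['run_count']}  last={rec['last_run']}")
```

A practitioner checking a decoded record against other evidence should remember that the run count is a lower bound on program use (it only counts launches through Explorer) and that the last-run FILETIME is UTC.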

Registry – VNC

The Registry – VNC plugin for MacLockPick will collate server lists for VNC from the Microsoft Windows registry database. This information may be useful to show other systems that a suspect may have connected to or has control of.

Remote Desktop

The Remote Desktop plugin for MacLockPick will extract account names and server addresses used by Remote Desktop on a Mac OS X system.

Apple Remote Desktop (ARD) is a Macintosh application produced by Apple Inc., first released on March 14, 2002, that replaced a similar product called Apple Network Assistant. Aimed at computer administrators responsible for large numbers of computers and teachers who need to assist individuals or perform group demonstrations, Apple Remote Desktop allows users to remotely control or monitor other computers over a network.

Safari

The Safari plugin for MacLockPick will extract search strings, bookmarks, cookies, downloads, and history stored by Apple Safari on a Mac OS X or Microsoft Windows system.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP and Windows Vista are supported.

Screenshot

The Screenshot plugin for MacLockPick will capture and save a screenshot of the main screen on the suspect’s system. The plugin will temporarily hide MacLockPick during the process and save the file to your output folder alongside the captured logs database. This plugin works on systems running Microsoft Windows, Mac OS X, and Linux operating systems.

Skype

The Skype plugin for MacLockPick creates transcripts of instant messaging, VoIP calls, buddies, and chat logs created by Skype on Mac OS X and Microsoft Windows operating systems.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to landlines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information

The System Information plugin for MacLockPick will gather information about the hardware, the current user, the configuration of the system and general system information. This plugin works with systems running Mac OS X, Microsoft Windows, and Linux operating systems.

UNIX – Process List

The UNIX – Process List plugin for MacLockPick will execute the terminal command “ps -axww” to show all processes including root processes on suspect systems running Linux and Mac OS X operating systems.

In most Unix-like operating systems, the ps program displays the currently-running processes. A related Unix utility named top provides a real-time view of the running processes.

Uptime

The Uptime plugin for MacLockPick displays the current time, the length of time the system has been up, the number of users, and the load average of the system over the last 1, 5, and 15 minutes. This plugin works on Linux and Mac OS X operating systems.

User Folder Dates

The User Folder Dates plugin for MacLockPick will traverse the active user’s home folder and list the creation and modification dates for its contents. This plugin works on systems running Microsoft Windows, Mac OS X and Linux operating systems.

Volume Dates

The Volume Dates plugin for MacLockPick lists the name, creation date, and modification dates for all mounted volumes in Mac OS X or Linux (this plugin is not supported in MS Windows).

Wi-Fi

The Wi-Fi plugin for MacLockPick will list all of the Wi-Fi connections historically made on a Mac OS X system. This includes the date and MAC address of each base station. This information can be used to show the location of a suspect at a specific time and may be helpful to generate further leads and steer the investigation.

Windows – DNS Dump

The Windows – DNS Dump plugin for MacLockPick dumps the contents of the DNS cache in Microsoft Windows. The DNS cache stores information from DNS queries.

Windows – ipconfig

The Windows ipconfig plugin for MacLockPick will collect network adapter information on Windows machines using the ipconfig.exe command.

ipconfig (Internet Protocol Configuration) in Microsoft Windows is a console application that displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Similar GUI tools named winipcfg and wntipcfg also exist. The former pre-dates ipconfig.

Windows – Net User

The Windows – Net User plugin for MacLockPick will get a list of all user accounts on the host machine using the “net.exe” command.

Quick Tips – MacLockPick

This page contains useful tips on how to use MacLockPick not found in the manual.

Choosing a USB Port for MacLockPick

Up until the release of Apple’s aluminum keyboard, all Apple branded keyboards featured USB 1.1 ports. Because of the much higher data transfer speed of USB 2.0, we recommend that investigators plug the MacLockPick thumb-drive into the Mac computer itself instead of into the keyboard. This will ensure the fastest auditing speeds.

Filtering with MacLockPick

This lesson is designed to demonstrate how to use the filter feature in MacLockPick.

1. Insert MacLockPick into USB Port

Insert MacLockPick into the USB port

This demo is done using Mac OS X as the base system, however the process, with slight modification applies to other operating systems as well. Insert the MacLockPick into a USB port on the computer. The device will automount as depicted above.

2. Select for Configuration

Select MacLockPick for configuration

There are two icons mounted on the Desktop associated with MacLockPick: one named MACLOCKPICK and the other, depicted above, named MacLockPick (OS X). Double click on the MacLockPick (OS X) icon.

3. Locate the Setup Application

Locate the MacLockPick Setup application

The contents of the MacLockPick (OS X) volume appear above. Select the Applications – OS X folder by double clicking on it.

4. Launch the Setup Application

Launch the MacLockPick Setup application

Select the MacLockPick Setup.app (depicted with the number 1 above) by double clicking on it to launch the application.

5. Create a Customized Plug-In

Create a customized plug-in for MacLockPick

The Setup application will open providing a list of all current plug-ins. To add a plug-in, select the “+” in the lower right corner.

6. The Plug-in Window

MacLockPick Plugin window

Once the “+” button is selected, the Plug-in window opens.

7. Name the Plug-in

Name the new plug-in within MacLockPick

The Plug-in window allows the user to name the plug-in (1) and define its type (2).

8. Design the Plug-in

Design the MacLockPick plug-in

The Plug-in design window is divided into three parts: the Plug-in Name, the Data and the Operating System. To create a custom filter that searches a folder and returns only the files with a .pdf extension, fill out the information depicted above. First, describe the plug-in (1), then enter the filter (in this case the .pdf extension). Since we will be searching a folder relative to the user, select buttons (3) and (4). Since we expect a relatively small output, keep the files and folders in their native format (5), meaning they are exported directly rather than through the built-in MacLockPick Archive tool. Next, enter the path to the folder (6), select the operating system the new plug-in pertains to (7) and select “Save” (8).

9. Checking the Plug-in

Checking the new MacLockPick plug-in

When you save the custom-built plug-in, the Setup window opens again, allowing you to review all the plugins, including your new one. Make sure your new plugin is selected, as indicated by the checkbox to the right (1), then select “Quit” (2).

10. Run MacLockPick

Run MacLockPick

Once you quit the Setup window, you will be at the MacLockPick applications window. Select the MacLockPick application by double clicking on it to invoke MacLockPick.

11. MacLockPick Completion

MacLockPick has completed running

Once MacLockPick completes its operations, the above dialogue box will open, informing the user that the results are located in the “MacLockPick Output Folder” (1); select “OK” (2).

12. Locating the MacLockPick Output Folder

Locating the MacLockPick Output folder

From the Desktop, select the “MACLOCKPICK” icon (1) by double clicking on it.

13. Open the MacLockPick Output Folder

Opening the MacLockPick Output folder

As the volume opens, locate the MacLockPick Output Folder, double click on the MacLockPick Output Folder and select the appropriate result (the results are arranged by username and date/time stamp).

14. Reviewing the Results

Reviewing the MacLockPick results

Locate the folder containing the MacLockPick output and open it by double clicking on it.

15. Reviewing the Filter Results

Reviewing the MacLockPick filter results

The MacLockPick Output will contain, by default, several files: the .bash_history file (1), the Log Database (2) and a Screenshot (3) of the computer screen from which MacLockPick was run. In addition to these files will be any number of additional elements the user selected or created, in this case the results of the custom .pdf filter we created (4). Open the folder containing the .pdf filter results by double clicking on the appropriate folder (4).

16. Review the Custom Filter Results

Reviewing the custom MacLockPick filter results

Contained within the customized filter folder are the results of the search, in this case, only the .pdf files were exported from the folder (Dog_Training).
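The same traversal in code, as an added example written for this page (it is not MacLockPick's plug-in mechanism): it walks a folder the way the custom filter above does, keeps only files with a chosen extension (compared case-insensitively, so .PDF matches .pdf), and records for each the size, creation and modification dates and a SHA-256 hash, which is also what the User Folder Dates plugin reports for a home folder. The demo() helper builds a constructed sample tree in a temporary directory, so the block runs anywhere. Creation time is only available through stat on macOS and BSD (st_birthtime); on Linux it is reported as unknown rather than silently substituting the inode change time.

```python
"""
Walk a folder, filter by extension and record dates and hashes for each file.

Added example for this page; not MacLockPick code. demo() creates a
constructed sample tree under a temporary directory and removes it again.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


def file_times(st: os.stat_result):
    """Return (created, modified) as UTC datetimes; created is None if unknown."""
    birth = getattr(st, "st_birthtime", None)  # macOS / BSD only; absent on Linux
    created = datetime.fromtimestamp(birth, timezone.utc) if birth is not None else None
    modified = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    return created, modified


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: str, extensions: Optional[Iterable[str]] = None) -> List[Dict[str, object]]:
    """List files under root, optionally keeping only the given extensions.

    Symbolic links are skipped so the walk cannot be led out of the folder,
    and directories are visited in sorted order for a reproducible listing.
    """
    exts = {e.lower() for e in extensions} if extensions else None
    rows: List[Dict[str, object]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if exts is not None and os.path.splitext(name)[1].lower() not in exts:
                continue
            st = os.stat(path)
            created, modified = file_times(st)
            rows.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "created": created,
                "modified": modified,
                "sha256": sha256_of(path),
            })
    return rows


def demo(extensions: Optional[Iterable[str]] = frozenset({".pdf"})) -> List[Dict[str, object]]:
    """Build a constructed sample tree, run collect() on it, and clean up."""
    root = tempfile.mkdtemp(prefix="folder_filter_demo_")
    try:
        os.makedirs(os.path.join(root, "Dog_Training", "notes"))
        sample_files = {  # constructed contents, not real documents
            "Dog_Training/guide.pdf": b"%PDF-1.4 constructed",
            "Dog_Training/notes/week1.PDF": b"%PDF-1.4 second sample",
            "Dog_Training/notes/todo.txt": b"plain text, filtered out",
            "readme.txt": b"also filtered out",
        }
        for rel, content in sample_files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(content)
        return collect(root, extensions)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['path']}\t{row['size']} bytes\tmodified {row['modified']}\t{row['sha256'][:16]}...")
```

Hashing at collection time gives the examiner a fixed reference for each exported file, so later copies can be checked against the original acquisition.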

Searching MacLockPick Logs

MacLockPick extracts a wide range of valuable data from suspect machines and presents it in an easy-to-view format for the investigator. Even with the suspect information clearly formatted, there can be a very large amount of data to sort through to find what you are looking for. If you are looking for something specific, you can use MacLockPick’s Search feature. Click the “Find” button, enter your query and click “Find” again. All entries containing the searched term will be grouped together and highlighted at the top of the listing.

Exporting Data from the MacLockPick Logs

MacLockPick acquires a lot of detailed information about a suspect, much of which can be very helpful in an investigation. When viewing the MacLockPick log file, the investigator can export all or a portion of the log data to a plain text file using the “Export” button. Highlight the information you would like exported (choose “Select All” from the Edit menu to export everything in the log file), then click the “Export” button. Name your exported text file and select the location to save it to.

MacCompanion review of MacLockPick II

MacLockPick II (2.1) Extract all incriminating info on any computer (Linux, Mac, Windows) or iPhone

Reviewed by Robert L Pritchett

SubRosaSoft.com Inc.

Phone +1 (510) 870-7883

Fax +1 (510) 868 3407

sales@MacForensicsLab.com

http://www.subrosasoft.com/

http://www.macforensicslab.com/

Originally Released: April 27, 2007

Only sold through the website for $500 USD.

To use this app, you really should be in Law Enforcement. This is a critical companion for the MacForensicsLab. It has also been made available for E-Discovery and IT Managers. For doing “forensic triage”.

Requirements: Mac OS X 10.4 or later; 32MB RAM; CD/DVD-ROM Drive; USB port. QuickTime 6.5 or later. Use with MacForensicsLab (comes preconfigured).

Comes with Tutorial CD and 2 GB USB flash drive “dongle” in a can, formatted in FAT32.

Strengths: Cross-platform access (it works on accessing passwords from Linux, Mac, Windows devices and even iPhones). Authentication is required for registration. Comes with ability to access “everything” including keychains.

Weaknesses: Requires the dongle to operate. Wait, the tool is the dongle! So “none found”.

Introduction

MacLockPick (MLP) is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB Flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.

What I Learned

Mark Hurlow loves Computer Forensics and apparently his tool of choice is Mac OS X. The MacForensics Lab is a “single solution for law enforcement professionals”.

We have reviewed other SubRosaSoft apps before, but all were done back in 2007, covering:

MacForensicsLab 2.0 (now up to version 2.5.2)

FileSalvage Data Recovery 5.1 (now up to 6.1.5)

CopyCatX 4.0

Mark and his team have been quite busy with various other computer forensics tools as well and they do have a few Freeware items that might be of interest.

The MLP CD does have a tutorial video that discusses the device. It does come with a keychain so it will have less of a problem getting lost. Perhaps that is symbolic for the KeyChain on Macs that become captured when this device is installed into a USB port.

Plug in the stick, double-click on the program and it collects the passwords from the computer. You can export captured files as well. If a data capture app is not listed, you may add your own, so the device is extensible.

Being able to essentially look into any PC or Mac using captured passwords makes this device either a very dangerous tool in the wrong hands or an excellent tool for access for someone who cannot ever remember the password used to access a program. My guess is the latter one is not the person who would use this device.

Perhaps you can appreciate the power of this little device and now understand why it is called the MacLockPick. Knowing that it can also can “pick” PCs, makes this device extremely valuable.

If you are familiar with Windows registries, MacLockPick goes to the relevant registers and grabs the pertinent information including the retrieved databases.

To read files, the MLP will be needed. If you are capturing large files, an external hard drive can be used to capture the data instead of the MLP device, but the MLP will be needed to read the files, once back at the Forensics lab. If the external drive gets lost, nobody will be able to recover and understand the info located there. The dongle is key, literally, in the success of analysis.

The tools include an archiver, an authenticator, a reader and Setup. There are folders for output, plug-ins and report templates.

Each dongle is secured and cannot be reproduced.

There really isn’t anything that can be hidden from this device on any computer, but you do need to know how to “eject” the USB drive.

The MLP really is a companion to the MacForensicsLab. Use it wisely.

Conclusion

If you are in the business of analyzing data in a law enforcement role, this tool is one you will want in your arsenal. Macs are so much easier to deal with. Why not get the tools that make the job even easier? If all you have to do is collect the passwords to access the programs on any machine and do it in a matter of seconds, why futz around, right? Get in, get the job done and get out. Quick and easy.