
MacForensicsLab Tips and Tutorials – Part Three


Imaging a Drive via Target Disk Mode

Sometimes an investigator may not have access to a hardware write blocker, or may not be able to remove the suspect drive from the suspect's Mac (we do not recommend that investigators attempt to image a drive without a hardware write blocker, but at times situations may necessitate it). In this case the investigator can connect the suspect Mac to their forensic workstation using a feature called Target Disk Mode. Target Disk Mode causes the suspect Mac to act like an external drive, at which point it can be connected to a forensic workstation running MacForensicsLab for imaging and examination.

  1. The first and MOST important step in this process is making sure that Disk Arbitration is disabled. You can do this by following the process for disabling Disk Arbitration found here. Make sure you verify that it is disabled using Disk Utility once you have completed this. This will ensure that the suspect drive stays forensically sound.
  2. Boot the suspect Mac and hold down the “T” key until a disk icon appears on screen. The suspect machine is now in Target Disk Mode.
  3. Connect the suspect machine to your examination workstation. Target Disk Mode supports FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3 (USB-C) ports. Once the suspect drive appears in MacForensicsLab’s Device area, you can proceed with acquiring an image of it (note: the suspect drive will not appear on the desktop as Disk Arbitration is disabled).
  4. Once the image has been created, you can hold down the power button on the suspect machine until it powers itself off. Then disconnect it from the examination machine.
Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

 


Starting Points For A Mac OS X Investigation

When processing an investigation of a suspect’s Mac OS X hard drive using MacForensicsLab, there are several places where you may want to start your search. These folders are present on all versions of Mac OS X and contain a great deal of information that will help the investigator to show intent and may also give them a better idea of where to look next.

A good place to start forensic discovery on any Mac OS X machine is inside the /Users/USERNAME/ folder. Within this folder you can find sub-folders containing large amounts of user data. Many peer-to-peer applications create folders here, and many times there are other user-created folders found here as well.

The /Users/USERNAME/Library folder and its sub-folders hold a vast amount of usable forensic material. Some sub-folders of interest are: Caches, Calendars, Cookies, Keychains, Logs, Mail, Preferences, Recent Servers, and Safari. Any of these can be examined with MacForensicsLab’s Analyze function or the Salvage function, depending on the kind of data discovery you are after.

The /Users/USERNAME/Documents folder is the default save-to folder for many applications, and many users use this folder to store everything from text documents to pictures and movies.

The /Users/USERNAME/Pictures folder is the default storage location for Apple’s iPhoto. Photos loaded into iPhoto are stored here in the iPhoto Library folder in versions before iPhoto ’08; in iPhoto ’08 the iPhoto Library folder is replaced by a package with the same name. Many users also use this folder to store images from other applications.

The /Users/USERNAME/Movies folder is the default storage location for many video editing applications, including Apple’s iMovie. Many users use this folder to store video files on their system.
 


Turning On Software Write Blocking

When creating a forensically sound image of a suspect drive, care must be taken to ensure that the suspect evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but will not allow the acquisition computer to write data to the drive, thus preventing the evidence from being compromised.

Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

If you do not have access to a hardware write blocker and need to image a suspect drive, you can use MacForensicsLab’s Disable Disk Arbitration option to disable writing to the drive.

The process to use MacForensicsLab to disable Disk Arbitration is as follows.

  1. Turn off Disk Arbitration from File menu. You can verify that it is disabled by attempting to launch Disk Utility. If Disk Arbitration is disabled, Disk Utility will not launch.
  2. Plug drive in/power-up or insert media card.
  3. Go back to File Menu and select “Rescan Bus”.
  4. Drive/media will now be visible within MacForensicsLab.
  5. Image drive with the Acquire function.
  6. Disconnect drive BEFORE turning Disk Arbitration back on the same way you turned it off.

MacForensicsLab highly recommends that a hardware write blocker be used when acquiring an image of a suspect drive.
 


Why Won’t My Acquired Disk Image Mount on The Desktop

Does your acquired disk image refuse to mount on the desktop? If you selected the option to turn off Disk Arbitration when MacForensicsLab launched, or disabled Disk Arbitration by selecting the option from the Window menu, Disk Utility will not be able to mount any images until Disk Arbitration is turned back on. This issue can be resolved using either of the options below.

Re-enabling Disk Arbitration can be done either by selecting the Disk Arbitration option from the Window menu within MacForensicsLab again and enabling it, or by rebooting your Mac. Many times Disk Arbitration is turned off and forgotten about because of MacForensicsLab’s ability to see drives at the device level: you can still work with disk images within MacForensicsLab without mounting them on the desktop as you normally would. If you are still having problems mounting disk images after re-enabling Disk Arbitration in MacForensicsLab, restart your computer.


MacForensicsLab Tips and Tutorials – Part Two


Erasing a Target Drive

This lesson demonstrates how to erase a target drive.


Securely erasing a drive overwrites the contents of the device to ensure that no data can be recovered. This process involves overwriting every block of data on the drive one or more times so that no trace of the previous information on the device remains. Simply deleting the data on a drive does not actually erase it; it only frees that space to be overwritten by new data.

Before imaging a suspect device to a target drive, the investigator must first wipe the existing data on the target drive. This ensures that the target drive is free of any information from previous investigations and preserves the integrity of the suspect evidence. Clearing the target drive can be done using either Apple Disk Utility or MacForensicsLab.

Using Apple Disk Utility to erase your target drive

Locating the Applications folder on Mac OS X

To clear the acquisition drive using Apple Disk Utility, first open the Mac’s hard drive and locate the Applications folder and open it.

Finding the Utilities folder in Mac OS X

Find the Utilities folder and open it.

Finding Disk Utility in Mac OS X

Locate and open the application Disk Utility.

Setting up Disk Utility to wipe an acquisition drive

First select the target drive you wish to wipe by clicking it on the left side. Next click the "Erase" toolbar option at the top of the window. Finally click the Security Options… button at the bottom of the window. If you would like, give the drive a name by entering it in the name area.

Selecting secure erase options in Disk Utility

In the Secure Erase Options the investigator can then select the desired method of erasing. Then click OK.

Secure erasing a drive

Click the Erase button to start erasing the target drive. A progress bar will indicate the status of the device erasure.

Using MacForensicsLab to erase your target drive

Selecting device to erase with MacForensicsLab

First select the target drive you would like to erase in the Device area of MacForensicsLab in the upper left corner.

Selecting Clear Work Drive in MacForensicsLab

With the desired device selected, go to the File menu and select Clear Work Drive.

Selecting secure erase options in MacForensicsLab

Select the number of passes you would like to make when erasing the data on your target drive. This can be done by either using the slider or entering the desired number in the box. When you have set the desired number of passes, click the Start button.

Operation cannot be undone

MacForensicsLab will inform you that the operation cannot be undone. Make sure you have selected the correct device and then click the OK button.

MacForensicsLab secure erase status

The shred process will begin and a status window will show the current progress of the task. When the device has been erased the software will notify the user that the process has completed.
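The two tools above wipe the target drive but neither shows you how to confirm the result. The following is an added example, not MacForensicsLab code: it overwrites a stand-in for the target drive the requested number of passes (random data, then a final zero pass) and then reads every byte back to confirm the media is sterile before an image is written to it. It works on an ordinary file; on a real run the path would be the raw device, and the 1 MiB write size is this example's own choice.

```python
"""Wipe a target (acquisition) drive and confirm it is sterile before imaging."""
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB per write (assumption; any multiple of the sector size works)


def device_size(fh):
    """os.path.getsize reports 0 for a block device, so measure by seeking to the end."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def wipe(path, passes=1):
    """Overwrite every byte `passes` times: random data on all but the last pass,
    zeros on the last pass so the result can be verified. Returns bytes per pass."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    with open(path, "r+b") as fh:
        size = device_size(fh)
        for n in range(1, passes + 1):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = min(BLOCK, remaining)
                fh.write(os.urandom(chunk) if n < passes else b"\x00" * chunk)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # force the pass through the page cache to the media
    return size


def first_nonzero(path):
    """Offset of the first non-zero byte, or None when the whole device reads as zeros."""
    offset = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                return None
            if chunk.count(0) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)


def is_sterile(path):
    return first_nonzero(path) is None


def demo(size=3 * BLOCK + 123, passes=3):
    """Constructed stand-in for a reused target drive: 100 zero bytes followed by
    data left over from an earlier case. Returns (first_nonzero_before, bytes_wiped,
    sterile_after)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"\x00" * 100 + b"leftover from a prior case".ljust(size - 100, b"\xa5"))
        before = first_nonzero(path)
        written = wipe(path, passes)
        return before, written, is_sterile(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```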

 


Finding Child Pornography with the Skin Tone Analyzer

This lesson demonstrates how to use the skin tone analyzer feature of MacForensicsLab.

The distribution of child pornography is one of the most disturbing cyber crimes. With the growth of the internet and the ease of file sharing, it has become a worldwide issue, and dealing with the sexual exploitation of children has become a major task for law enforcement around the world. These cases sometimes involve thousands of images, and finding the right ones can become a huge task.

Finding the digital evidence can be a real headache when it’s mixed in with thousands of unrelated images. To make an investigator’s job easier, MacForensicsLab offers a built-in skin tone analyzer. This feature quickly filters out images of interest based on a number of user-entered parameters. The investigator can filter their results based on any combination of the following criteria:

  • Percentage of skin tone contained in the image.
  • Minimum and maximum file size.
  • Vertical and horizontal minimum and maximum pixel size.

You can use the browse function to quickly locate and display potential evidence of child pornography.

By using these simple parameters an investigator can narrow a search for suspect images down from hundreds of thousands to just a couple hundred (or even less). This can save the investigator hours of time that would have been spent manually searching through images that had no relevance to their case.


Forensic Image Hash Validation

The ability to obtain a valid forensic image is critical to the successful completion of a forensic examination. Therefore, as with all forensic tools, it is incumbent upon the examiner to validate their current tools against well documented and validated tools; this should be done every time there is an update to your software.

As an example, to validate a forensic image acquired under MacForensicsLab, open a terminal window and type openssl md5 followed by the path and device name (e.g. openssl md5 /dev/rdisk1), then compare the output with the hash reported by MacForensicsLab; they should match.
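The same independent check, as an added example that is not MacForensicsLab's or openssl's code: it streams a source device and the acquired image through hashlib, compares the digests, and normalises the labelled, mixed-case output that tools such as openssl print (e.g. `MD5(/dev/rdisk1)= ...`) before comparing. The device and images in `demo()` are constructed temporary files.

```python
"""Independently verify an acquired image's hash against its source."""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads: a whole-disk hash never needs the disk in RAM


def hash_path(path, algorithm="md5"):
    """Stream a file or raw device (e.g. /dev/rdisk1) through hashlib."""
    h = hashlib.new(algorithm)
    with open(path, "rb", buffering=0) as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(reported, computed):
    """Compare digests from two tools. openssl prints 'MD5(/dev/rdisk1)= <hex>' and
    some tools print upper case, so strip any label and normalise case first."""
    def norm(s):
        return s.strip().rsplit("=", 1)[-1].strip().lower()
    a, b = norm(reported), norm(computed)
    return bool(a) and a == b


def verify_image(source, image, algorithm="md5"):
    """Hash source and image; the acquisition is valid only if they are identical."""
    src, img = hash_path(source, algorithm), hash_path(image, algorithm)
    return {"algorithm": algorithm, "source": src, "image": img, "valid": src == img}


def _write(dirname, name, data):
    path = os.path.join(dirname, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed data: a pretend device, a bit-for-bit image of it, and an image
    with one flipped byte. Returns (good_valid, bad_valid, labelled_match, md5_of_abc)."""
    with tempfile.TemporaryDirectory() as d:
        data = os.urandom(CHUNK + 17)  # constructed, not evidence
        dev = _write(d, "rdisk1", data)
        good = _write(d, "good.dd", data)
        bad = _write(d, "bad.dd", data[:-1] + bytes([data[-1] ^ 0x01]))
        abc = _write(d, "abc", b"abc")  # known-answer input for the hash routine
        good_ok = verify_image(dev, good)["valid"]
        bad_ok = verify_image(dev, bad)["valid"]
        labelled = digests_match("MD5(%s)= %s" % (dev, hash_path(dev).upper()),
                                 hash_path(good))
        return good_ok, bad_ok, labelled, hash_path(abc, "md5")


if __name__ == "__main__":
    print(demo())
```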


Forensic Imaging of the Amazon Kindle

The Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, its popularity looks set to continue to increase. The Kindle can store a wealth of information, not limited to ebooks but also notes, music, search information, and other items of interest to a forensic investigator. It can also be used as a USB storage device. With 4GB of internal storage, the Kindle 3 can hold a wealth of data. Other Kindle models have less internal storage but can still hold valuable suspect data.

Examining the Amazon Kindle

Connecting the Kindle

Amazon Kindle 3 connected via USB

The Kindle uses a standard Micro USB cable (not to be confused with Mini USB, which looks similar but is slightly larger). Attach a Micro USB to USB cable to the USB port on the Kindle and plug the standard USB end into a USB write blocker, such as the WiebeTech USB WriteBlocker, then connect the write blocker to the forensic workstation (first making sure to disable Disk Arbitration on the Mac, for an extra layer of protection against accidental mounting of the device).

Imaging the Kindle

Selecting the Kindle device for forensic imaging in MacForensicsLab

Once the Kindle has been connected to a USB write blocker and the write blocker to the forensic workstation, the device should appear in the MacForensicsLab Device/Volume area. Select the "Kindle Internal Storage" device from the Device/Volume area and then click Acquire at the bottom of the window. Set your imaging options and then run the acquisition. Once the imaging is complete (it should take only a couple of minutes), detach the Kindle device using the Detach option in the ‘File’ menu of MacForensicsLab and then physically detach the device from the forensic workstation.

Examining the contents of the image

Once the device is detached, re-enable Disk Arbitration using the Disk Arbitration… option in the ‘Window’ menu. Next, select Attach Disk Image… from the ‘File’ menu. Select the Kindle image. You may now use MacForensicsLab to examine the contents of the Kindle for items of forensic interest.

Contents of the Amazon Kindle for forensic examination.

 


Hardware and Software Write Blocking

When creating an image of a suspect drive, the investigator needs to ensure that the evidence is not altered and remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all acquisitions are done using a combination of the two.

If you are using a hardware write blocker attached to the suspect drive to be acquired or examined, remember to check the jumper settings. In most cases and with most hardware, the jumpers on the drive must be set to Master (consult the drive manufacturer’s website for information on jumper settings for your specific drive model). If the drive does not appear in the device window of MacForensicsLab after a rescan (you can manually rescan the bus by selecting “Rescan” from the File menu), check to make sure that the jumper settings are set to Master on the drive/device.

To enable software write blocking, inside MacForensicsLab turn Disk Arbitration off in the popup menu that appears at the start of the application, or select Disk Arbitration from the Window menu and disable it there. Disk Arbitration is a background process in Mac OS X that is always running. When Disk Arbitration detects a new storage device it automatically mounts it with write access if available. By disabling it you prevent the suspect drive from being mounted and ensure that it cannot be written to. Disk Arbitration will stay off until you enable it again from the Window menu or you reboot.

Warning
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

MacForensicsLab Tips and Tutorials – Part One

Tips and Lessons – MacForensicsLab



Adding a Case in MacForensicsLab

This lesson demonstrates how to add a case using MacForensicsLab.

Open Preferences Window

Select MacForensicsLab from the Main Window and select Preferences (or from the Main Window use the keyboard shortcut Command + ,).

Select Cases

Select the Cases tab from the Preferences Window.

Add a Case

In the lower left corner, select the “+” button to add a new case.

Give the Case a Name

Delete the default Case ID 1 and give the new case a name (1), then fill out the Description field (2) to give additional case details.

Complete Case Information

Complete the case information (1 and 2) and then select “Save” (3).

Confirm the New Case was created in the Preferences Pane

Confirm the new case was created by reviewing the Preferences Pane (which automatically displays when you select Save in the previous step).


Adding a Disk Image in MacForensicsLab

This lesson demonstrates how to add a disk image to a case.

Attach a Disk Image

From the Main Window, select “File” (1) and from the drop down list “Attach Disk Image” (2).

Navigate to Disk Image

From the Navigation Window that appears, navigate to and select the desired disk image.

Select Open to Attach the Disk Image

Once you have selected the desired disk image, select “Open” to attach the disk image.

Confirm Disk Image has been attached

Confirm the disk image has been attached from MacForensicsLab’s Main Window, which appears automatically after selecting the disk image.


Adding Exported Files into a Report in MacForensicsLab

This lesson demonstrates how to add exported files back into the case so they can be bookmarked and added into the report.

Navigate to the exported folder containing the exported files

Open a navigation window (Finder) and navigate to the location of the exported files folder. In this example, I have Salvaged JPEG files onto the Desktop (1) and (2) into a subfolder named "JPEG" (3).

Open Disk Utility

Open the Disk Utility application located in the Applications -> Utilities folder.

Create a “Disk Image from Folder” using the exported folder

From within Disk Utility select "File" from the Main Window and "New -> Disk Image from Folder" from the drop down list.

Navigate to the Exported Folder

Navigate to the location where the exported folder is located (1), select it and select "Image" (2).

Name the new disk image

Name the new disk image (1), leave all the defaults in place (image format and encryption) (2), then select "Save" (3).

Enter your password

Enter your password to create the disk image.

Quit Disk Utility

Once the disk image is created (1), quit the Disk Utility application (2).

Navigate to new disk image

Open a navigation window (Finder) and navigate to the new disk image.

Lock the new disk image

Once you have navigated to the new disk image, use Get Info (Command + I) to see its properties (1). From within the Get Info window, select the "Locked" checkbox to lock the image (2), preventing changes to the disk image.

Attach Disk Image to Case

From the MacForensicsLab Main Window, select "File" (1) and "Attach Disk Image …" (2) from the drop down list.

Navigate to the Disk Image

When the navigation box opens, navigate to your newly created and locked disk image (1) and select "Open" (2).

Highlight Volume of new disk image

From within MacForensicsLab’s Main Window, select the Volume of the new disk image (1), then select the Browse function at the bottom of the Window (2).

Configure the Browse Window

Be sure that only the "Images Only" checkbox is marked (1), then select Browse (2).

Select all Files for Bookmarking

Select all the files by highlighting one and pressing Command + A.

Add Bookmark

From MacForensicsLab’s Main Window, select "Bookmarks" (1) and "Add Bookmark" from the drop down list (2).

Select Bookmark Folder

Select the appropriate bookmark folder from the drop down list. In this example, I bookmarked all the files into the "suspicious images" bookmark folder.

Create the Bookmark

Once the appropriate bookmark folder is selected (1), select "Bookmark" (2).

Open Bookmarks

From MacForensicsLab’s Main Window select "Bookmarks" (1) and "Show All Bookmarks" from the drop down list (2).

Review new bookmarks

Select the appropriate bookmark folder (1) and review the newly created bookmarks (2).

Generate a report

From MacForensicsLab’s Main Window, select "File" (1) and "Write Report" from the drop down list (2).

Select the “Bookmarks” type checkbox

Select the Bookmarks type check box (1) to include the new bookmarks in your report, then select "Start" (2).

Save Report

Select a location to save your report to (1) and select "Choose" (2).

Review Bookmarks

From within the newly created report, review the newly created bookmarks.


Creating a Custom Bookmarks Folder in MacForensicsLab

Open Bookmarks Window

From MacForensicsLab’s Main Window select “Bookmarks” (1) and from the drop down list “Show All Bookmarks” (2).

Add a Custom Bookmark Folder

To add a custom bookmark folder, select the “+” button at the bottom of the screen.

Name the Custom Bookmark Folder

After selecting the “+” button, a text box opens, enabling you to enter a name for the custom bookmark folder.

Add the Name of the Custom Bookmark Folder

Type in the name of the Custom Bookmark Folder and press “Enter.”

Add a description to the Custom Bookmark Folder

With the newly created Custom Bookmark Folder highlighted (1), enter a description of the bookmark folder contents in the text box at the bottom of the screen (2).


Credit Card and Social Security Number Searching

Identity theft is a growing issue. With phishing scams and corporate theft, it’s an issue that can affect everyone, even those not online. MacForensicsLab has a built-in credit card and social security number (SSN) scanner. This powerful feature allows investigators to zero in on identity theft information. Not only does it search for what appear to be credit card numbers embedded within files, it also validates them to make sure they are true credit card numbers. No other tool offers this feature.

Credit card number and social security number searching to track down fraud evidence can be done easily with MacForensicsLab

Select the device, folder, or file you’d like to scan and click the “Search” function button. At the bottom of the Search window are two check boxes, one for Credit Cards and the other for SSN. Check one or both of these and click the "Search" button to scan the selected data. MacForensicsLab will then scan and show you any files containing credit card or social security numbers.
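What "validates them" means in practice: a candidate digit run is only reported as a card number if it passes the Luhn check that every major card brand uses, and an SSN only if its area, group and serial fall in ranges the SSA actually issues. The following is an added example of that filtering, not MacForensicsLab's scanner; the regexes, the SSN rules and the sample text are this example's own, and the card numbers in the sample are the public brand test numbers.

```python
"""Find credit card numbers and SSNs in text, keeping only validated hits."""
import re

# Candidate card: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side (so a 20-digit run is not "a card").
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the usual AAA-GG-SSSS form (unseparated SSNs are not handled here).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits):
    """Luhn mod-10 check; about 90% of random digit runs fail it, which is what
    removes phone numbers, part numbers and similar false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_credit_cards(text):
    """Return Luhn-valid card numbers found in `text`, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    """Return structurally valid SSNs found in `text`."""
    return [m.group(0) for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]


def scan(text):
    return {"credit_cards": find_credit_cards(text), "ssns": find_ssns(text)}


# Constructed sample: one valid Visa and one Amex test number, one Visa with a
# corrupted check digit, a phone number, one issuable SSN and three that are not.
SAMPLE = (
    "Order 4111 1111 1111 1111 shipped; backup card 4111-1111-1111-1112 declined.\n"
    "Amex on file: 378282246310005. Phone 555-123-4567 is not a card.\n"
    "Applicant SSN 123-45-6789, test SSN 000-12-3456, invalid 666-01-0001,\n"
    "serial number 987-65-4321 part#.\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```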


Customize the Report within MacForensicsLab

This lesson will demonstrate how to customize the Report by altering default files and adding files that the examiner wants added to every case thereafter.

The MacForensicsLab Templates Folder

The first time a report is generated using MacForensicsLab, a folder called "MacForensicsLab Templates" is created in the same location that the MacForensicsLab application was installed.

The Supplementary Files Folder

Contained within the MacForensicsLab Templates folder is a folder named Supplementary Files. This folder, by default, contains three template files: Agency, Investigator and Software Tool. These files are designed to be customized by the user.

Customizing a Default File

To customize a default file located within the Supplementary Files folder, simply double click on the file to open it, make changes to the file, then save your changes. In this example, the "Agency.rtf" file has been customized.

Write a Report

To generate a report in MacForensicsLab, select "File" from the Main Window and "Write Report …" from the subsequent drop down list.

Setting up the Report

A report dialogue box opens; select the items you want to appear in the report by checking the appropriate checkbox (1) and then select "Start" (2).

Select a Location for the Report

Once the "Start" button is selected in the previous step, a navigation window opens; select the location for the report to be written to (1) and select "Choose" (2).

Default Supplementary Files in the Report

There are three default files in the Supplementary Files section, which are designed to be customized by the user; these files are Agency.rtf, Investigator.rtf and Software Tool.rtf.

Adding Additional Files to the Supplementary Files folder

In MacForensicsLab you can add as many files as you like to the Supplementary Files folder. These files will remain resident in every case thereafter. This is a great way to reduce the time it takes to continually generate documentation that does not change from case to case. In this example, I would like to add a file called "Glossary of Computer Related Terms" into all of my reports. The first step is to open a navigation window (Finder) and navigate to the desired file.

Add File to the Supplementary Files folder

Copy or move the desired file into the MacForensicsLab Templates -> Supplementary Files folder.

Generate the New Report

Once the report is written it will automatically launch. Observe that the new file "Glossary of Computer Related Terms.pdf" has been added into the report.

Open new file

Click the hyperlink to the newly copied file to open it.


General Forensics Tips for Windows Platform


Disabling Windows BitLocker Encryption

BitLocker is a new drive encryption technology introduced with the Windows Vista operating system. With BitLocker enabled, all files on a personal computer's hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk encryption can pose a problem for forensic investigators, and additional steps must be taken to ensure access to suspect data.

When an investigator comes across a running Windows Vista system, they should first determine which version of Windows Vista the suspect system is running. As only Vista Enterprise and Ultimate offer BitLocker drive encryption, investigators can disregard the further steps on other versions.

Once an investigator has determined that the system is running either Windows Vista Enterprise or Ultimate, the next step is to determine if BitLocker is running. The easiest way to determine this is through the BitLocker configuration in the Control Panel. If BitLocker encryption is running, use the following steps to disable it.

Disabling BitLocker does not decrypt the suspect data which would alter each file. Instead it stores the encryption key on the disk so that it can be decrypted when it is booted or accessed without the need for the startup key or numerical password.

The following command shows how to disable BitLocker from the command line:

cscript manage-bde.wsf -protectors -disable c:

The above command disables BitLocker (it does not decrypt the drive). The drive can then be attached to another Vista machine using a hardware write blocker and all the data will be visible. The investigator can then image the suspect drive.

The investigator should also obtain the BitLocker numeric recovery password to ensure later access to the drive for imaging should it be needed.

The following command will display the BitLocker numerical recovery password:

cscript manage-bde.wsf -protectors -get c:


Disabling Windows Autorun

Care needs to be taken when examining suspect USB thumb drives and CDs. These types of media may contain autorun viruses and malware that could potentially infect the investigator's workstation. Steps should be taken to disable autorun on Windows computers to decrease the chance of damage by malware. By disabling autorun on a Windows machine the investigator stops programs that may attempt to run when suspect media is attached. Disabling autorun will also stop MacLockPick from accidentally being run on an investigator’s forensic examination station; it may still be run manually.

To protect your Windows forensic workstations, follow these steps:

Copy and paste the following into a .reg file and merge it into the registry.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

More information on disabling Windows Autorun can be found here:

http://support.microsoft.com/kb/953252


Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. As of June 2007, Firefox is estimated to make up 14.55% of the world’s web browsers. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles/<profile>/
Windows XP & 2000: C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\
or
C:\Windows\Profiles\<username>\Application Data\Mozilla\Firefox\Profiles\
Windows NT 4.x: C:\Winnt\Profiles\<username>\Application Data\Mozilla\Firefox\Profiles\
Unix: ~/.mozilla/firefox/<profile>/

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites to never save the passwords for. The encryption key is contained in the file called key3.db

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.

Update!

If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.


Viewing Recently Accessed Windows Files

The Windows Registry stores a wealth of information that can be helpful to a forensic investigator during an examination. Knowing which documents were recently accessed on a suspect's Windows machine can point an investigator to files of interest, along with helping to show proof of intent.

The following key and it’s associated sub-keys contain a fairly comprehensive list of files that were opened while that account was logged in:

HKEY_USERS\’username’\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
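The RecentDocs key above does not list documents in a readable order by itself: each numbered value starts with the document name as null-terminated UTF-16LE text, and the MRUListEx value gives the most-recent-first order as little-endian 32-bit indices ending in 0xFFFFFFFF. The following is an added example (not MacForensicsLab code) that orders the values the way a reviewer wants to read them; the sample values are constructed here, standing in for values exported from a suspect hive, and assume that usual layout.

```python
"""Order a RecentDocs key's values by its MRUListEx (added example, not MacForensicsLab code)."""
import struct


def _entry(name: str) -> bytes:
    # Constructed stand-in for one numbered RecentDocs value: the document name,
    # a UTF-16 null terminator, then bytes standing in for the shell item that
    # names the matching .lnk shortcut.
    return (name.encode("utf-16-le") + b"\x00\x00"
            + b"\x14\x00" + (name + ".lnk").encode("utf-16-le") + b"\x00\x00")


# Constructed sample of the values found under ...\Explorer\RecentDocs.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),  # 2 is most recent
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "2": _entry("shipping_labels.pdf"),
}


def parse_mrulistex(blob: bytes) -> list:
    """Return the index order stored in MRUListEx, stopping at the 0xFFFFFFFF terminator."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]  # ignore a ragged tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def document_name(blob: bytes) -> str:
    """Extract the UTF-16LE document name that starts a RecentDocs value."""
    # Stop at the first UTF-16 null on an even boundary; everything after it
    # is the shell item, which we do not need for the name.
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le", errors="replace")
    return blob.decode("utf-16-le", errors="replace")


def recent_documents(values: dict) -> list:
    """Return document names from most to least recently opened.

    Numbered values missing from MRUListEx are appended in numeric order so
    nothing is silently dropped; a missing MRUListEx falls back to numeric order.
    """
    numbered = {int(k): v for k, v in values.items() if k.isdigit()}
    order = parse_mrulistex(values.get("MRUListEx", b""))
    seen = [i for i in order if i in numbered]
    seen += sorted(i for i in numbered if i not in seen)
    return [document_name(numbered[i]) for i in seen]


if __name__ == "__main__":
    for name in recent_documents(SAMPLE_RECENTDOCS):
        print(name)
```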


Flash Drive Registry Information

USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at is the set of entries recording where devices have been attached, especially USB devices, and to grab the information regarding the device manufacturer and serial number if it has one.

Also there is an entry that is keyed to the mounted device volume letter. The letter is not that important, but I think there is a date associated with the last time the device was written. This would be of value during a forensic exam.

USB thumb drives sometimes have a registry entry indicating that they are CD-ROM drives, so be aware of that.

Thanks to Tim Clark for this information.


General Forensics Tips

Recognizing Potential Evidence

The following is taken from the United States Secret Service’s Best Practices For Seizing Electronic Evidence. We highly recommend you read the entire article located here, as it contains lots of good information regarding electronic evidence.


Recognizing Potential Evidence

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  • Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?

  • Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

  • Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?

  • Is the computer system both instrumental to the offense and a storage device for evidence?
    For example did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is understood, the following essential questions should be answered:

  • Is there probable cause to seize hardware?
  • Is there probable cause to seize software?
  • Is there probable cause to seize data?
  • Where will this search be conducted?
    • For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    • If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    • Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?

Source: US Secret Service


Quick Tips – MacLockPick

This page contains useful tips on how to use MacLockPick not found in the manual.


Choosing a USB Port for MacLockPick

Up until the release of Apple’s aluminum keyboard, all Apple-branded keyboards featured USB 1.1 ports. Because of the much higher data transfer speed of USB 2.0, we recommend that investigators plug the MacLockPick thumb drive into the Mac computer itself instead of into the keyboard. This will ensure the fastest auditing speeds.

Filtering with MacLockPick

This lesson is designed to demonstrate how to use the filter feature in MacLockPick.

1. Insert MacLockPick into USB Port

Insert MacLockPick into the USB port

This demo is done using Mac OS X as the base system; however, the process, with slight modification, applies to other operating systems as well. Insert the MacLockPick into a USB port on the computer. The device will automount as depicted above.

2. Select for Configuration

Select MacLockPick for configuration

Two icons associated with MacLockPick are mounted on the Desktop, one named MACLOCKPICK and the other, depicted above, MacLockPick (OS X). Double click on the MacLockPick (OS X) icon.

3. Locate the Setup Application

Locate the MacLockPick Setup application

The contents of the MacLockPick (OS X) volume appear above. Select the Applications – OS X folder by double clicking on it.

4. Launch the Setup Application

Launch the MacLockPick Setup application

Select the MacLockPick Setup.app (depicted with the number 1 above) by double clicking on it to launch the application.

5. Create a Customized Plug-In

Create a customized plug-in for MacLockPick

The Setup application will open providing a list of all current plug-ins. To add a plug-in, select the “+” in the lower right corner.

6. The Plug-in Window

MacLockPick Plugin window

Once the “+” button is selected, the Plug-in window opens.

7. Name the Plug-in

Name the new plug-in within MacLockPick

The Plug-in window allows the user to name the plug-in (1) and define its type (2).

8. Design the Plug-in

Design the MacLockPick plug-in

The Plug-in design window is divided into three parts: the Plug-in Name, the Data and the Operating System. To create a custom filter that sorts through a folder and returns only the files with a .pdf extension, fill out the information depicted above. First, describe the plug-in (1), then enter the filter (in this case the .pdf extension). Since we will be finding a folder relative to the user, select buttons (3) and (4). Since we are expecting a relatively small output, keep the files and folders in their native format (5), meaning they will be exported directly rather than through the built-in MacLockPick Archive tool. Next enter the path to the folder (6), select the operating system the new plug-in pertains to (7) and select “Save” (8).

9. Checking the Plug-in

Checking the new MacLockPick plug-in

When you save the custom-built plug-in, the Setup window opens again, allowing you to review all the plug-ins, including your new one. Make sure your new plug-in is selected, as indicated by the checkbox to the right (1), then select “Quit” (2).

10. Run MacLockPick

Run MacLockPick

Once you quit the Setup window, you will be at the MacLockPick applications window. Double click the MacLockPick application to run it.

11. MacLockPick Completion

MacLockPick has completed running

Once MacLockPick completes its operations, the dialogue box shown above opens, informing the user that the results are located in the “MacLockPick Output Folder” (1). Select “OK” (2).

12. Locating the MacLockPick Output Folder

Locating the MacLockPick Output folder

From the Desktop, select the “MACLOCKPICK” icon (1) by double clicking on it.

13. Open the MacLockPick Output Folder

Opening the MacLockPick Output folder

As the volume opens, locate the MacLockPick Output Folder, double click it and select the appropriate result (results are arranged by username and date/time stamp).

14. Reviewing the Results

Reviewing the MacLockPick results

Locate the folder containing the MacLockPick output and open it by double clicking on it.

15. Reviewing the Filter Results

Reviewing the MacLockPick filter results

By default, the MacLockPick Output will contain several files: the .bash_history file (1), the Log Database (2) and a Screenshot (3) of the computer screen from which MacLockPick was run. In addition to these files will be any number of additional elements the user selected or created, in this case the results of the custom .pdf filter we created (4). Open the folder containing the .pdf filter results by double clicking on the appropriate folder (4).

16. Review the Custom Filter Results

Reviewing the custom MacLockPick filter results

Contained within the customized filter folder are the results of the search; in this case, only the .pdf files were exported from the folder (Dog_Training).



Searching MacLockPick Logs

MacLockPick extracts a wide range of valuable data from suspect machines and presents it in an easy-to-view format for the investigator. Even with the information clearly formatted, there can be a very large amount of suspect data to sort through to find what you are looking for. If you are looking for something specific, you can use MacLockPick’s Search feature. Simply click the “Find” button, enter your query and click “Find” again. All entries containing the searched term will be grouped together and highlighted at the top of the listing.



Exporting Data from the MacLockPick Logs

MacLockPick acquires lots of detailed information about a suspect, much of which can be very helpful in an investigation. When viewing the MacLockPick log file, the investigator can export all or a portion of the log data to a plain text file using the “Export” button. Simply highlight the information you would like exported (choose “Select All” from the Edit menu to export everything in the log file) and then click “Export”. Name your exported text file and select the location to save it to.


General Forensics Tips for Mac Platform

Find the Last Server a User was Connected to in Mac OS X

Mac OS X makes connecting to remote servers very easy. Retrieving information about servers a suspect has connected to can help an investigator find other resources that should be investigated or help prove intent. Mac OS X logs these connections along with other information that may be of interest to an investigator.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.finder.plist. Within that file you will find “FXConnectToLastURL”, which records the last file server your suspect connected to. The entry “CFURLAliasData” holds the names of file servers accessed, disk images mounted, and sometimes names of DVDs (although these seem to be Apple-authored only) that have been mounted in the Finder. The entry “recent-folders” shows the last batch of folders that were accessed.



Resetting the Admin Password in Mac OS X

The easiest way to bypass the administrator password is to remove the drive, attach it to another machine or a forensic station, and use MacForensicsLab to image the drive. That said, if for some reason you need to keep the drive inside the machine, you can reset the system administrator password using the Mac OS X installation CD/DVD.

An easy way to reset passwords is to boot from the original OS install CD/DVD and select Password Reset from the Utilities menu.

On Macs without CD/DVD drives, you can reboot the Mac into OS X Utilities mode by restarting the machine and holding down Command-R. Once OS X Utilities appears on-screen, select Terminal from the Utilities menu. At the prompt, enter resetpassword and press Enter.

A Reset Password window will appear. You can select the volume you would like to have the Admin password reset, and then enter a new password for the selected volume.

Doing this destroys the forensic integrity of the suspect drive, so make sure you do it on a copy of the suspect drive.



Finding Recent Google Searches

Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it is very likely that search information can be found if a suspect uses Safari. Knowing what a suspect recently searched for can be helpful to an investigator or help prove intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.Safari.plist (this is the main plist that needs to be trashed if Safari crashes on opening or pages refuse to load). This file contains a section titled "RecentSearchStrings": the last 10 items searched for in the Google toolbar of Safari. Clearing the browser history in Safari does not clear this information. The same file also shows the most recent files downloaded from Apple and the last search made on the Apple website.



Finding Disk Images that Have Been Burnt to CD/DVD

Disk images (.dmg) are very common on Mac OS X. Disk images support both compression and password protection, so they are widely used for distributing software over the internet. When opened, disk images mount as a drive in the Finder.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.DiskUtility.plist. Inside this file is a section called “DUSavedDiskImageList” that shows the most recent disk images that have been used and burned by Disk Utility, including their pathnames. It also gives the name and serial number of the device that burned them.



Finding the Last iPod Connected to Mac OS X

iPods are popular devices for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by the system. Being able to prove that a specific iPod was connected to a suspect machine can be beneficial to an investigation.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.iPod.plist. This file shows the serial number, firmware, and model of the last Apple iPod connected to the suspect machine. This allows the investigator to track down the iPod used and see if it may contain further evidence.



Finding Recently Viewed Pictures in Mac OS X

The default image viewer in Mac OS X is Preview. It is a popular program for viewing images as it supports a large number of file formats and provides a simple user interface. Finding recently viewed images can help direct an investigator to files of interest or help prove intent.

Use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.Preview.bookmarks.plist. This file lists files recently opened in Preview.app (newest on top), including the path to each file on local drives and network file servers.



Recently Accessed Items in Mac OS X

Showing the applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number, but most leave it at the default.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.recentitems.plist. Inside this file you will find the recent applications, documents, and servers accessed on the suspect computer. The lists include applications and documents on local and network drives and record the user that accessed the file (the user may differ when the item was accessed on a remote server). It also shows PC shared files accessed through a Workgroup and the access path used to open the files. The file pathnames may be the most forensically useful part, along with the applications used and documents opened.

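Both the Safari search list and the recent-items list above live in preference plists that are usually stored in binary form, so they read as garbage in a plain text view. The following is an added example (not MacForensicsLab code) that pulls out the Safari RecentSearchStrings and the recent applications, documents and servers from constructed copies of the two plists; it assumes the recent-items file keeps each category under a dict with a CustomListItems array of Name/Alias entries, and treats a missing key as "nothing recorded" rather than an error.

```python
"""Read Safari recent searches and Mac OS X recent items from preference plists (added example, not MacForensicsLab code)."""
import plistlib

# Constructed samples, written in binary form as found under ~/Library/Preferences.
SAMPLE_SAFARI_PLIST = plistlib.dumps(
    {"RecentSearchStrings": ["cheap flights", "secure erase drive", "dmg password"]},
    fmt=plistlib.FMT_BINARY,
)
PLACEHOLDER_ALIAS = b"\x00placeholder"  # stands in for opaque alias data
SAMPLE_RECENTITEMS_PLIST = plistlib.dumps(
    {
        "RecentApplications": {"CustomListItems": [
            {"Name": "Preview", "Alias": PLACEHOLDER_ALIAS},
        ]},
        "RecentDocuments": {"CustomListItems": [
            {"Name": "ledger.xlsx", "Alias": PLACEHOLDER_ALIAS},
            {"Name": "contacts.csv", "Alias": PLACEHOLDER_ALIAS},
        ]},
        "RecentServers": {"CustomListItems": [
            {"Name": "afp://fileserver.local", "Alias": PLACEHOLDER_ALIAS},
        ]},
    },
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_EMPTY_PLIST = plistlib.dumps({}, fmt=plistlib.FMT_XML)  # never-used profile


def load_plist(data: bytes) -> dict:
    """Parse a binary or XML plist; plistlib detects the format from the header."""
    obj = plistlib.loads(data)
    return obj if isinstance(obj, dict) else {}


def safari_recent_searches(data: bytes) -> list:
    """Return the RecentSearchStrings entries in the order Safari stored them.

    An absent key means nothing was ever searched from the toolbar (or the
    value was removed), so an empty list is returned rather than raising.
    """
    searches = load_plist(data).get("RecentSearchStrings", [])
    return [s for s in searches if isinstance(s, str)]


def recent_items(data: bytes) -> dict:
    """Return {category: [names]} for RecentApplications, RecentDocuments and RecentServers."""
    prefs = load_plist(data)
    result = {}
    for category in ("RecentApplications", "RecentDocuments", "RecentServers"):
        section = prefs.get(category, {})
        items = section.get("CustomListItems", []) if isinstance(section, dict) else []
        result[category] = [it.get("Name", "") for it in items if isinstance(it, dict)]
    return result


if __name__ == "__main__":
    print("Safari searches:", safari_recent_searches(SAMPLE_SAFARI_PLIST))
    for category, names in recent_items(SAMPLE_RECENTITEMS_PLIST).items():
        print(category, names)
```

On a real examination the two byte strings would be the contents of com.apple.Safari.plist and com.apple.recentitems.plist read from the image.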


Recently Opened QuickTime Files

QuickTime Player is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played in QuickTime Player can help an investigator show intent.

You can use the MacForensicsLab Analyze function to explore the following file: ~/Library/Preferences/com.apple.quicktimeplayer.plist. This file shows recently viewed movies and audio clips (any files opened in QuickTime Player.app). It also records “NSNavLastRootDirectory”, the default (last accessed) directory used when opening each movie. The pathnames and document names inside this file could be useful to your forensic investigation.



Finding Remote Desktop Connections

Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection.

You can use MacForensicsLab’s Analyze function to explore the following file: ~/Library/Preferences/com.apple.RemoteDesktop.plist. This file shows all the machines this Mac has controlled or viewed with Apple Remote Desktop, along with information about each connection such as the machine’s MAC address, IP address, name, and the time and date. The file can also store saved tasks for Apple Remote Desktop and other information of forensic interest. You can find more information on stored task data here.



View Web Cache Data on Mac OS X

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

You can use MacForensicsLab’s Salvage function to salvage the contents of these folders and show the cached information. This will show you websites that have been browsed whose files have not been overwritten, as well as cache files that have not been flushed.

  • The default web browser in Mac OS X is Safari. The Safari web cache is located at: ~/Library/Caches/Safari
  • The default storage location for Firefox’s web cache is: ~/Users/“USERNAME”/Library/Caches/Firefox/Profiles/”COMPUTERCODE.default”/Cache

There are a large number of other folders within the ~/Users/“USERNAME”/Library/Caches folder that may also be of interest to investigators. They can be viewed using the same process as the web caches.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is an easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.



Unfreezing A FireWire Bus That Has Hung

On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it.

If a hard drive freezes your FireWire bus and hangs your machine, you can cause the system to reset the bus by plugging a second device into the chain. The Mac will immediately rescan the bus, which will sometimes unfreeze it. If this fails to unfreeze the FireWire bus, you will need to shut the machine down and restart the computer. You can resume your drive acquisition in MacForensicsLab after unfreezing the bus by checking the “Resume a previous recover.” box under the Acquire function and selecting the previous image when prompted.



Sleepimage in Mac OS X

The sleepimage is a file Mac OS X uses to store the contents of RAM when a machine is put to sleep. This information is stored so the OS can restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping.

For an investigator, the sleepimage may contain information valuable to an investigation. It may show what a suspect was doing before they put their computer to sleep and may include incriminating evidence that could lead to a conviction.

The sleepimage file can be found at the following location on a Mac OS X system:
/private/var/vm/sleepimage

Please note that this is a hidden file that isn’t normally visible from the Finder. Computer forensics programs such as MacForensicsLab can be used to view the sleepimage location and the contents of the sleepimage file.



Finding the system time and date on a Mac


Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction.

Macs sold after March of 2001 will most likely have Mac OS X loaded on them and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).

Determining if a firmware password is set

Before you can boot into Single User Mode, you must first determine whether the user has set a firmware password on the system. A firmware password prevents the investigator from booting into Single User Mode to determine the system’s time and date. The firmware password can be reset, but doing so also resets the system time. To determine whether a firmware password is set, do the following:

  • Power on the Mac while holding down the Option key.
    • If you are presented with a screen showing the bootable partitions on the system, then there is no firmware password set.
    • If you are presented with a password screen, then there is a firmware password and you will not be able to boot into Single User Mode.
  • Once you have determined whether there is a firmware password, power the Mac down by holding the power button until the system powers off.

Finding the system date and time via Single User Mode

  1. Press the Power button and immediately hold down the Command (Apple) and S key. Doing so will make the Mac boot up in Single User Mode.
  2. Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer’s current date and time along with the user configured time zone.
  3. You can then power down the computer safely.

Another option for finding the Mac’s system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.



Finding the Original Registrant of Mac OS X


When Mac OS X is run for the first time after installation, the user is prompted to enter their registration information such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and also used to populate the administrator’s information within the Address Book and for auto-fill forms within Safari.

When attempting to locate the original registered owner of a Mac OS X installation with MacForensicsLab, look for the file titled “Sendregistration.setup” in ~Users/“USERNAME”/Library/Assistants/. In certain situations (e.g. when there is no internet connection at the time of registration) the file “Sendregistration.setup” remains in this directory and can contain the original registration content.

A secondary location for information on the original registrant of a computer running Mac OS X is the file titled AddressBookMe.plist, located in ~Users/“USERNAME”/Library/Preferences/. Using MacForensicsLab’s Analyze function (ASCII view within that section) on that file will reveal the original owner’s registration.





iPhone Artifacts

iPhones and iPod Touches with firmware version 2.0 or later call home periodically to see if any applications have been blacklisted by Apple. This allows Apple to disable malicious applications on users’ iPhones and iPod Touches. The iPhone and iPod Touch check the following URL for blacklisted applications:

https://iphone-services.apple.com/clbl/unauthorizedApps

 


Recovering Email from Mac OS X Mail

Since the release of Mac OS X, Mail.app has been the default email application. Mail stored emails in .mbox files up until the release of Mac OS X Tiger 10.4, at which point Apple changed the default format to .emlx. The instructions below outline the process used to recover and investigate the contents of these formats.

When looking for email on a suspect Mac OS X drive, the standard location for stored email is ~/Users/“USERNAME”/Library/Mail.

You can use either the Analyze or Salvage functions of MacForensicsLab to examine Mail files.

  • To use the Analyze function, use a search query of “.mbox” for systems running Mac OS X 10.0–10.3 and “.emlx” for Mac OS X 10.4 Tiger and higher.
  • When using the Salvage function, direct the search to ~/Users/“USERNAME”/Library/Mail and do a Salvage of that location. Both .mbox and .emlx files will be found automatically.
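Once .emlx files have been located or salvaged, each one is a byte count on its first line, the RFC 822 message itself, and an XML plist trailer holding Mail's own metadata (flags, date-received). The following is an added example (not MacForensicsLab code) that splits a file on that layout, refuses a truncated or badly carved file instead of returning a mangled message, and orders messages by delivery time; the two sample files are constructed here.

```python
"""Parse Mail.app .emlx files and rank messages by delivery time (added example, not MacForensicsLab code)."""
import email
import plistlib
from email import policy


def make_emlx(raw_message: bytes, meta: dict) -> bytes:
    """Build a constructed .emlx: length line, raw message, XML plist trailer."""
    trailer = plistlib.dumps(meta, fmt=plistlib.FMT_XML)
    return str(len(raw_message)).encode() + b"\n" + raw_message + trailer


# Constructed samples; date-received is a Unix timestamp as Mail stores it.
SAMPLE_EMLX_1 = make_emlx(
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: Shipping labels\r\n"
    b"Date: Mon, 02 Jun 2008 09:12:00 +0000\r\n\r\nLabels attached, print before noon.\r\n",
    {"date-received": 1212397920, "flags": 8590195713},
)
SAMPLE_EMLX_2 = make_emlx(
    b"From: carol@example.test\r\nTo: bob@example.test\r\nSubject: Re: meeting\r\n"
    b"Date: Tue, 03 Jun 2008 15:00:00 +0000\r\n\r\nSee you at 4.\r\n",
    {"date-received": 1212505200, "flags": 1},
)


def parse_emlx(data: bytes):
    """Return (parsed message, metadata dict) for one .emlx file.

    The length prefix is checked against the file size first, so a truncated
    or carved fragment raises ValueError instead of yielding a half message.
    """
    newline = data.find(b"\n")
    if newline < 0:
        raise ValueError("no length line")
    length = int(data[:newline].strip())
    start = newline + 1
    if length < 0 or start + length > len(data):
        raise ValueError("length prefix exceeds file size (truncated .emlx?)")
    raw = data[start:start + length]
    trailer = data[start + length:].strip()
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = plistlib.loads(trailer) if trailer else {}
    return msg, meta


def summarize(data: bytes) -> dict:
    """Flatten one message into the fields an examiner scans first."""
    msg, meta = parse_emlx(data)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "date_received": meta.get("date-received"),
        "body": body.get_content().strip() if body is not None else "",
    }


def by_delivery_time(files: list) -> list:
    """Newest first, so the most recent traffic surfaces at the top of a review."""
    return sorted((summarize(f) for f in files),
                  key=lambda s: s["date_received"] or 0, reverse=True)


if __name__ == "__main__":
    for entry in by_delivery_time([SAMPLE_EMLX_1, SAMPLE_EMLX_2]):
        print(entry["date_received"], entry["from"], entry["subject"])
```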

Tips – Field Triage (M – Z)

Here’s part two of our Field Triage Tips (M – Z).

Forensic triage is the practice of searching and analyzing a digital device (computer, smart phone, or tablet) in the field or at the crime scene. In many investigations crucial digital evidence is needed while still at the scene. The traditional method of seizing a device, transferring it to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, where every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.



MacLockPick

MacLockPick adheres to commonly held forensic principles and does not negate the ability to transfer systems/storage media back to the lab for more detailed investigation after field triage has concluded.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment fraught with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally the difference between life and death for the victim.

MacLockPick is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB flash drive that is inserted into a suspect’s running computer. Once the MacLockPick software is run, it extracts the requisite data, providing the examiner fast access to the suspect’s critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick is the only cross-platform solution on the market and therefore the best chance of successfully capturing data critical to any investigation involving running computers. In addition, MacLockPick is minimally invasive, providing results that can hold up in a court of law.



Maintain the Validity of Evidence

Triage tools are a powerful addition to any forensic investigator’s toolbox. One important aspect of a triage tool is that it minimizes the chance of costly mistakes and the potential of altering a suspect’s system in a way that causes loss of evidence. First responder triage tools like MacLockPick are designed to minimize the footprint left on the suspect system and ensure that the validity of the suspect evidence is maintained.



Modification of Suspect Systems

One concern some have with live forensics is the risk of modifying data on the suspect machine and thereby making the evidence inadmissible in court. A good live forensics tool should be designed to minimize its footprint on the suspect’s system, and the footprint it does leave should be verifiable and reproducible. This allows the investigator to show that no modifications were made to the evidence through use of the tool. Verifying MAC times (modify, access, and create times) can also help establish the time context.



Network Artifacts

In these increasingly connected times, most computers are connected to some sort of network. The information about current network connections can help direct an investigation or show examiners new areas that may be of interest to the investigation. Using a triage tool like MacLockPick can show an examiner a suspect's ARP tables, open interfaces, and netstat activity.
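Turning the raw netstat and ARP output mentioned above into a triage summary, as an added example (not MacLockPick code): the two text samples are constructed to match the column layout `netstat -an` and `arp -a` print on macOS, with addresses drawn from documentation ranges. The parsers produce structured records from which established remote endpoints, listening services and ARP neighbours are listed without reading the dump by eye.

```python
"""Parse macOS-style `netstat -an` and `arp -a` text into triage summaries.

Added example, not MacLockPick code. Samples are constructed; the parsers only
assume the whitespace-separated column layout shown in them.
"""
import re

# Constructed sample of `netstat -an`; parsing stops at the UNIX-socket section.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.23.52113       198.51.100.7.443       ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
Active LOCAL (UNIX) domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn
"""

# Constructed sample of `arp -a`; macOS prints MAC octets without zero padding.
ARP_SAMPLE = """\
router.local (192.0.2.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.0.2.50) at a1:b2:c3:d4:e5:f6 on en0 ifscope [ethernet]
? (192.0.2.77) at (incomplete) on en0 ifscope [ethernet]
"""


def split_endpoint(addr):
    """'192.0.2.23.52113' -> ('192.0.2.23', '52113'); '*.*' -> ('*', '*').
    The port is whatever follows the last dot, which also works for IPv6 text."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line in the Internet section."""
    records = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Active Internet"):
            in_inet = True
            continue
        if line.startswith("Active "):  # next section (UNIX sockets): stop
            break
        if not in_inet or line.startswith("Proto"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""  # UDP lines carry no state
        records.append({"proto": proto, "local": split_endpoint(local),
                        "foreign": split_endpoint(foreign), "state": state})
    return records


def summarize(records):
    """Group sockets the way a triage report would present them."""
    established = [f"{r['local'][0]}:{r['local'][1]} -> {r['foreign'][0]}:{r['foreign'][1]}"
                   for r in records if r["state"] == "ESTABLISHED"]
    listening = [f"{r['proto']}/{r['local'][0]}:{r['local'][1]}"
                 for r in records if r["state"] == "LISTEN"]
    udp = [f"{r['local'][0]}:{r['local'][1]}"
           for r in records if r["proto"].startswith("udp")]
    return {"established": established, "listening": listening, "udp": udp}


ARP_LINE = re.compile(r"^(\S+) \((\S+)\) at (\S+) on (\S+)")


def normalize_mac(mac):
    """Pad each octet to two hex digits so '0:11:22:33:44:55' matches other tools' output."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp(text):
    """Return one dict per ARP entry; unresolved entries get mac=None."""
    neighbours = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue
        name, ip, mac, iface = match.groups()
        neighbours.append({"name": None if name == "?" else name, "ip": ip,
                           "mac": None if mac == "(incomplete)" else normalize_mac(mac),
                           "interface": iface})
    return neighbours


if __name__ == "__main__":
    print(summarize(parse_netstat(NETSTAT_SAMPLE)))
    print(parse_arp(ARP_SAMPLE))
```

The MAC normalisation matters when the ARP list is later correlated with switch logs or DHCP leases, which print zero-padded octets; without it the same neighbour appears as two different addresses.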


Often Overlooked but Beneficial Artifacts

Any information that allows an investigator to paint a better picture of a suspect's activities can be beneficial to an investigation. The clipboard can often contain contents showing what a suspect was recently doing on their system. A screenshot captures the current state of the suspect system at the moment investigators first came into contact with it. MacLockPick can capture both of these items for later examination.


Order of Volatility

When collecting data for a computer forensic investigation you want to collect the most volatile data first as it will be lost the quickest. The order of volatility shows which data will be lost first.

Order of Volatility

  1. Memory contents
  2. Swap files
  3. Network processes
  4. System processes
  5. File system information
  6. Raw disk blocks

Memory contents, swap files, network processes, and system processes will all be lost when the suspect system is shut down.
 


Scripted Incident Response

Keeping track of what has been done is an important part of the first responder's job. By scripting the required procedures, an investigator can make sure no steps were missed. Scripting the processes run on a suspect computer can also help authenticate any changes made to the machine during a live forensic investigation.
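A scripted collection that follows the order of volatility listed above and keeps the record this section calls for, as an added example (not MacLockPick's own scripting). Each step is a function returning the collected bytes; the runner logs sequence number, UTC start and finish times, size and SHA-256 of the output, or the error when a step fails, and carries on so that one failure does not cost the remaining volatile data. The step bodies are portable stand-ins from the Python standard library (the memory step is constructed to fail); on a live system they would wrap the real memory, process and network collectors.

```python
"""Scripted collection runner: steps executed most-volatile first, each logged.

Added example, not MacLockPick code. Step functions below are stand-ins.
"""
import datetime as dt
import hashlib
import os
import platform
import socket


def sha256_hex(data):
    """Digest of a collected artifact, written to the log next to the step."""
    return hashlib.sha256(data).hexdigest()


def collect_memory():
    # Constructed failure: models a collector that lacks the privileges it needs.
    raise PermissionError("memory capture requires elevated privileges")


def collect_process_state():
    # Stand-in for volatile process state: this process's environment.
    return "\n".join(f"{k}={v}" for k, v in sorted(os.environ.items())).encode()


def collect_host_identity():
    # Least volatile of the three (survives a reboot), so it comes last.
    u = platform.uname()
    return f"{socket.gethostname()} {u.system} {u.release} {u.machine}".encode()


# Most volatile first, following the order of volatility on the page.
DEFAULT_PLAN = [
    ("memory contents", collect_memory),
    ("process state", collect_process_state),
    ("host identity", collect_host_identity),
]


def run_plan(plan, clock=None):
    """Execute every step in order; return the audit log as a list of dicts."""
    clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))
    log = []
    for seq, (name, step) in enumerate(plan, start=1):
        entry = {"seq": seq, "step": name, "started": clock().isoformat()}
        try:
            data = step()
        except Exception as exc:  # record the failure and keep going
            entry.update(status="error", error=f"{type(exc).__name__}: {exc}")
        else:
            entry.update(status="ok", bytes=len(data), sha256=sha256_hex(data))
        entry["finished"] = clock().isoformat()
        log.append(entry)
    return log


def render_log(log):
    """Plain-text audit trail, one line per step, suitable for the case notes."""
    lines = []
    for e in log:
        detail = e["sha256"] if e["status"] == "ok" else e["error"]
        lines.append(f"{e['seq']:02d} {e['started']} {e['step']:<16} {e['status']:<5} {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_log(run_plan(DEFAULT_PLAN)))
```

Because every step is named and numbered in the plan, a missing line in the log is immediately visible, and the digests let a later lab examination confirm that the artifacts it received are the ones collected at the scene.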


Stop Drug Crimes

Drug trafficking has reached epidemic levels in some countries. These criminals are also more commonly using digital means to organize their criminal networks. Through the use of specialized forensic tools like MacLockPick and MacForensicsLab, an investigator can search for evidence common to drug crimes. Spreadsheet files, documents and databases can easily be located using keyword searches.


Target Child Pornography

Child pornography is a serious crime plaguing our society and one of the most commonly investigated crimes for many agencies. Through the use of specialized tools built to target image-based crimes, like MacLockPick, an investigator can quickly zero in on critical evidence. When time is of the essence, specialized tools can make a big difference.


The Focus of Computer Forensic Triage

Computer forensic triage is usually defined as the process by which projects or activities are prioritized to determine which should be attempted first, second, etc., and which projects or activities should never be done at all. This process applies to the forensic examination process to determine which data should be investigated first, second, etc., and which data should not be investigated at all. Triage considers the value of investigating, the complexity, the cost, and the order in which the investigation should be accomplished.

The focus of forensic triage is to:

  1. Find useable evidence quickly
  2. Identify possible victims that may be at risk
  3. Direct the ongoing investigation
  4. Identify potential charges
  5. Assess the possible danger the suspect poses to society


The Triage Phase

The triage phase of the investigation is the foundation on which the other phases after it will be built. All potential evidence must be considered (computer systems, disks, CD/DVDs, PDAs, etc.) and then prioritized based on the likelihood that it contains potential evidence relevant to the investigation. An investigator will still need to review the evidence collected in the triage phase at a later time in the lab.


Time Considerations

Making considerations for the time each process will take within an investigation is important. The time cost of every activity in an examination must be weighed against the potential return of the results of that activity. In general it is best to perform tasks that can be done quickly first.


Timing is Critical

Timing is critical throughout an investigation and even more so at the beginning of an investigation. During the early stages of the investigation it is critical that the investigator have a detailed knowledge of the crime or involvement of the suspect and of possible triggers that may increase the willingness of the suspect to cooperate or confess. It has been shown that suspects are more vulnerable and more likely to cooperate within the first several hours of their initial contact with police. By using triage tools to quickly acquire critical suspect data during the early stages of an investigation, an investigator can increase the likelihood of an arrest and confession.


Triage is Proven in the Field

The benefits of field triage have been proven. It has been shown that quick and effective analysis of suspect evidence can be critical to a case. The evidence found through live forensics can provide investigative leads that lead to an arrest and conviction. The information found may also protect others from becoming future victims of crime.


Triage Provides Direction for Investigations

Triage at the scene helps to provide time sensitive investigative and interview leads. It also helps to provide helpful direction for later investigation back at the lab. The information acquired through the use of triage tools can help direct investigators in the lab to information of relevance to the case.


USB Device History

USB has become one of the main standards for connecting all types of devices to computers these days. With the dropping prices of personal flash drives, they have become a popular way to transfer information from computer to computer. With MacLockPick an investigator can quickly gather information about the various USB devices that have been connected to a suspect's Windows machine. This may point them to other potential evidence in their case.


Verification of System Information

Being able to confirm that no changes have been made to a suspect's system or evidence between the time of seizure and the lab investigation can be important should the integrity of evidence be called into question at trial. By using MacLockPick to record the suspect system's configuration, including username, computer name, operating system, processor, RAM, model, UUID and more, an investigator can have verifiable proof that no changes have been made during the investigation.
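What "verifiable proof" of an unchanged configuration looks like in practice, as an added example (not MacLockPick code): the profile recorded at seizure is serialized canonically (sorted keys, fixed separators) before it is hashed, so the digest depends only on the recorded values and not on dictionary order or formatting, and a later collection is compared field by field against the sealed record. The fields the Python standard library cannot collect portably (RAM, model, hardware UUID) are explicit placeholders here; a real collector would fill them from the platform's system profiler.

```python
"""Seal a suspect system's configuration profile at seizure time; verify it later.

Added example, not MacLockPick code. Placeholder fields are labelled as such.
"""
import getpass
import hashlib
import json
import os
import platform
import socket


def collect_profile():
    """Gather the identifying fields the page lists, with labelled placeholders."""
    u = platform.uname()
    try:
        user = getpass.getuser()
    except Exception:  # no login name available (e.g. a uid with no passwd entry)
        user = f"uid:{getattr(os, 'getuid', lambda: 'unknown')()}"
    return {
        "username": user,
        "computer_name": socket.gethostname(),
        "operating_system": f"{u.system} {u.release}",
        "processor": u.machine or "unknown",
        "ram": "PLACEHOLDER-not-collected-portably",
        "model": "PLACEHOLDER-not-collected-portably",
        "uuid": "PLACEHOLDER-not-collected-portably",
    }


def canonical_bytes(profile):
    """Deterministic encoding: same values always give the same bytes."""
    return json.dumps(profile, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def seal(profile):
    """SHA-256 over the canonical encoding; this hex string goes into the case notes."""
    return hashlib.sha256(canonical_bytes(profile)).hexdigest()


def record_intact(profile, recorded_digest):
    """True if the stored profile still matches the digest recorded at seizure."""
    return seal(profile) == recorded_digest


def changed_fields(recorded, current):
    """Fields whose value differs between the seizure-time record and a later collection."""
    keys = sorted(set(recorded) | set(current))
    return [k for k in keys if recorded.get(k) != current.get(k)]


if __name__ == "__main__":
    at_seizure = collect_profile()
    digest = seal(at_seizure)
    print("sealed:", digest)
    print("record intact:", record_intact(at_seizure, digest))
    print("changed since seizure:", changed_fields(at_seizure, collect_profile()))
```

Two checks are kept separate on purpose: `record_intact` answers whether the written record itself was altered, and `changed_fields` answers whether the system drifted from that record, which is the question a court will actually ask.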


What is Live Forensics?

Live forensics considers the value of the data that may be lost by powering down a system and collects it while the system is still running. The other objective of live forensics is to minimize impacts to the integrity of data while collecting evidence from the suspect system.




Tips – Field Triage (A – L)

Forensic triage is the practice of searching and analyzing a digital device (computers, smartphones, and tablets) in the field or at the crime scene. In many investigations, crucial digital evidence is needed while still at the scene. The traditional method of seizing a device (or devices), transferring it to the forensics lab, acquiring an image, and then analyzing the image for potential evidence may no longer be appropriate in cases such as child abductions, pedophiles, or missing persons, when every second counts.

As one of the pioneers in computer triage tools, we have gathered here a set of tips for reference.


Adhere to Commonly Held Forensic Practices

Having a computer forensic triage model in place for first responders is important. It is also important that the model adheres to commonly held forensic practices and does not interfere with the ability to later analyze the suspect computer more thoroughly back at the lab. Integrity of the suspect data must be ensured at all times during the process.


Assess the Danger a Suspect Poses

Through the use of field triage and live forensics tools, an investigator can not only gather evidence against a suspect but also use the data gathered to assess the possible risk that an offender poses to others in society. By evaluating the evidence of crimes committed they can ascertain the possibility of the offender committing further crimes against others.


Automate When Possible

Even small errors in the investigative process of a suspect's machine may mean the difference between a conviction and a criminal going free. To minimize the risk of errors, automation should be used whenever possible. Products like MacLockPick allow the investigator to choose from many automated tasks to be carried out. This helps to ensure that the results will be consistent and verifiable should they be challenged in court at a later time.


Automated Triage

Time is an important factor in any criminal investigation, both in time critical cases such as child abduction, kidnapping, death threats, missing and exploited children, etc., and in dealing with the backlog of evidence that many agencies are experiencing in this increasingly digital-based age.

Automated triage tools allow forensic examiners and investigators to focus on other critical tasks while the triage process is taking place. Automation also decreases the risk of human error and ensures that all bases are covered with regards to the data acquired for the investigation. By using "set it and forget it" automation, triage tools can be capturing important suspect information while leaving investigators free to deal with other important investigative tasks.


Browser Artifacts

Web browsers create a number of artifacts that can be of interest to an investigator during the triage stage of an investigation and later on during the formal lab investigation. While different browser applications vary, they all create cookies, caches, and other temporary internet files that can contain a wealth of information about the history of a suspect's online activities. Searching these files can be very beneficial to an investigation but can also take a lot of time. Applications like MacLockPick can significantly cut down on the time required to analyze these files and find evidence relevant to the investigation.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective. SubRosaSoft Cache Detective is an easy-to-use utility for reading the cache of many browsers and chat applications and extracting the files currently stored in their cache folders.
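One of the browser artifacts this section refers to, read programmatically, as an added example (not SubRosaSoft or MacLockPick code): a constructed in-memory SQLite database using the `urls` table layout of Chromium-based browsers' History file (assumed here for illustration), queried for the most recent visits. The point it demonstrates is the timestamp conversion examiners most often get wrong: `last_visit_time` counts microseconds since 1601-01-01 UTC, not seconds since the Unix epoch.

```python
"""Read recent visits from a Chromium-style browser History database.

Added example. The table layout and the three rows are constructed.
"""
import datetime as dt
import sqlite3

# WebKit/Chromium timestamps count microseconds from this epoch.
WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def webkit_to_datetime(webkit_us):
    """Exact conversion via timedelta; avoids float rounding and negative Unix times."""
    return WEBKIT_EPOCH + dt.timedelta(microseconds=int(webkit_us))


def build_sample_history():
    """Constructed History database: three rows in the Chromium `urls` layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
        typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    base = 13000000000000000  # 2012-12-14T23:06:40Z in WebKit microseconds
    rows = [
        (1, "https://example.com/", "Example Domain", 3, 1, base, 0),
        (2, "https://example.net/login", "Sign in", 1, 0, base + 86400 * 1_000_000, 0),
        (3, "https://example.org/", "Example", 5, 2, base + 43200 * 1_000_000, 0),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def recent_visits(conn, limit=10):
    """Most recently visited URLs, newest first, with readable UTC timestamps."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "ORDER BY last_visit_time DESC LIMIT ?", (limit,))
    return [
        {"url": url, "title": title, "visits": visits,
         "last_visit_utc": webkit_to_datetime(ts).isoformat()}
        for url, title, visits, ts in cur.fetchall()
    ]


if __name__ == "__main__":
    for row in recent_visits(build_sample_history()):
        print(row["last_visit_utc"], row["visits"], row["url"], row["title"])
```

Against a real History file the only change is `sqlite3.connect(path)` on a copy of the file, never the original: the browser holds a lock on the live database and may write to it, so the working copy is what gets hashed and queried.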


Capture Running Processes

Knowing what a suspect was doing on their computer before an investigation begins can be helpful to most examinations. All running applications open processes on the suspect's system. MacLockPick can capture a list of the processes running on a suspect system to show an investigator exactly what the suspect was doing at the time.


Cases where Less Traditional Workflows are Required

While more traditional workflows may work for most cases, when it comes to time critical cases such as child abduction, kidnapping, missing persons, death threats, etc., a different approach is needed. These situations require quick acquisition and analysis of the available evidence to give investigators as much information as possible in the shortest period of time when it really matters. Cases like this require fast working triage tools to get the evidence to the investigators in the shortest time possible.


Catching a Murderer

Criminals always leave a trail for investigators to find. Zeroing in on this critical data can be difficult at times, but the use of specialized tools can make the search quicker and easier. In cases like murder the investigators may find contents such as the suspect's Google search and email history to be of interest. MacLockPick can quickly analyze and display this information to speed the investigative process.


Computer Forensic Field Triage Process Model

The Computer Forensic Field Triage Process Model (Rogers, Goldman, Mislan, Wedge, Debrota, 2006) outlines the process and phases of a triage investigation. This process model is a general outline for the field triage process. It is important to qualify the needs of the investigations first as this model isn't appropriate for every investigative situation.

  • Planning
  • Triage
  • User Usage Profiles
    • Home Directory
    • File Properties
    • Registry
    • Passwords
  • Chronology Timeline
  • Internet
    • Browser Artifacts
    • Email
    • Instant Messages
  • Case Specific

 


Consideration for Common Practices

While time is critical in many investigations, it is important to ensure that investigation procedures used to minimize the time required to find evidence do not interfere with other important considerations of any investigation. The procedures must still adhere to common forensic principles such as minimizing the contamination of the original scene and the evidence, complying with rules of evidence to ensure that it is admissible in court at the Federal and State levels, and maintaining the chain of custody. Well-designed field procedures should have considerations for all of these commonly held practices.


Departure from The Norm

The Computer Forensic Field Triage Process Model may be a bit difficult for some investigators to get used to at first, as it is a bit backwards from what they have been taught to do in most investigations. In many cases investigators have been taught never to touch a suspect computer and simply unplug it to prevent any alterations to any evidence on the machine. In cases where time is critical, it may be necessary to depart from the commonly held forensic principles in order to get the evidence in time to make a difference.


Email Artifacts

Email is a valuable tool for all online users. It is also a common tool used by criminals. The information found in the email messages of a suspect can help to direct an investigation and may help secure a conviction. The procedure to examine email evidence can be time consuming. The use of tools like MacLockPick and MacForensicsLab can significantly cut down on the amount of time it takes to examine email evidence and zero in on suspect data.


Evidence has Gone Digital

The increase in technology also changes our concept of what constitutes evidence in a criminal investigation. Where previously most evidence was physical, document-based material, the large majority of evidence has now gone electronic and is stored on hard drives, digital media, and web accounts. Computers and smartphones have become the main source of evidence in many crimes where they used to be only one of the many small parts of the illegal act.

Computer crimes are becoming more common and proper procedures and tools are needed to combat these challenges.
 


Feedback from Triage

There are many benefits to field triage, such as on-site access to evidence.

An additional benefit of performing triage on the scene is the feedback that can be given to investigators. This allows the computer forensic analyst to modify their search based on feedback from investigators and those who may be in contact with the suspect.


Field Triage Tool Benefits

The use of forensic triage tools can increase the effectiveness of any investigation.

Through the use of forensic triage tools an investigator can quickly:

  • Gain quick access to evidence that may allow them to secure a warrant or confession.
  • Determine if a computer/system requires further analysis.
  • Eliminate or dismiss a computer/system from further analysis.
  • Determine key areas for further investigation.
  • Ensure the acquisition of evidence that would be lost by powering the computer/system down.
  • Acquire a snapshot of the suspect system's current state before seizure.

 


Financial Crimes

Financial crimes such as currency counterfeiting, money laundering, and intellectual property crime affect all levels of society. When searching for evidence of a financial crime, a search for documents such as spreadsheets and images of checks or potentially fraudulent financial materials may be high on the list of priorities. Documents for financial applications such as MS Money, Quicken, and QuickBooks may also contain items of interest.


Finding Evidence Quickly

Finding useable evidence quickly is one of the most important focuses of field triage and live forensics. Being able to zero in on suspect evidence quickly can be very important to an investigation. It may give an investigator new leads, help secure a confession and conviction, or be the difference between life or death for a victim.


First Responders

First responders must be very aware of their tasks when first arriving to perform forensic triage. The efforts of the first responder are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. The initial response to an incident is more important than later technical analysis of the computer system, as actions taken by the first responder can greatly impact the subsequent laboratory examinations of the computer/system. The success of evidence recovery and prosecution is dependent on the actions of the individual who initially responds to the scene.


Guide an Ongoing Investigation

Field triage and live forensics are key to acquiring critical evidence in an active investigation. This information can be used to guide an investigation. The information obtained through the on-site investigation of a suspect computer can give examiners new leads to pursue. The acquired information may also point the investigators to new suspects or victims they were previously unaware of.


Identify Criminal Charges

The use of triage on scene and live forensic tools can identify evidence that can lead to potential charges. Quickly finding proof of a crime committed can help the investigation secure an arrest warrant and bring forth formal charges against a suspect. Live forensics can play a critical role in this process.


Identify Victims of Crime

The use of field triage can help to identify current and possible future victims. By quickly examining the evidence on the scene, a forensic examiner may be able to guide the investigation to possible victims of a crime. They may also be able to identify those at risk of becoming future victims.


Importance of Volatile Data

Capturing information about the current state of a suspect computer before powering it down is important to a forensic investigation. There is a wealth of volatile data that can be lost once the suspect's computer is powered down. This information may help direct an investigation in the early stages and can be beneficial during other stages of the investigation. First responder triage tools can capture this important data, which can play a critical role in every investigation.

Important information that may be lost when the computer is powered down may include:

  • Clipboard contents
  • Attached device listings
  • Open network ports
  • Current running applications and processes
  • Temporary cache files
  • Active memory contents
  • Connected network drives
  • Active peer-to-peer connections
  • And more…

 


Instant Message (IM) Artifacts

Instant messaging is a common method of communication on the internet. Many instant message programs store contact lists along with chat histories. This information can be useful to an investigation as it can provide new leads, help secure a confession, or help to prove intent.


Internet Artifacts

Almost every investigation will involve the analysis of internet artifacts. Web browsing caches store records of sites a suspect has visited. Emails may help to prove intent or correlate other events. Instant message conversations can contain evidence that could help to secure a conviction. The investigator must weigh the time costs of investigating such artifacts, but with specialized tools, such as MacLockPick, the time requirements to analyze such data can be greatly reduced.

If you need a tool for extracting cache files, consider SubRosaSoft Cache Detective.




Hardware Take Apart Guide

Over the years, MacForensicsLab.com has had many chances to tinker with various Mac hardware. We have included some of our support crew's experience below. However, ever since we stumbled on the iFixit website, we believe there is no more reason for us to reinvent the wheel. We have been recommending that customers visit the iFixit site for step-by-step instructions on opening up Macs and accessing the disk drives (HDDs or SSDs). If your job includes accessing the data in a forensic manner, we strongly recommend that you visit iFixit at https://www.ifixit.com/ when the need arises.

 


Removing a Mac Hard Drive

With the smaller and more compact design of computers these days, it is becoming increasingly difficult to take them apart to get access to the hard drive for forensic acquisition and examination. Should you choose to take the Mac apart to access the hard drive for forensic investigation, Apple has created service manuals that outline the procedures necessary to remove the hard drive from Apple computers. Mac laptops are very difficult to take apart to access the hard drive because of the compact size and placement of the drive. A much easier option than taking the Mac apart to access the hard drive for forensic acquisition is to use Target Disk Mode. This mounts the suspect Mac as a FireWire device to allow for acquisition without removing the hard drive from the Mac. You can find information on acquiring via Target Disk Mode here on the MacForensicsLab.com web site. Make sure you disable Disk Arbitration using MacForensicsLab before connecting a suspect drive using Target Disk Mode to prevent writing to the device.

Apple Service Manuals for many Macs can be found at this site.

Take apart guides for Apple PowerBooks and MacBooks with full color photos can be found here at PowerBookMedic.com

Take apart guides with full color photos for PowerBooks and iPods can be found here at iFixit.com.

 


MacBook Air Take Apart Guide

Apple's MacBook Air is a small, light-weight laptop for users on the go. It packs lots of features into a small package. The small and compact size means that all the components are tightly squeezed into the MacBook Air. Taking it apart can be difficult, but pictures can be helpful should you choose to venture inside. You can find a detailed take apart of the MacBook Air with lots of pictures here.

 


Mac mini Take Apart Guide

The Mac mini is a small, low cost Mac that offers a lot of features in a small package. It is a nice entry level machine for new and old Mac users. The low price along with its rich feature set make it an ideal machine for general users.

Although a forensic examiner can connect the Mac mini to their forensic workstation via Target Disk Mode and use software write blocking, the ideal way to image the suspect drive and examine it is to remove the hard drive and connect it with a hardware write blocker. Because of the Mac mini’s small size the internal components are tightly packed inside.

To remove the hard drive you will need a small computer screwdriver (Phillips head) and a thin 1.5 inch putty knife. You may want to sharpen the edge using some fine grit sandpaper first to make it easier to slide into the Mac mini case.

Instructions:

  1. Place the Mac mini upside down on a cloth or towel.
  2. Slide your putty knife into the seam of the Mac mini as shown. Pull back on the putty knife until the white plastic pops up. Do the same on the other side.
  3. Pull the main unit up and out of the case.
  4. To remove the wireless antenna, gently squeeze together the two tabs under it. You may want to hold the antenna down a bit, as it sits on a spring and the spring may shoot off.
  5. Remove the screws in all four corners of the CD/DVD drive.
  6. Lift the CD/DVD unit and hard drive off the motherboard below. Be careful, as the hard drive is still attached to the motherboard via a thin ribbon cable and the AirPort antenna is still connected too.
  7. Remove the 2 screws on each side of the hard drive, then slide the drive out.

You can now connect the 2.5″ SATA drive (IDE in the older Mac mini G4 models) to a hardware write blocker to make a forensically sound acquisition of the suspect drive.