MacForensicsLab Field Agent

Spread the love

01: Overview of MacForensicsLab Field Agent

This section provides an overview of MacForensicsLab Field Agent and its features, functionality and design.

About MacForensicsLab Field Agent

Welcome to MacForensicsLab Field Agent. If this is your first time using SubRosaSoft.com Inc’s software, be assured you made the right decision. SubRosaSoft.com Incorporated is the world-wide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, our lines of forensic software is used by the military, intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution.

As a company, SubRosaSoft.com Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but that change the way modern computer forensics are performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to their technological dilemma. When the momentum of an investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims are left needing resolution or worse, new victims are created. SubRosaSoft.com Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization’s needs and anticipate problems through use of intelligent proactive development.

SubRosaSoft.com Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, SubRosaSoft.com Inc. leverages technology and its advancements to allow for fewer mistakes. By doing so, our forensic solutions aid in maximizing the efficiency and effectiveness of its users, thereby getting more done with less mistakes.

SubRosaSoft.com Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization’s forensic goals. To this end, we offer products that cover the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process and SubRosaSoft.com Inc. accounts for this evolution with solutions for incident response, triage, static examinations and reporting. In summary, SubRosaSoft.com Inc. views mission accomplishment as a corporate social responsibility, one we take very seriously and as such we strive to become not only a software development company but a partner to all our customers.

MacForensicsLab Field Agent Overview

MacForensicsLab Field Agent allows forensics examiners and detectives to search for illicit images. With a built-in skin tone analyzer, Field Agent narrows down the search for images of interest. Reporting is a breeze with the customizable HTML format. File locations and hash numbers of the images are generated to ensure the accuracies of the report.

MacForensicsLab Field Agent is a tri-platform tool designed specifically to help combat Crimes Against Children. It offers investigators a powerful yet easy to use tool with a skin tone analyzer that makes finding images of child pornography fast and easy.

The ability to quickly and effectively identify files of interest based on the percentage of skin tone contained therein makes MFL-FA an invaluable tool for law enforcement. In fact, MFL-FA was specifically designed to fill the technological gap that sexual predators have exploited for years; the lack of a fast and accurate way to identify images of evidentiary value amidst the seemingly insurmountable volume of data. Therefore, MFL-FA is perfectly suited for law enforcement agencies such Internet Crimes Against Children (ICAC) Task Force, probation and customs officers and/or any officers dealing with sexual predators. MFL-FA is the answer for all those seeking to gain the advantage over sexual predators who use technology in furtherance of their criminal acts.

MacForensicsLab Field Agent is cross-platform, allowing users to run it natively on Windows XP, Windows Vista, Windows 7, and Linux (RedHat, Ubuntu and SuSe).

System Requirements

This section covers the basic and recommended system requirements for successfully running MacForensicsLab Field Agent. Modern forensic processes require not only powerful systems to process the massive amount of data, but a scalable solution designed to harness the system resources for greater speed and increased functionality. Nevertheless, MacForensicsLab Field Agent has been specifically optimized for efficiency and speed through the use of appropriate memory allocation and a multi-threaded design.

Mac OS X Requirements

  • Apple Macintosh G4 800MHZ or faster (Intel based Mac recommended)
  • Mac OS X (version 10.4 or newer)
  • 1 GB of RAM

Windows Requirements

  • Processor 800MHZ or faster
  • Windows XP/Vista/7
  • 512 MB of RAM

Linux Requirements

  • Processor 800MHZ or faster
  • x86-based Linux distribution with GTK+ 2.0 (or higher), glibc-2.3 (or higher) and CUPS (Common UNIX Printing System)
  • 512 MB of RAM

We officially support the following:

  • SUSE Linux Enterprise Desktop
  • Red Hat Enterprise Linux Desktop

Registration Number

Each user is required to have a registration number, otherwise known as a serial number, in order to complete the full version installation of the software properly. Whether the software has been purchased online or through a third party retail channel, the user needs the registration number when preparing for installation of the software.

Online Purchase

When purchasing the software online at MacForensicsLab.com, the registration number is automatically emailed as part of the purchase confirmation. If a confirmation email is not received, please ensure that it has not mistakenly been placed in the email clients junk folder before requesting technical support. Having received the email, please make a print out and store this in a safe and secure place for future reference.
Note: A serial number is not required for the special Flash Key based version.

Retail Purchase

If the software was purchased through a retail channel, the registration number should be inside the DVD case. Please be sure to keep these details in a safe and secure place.

Updates and Upgrades

A single registration number is valid for incremental updates to the purchased version of MacForensicsLab Field Agent. When upgrading between versions the purchase of a new registration number will be required. For information on upgrades, please email sales@subrosasoft.com.

Lost Registration Number

Please ensure that you keep your registration number in a safe and secure place. Print off confirmation emails or back them up. SubRosaSoft Inc. cannot guarantee the ability to re-issue serial numbers for our users.

Site Licenses

Site Licences can be purchased online via https://www.subrosasoft.com/. For volume discounts please contact us directly via email: sales@subrosasoft.com.

Downloading from the Web Site

It is important for any user to ensure that they have the latest version of the MacForensicsLab Field Agent software. The latest version is always freely available for download on our web site at: www.MacForensicsLab.com

A download link, alongside version information, is accessible on the product page of the site. Simply click the respective link and a compressed archive file will automatically begin to download to the desktop, or another specified download location.

MacForensicsLab Field Agent versions are distributed in a ZIP archive format and can be decompressed in the Mac OS X Finder with a simple double-click of file icon. This will place the decompressed application file in the same location as the original ZIP archive, most likely the Downloads folder. With Windows and Linux based systems, you may need to download third party utility to decompress the zip file.

Installation

Having decompressed the folder, copy both the ‘Applications’ and the ‘Shared Resources’ folder from the MacForensicsLab Field Agent folder to your computers ‘Applications’ or the ‘Desktop’ folder. Note that the folder structure with the ‘Shared Resources’ folder being located one directory down from the MacForensicsLab Field Agent application must be maintained although the name of the folder containing the application can be changed. Some users may choose to create a MacForensicsLab Field Agent folder and then store the folder containing the application and the ‘Shared Resources’ folder within that.

Installation of MacForensicsLab Field Agent

Installing From the CD-ROM

Once the CD-ROM has mounted on the users desktop and the CD-ROM volume has been opened into a window, the user should see a folder named Applications. To install MacForensicsLab Field Agent to the host computer, drag & drop MacForensicsLab Field Agent folder to any desired location on the new host computer, though we strongly recommend placing it in the host computers Applications folder. Having done this the user is ready for the initial setup.

Uninstalling MacForensicsLab Field Agent

MacForensicsLab Field Agent is a completely self-contained application and requires no special functionality to uninstall it. The procedure to uninstall MacForensicsLab Field Agent is to navigate to the directory in which the MacForensicsLab Field Agent folder is currently installed, highlight the MacForensicsLab Field Agent folder and either drag and drop it into the Trash or delete it using the delete key.

Initial Setup

The first time the application is launched the user will be asked accept the End User License Agreement (EULA see Appendix C) and then to enter a valid registration number. After the registration number has been entered, the user will then be taken to the Main Window.

Elements of MacForensicsLab Field Agent

Designed for non-technical personnel, Field Agent can be run in three easy steps; there is no rebooting, troubleshooting or complex interfaces. It can run natively on Mac OS X, Microsoft Windows, and Linux to search suspect drives and devices. By quickly providing images relevant to an investigator’s interests (typically in a few minutes), MacForensicsLab Field Agent is an invaluable tool to all law enforcement agencies. Field Agent has the ability to export files of interest or generate an HTML report with thumbnails, locations, and date information of any or all files.

02: Running MacForensicsLab Field Agent

Step 1: Devices

Selecting a device to search with MacForensicsLab Field Agent

After the initial startup splash screen, the Step 1: Devices screen appears. Here the examiner will click on the device they wish to run their search on. Once you select have selected the device to search, click the button labeled Step 2: Shortcuts in the bottom right corner of the window.

Step 2: Shortcuts

Shortcuts available in MacForensicsLab Field Agent

The shortcuts window displays a listing of common suggestions to areas that evidence may be found. These include pictures folders and user folders. The examiner may select one of the short cuts or to search the entire device, leave the device selected at the top of the shortcuts listing. Once the desired option has been selected, click the button labeled Step 3: Explore in the bottom right corner. To go back to choose a different device, simply click the Step 1: Devices button in the bottom left corner.

Step 3: Explore

Explore within MacForensicsLab Field Agent

The Explore step allows the user to transverse the directory structure of the selected device or shortcut to select items to search more specifically. This allows the search to be broad, searching the entire device, or very specific, searching only a specified folder or file. Click the triangle next to a folder to display the contents of that folder. Click on the folder or file you wish to search. To search the entire device, select the device at the top of the listing, then click the Step 4: Browse button in the bottom right corner.

Step 4: Browse

Browsing within MacForensicsLab Field Agent

Clicking the Step 4: Browse button will bring up the Browse window. Here the user can set the perimeters for their search. The browse options contain the following:

  • Check for file size – When this box is checked, the search will only include images between the Minimum and Maximum size in kilobytes (KB) entered. This allows the examiner to leave out small images such as buttons and thumbnails along with overly large images.
  • Images only – Checking this box will limit the search to include only images, leaving out other files.
  • Check for picture size – Checking this box will limit the search to only pictures meeting the size requirements set forth by the user. These requirements include minimum and maximum size (in pixels) for the horizontal and vertical size of the image.

Once the options have been set, click the Browse button and a search status window will appear, showing the progress of the search. Once the search has completed, the Browse window will appear.

Examining the search results

Examining the results of a search in MacForensicsLab Field Agent

When the search has completed, the Browse window will appear. All images that meet the requirements set forth in the search perimeters will be displayed in the results window. Clicking on any of these images will display information about the image in the information area on the right. This information includes; filename, location, creation and modification dates, dimensions, and much more. Much of the information displayed in the File Information area is dependent on the metadata contained within the image file itself.

The Skin Tone slider below the thumbnails can be used to show or hide images based on percentage of skin tones within the image. By default this slider is set to 15% as that has been found to be the optimal range to eliminate many non-human pictures without hiding too many false positives. Increasing this slider will increase the percentage of skin tone that must be present in the image to be displayed in the thumbnail area. Decreasing the slider to 0% will display all images in the thumbnail area.

Saving images

Users may select one or more images to be saved to the location of their choice. To do this, click on the image (or Command-Click on a Mac and Option-Click on a PC to select multiple images) the user wishes to save. Then select Save from the File menu. The user will be prompted to select a location to save these images. Select the location and click the Save button. The images will be saved in the desired location in a folder labeled with the name of the folder that contains the image(s).

Writing a report

To write a report, first select the images to include in the report. Once the images are selected, click the Step 5: Write Report button at the bottom right. The user will be prompted to select a location to save the report. This is the location the report will be written to in a folder labeled with the website address along with a folder containing thumbnails and the actual images. Once the location has been selected, click the Choose button. A progress window will be displayed briefly while the report is written.

Report generated by MacForensicsLab Field Agent

Once the report has been written, it will automatically be opened in the default web browser. The report will show the selected images along with where the image was found with information about each image plus hash numbers in three different standards (MD-5, SHA-1, and SHA-256).

The report formatting can be change by editing the HTML file titled index.html containing in the MacForensicsLab Field Agent Template folder within the Shared Resources folder in the same directory as the MacForensicsLab Field Agent application.