The Case Details window allows the user to enter case details.
This section will discuss how to prepare for a case using MacForensicsLab.
Overview
During the course of using MacForensicsLab the examiner will come across a range of different suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access settings. It is therefore important to ensure that the examiner understands how each of these varies and how the computer interacts with them.
Before connecting any device to the workstation it makes sense to assume that the device, image or media may be written to and therefore should be handled with the utmost caution.
In Mac OS X there are a couple of ways in which to handle the issues of possibly tainting and overwriting data on the suspect drive or device. The first is ‘Disk Arbitration’ and the second is ‘Write Blocking’. It is also a MUST for the examiner to have a secondary “Work Drive” onto which case data can be saved, and which will have been wiped. This avoids the chance of overwriting possible evidence and thus losing and/or tainting it.
Disabling Disk Arbitration
Whether at start-up or when connecting a suspect device via any data bus (FireWire, USB, ATA) on your Macintosh Workstation, OS X is notified and will immediately look for mountable partitions on the device.
If detected, it initiates the mount and the disk’s internal arbitration tables are updated with the necessary information to work with the system. Having mounted, the Finder is updated with the information and the volume(s) appear on the desktop. Any other applications that may have subscribed to disk arbitration notifications are also updated in a cascade effect.
In the process of finding and updating the arbitration tables on devices found and mounted, there is a risk of writing to the devices and therefore tainting the evidence. MacForensicsLab, however, has a built-in option, accessible via the Window drop menu, or keyboard shortcut [Command] + [B], that allows the examiner to turn off the process.
In addition, to help avoid these issues, as MacForensicsLab reaches the ‘Main’ window it always automatically prompts the examiner to ensure that Disk Arbitration is enabled or disabled, per his or her desired behavior.
Enabling Disk Arbitration
As the examiner quits MacForensicsLab he or she will see a similar prompt asking whether to enable disk arbitration again.
TIPS — If you have Disk Arbitration turned off and you have quit MacForensicsLab, you will need to relaunch MacForensicsLab, and enable Disk Arbitration or your machine will not boot correctly.
Hardware Write Blockers
MacForensicsLab works effectively with all available write blocking hardware on the market, and we recommend that examiners use these devices, as their organization may dictate, when performing forensics on suspect drives. SubRosaSoft.com Inc. also carries an optional hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site https://www.SubRosaSoft.com for more information, or contact us via email: sales@subrosasoft.com; or telephone: +1 (510) 870 7883.
Clearing the Work Drive
It is essential that any drive used for storing the results of an investigation has been cleared properly before the examiner uses it. This should mean that the work drive has been formatted with at least a single pass of zeroing data.
To clear the work drive, select a partition of the designated drive in the ‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear work drive” from the File menu. A confirmation window will come to the fore, which the examiner should accept, after which the ‘shred’ window will come forward.
The window contains a slider with which the examiner can set the number of passes required to clear the drive. To speed up the process, the examiner also has the option to shred only “Free Space”, so that only the available space on the partition will be cleared. Having set this, simply click Start and the clearing procedure will begin. If the examiner picks the wrong partition, and/or decides to stop, simply clicking Close will dismiss the ‘Shred’ window and return him or her to the ‘Main’ window.
Terminal Access
MacForensicsLab provides the examiner with quick access via the Window drop menu, or keyboard shortcut [Command] + [T], to a terminal window, so that he or she does not have to leave MacForensicsLab in order to run commands through another Terminal application.
Core Functions
This section will outline the core functions of MacForensicsLab for further, detailed discussion.
The Core Functional Areas of MacForensicsLab
- Preferences Window
- Main Window
- Acquire Window
- Search Window
- Analyze Window
- Salvage Window
- Browse Window
- Audit Window
- Hash Window
- Bookmarks & Notes
- Database Window
The Main Window
This section will describe the layout and functionality of MacForensicsLab’s Main Window.
The section contains the following information:
- Overview
- The Main Window Layout
- The Access Panel – Devices View
- The Actions Menu
- The Contextual Menus
Overview
The ‘Main’ window is the starting point after accessing a case and provides the examiner with a detailed view of the system, any devices or disk images attached to it and their directory and file structure. It is from the ‘Main’ window that the examiner will gain full access to the wide array of functions and features that MacForensicsLab provides, each of which will be covered in subsequent chapters of this manual.
When working with the ‘Main’ window, the examiner may want to maximize the view of the window either by clicking the green maximize button at the top left of the window, or by using the resize handle at the bottom right. Maximizing the window will lessen the need to scroll up and down the various panels.
The Main Window Layout
There are 2 key sections to the layout of the ‘Main’ window:
- The ‘Access’ panel (1)
- The ‘Explorer’ panel (2)
The Access Panel – Devices View
When the Main Window starts up, MacForensicsLab lists all devices attached to the machine in the leftmost pane. When a device is selected the corresponding device details appear in the Explorer portion of the window.
The following information is specified:
- Display Name – The volume title
- Mounted – Status (true or false)
- Leaf Writable – Write Status (yes or no)
- Partition ID
- Preferred Block Size
- BSD Major & Minor
- BSD Name – Mount point
- Size – in bytes
- Content & Content Hint – Format type and hint
- Removable & Ejectable – Status (yes or no)
- BSD Unit Whole Drive Title – manufacturer’s model number
- Serial – manufacturer’s serial number
- Used – the amount of drive space used
- Available – the amount of drive space currently available
- Percentage – the percentage of drive space used
When a user clicks on the triangle tab to expand a device, the window lists shortcuts (1) to volumes and user folders, with the Explorer portion of the window (2) allowing for viewing of the directory structure and individual files, along with their corresponding information (such as date/times, permissions, etc.).
The following information is specified:
- File Name – full filename with extension.
- File Size – in bytes, whilst folders display the total items inside them within brackets – hidden files are included.
- Mac Creator Code – the OS creator application code
- Mac Type – the OS file type.
- Header – the first 32 characters of the file.
- CRC – the Cyclic Redundancy Check checksum value of the ‘Header’.
- File Reference – starting block number for the file.
- User ID – OS user id for file owner permission.
- Group ID – OS group id for file access permission.
- Finder Flags – OS finder settings.
- Permissions – OS permissions for read, write and execution of file.
- Creation Date – date when file/folder was created.
- Modification Date – date when file/folder was modified.
Each column can be sorted in both directions by clicking the column header.
The Actions Menu
The ‘Button’ panel found on version 3.0 is now replaced by the Action menu and Context sensitive menus.
The Action menu contains a listing of available functions for the device, volume, partition, folder or file selected within the main window. The corresponding keyboard shortcuts for each action are also shown in the Action menu.

The Contextual Menus
Contextual menus can be accessed by right-clicking (or [Control + click]) on a device, volume, partition, file or folder. A contextual menu showing the available functions for the selected item will appear.

The Preferences Window
This section will cover the Preferences Window settings and configuration.
The section contains the following information:
- Overview
- Finding the Preferences Window
- The Preference Window Layout
- The Database Preference Pane
- Configuring a Local Database File
- The Examiner Tab
- Configuring Examiner Specific Data
- The Cases Tab
- Fill Out Case Details
- eMail Tab Setup
Overview
The ‘Preferences’ window allows the examiner to setup and manage both individual cases and examiners within MacForensicsLab. In addition, it enables the examiner to configure MacForensicsLab database settings and even configure an e-mail based notification feature.
Finding the Preferences Window
The ‘Preferences’ window will, by default, appear at start-up once the MacForensicsLab splash screen has disappeared. To return to the ‘Preferences’ window after progressing to the ‘Main’ window, the examiner must select “Preferences” from the MacForensicsLab application drop menu, or use the keyboard shortcut [Command] + , [Comma]. In order to disable the ‘Preferences’ window from appearing at start-up the examiner should deselect the “Show this window at start-up” check box in the bottom left hand corner of the window.
The Preference Window Layout
The Preference Window has five sections, each containing its own preference information. The five sections are: Database (1), Examiners (2), Cases (3), eMail (4), and Plug-ins (5).
The Database Preference Pane
By default the Database will be disabled (1).
Configuring a Local Database File
MacForensicsLab allows the examiner to harness the power of a database solution without having to associate with a remote database. The creation of a local database file enables examiners to take advantage of a database while not requiring the infrastructure incurred with larger solutions.
To create a local database file, select Database (1), Local File (2), and then “Create.” (3)
Selecting a Location for the Local Database File
Once you select “Create” in the previous step, a navigation box will appear allowing the examiner to select the location of the local database file (by default it will place the file in the Documents folder and will be named MacForensicsLab Database.rsd).

Checking the Local File Database Path
Once the examiner has chosen a location for the Local Database file to be stored, they are returned to the Database Window, where the path chosen is displayed (1).
MySQL Setup
If the examiner has access to a MySQL database, then MacForensicsLab allows for seamless integration. Select MySQL from the drop down menu (1). Then, by filling out the form fields (2) and selecting the “Connect” button (3), the examiner will be able to take advantage of the power of the MySQL database.
The Examiners Tab
Select the Examiners Tab (1). The Examiners Tab is where an examiner enters their identifiable information. To add an examiner, select the “+” radio button (2) and a pop-up window will appear.
Configuring Examiner Specific Data
The pop-up window allows the examiner to enter specific information by filling out the form fields (1). It should be noted, that these fields can be changed at any time by selecting the “Edit” button from within the Examiner’s tab. Likewise it is important to note that none of these fields are required.
Save the Form
Once the examiner specific form fields are filled out, select the “Save” button, thus returning the examiner to the Preferences Window.
Confirm the Correct User
The user information entered will be reflected under the Examiners tab (1), which is where you will be automatically returned to upon selecting “Save” in the previous step.
The Cases Tab
To add a case, select the “Cases” Tab (1) from the Preferences window and select the “+” button (2). Once selected, a pop-up window will appear.
Fill Out Case Details
The Case Details window has two sections, the Case ID (1) and the Description (2). The Case ID represents a field where the examiner will enter the case number. The Case Description field is a simple text field enabling the examiner to input additional case information.
Complete Case Details Pop-up
Complete the Case Details pop-up window and select “Save.”
Verify Case Information
Upon completing the previous step, the examiner is returned to the Preferences Pane, where he/she can verify the correct case is selected (1).
eMail Tab Setup
By selecting the eMail tab (1), filling out the form fields (2) and testing the connection (3), the examiner is able to receive notification when MacForensicsLab has completed its current process. Once configured, press “Continue” (4).
The Acquire Function
This section will discuss the acquisition capabilities of MacForensicsLab.
The section contains the following information:
- The Acquire Window – An Overview
- Creating a Disk Image
- Attaching Disk Images
The Acquire Window – An Overview

MacForensicsLab can work with original devices and media, as well as disk image copies of these same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect drive is protected, by allowing the examiner to create a disk image for analysis and investigation, rather than having to work with the suspect drive.
In performing the acquisition scan ‘Acquire’ benefits from a number of features. These include checksum hashing for validation, the ability to create a separate golden master, the ability to create a smeared image in an environment when a volume cannot be unmounted, segmentation for ease of backup to alternative media, and, proprietary fault tolerant bad block recovery to work around faults, thus allowing the examiner to create disk images from damaged media or resume a previous acquire attempt that failed due to faulty media and/or electrical shortages.
Starting with version 4, the examiner can modify the information for the acquisition. For example, if only minimal information is needed for the report, the examiner can select the non-essential data and delete them.

Creating a Disk Image
When creating a disk image, the examiner can do so directly from either a partition or device, although it is recommended that copies be made of an entire device rather than of individual partitions.
Having selected the respective device or partition from the ‘Device’ panel, the examiner must select the Acquire function, bringing the function window to the fore.
In performing an acquisition the examiner can set a number of options:
Segment Size – This refers to the amount of data on each acquired image, thus allowing the examiner to separate his or her acquisition into multiple images. Each segment can then be limited to a specific data size, thus allowing for easier backup, for example, if the examiner plans to burn the image to a set of DVDs. To do so the examiner need only select the “4.36 GB (DVD-R/DVD+R)” option from the popup list.
Packet Size – Refers to data intervals at which MacForensicsLab will perform a checksum validation on the data being written to the acquisition image. A lower setting means many more checksum verifications are performed, thus improving overall data integrity but reducing the overall speed of the acquisition.
Smeared Image – Allows the examiner to generate an image from a drive that cannot, or perhaps that he or she may not wish to be unmounted. This would apply for example, when the examiner wishes to acquire the main volume on an operational file server that cannot be taken offline to avoid alerting users to the actions of the examiner.
Golden Master – In addition to the working copy, this option allows the examiner to save an extra disk image copy for other purposes. When the Golden Master option is selected, the user will be prompted to choose a save location twice before the acquisition is made: once to select a location for the disk image, and a second time to choose the location for the golden master. This allows the user to save the golden master to a different location than that of the working image.
Resume – Provides the examiner with the option to continue on from a previous acquisition, if, for whatever reason, the prior acquisition process was interrupted. This means that the ‘Open’ dialog window rather than the ‘Save’ dialog window will appear when the acquisition is initiated. Select the previous acquisition image from the ‘Open’ dialog to continue the acquisition.
Having made the desired changes to the presets, click the Start button to begin the acquisition process. This will bring up a ‘Save file’ dialog box, if creating the image rather than resuming, and the examiner will be prompted to enter a filename for the disk image. By default the file name appears as “Disk Image”; select and edit this to a preferred name and then choose a location into which to save the disk image. Then click Save and the process will begin.
Note: Always be sure to save the disk image to a location other than that which one is creating an image of. Also, make sure that the device one is saving the new disk image to has enough storage space. The acquisition of a 60GB hard drive will require the destination disk to have a minimum of 60GB of free capacity.
Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to unmount the selected volume or volumes of the selected device. A status bar then marks the progress of the acquisition, along with a variety of other information. This information includes: checksum mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity; approximate current data transfer rate; and total time remaining until acquisition completed.
During the process of acquisition a DAT file is created in the same location as the image file, and contains checksum data for the disk image. It is a small file and takes up less than 25 KB of space and is deleted after the acquisition process is complete.
Once completed, a dialog window will notify the examiner of such and will provide them with an error count. The examiner should simply take note of this and then close the dialog box by clicking Close, returning to the ‘Main’ window. The disk image can then be found in the previously specified location. By default the disk image file/ segments will be locked, thus avoiding the opportunity to further modify or to delete it/them.
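The sketch below is an added example, not MacForensicsLab code, showing how the Segment Size and Packet Size options interact: the source is copied into fixed-size segments, every packet is hashed when read and again after being written, and the stored packet digests later pinpoint which packet of which segment changed. SHA-256 as the checksum, the ".001" segment naming and the function names are assumptions made for the illustration; the manual does not state which checksum the product uses.

```python
import hashlib
import io
import os
import tempfile


def acquire(src, dest_dir, name, segment_size, packet_size):
    """Copy src into numbered segment files, checking every packet.

    Each packet is hashed as it is read, written, read back from the
    segment and hashed again; a difference is a checksum mismatch.
    Assumes src only returns short reads at end of data (file or image).
    Returns (segment_paths, packet_digests, mismatches, image_sha256).
    """
    if segment_size % packet_size:
        raise ValueError("segment size must be a multiple of packet size")
    image_hash = hashlib.sha256()
    segments, digests, mismatches = [], [], 0
    seg, used = None, segment_size      # forces a new segment on first packet
    while True:
        packet = src.read(packet_size)
        if not packet:
            break
        if used >= segment_size:        # current segment is full
            if seg:
                seg.close()
            # Hypothetical naming scheme: "<name>.001", "<name>.002", ...
            path = os.path.join(dest_dir, f"{name}.{len(segments) + 1:03d}")
            seg, used = open(path, "w+b"), 0
            segments.append(path)
        digest = hashlib.sha256(packet).hexdigest()
        seg.seek(used)
        seg.write(packet)
        seg.flush()
        seg.seek(used)
        if hashlib.sha256(seg.read(len(packet))).hexdigest() != digest:
            mismatches += 1
        used += len(packet)
        digests.append(digest)
        image_hash.update(packet)
    if seg:
        seg.close()
    for path in segments:
        os.chmod(path, 0o444)           # lock the finished segments read-only
    return segments, digests, mismatches, image_hash.hexdigest()


def verify(segments, packet_size, digests):
    """Re-hash every packet of every segment; return indexes that differ."""
    bad, index = [], 0
    for path in segments:
        with open(path, "rb") as handle:
            for packet in iter(lambda: handle.read(packet_size), b""):
                if hashlib.sha256(packet).hexdigest() != digests[index]:
                    bad.append(index)
                index += 1
    return bad


def demo():
    """Acquire constructed data, then alter one byte to show detection."""
    source = bytes(range(256)) * 40     # 10,240 bytes of constructed data
    with tempfile.TemporaryDirectory() as work_drive:
        segments, digests, mismatches, image_hash = acquire(
            io.BytesIO(source), work_drive, "Disk Image", 4096, 1024)
        clean = verify(segments, 1024, digests)
        os.chmod(segments[1], 0o644)    # simulate later corruption of segment 2
        with open(segments[1], "r+b") as handle:
            handle.seek(1500)
            handle.write(b"\xff")
        tampered = verify(segments, 1024, digests)
        matches = image_hash == hashlib.sha256(source).hexdigest()
        return len(segments), mismatches, matches, clean, tampered


if __name__ == "__main__":
    print(demo())
```

A smaller packet size narrows a mismatch down to a smaller region of the image, at the cost of more hashing work per byte copied.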

Attaching Disk Images
Once an image file or segment has been created, the examiner will want to prepare it for analysis. In order to do this the examiner must attach the disk image and mount it in the Finder.
To access the disk image, while in the ‘Main’ window, select “Attach Disk Image” from the File menu; the Attach Disk Image dialog box will appear. Click the Select button to choose the disk image to mount. There are two options listed for attaching the image.
Use Shadow File – This option will mount the disk image using a shadow file which emulates the disk being writable without actually writing to the disk image itself.
Ignore Permissions – This option turns on the feature in the Finder that maintains all disk permissions but ignores them, giving you access to any user files on all parts of the image.
Once you have selected the desired disk image and options, click the Attach button.
Using this method avoids the need to unlock and lock the image file from the Finder. After mounting disk images, the examiner may need to force MacForensicsLab to rescan for new devices or images; this can be done either by selecting “Rescan Bus” from the File menu, or with the keyboard shortcut [Command] + [R].
It should be noted that if the examiner is using Anti-Virus software, it may be configured to scan all newly attached disks, including disk images as they are brought into MacForensicsLab. This process will slow the mounting of the image.
To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window, followed by “Detach” from the File menu.
The Search Function
This section will discuss the search functionality of MacForensicsLab.
The section contains the following information:
- Overview
- The Search Window Layout
- Using Custom Search Terms and Filters
- Performing The Search Operation
Overview
The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to scan a directory, gather evidence and bookmark that same data for later reference. This helps the examiner to quickly and easily zero in on suspect material. In performing the function, MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file information and hash values as it scans.
The Search Window Layout
The ‘Search’ window is split into 4 tabs/panels:
- Filter
- Keywords, or Search Terms
- Patterns
- Output
Filter Panel
The ‘Filter’ panel is the part of the ‘Search’ window within which the examiner may establish criteria by which to filter the results of the search scan. Filters are based on standard file information, such as, but not limited to: filename; size; date of creation.
Available ‘Search Filters’ include all those in the Log File Format Fields:
- Name
- Creation Date
- Modification Date
- Header
- CRC
- MD5
- SHA1
- SHA256
- Data Size
- Resource Size
- Owner
- Mac Creator
- Mac Type
- Absolute Path
- UID
- GUID
- Permissions
Each of these filter types can be applied against the following operators:
- Is Equal To
- Is Not Equal To
- Contains
- Does Not Contain
- Is Less Than
- Is Greater Than
- Is In Database
- Is Not In Database
Keywords Panel
The ‘Keywords’ tab allows the examiner to assign and manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the files being scanned.
Clicking the (+) button underneath the desired pane will create a new filter/item at the bottom of the current list, after which the examiner can manually edit the filter/item details. To remove an individual filter, select the respective item and then press the (-) button. Clearing an entire list is equally simple; just click the (clear) button under the desired panel. This will, without warning, remove all the items from the list.
To import a custom checksum database, simply click the Import button at the bottom of the ‘Search Items’ panel. This will bring up an open file dialog box from which the examiner can locate and select the required file. Upon import the information in the database file will populate the ‘Items’ pane.
Pattern Panel
The Patterns tab allows the examiner to quickly and easily search for standard credit card and social security number formats. To ensure that all files containing either credit card or social security numbers are searched, the examiner must select either or both of the respective checkboxes in the ‘Search Items’ panel.
Output Panel
There are multiple options available for displaying the search results.
Selecting Browse Results will open the results of a searching procedure directly into a browse window, making it easier to manually review the results and to perform some manual bookmarking procedures to better identify potential evidence for future reference. Additionally, the results of the Search can be further analyzed by applying MacForensicsLab’s built-in Skin Tone analyzer directly to them.
The Bookmark option allows the examiner to auto-generate bookmarks of matched items, and make them available for easy reference at a later date. The text area below the folder drop down is designed for comments or a description pertaining to your customized bookmarks folder. To add the items as bookmarks to a respective group, the examiner must select the “Bookmark” checkbox in the ‘Bookmarks’ panel and then select a bookmark group from the drop down menu. If a new one is required, the examiner should do so through the Bookmarks menu (please refer to the chapter on Bookmarks for more detail).
The ‘Calculate Hash Values’ selection allows the examiner to define the auto-hashing options for a search scan. Options include adding the hashed file values to the internal database as well as the ability to export these to an external log file.
Using Custom Search Terms and Filters
In order to zero in on areas of particular interest Positive and Negative filters can be applied using custom checksum databases or those provided by the National Software Reference Library.
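As an added illustration of the “Is In Database” and “Is Not In Database” operators (this is not MacForensicsLab code), the script below hashes every file in a directory tree with MD5, SHA1 and SHA256 and filters the files against a set of known digests. The one-digest-per-line database format, the file names and the function names are constructed for the example and do not reflect the NSRL file format.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # hash fields listed among the filters


def hash_file(path, chunk_size=1 << 16):
    """Compute all three digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def load_database(lines):
    """Constructed format: one hex digest per line, '#' starts a comment."""
    known = set()
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if value:
            known.add(value)
    return known


def apply_filter(root, known, operator):
    """Return sorted (relative_path, sha256) pairs that satisfy the operator."""
    if operator not in ("Is In Database", "Is Not In Database"):
        raise ValueError(f"unsupported operator: {operator}")
    want_known = operator == "Is In Database"
    matches = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            digests = hash_file(path)
            in_database = any(d in known for d in digests.values())
            if in_database == want_known:
                matches.append((os.path.relpath(path, root), digests["sha256"]))
    return sorted(matches)


def demo():
    """Constructed case: a known file, a renamed copy of it, and case notes."""
    known_content = b"constructed known-good content"
    files = {
        "system.bin": known_content,
        "holiday.jpg": known_content,       # same bytes under another name
        "notes.txt": b"constructed case notes",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        known = load_database([
            "# constructed hash list",
            hashlib.md5(known_content).hexdigest().upper(),
        ])
        in_db = [p for p, _ in apply_filter(root, known, "Is In Database")]
        not_in_db = [p for p, _ in apply_filter(root, known, "Is Not In Database")]
        return in_db, not_in_db


if __name__ == "__main__":
    print(demo())
```

Because the comparison is on content digests, the renamed copy is still recognised as a known file, which is what makes hash filtering more reliable than filtering on Name.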
Performing The Search Operation
Having selected the partition or directory structure for searching, select from either the Action menu or the context sensitive menu the Search function, bringing the ‘Search’ window to the fore, and having set up the window with the desired ‘Search Items’, ‘Keywords’, and ‘Output’ options, the examiner should be ready to perform the search operation. To initiate the process, he or she should click the highlighted Search button on the bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the examiner will be prompted to define a file name and save location for the exported hash text file before the scan proceeds.
Once the process of scanning and searching the items found has completed, the examiner will be prompted with a screen advising them as such, which once closed will take him or her back to the ‘Main’ window.
The Analyze Function
This section will discuss the Analyze Function within MacForensicsLab.
The section contains the following information:
- Overview
- The Analyze Window Layout
- Examining Results of a Search
- Carving Data
Overview
There will come a point in the case when an examiner may wish to analyze the file data block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and evidence located, the examiner can then export and/or hash the requisite section of the drive to file for safekeeping and later use or further analysis.
The Analyze Window Layout
The analysis window can be split into 4 core sections:
- ‘Hex Content’ pane
- ‘Search Items’ pane
- ‘Found’ pane
- ‘Carve’ pane
The Hex Content Pane
The ‘Hex Content’ pane is the right-hand side of the ‘Analyze’ window and is where the examiner can read block data piece by piece in ‘Hex’ mode. Starting from MacForensicsLab 3.0, this area has been expanded to display a block at a time with the default view being ASCII.
Search Items Pane
The ‘Search Items’ pane contains a number of elements that are of use to the examiner:
Search Fields Pane – This is the first element in the Search Items Pane, which contains the working list of search terms (or filters) with which to analyze the data blocks. This is split into 2 columns: type and value. Type refers to whether the string should be pattern matched against the HEX content or the text (ASCII) content of the blocks. Value refers to the content of the string that is going to be pattern matched against the said format blocks, usually a word.
As previously mentioned, MacForensicsLab has the ability to handle foreign language multi-byte character sets such as those used in Russian, Arabic and Oriental languages when searching. The number of characters in a search can be up to 128. The number of search keywords is 128 as well.
Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the search fields in that pane.
- Clear: to clear all of the search fields in the window above
- Import: to bring up a dialog box and import a search terms database file
- Plus (+): to manually add individual search fields
- Minus (-): to individually delete each selected search field
Quick Tip: Saving Search Fields
The ‘Search Fields’ in the ‘Analyze’ window are retained from one investigative session to the next.
Found Pane
The ‘Found’ pane permits the examiner to very quickly and easily access any of the hits that are generated as a result of the terms used in the search. To view a specific block entry in the ‘Hex Content’ pane, click on the individual result item and the block data will load into the Hex viewer in the main panel.
Search File Data
When investigating files with the ‘Analyze’ window it is possible for the examiner to search for strings within the blocks of data that make up the file.
Individual Search Terms
To do so, the examiner must click the (+) button below the ‘Search Items’ pane; this will add a new field. After this, the examiner should define the search term type (text or hex) by clicking the up/down arrows in the center of the search term row, followed by typing in a unique search term string in the text entry field to the right hand side of the arrows.
This can be repeated multiple times, building up as complex a filter mechanism as desired. If items are added in error, the examiner can easily remove them by selecting each one in turn and then clicking the (-) button located under the ‘Search Items’ pane. When ready, the examiner can proceed by clicking Search. While processing the data, the examiner will see a progress bar, and upon completion of the search the results will appear in the ‘Found’ pane.
Importing Custom Search Lists
Though an examiner might find it useful to create search terms in an ad hoc manner as discoveries in the investigation necessitate, at some point he or she will want a more in-depth search, based on hundreds, if not thousands of search terms. The best way to achieve this is to import custom search lists.
Custom search lists are essentially ‘CSV Text’ files with each individual search term on a new line. Custom search lists are also a great way to keep a database of useful terms, and they make running a productive analysis or cataloguing on a suspect device a process that is no more than just a few clicks away from getting started.
To import a list, click on the Import button to the middle of the ‘Search Items’ drawer. This will bring up a ‘Find File’ dialog box. Once the examiner has found the file, click ‘Open’.
Each individual line item will then appear as an individual term in the ‘Search Items’ pane. The examiner then has to define whether each term is in Text or HEX format, though they are all imported as and predefined as ASCII Text format content by default.
Credit Card and Social Security Number Search
By selecting the respective checkboxes below the ‘Search Items’ pane it is possible for the examiner to get MacForensicsLab to look for and find credit card and social security numbers during the search process.
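The following added example (not MacForensicsLab code) shows one way a pattern search of this kind can work, and applies equally to the Patterns tab of the Search window: raw bytes are scanned for card-like and social-security-like digit runs, and each candidate is validated before it is reported. The Luhn checksum and the never-issued SSN ranges used for validation are assumptions of this sketch, as the manual only says that “standard formats” are matched; the sample data is constructed and hits are masked in the output.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hyphenated social security number: AAA-GG-SSSS.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum mod 10."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject ranges that are never issued (area 000, 666, 900-999, etc.)."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")


def scan(data):
    """Return (kind, offset, masked_value) hits found in raw bytes, by offset."""
    hits = []
    for match in CARD_RE.finditer(data):
        digits = re.sub(rb"\D", b"", match.group()).decode("ascii")
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append(("card", match.start(), masked))
    for match in SSN_RE.finditer(data):
        area, group, serial = (part.decode("ascii") for part in match.groups())
        if ssn_plausible(area, group, serial):
            hits.append(("ssn", match.start(), "***-**-" + serial))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: one digit run that fails Luhn, a well-known test card
# number, one plausible SSN and one SSN from a range that is never issued.
SAMPLE = (b"\x00\x01order ref 1234 5678 9012 3456\n"
          b"card: 4111 1111 1111 1111 exp 12/27\n"
          b"ssn 123-45-6789; placeholder 000-12-3456\x00")

if __name__ == "__main__":
    for kind, offset, masked in scan(SAMPLE):
        print(f"{kind:4} at byte {offset}: {masked}")
```

A hit that passes validation is still only a candidate: roughly one in ten random digit runs of the right length passes the Luhn check, so each hit needs review in context.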
Performing the Search
Once the search items have been defined in the ‘Search Items’ pane, either individually or by import, and when the other settings have been defined, the examiner need only click the now enabled Search button to perform the search. Once the scan is complete the results will appear in the ‘Found’ pane. Clicking on any hit displayed in the ‘Found’ pane will display the location of that hit in the ‘Hex Content’ pane and highlight it. The block number it is found in will be displayed at the bottom of the ‘Hex Content’ pane in the Block Number field. The start and length of the hit will also be populated in the Carve section.
Examining Results of a Search
Once the search has completed (1), the resulting hits are displayed in the ‘Found’ section of the Analyze window. The user may examine these hits by clicking on them (2) and the hit location will be displayed in the ‘Hex Content’ section of the window (3). When clicked, the search hit will turn red and a check mark will appear next to it. This allows the examiner to see which results they have reviewed and which ones they have yet to review, saving them time by making sure they don’t re-examine search hits.
Carving Data
When the examiner is ready to export the block-set being analyzed, he or she can do so very easily by clicking the “Carve” button. Doing so will then invoke the ‘Save’ window, bringing it to the fore.
The examiner may use the Start and Length fields to define the starting byte and the number of bytes after it to be carved out. These values can be changed by either entering the desired number in the Start and Length fields or by pressing the up and down arrows to the right of those fields. Clicking the Locked boxes to the right of these fields will lock the field to prevent it from being changed.
It is advisable to rename the default export filename and to apply a suffix to the name so that Mac OS or any other operating system can more easily recognize the expected file type and open it with the appropriate application.
Upon completion a message will pop to the fore and the user can simply close this and continue on with the investigation.
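The search-and-carve workflow described above, sketched in Python as an added example (it is not MacForensicsLab's own code): it loads a one-term-per-line list, searches an image for Text and HEX terms, reports each hit's byte offset and block number, and carves a start/length range. The 512-byte block size, the function names and the sample image are assumptions constructed for illustration.

```python
import io

BLOCK_SIZE = 512  # assumption: block size used to report a hit's block number


def load_search_list(text, hex_terms=()):
    """Parse a search list: one term per line, blank lines ignored.

    Every term is treated as ASCII text unless it is named in hex_terms,
    mirroring the import default described above.
    """
    patterns = {}
    for line in text.splitlines():
        term = line.strip()
        if not term:
            continue
        if term in hex_terms:
            patterns[term] = bytes.fromhex(term)  # spaces between bytes are allowed
        else:
            patterns[term] = term.encode("ascii")
    return patterns


def search_image(stream, patterns, chunk_size=4096):
    """Return hits sorted by offset, each with term, offset, block and length."""
    if not patterns:
        return []
    overlap = max(len(p) for p in patterns.values()) - 1
    seen = {}
    buf, base = b"", 0  # base is the absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for term, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                seen[(base + pos, term)] = len(pat)  # dict key removes duplicates
                pos = buf.find(pat, pos + 1)
        # Keep a tail so a term straddling two chunks is still matched.
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        buf = keep
    return [
        {"term": t, "offset": off, "block": off // BLOCK_SIZE, "length": n}
        for (off, t), n in sorted(seen.items())
    ]


def carve(stream, start, length):
    """Read exactly `length` bytes beginning at absolute byte `start`."""
    stream.seek(start)
    data = stream.read(length)
    if len(data) != length:
        raise ValueError("carve range runs past the end of the image")
    return data


# Constructed sample data: a 4 KiB "image" and a two-line search list.
_image = bytearray(4096)
_image[700:716] = b"password=hunter2"
_image[2046:2050] = bytes.fromhex("FFD8FFE0")  # straddles blocks 3 and 4
SAMPLE_IMAGE = bytes(_image)
SAMPLE_LIST = "password\nFF D8 FF E0\n"


def run_sample(chunk_size=4096):
    patterns = load_search_list(SAMPLE_LIST, hex_terms={"FF D8 FF E0"})
    return search_image(io.BytesIO(SAMPLE_IMAGE), patterns, chunk_size)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
    print(carve(io.BytesIO(SAMPLE_IMAGE), 700, 16))
```

When adapting this to a real image, open the image read-only and write carved output to the work drive, never to the suspect device.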
This section discusses the Salvage function contained within MacForensicsLab.
Overview
MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable files held within it, whether erased or not, and then recover the pre-selected files to a selected destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find as many recoverable files as possible, as well as scanning through a single directory structure.
The Salvage Window
The Salvage window is divided into upper and lower sections. The upper section is responsible for the settings Salvage will invoke upon starting. These settings include “Supported File Formats,” “Import a Prior Scan,” and “Start a New Scan”. The Supported File Formats section allows the examiner to select specific file types or groups of file types (i.e., all music files, image files and so on), as well as selecting all file formats (the default). In addition, these settings can be further defined to search Free Space Only (Deleted Files) or the Entire Device (All Files). Options for speed can also be selected by choosing either Fast Scan (Block by Block) or Slow Scan (Byte by Byte).
The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a File Previewer application will open and attempt to show the file in its native format. Once the files to be salvaged are determined, the “Salvage selected files” option is invoked.
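To show what the choice between Fast Scan (Block by Block) and Slow Scan (Byte by Byte) can mean for recovery, here is an added Python illustration that looks for file-type signatures either at block boundaries only or at every byte offset. It is not MacForensicsLab's code, and this manual does not document how Salvage scans internally; the signature table, the 512-byte block size, the function names and the sample buffer are assumptions constructed for the example.

```python
from collections import Counter

BLOCK_SIZE = 512  # assumption: device block size

# Well-known leading "magic" bytes for three file formats.
SIGNATURES = {
    "jpeg": bytes.fromhex("FFD8FF"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "pdf": b"%PDF-",
}


def scan(data, formats=None, mode="fast", block_size=BLOCK_SIZE):
    """Return [(offset, format)] for every signature found in `data`.

    mode="fast" tests only offsets that are multiples of block_size;
    mode="slow" tests every byte offset. `formats` limits the search to
    selected file types (None means all supported formats).
    """
    if mode not in ("fast", "slow"):
        raise ValueError("mode must be 'fast' or 'slow'")
    names = list(SIGNATURES) if formats is None else list(formats)
    unknown = [n for n in names if n not in SIGNATURES]
    if unknown:
        raise ValueError("unsupported format(s): " + ", ".join(unknown))
    step = block_size if mode == "fast" else 1
    found = []
    for offset in range(0, len(data), step):
        for name in names:
            if data.startswith(SIGNATURES[name], offset):
                found.append((offset, name))
    return found


def count_by_type(found):
    """Group scan results by file type, as a results list would show them."""
    return dict(Counter(name for _, name in found))


# Constructed sample: 4 KiB of zeroed "free space" holding three file headers.
_buf = bytearray(4096)
_buf[1024:1032] = SIGNATURES["png"]   # starts on a block boundary
_buf[1500:1503] = SIGNATURES["jpeg"]  # starts mid-block
_buf[2048:2053] = SIGNATURES["pdf"]   # starts on a block boundary
SAMPLE_FREE_SPACE = bytes(_buf)

if __name__ == "__main__":
    for mode in ("fast", "slow"):
        hits = scan(SAMPLE_FREE_SPACE, mode=mode)
        print(mode, hits, count_by_type(hits))
```

In this sample the block-by-block pass skips the JPEG header because it does not begin on a block boundary, while the byte-by-byte pass reports all three at the cost of testing 512 times as many offsets.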
Save the Scan
Once you have scanned for files that Salvage can recover, a window appears asking if you’d like to save the results of the scan. If you are not going to Salvage all files possible, it is a good idea to save the results of the scan. This process will save time later if the examiner needs to go back and Salvage additional files from the case.
Choose Destination
Once the examiner has opted to save the scan results, a pop-up window appears asking for a destination for the scan results to be saved. Once the destination has been entered, select “Save.”
Examine Files by Type
As illustrated above, all possible files are divided by type and number.
File Previewer
Once a particular file is selected for review, the File Previewer application is launched allowing the examiner to preview the file in question.
This section will describe the core functionality of the Browse function of MacForensicsLab.
Overview
The Browse window provides the examiner with an exceedingly quick and easy way to search for files (primarily images and multimedia) in directories, view the results found based on the preset search criteria, bookmark, make notes and even perform closer analysis.
The Browse Window
The Browse window allows the examiner a range of variable options to include in his/her search. These options include:
File Checks (1):
- File size (min-max range in kilobytes)
Image Checks:
- Image-only results (yes or no) (2)
- Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)
To invoke the Browse, select the “Browse” (5) button at the bottom of the window.
After clicking Browse, as MacForensicsLab scans the selected location for matching files, a progress dialog will be displayed providing the examiner with a status report. If the examiner needs to end the scan prematurely, clicking the Cancel button under the progress bar will end the scan and return to the Main window. When the scan is complete a finish prompt will appear and a chime can be heard. Upon clicking OK, the prompt will close and the Browse window will come to the fore.
Reviewing the Results
Upon completion, the Browse window will display a thumbnail view of all files meeting the aforementioned criteria set forth by the examiner. When an image is selected via clicking the checkbox below the image, it is highlighted in red (as seen above) and the metadata for that file appears on the right (1).
Bookmarking the Findings
Once the appropriate images are highlighted, the examiner can bookmark the results by choosing “Bookmarks” from the Main window or using the keyboard shortcut of [Command] + [D]. In the above example, a bookmark labeled “images” (1) was created, with a note “suspicious images” (2) to save the previously selected file.
Viewing Bookmark
The examiner can review the bookmark by navigating to the Bookmark window by selecting “Bookmark -> Show All Bookmarks” from the Main window.
Bookmarks
This section will cover Bookmarks within MacForensicsLab.
The section contains the following information:
- Overview
- Locating the Bookmarks
- The Bookmark Window Layout
- Resizing Panes
- Managing Bookmark Folders
Overview
MacForensicsLab uses bookmarks to assist the examiner in collecting files of investigative interest. It is possible to bookmark files and directories for reference and examination at a later time in the case. Likewise, the examiner can bookmark any file or folder, or groups of files. You cannot bookmark devices or specific blocks within a device.
Locating the Bookmarks
The bookmarks can be viewed and managed from the Bookmarks window and are accessible at any time by selecting Show All Bookmarks from the Bookmarks menu, or by using the keyboard shortcut [Command] + [Option] + [B].
The Bookmark Window Layout
The ‘Bookmarks’ window is divided into 4 clear portions:
- The folders/groups pane
- The folder note pane
- The bookmark detail pane
- The bookmark note pane
The Folders Pane & Folder Note Pane
Bookmarks can be grouped together using folders. These are listed in the Folders Pane (1). When individually selected, the notes for the respective folder, in editable form, can be seen in the ‘Folder Notes’ pane, directly below (2), while the grouped bookmarks can be seen in the ‘Bookmarks’ pane to the right (3).
The Bookmarks Pane & Bookmark Note Pane
Having selected an individual bookmark folder, the contents of the folder will be displayed in the ‘Bookmarks’ pane (3). Each bookmark is listed with: bookmark name, file path, file size and creation date. Columns can of course be resized and sorted by the examiner simply by clicking on the respective header or by dragging the column separators to the desired size. Having selected a bookmark, the notes for the bookmarked item will be displayed, in editable form, in the ‘Bookmark Note’ pane (4).
Resizing Panes
In order to maximize viewing space the examiner can resize the partitions between all four panes of the ‘Bookmarks’ window. To do so, the examiner should click & drag the resize handle of the respective separator, thus being able to minimize and maximize the required viewing space for each pane.
Managing Bookmark Folders

Adding Bookmark Folders
Bookmark folders can be added in one of two ways. The first is to use the ‘Add Bookmark Folder…’ window and the second is to do so from the ‘Bookmarks’ window itself.
Via the ‘Add Bookmark Folder…’ Window
When working with the other functions in MacForensicsLab, it is quickest and easiest to invoke the ‘Add Bookmark Folder…’ window from the Bookmarks menu or use the keyboard shortcut: [Command] + [Shift] + [N].
If adding a new folder while creating a new bookmark, then simply click the (+) button below the folder title option list in the ‘Add Bookmark’ window.
Once the ‘Add Bookmark Folder…’ window comes to the fore, the examiner need only enter the name of the new folder (1) into the “Name” text input field, and click Save (3). If the examiner so wishes, he or she can enter a note/summary into the “Summary” text field (2) for reference then and there, or do so at a later date in time from the ‘Bookmarks’ window.
Via the ‘Bookmarks’ Window
The second way to add bookmark folders is to bring the ‘Bookmarks’ window to the fore, after which the examiner must click the (+) button under the ‘Bookmark Folders’ pane. This will generate a new folder with an empty title in the pane above ready with the text cursor in the entry field. Once the name is complete, the examiner can either press Enter/Return or simply click out of the name entry field. To add a summary, having created a new folder in this way, the examiner need only select the new folder in the ‘Bookmark Folders’ pane and then enter his or her summary for the selected folder into the ‘Folder Note’ pane below.
Amending Bookmark Folder Names
Should the examiner wish to amend the name of the bookmark folder, he or she can do so from the ‘Bookmarks’ window by simply double-clicking on the respective bookmark folder’s name in the ‘Bookmark Folders’ pane and making the edits accordingly, before clicking out of the text entry field.
Removing Bookmark Folders
Removing bookmark folders, either collectively or individually, can be done from the ‘Bookmarks’ window.
Clearing ALL Folders
To clear ALL folders and lose the bookmarks contained within them, the examiner must click the (clear) button under the ‘Bookmark Folders’ pane, at which point MacForensicsLab will prompt him or her to confirm the deletion – as it cannot be undone. Having clicked OK, the examiner will be returned to the ‘Bookmarks’ window with a cleared ‘Bookmark Folders’ pane.
Clearing Individual Folders
To remove folders individually, the examiner must select each item in turn and click the (-) button beneath the ‘Bookmark Folders’ pane. As before, there will be a prompt confirming the deletion and the examiner need only click OK to follow through with the action.
Clearing Actions

Removing Bookmarks
Removing bookmarks, either collectively or individually, can be done from the ‘Bookmarks’ window.
Clearing ALL Bookmarks
To clear ALL bookmarks from within a bookmark folder, the examiner should select the desired bookmark folder in the ‘Bookmark Folders’ pane and then click the (clear) button under the ‘Bookmarks’ pane (1), at which point MacForensicsLab will prompt him or her to confirm the request to delete ALL bookmarks. Having clicked OK, the examiner will be returned to the ‘Bookmarks’ window with a cleared ‘Bookmarks’ pane.
Clearing Individual Bookmarks
To remove bookmarks individually, the examiner must first select the requisite bookmark folder and then, once the bookmarks load, select each item in turn and click the (-) button underneath the ‘Bookmark’ pane (2). As before, there will be a prompt confirming the action and the examiner need only click OK to follow through with the action.
Moving Bookmarks
Starting with version 4.0, the examiner can move bookmarks between folders. For example, to limit the bookmarks to the relevant items, the examiner can create a new bookmark folder, drag items into it from another bookmark folder that holds thousands of bookmarks gathered from an overly general search, and then report only the specific bookmarks during the reporting stage.
To select and move relevant bookmarks to another folder, highlight the bookmark(s) of interest (1) by clicking (or control click to select multiple items), then drag the items into the folder of choice (2).
After the process is completed, the examiner can click on the folder of choice and confirm the bookmarks have been transferred.
Examiner Notes
This section will describe the Note functionality contained within MacForensicsLab.
The section contains the following information:
- Overview
- Opening Notes
- Editing Case Notes
- Removing Case Notes
- Refreshing the Notes Pane
Overview
Case Notes are an extremely useful function of MacForensicsLab that allow the examiner to add comments and observations to their case file at any point during the examination process. Whether browsing the ‘Main’ window or in the middle of a lengthy acquisition, the examiner can open the ‘Notes’ tab of the ‘Database’ window, using either the keyboard shortcut ([Command] + [N]) or the ‘Window’ drop menu, and make the desired entry, before returning to the prior screen when finished.
Opening Notes
To access the Notes window at any time during the investigation, select “Window -> Make Note” from the Main window.
Notes Window Layout
The Notes Window is divided into three sections:
- The Database Tab
- The Note Data Pane
- The Note Information Section
Adding and Removing Case Notes
To add a new note, the examiner need only click the (+) button at the bottom right hand side of the upper ‘Notes Data’ pane. This will generate a blank new entry, which the examiner needs to then select and enter his or her notes into, using the lower ‘Note Entry’ pane. Having completed the note, the examiner can then click the ‘Save’ button and close the ‘Database’ window and return to the previous screen.
Editing Case Notes
When necessary to edit a case note, select the individual note in the ‘Notes’ pane at the top of the window. Once the note itself has loaded in the window below, the examiner is free to edit it at will. Having finished any amendments, click out of the editor pane and the new version of the note will be saved and changes logged.
Removing Case Notes
The examiner can remove individual notes or clear the entire ‘Notes’ pane in one go. To remove an individual note detail the examiner should select the note earmarked for removal and then click the (-) button on the right-hand side below the ‘Notes’ pane. To remove all the details in one go, the examiner should click the (Clear) button on the right-hand side below the ‘Notes’ pane. In both instances, the deletion will generate a warning prompt dialog, to which the examiner must confirm his or her actions.
Refreshing the Notes Pane
When working in a centralized database environment, it is possible that the ‘Notes’ pane may become out of sync with the listing in the database. To bring it up-to-date the examiner needs to click the Refresh button on the left-hand side below the ‘Notes’ pane. The time stamp is in Greenwich time.
The MacForensicsLab Database
This section will cover the organization and layout of the MacForensicsLab database.
The section contains the following information:
- Overview
- Opening the Database
- The Database Window Layout
- Viewing the Database Sections
- Sorting The Data
- Managing Records
Overview
Whichever database (local file or MySQL server) is enabled via the ‘Preferences’ window, detailed logs are kept of every action and all points of interest to support the examiner in the understanding and final presentation of their evidence. In the ‘Database’ window, the examiner has full access to comprehensive details of what has been logged in the forensic examination to date.
Opening the Database
The MacForensicsLab database can be located from the Main window by selecting “Window -> Database” or using the keyboard shortcut of [Shift] + [Command] + [D].
The Database Window Layout
The ‘Database’ window can essentially be split into 2 parts:
The tab bar – consisting of the various database sections:
- Acquisition
- Analyze
- Audit
- Chronology
- Hash
- Notes
- Salvage
The viewing pane(s) – consisting of:
- Device information
- Date/time/description
- Data
Navigating through each individual database tab produces its own unique layout. Each screen’s layout within the ‘Database’ window varies between a single pane with a columnar list and a triple paned layout with bookmarks and note/native viewer.
Viewing the Database Sections

As each tab is clicked in turn the database will be read, either locally or centrally, and the contents loaded into the new window layout; needless to say, the larger the dataset the longer the process of fetching and loading the data will take to complete. Accessible through the individual buttons of the tab bar in the ‘Database’ window are:
The Acquisition Log – lists the date and time of an acquisition process, a description of it and the exact block details (offset, length, hash sum, etc).
The Analyze Log – keeps track of the details of searches performed, as well as the results associated with them. Details logged include: date and time, file location, results and the associated match and offset.
The Audit Log – lists the date and time of an audit process, a description of it and the specific OS artifact information generated, to include folder creation date/times, network preferences, system settings, user preferences, bookmarks, web caches, and much more.
The Chronology Log – lists all the events from the moment the case reference is set up to the latest action performed in MacForensicsLab. It lists the date and time of the actions, the name of the examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the actions.
The Hash Database – provides a means by which the examiner can import, manage and store hash values for use within the various functions provided by MacForensicsLab.
The Notes Log – contains all the notes regarding the investigation as inputted by various examiners. Notes are listed with examiner name, date and initial number of characters, with the ability to view an entire note, as well as manage and edit notes.
The Salvage Log – keeps track of the date and time of the salvage process, the name of the examiner, the actions performed, and the location and specific details of the files salvaged.
Sorting The Data
The examiner can sort by the available columns by clicking on the respective column headers. Once a column is highlighted and sorted ascending, clicking the title bar again will sort the column in reverse order.
Managing Records
Certain panes containing log data benefit from the availability of management buttons. That is to say that an assortment of buttons exist to:
- Refresh
- Clear
- Delete
- Add
- Edit
Where available, the examiner should use these buttons, as in the other function windows, to reload data into the respective pane, to add items or make amendments, and to remove or clear records; removing and clearing both generate a warning prompt requesting confirmation before records are deleted.
Reporting
This section covers how to write a report using MacForensicsLab.
Opening Report Window
To open the Report window, from the MacForensicsLab Main window, select “File -> Write Report,” or use the keyboard shortcut [Command] + [P].
Select Report Contents
The Report window consists of a series of checkboxes that are to be toggled on or off depending on the information the examiner wants to include in the report. Once the appropriate checkboxes are selected, select “Start.”
Report Location
Once the report settings have been determined, a navigation box opens. This box enables the examiner to dictate where the report will be generated and saved.
Viewing the Report
Once the report is saved, a browser will open automatically showing the report. The report is divided into two sections, the navigation section on the left and the reported information on the right.
Keyboard Shortcuts
This section will list the keyboard shortcuts supported by MacForensicsLab.
Shortcuts
The following shortcuts are specific to the MacForensicsLab application.
Shortcut | Action
Command + Comma (,) | Open Preference Window
Command + P | Write HTML report
Command + T | Attach Disk Image
Command + D | Detach Disk Image
Command + M | Mount Device
Command + R | Rescan available hardware buses
Command + U | Unmount Device
Option + Command + B | Show all bookmarks
Command + D | Add bookmark
Shift + Command + N | Make note
Shift + Command + D | Open Database window
Command + B | Open Disk Arbitration window
Command + T | Open terminal
Command + S | Saves/Exports a file
Getting Help and Technical Support
This section covers the various ways to obtain help and technical support when using MacForensicsLab.
The section contains the following information:
- Finding Help within MacForensicsLab
- Technical Support
- Comments and Questions
- Company Address
Finding Help within MacForensicsLab
Help can be found both via the small, context sensitive information clips that appear when the examiner rolls the mouse over a window element, as well as the standard help menu at the top of the screen. Contextual tool tips include buttons and parts of MacForensicsLab that require some form of user interaction.
On the Web
We provide over 100 links to forensic resources, manuals, a complete knowledge base and a plethora of additional information on our website. For updates, resources and additional information please visit: https://www.SubRosaSoft.com
Technical Support
We provide free technical support both via email or phone during the hours 10am to 6pm Pacific Standard Time (GMT -8) Monday to Friday. By email, we can be reached at the following address: support@subrosasoft.com. By phone, we can be reached at: +1 (510)870-7883, or by fax on +1 (510)868-3407.
In addition to any support question(s), the examiner must include ALL of the following pieces of information:
- Valid registration number or purchase information.
- System configuration(s), hard drive make, model etc.
- System OS version.
- System related information can be found by using the System Profiler application in the -/Applications/Utilities folder.
Comments and Questions
If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: info@SubRosaSoft.com
Company Address
SubRosaSoft.com Incorporated
5387 Diana Common
Fremont, Ca 94555
United States of America
Uninstalling MacForensicsLab
This section covers how a user can uninstall MacForensicsLab.
Using the Main Window
MacForensicsLab is a completely self-contained application and requires no special functionality to uninstall it. The procedure to uninstall MacForensicsLab is to navigate to the directory in which MacForensicsLab is currently installed, highlight the MacForensicsLab folder and either drag and drop it into the Trash or delete it using the delete key.
Glossary
This section is a Glossary of terms relevant to MacForensicsLab.
Acquisition
The process through which an examiner can make duplicate working copies of a suspect drive, media or other data storage hardware.
Checksum & Checksum Verification
A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, then one can assume that the complete transmission was received.
Device
Could refer to any form of data storage technology, or equipment required to read data stored on media such as CDs or DVDs.
Disclosure triangle
The small rightward pointing arrow next to folders in the explorer window that, when clicked, turns downwards and allows the examiner to view the contents of the said folder.
Disk Image
A disk image is a computer file containing the complete contents and structure of a data storage device. The term has been generalized to cover any such file, whether taken from an actual physical storage device or not.
Disk Arbitration
The process by which a workstation will discover and attempt to mount a device connected to it. OS X is notified of the event by the kernel and will immediately look for mountable partitions on the drive. If found, the OS initiates the mount, then the internal disk arbitration tables are updated with the proper information, which eventually updates any programs that subscribed to notifications. During the process, the suspect’s drive will also be updated.
Evidence Item
Refers to an individual file that may be of use to an investigation or case.
Finder
Also referred to as the Desktop by workstation users. This is the Graphical User Interface portion, or rather the Front-End, that allows the human user to visually interact with the computer.
Hash or Hashing
Producing hash values for accessing data or for security and verification. A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Formulas used to create hash values, in ascending order of strength, include: MD5, SHA1 and SHA2 (otherwise known as SHA256).
Pane
The part of an application window where data may be previewed in columnar or free form style. Headers may be used to sort columns, whilst free form text can be edited.
Partition (also known as a Volume, when used to store data)
A partition is an individual section of a hard disc or media. Drives must contain at least one partial or complete partition in order to be of use, but can contain multiple partitions to separate the data contained within them. Partitions may be set up write-protected and even designed not to auto-mount.
Suspect Drive
The drive that is the focus of the investigation and which the examiner should avoid tainting if evidence collected is required for later use in a legal environment.
Unallocated Space (also known as a Free Space)
Refers to sectors on the hard drive that are not referenced in the hard drive catalog and therefore may be written to by the computer as they are not reserved.
Work Drive
Refers to the drive on which an examiner will store files relating to a case. Salvaged files and other data will be written to the work drive, rather than to the “Suspect Drive”, where writing them would contaminate or lose data.
Volume
Please refer to “Partition”
A volume is a partition that can be used to store data.