Macintosh Evidence Gathering and Analysis (MEGA)

In the spring of 2007, the E-Crime Technology Work Group identified Macintosh forensics as a priority. Forensic examiners observed an increase in Mac computers because of the dual boot capability of MAC OS-X10 operating systems (boots to Macintosh or Windows XP). Mac Evidence Gathering and Analysis (MEGA) will gather Mac OS X specific information that is largely ignored by existing tools, such as configuration, log, and cache data written by the operating system (OS), other OSs present via dual boot or virtual machines, and information available through the built-in Spotlight search facility. This project contributes to the reduction of crime laboratory backlogs in processing computer evidence by greatly reducing the time necessary to forensically examine a Macintosh machine. ca/ncf