This awardee has received supplemental funding. This award detail page includes information about both the original award and supplemental awards.
Description of original award (Fiscal Year 2009, $174,943)
ATC-NY has created an extensible Macintosh evidence gathering and analysis tool called Mac Marshal. Developed in collaboration with law enforcement and Architecture Technology Corporation, Mac Marshal gathers Mac OS X specific information that is largely ignored by existing tools, such as configuration, log, and cache data written by the operating system (OS), other OSs present via dual boot or virtual machines, and information available through the built-in Spotlight search facility.
Mac Marshal speeds up investigative analysis of Macintosh computers by applying established tools and techniques, in a forensically sound manner, to consistently gather and present usage information about a suspect Macintosh, including evidence that may be overlooked by examiners not familiar with the intricacies of Mac OS X, and evidence that is time-consuming to extract by hand. With computer crime labs seeing upwards of 10% of their investigations involving Macs, and having few trained Mac experts on hand, Mac Marshal can make a significant impact in reducing law enforcement case backlogs.
This project will extend Mac Marshal, from small enhancements driven by law enforcement feedback to major new capabilities, such as the ability to extract data from an iPhone and to conduct forensic investigations on live, running systems, gathering volatile data from those systems for later analysis.
This project will extend Mac Marshal in four principal ways: First, they will create a version of Mac Marshal that runs on Microsoft Windows (thereby allowing the analysis of Mac disks from Windows machines). Second, they will extend Mac Marshal's application analysis framework to include common peer-to-peer (P2P) file sharing clients (often seen in child exploitation cases). Third, they will modify and extend Mac Marshal's existing analysis tools in order to speed investigations. Finally, ATC-NY will enhance Mac Marshal and its underlying open source Sleuth Kit library to handle deleted files, compressed files, and other Mac-specific file system attributes, thereby pushing forward the Mac forensics field even for those who do not use the Mac Marshal software.
Mac Marshal is an NIJ-developed digital forensic tool that extracts and analyzes forensic information specific to Macintosh computers. Mac Marshal is in wide use, increasing the quality of evidence extracted from Macs while at the same time reducing the backlog of cases. In order to make Mac Marshal an even better tool for law enforcement, ATC-NY proposes four follow-on tasks for Mac Marshal: (1) Extend Mac Marshal's analysis capabilities to iPhone, iPad, and iPod disk images and backups; (2) Modify Mac Marshal to enable the analysis of Time Machine backups, partial disk images, and recovered deleted files; (3) Enhance and extend Mac Marshal's existing analysis tools in order to further speed investigations, including support for Mac OS X 10.7 when it is released; and (4) Enhance the reports generated by Mac Marshal, making them highly customizable and showing in detail the sources of all data presented, enabling investigators to verify Mac Marshal's results using independent tools and to explain their findings in court.