Mac Marshal Continuation Funding

This project will extend Mac Marshal in four principal ways: First, they will create a version of Mac Marshal that runs on Microsoft Windows (thereby allowing the analysis of Mac disks from Windows machines). Second, they will extend Mac Marshal's application analysis framework to include common peer-to-peer (P2P) file sharing clients (often seen in child exploitation cases). Third, modify and extend Mac Marshal's existing analysis tools in order to speed investigations. Finally, ATC-NY will enhance Mac Marshal and its underlying open source Sleuth Kit library to handle deleted files, compressed, files, and other Mac-specific file system attributes, thereby pushing forward the Mac forensics field even for those who do not use the Mac Marshal software.

ca/ncf

Mac Marshal is a NIJ developed digital forensic tool that extracts and analyzes forensic information specific to Macintosh computers. Mac Marshal is in wide use, increasing the quality of evidence extracted from Macs while at the same time reducing the backlog of cases. In order to make Mac Marshal an even better tool for law enforcement, ATC-NY proposes four follow-on tasks for Mac Marshal: (1) Extend Mac Marshal's analysis capabilities to iPhone, iPad, and iPod disk images and backups; (2) Modify Mac Marshal to enable the analysis of Time Machine backups, partial disk images, and recovered deleted files; (3) Enhance and extend Mac Marshal's existing analysis tools in order to further speed investigations, including support for Mac OS (operating system) X 10.7 when it is released; and (4) Enhance the reports generated by Mac Marshal, making them highly customizable and showing in detail the sources of all data presented, enabling investigators to verify Mac Marshal's results using independent tools and to explain their findings in court.

ca/ncf