In this report, the authors describe the development of the Mac OS X-based tool suite, Mac Marshal, that allows investigators to graphically access and collect data on dual-boot Mac systems, and to gather and analyze forensically relevant data specific to the Mac OS X platform and the common programs that run on it.
The authors report on the design and implementation of Mac Marshal, an extensible tool for analyzing files on Mac OS X disk images. It provides simple access to the Spotlight metadata maintained by the operating system, which yields efficient file-content search and exposes metadata such as digital camera make and model, and it can also help investigators access FileVault-encrypted home directories. Mac Marshal extracts and analyzes OS X-specific forensic information from a seized disk image; it could also be used in a live-forensics setting by running directly on the machine under examination, but the authors’ initial focus is on after-the-fact analysis. The authors also discuss the acquisition and forensic implications of the metadata Mac Marshal gathers, the use of Spotlight queries, application analysis, and other Mac Marshal features intended to dramatically speed up an investigator’s search for particular files.
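As an added illustration of the Spotlight-metadata triage the abstract describes (this is example code written for this page, not Mac Marshal's own code and not taken from the paper), the script below parses the `key = value` text that Apple's `mdls` utility prints for a file, groups files by `kMDItemAcquisitionMake` and `kMDItemAcquisitionModel`, and builds the equivalent `mdfind` command an examiner could run against a read-only mounted image. The sample `mdls` output, file paths and camera values are constructed for the example; the `kMDItem*` attribute names are real Spotlight keys.

```python
import re
from collections import defaultdict

# Constructed sample of what `mdls` prints for three files on a mounted image.
# Paths and values are made up for this example; the kMDItem* names are real
# Spotlight attribute keys. "(null)" is what mdls prints for an absent key.
SAMPLE_MDLS = {
    "/Volumes/evidence/Users/alice/Pictures/IMG_0001.JPG": """
kMDItemAcquisitionMake         = "Canon"
kMDItemAcquisitionModel        = "Canon EOS 5D"
kMDItemContentType             = "public.jpeg"
kMDItemPixelHeight             = 2848
kMDItemAuthors                 = (
    "Alice"
)
""",
    "/Volumes/evidence/Users/alice/Pictures/IMG_0042.JPG": """
kMDItemAcquisitionMake         = "Apple"
kMDItemAcquisitionModel        = "iPhone 6"
kMDItemContentType             = "public.jpeg"
kMDItemPixelHeight             = 2448
""",
    "/Volumes/evidence/Users/alice/Documents/notes.pdf": """
kMDItemAcquisitionMake         = (null)
kMDItemAcquisitionModel        = (null)
kMDItemContentType             = "com.adobe.pdf"
""",
}

_ATTR = re.compile(r"^(?P<key>kMDItem\w+)\s*=\s*(?P<val>.*)$")


def _coerce(token):
    """Turn one mdls value token into a Python value."""
    if token == "(null)":
        return None
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    try:
        return int(token)
    except ValueError:
        return token


def parse_mdls(text):
    """Parse mdls output into {attribute: value}; a value of "(" opens a
    multi-line parenthesised array that runs until a line holding only ")"."""
    attrs = {}
    lines = text.strip().splitlines()
    i = 0
    while i < len(lines):
        m = _ATTR.match(lines[i].strip())
        if m is None:
            i += 1
            continue
        key, val = m.group("key"), m.group("val").strip()
        if val == "(":
            items = []
            i += 1
            while i < len(lines) and lines[i].strip() != ")":
                items.append(_coerce(lines[i].strip().rstrip(",")))
                i += 1
            attrs[key] = items
        else:
            attrs[key] = _coerce(val)
        i += 1
    return attrs


def group_by_camera(samples):
    """Map (make, model) -> sorted paths; files with no camera data land under (None, None)."""
    groups = defaultdict(list)
    for path, text in samples.items():
        a = parse_mdls(text)
        groups[(a.get("kMDItemAcquisitionMake"), a.get("kMDItemAcquisitionModel"))].append(path)
    return {k: sorted(v) for k, v in groups.items()}


def mdfind_query(make, model=None, onlyin=None):
    """Build the mdfind command equivalent to a make/model filter.

    Embedded double quotes are escaped for the Spotlight query language and
    the whole predicate is single-quoted for the shell.
    """
    esc = lambda s: s.replace('"', '\\"')
    predicate = f'kMDItemAcquisitionMake == "{esc(make)}"'
    if model:
        predicate += f' && kMDItemAcquisitionModel == "{esc(model)}"'
    cmd = ["mdfind"]
    if onlyin:
        cmd += ["-onlyin", onlyin]
    cmd.append(f"'{predicate}'")
    return " ".join(cmd)
```

Feed `parse_mdls` the real output of `mdls <file>` on macOS and `group_by_camera` gives a quick per-camera inventory of a user's photos; `mdfind_query("Canon", "Canon EOS 5D", "/Volumes/evidence")` prints the one-liner that does the same search from the shell. One caveat for practitioners: `mdfind` on the examiner's workstation consults that workstation's Spotlight index, so a mounted evidence volume is only searchable if it has been indexed there (check with `mdutil -s /Volumes/evidence`), and the volume should be mounted read-only so that indexing never writes to the evidence.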