In this report, the authors describe the development of the Mac OS X-based tool suite, Mac Marshal, that allows investigators to graphically access and collect data on dual-boot Mac systems, and to gather and analyze forensically-relevant data specific to the Mac OS X platform and common programs that run on it.
The authors report on the design and implementation of Mac Marshal, an extensible tool for the analysis of files on Mac OS X disk images which provides simple access to Spotlight metadata maintained by the operating system, yielding efficient file content search and exposing metadata such as digital camera make and model. Mac Marshal can also help investigators access FileVault-encrypted home directories. Mac Marshal extracts and analyzes OS X-specific forensic information from a seized disk image; it could also operate in a live forensics setting by executing directly on the machine to be analyzed, but the authors' initial attention is on after-the-fact analysis. The authors also discuss the acquisition and forensic implications of metadata gathered by Mac Marshal, the use of Spotlight queries, and application analysis and other features of Mac Marshal that are meant to dramatically speed up investigators' search for particular files.