MacForensicsLab 2.9 Manual

  • View
    84

  • Download
    2

Embed Size (px)

DESCRIPTION

Manual for MacForensicsLab 2.9

Text of MacForensicsLab 2.9 Manual

MacForensicsLab 2.9 Manual

1

Overview 1.1 Overview of MacForeniscsLab 6

2

System Requirements 2.1 System Requirements 11

3

Installing MacForensicsLab 3.1 Installing MacForensicsLab 15

4

Running MacForensicsLab for the First Time 4.1 Running MacForensicsLab for the First Time 20

5

Case Preparation 5.1 Case Preparation 34

6

Core Functions 6.1 Core Functions 39

7

The Preferences Window 7.1 The Preferences Window 41

8

The Main Window 8.1 The Main Window 59

9

The Acquire Function 9.1 The Acquire Function 64

10

The Search Function 10.1 The Search Function 69

11

The Analyze Function 11.1 The Analyze Function 74

12

The Salvage Function 12.1 The Salvage Function 80

13

The Browse Function 13.1 The Browse Function 88

14

The Audit Function 14.1 The Audit Function 92

15

The Hash Function 15.1 The Hash Function 98

16

Bookmarks 16.1 Bookmarks 101

17

Examiner Notes 17.1 Notes in MacForensicsLab 107

18

The MacForensicsLab Database 18.1 The MacForensicsLab Database 112

19

Reporting 19.1 Generating a Report 117

20

Keyboard Shortcuts 20.1 Keyboard Shortcuts 120

21

Getting Help and Technical Support 21.1 Getting Help and Technical Support 122

22

Uninstalling MacForensicsLab 22.1 Uninstalling MacForensicsLab 125

23

Gloassary 23.1 Glossary 127

24

End User's License Agreement (EULA) 24.1 End Users License Agreement 130

25

Copyright Notice 25.1 Copyright Notice 134

26

Trademarks 26.1 Trademarks 136

Overview

MacForensicsLab 2.9 Manual - 5

Overview of MacForeniscsLabThis lesson provides an overview of MacForensicsLab, its features, functionality and design.

About MacForeniscsLab IncorporatedWelcome to MacForensicsLab Incorporated. If this is your first time using MacForensicsLab software be assured you made the right decision. MacForensicsLab Inc. is the world-wide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, MacForensicsLab software is used by our military, intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution. As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but that change the way modern computer forensics are performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to their technological dillema. When the momentum of an investigation suffers due to a purley reactive development cycle, criminals go unpunished and victims are left needing resolution or worse, new victims are created. MacForensicsLab Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs and anticipate problems through use of intelligent proactive development. MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, MacForensicsLab Inc. leverages technology and technological advancements to allow for fewer mistakes while maximizing the efficiency and effectiveness of its users, thereby getting more done with less mistakes. MacForensicsLab Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization's forensic needs. To this end, we offer products that account for the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process, MacForensicsLab Inc acconts for this evolution with solutions for incident reponse, triage, static examinations and reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatability with other tools so the examiner is not limited to one tool or one answer to a problem. In summary, MacForensicsLab Inc views mission accomplishment as a corporate social responsibility, one we take very seriously and as such we strive to become not only a software development company but a partner to all our customers.

MacForensicsLab 2.9 Manual - 6

MacForensicsLab OverviewMacForensicsLab is the first comprehensive computer forensic solution that runs natively on a Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design and a feature rich environment. Capable of performing all aspects of the forensic process on any filesystem the system bus can recognize, these filesystems include: NTFS, UFS, HFS, HFSPlus, ext2, ext2, ReiserFS and many more. In addition to being the premire Macintosh-based forensic application, previous versions of MacForensicsLab (up to 2.5.5) are cross platform, allowing users to run MacForensicsLab natively on Windows XP, Windows Vista and Linux (RedHat, Ubuntu and SuSe).

MacForensicsLab Design FeaturesMacForensicsLab has been designed, from the ground up, to be a powerful easy-to-use forensic solution. A vital component in achieving this is the software's GUI (Graphical User Interface). By contrast many modern forensic solutions interface contains 15 or more buttons, making them difficult to use and due to the crowded space, somewhat overwhelming for the user. By contrast MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid out in an order that if followed from one to the next will guide the examiner through the completion of an entire forensic examination. The second aspect concerning the design of MacForensicsLab is automation. The automation of tasks has changed the world. First, the Industrial Revolution was marked by automation of the blue collar workforce, changing the way manufacturing wasa done. In the Information Age, this automation is seen through computers performing complex repetitive tasks. In computer forensics, this automation refers to leveraging the computer to collect and collate data so the examiner can analyze the data. MacForensicsLab, is unique in that it excels at this, allowing the examiner to perform the vital tasks of analysis, thus providing context to the computer findings. This concept is readily apparent in the Browse and Audit functions, described below. Another aspect of MacForensicsLab design is fault tolerance. Unique within the industry MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations as well as instant wites to the system, as it is a database-driven application, thus no need for time interval savings, which inevitably result is data loss. Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern computer forensics is one of increasing complexity. As such, no one solution provides all the answers to the examiner. Therefore, MacForeniscsLab strives enable the examiner to use the results of MacForensicsLab with other tools. The use of OpenISO imaging and HTML reporting are just two examples of how MacForensicsLab strives to work well with other tools to assist in accomplishing the mission of the forensic examiner.MacForensicsLab 2.9 Manual - 7

Speed and accuracy are the other tenets of MacForensicsLab design features. The rapid increase in data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to increase speed making it much faster than other tools such as dd. Accuracy is a foundational element of computer forensics. Unfortunately many software vendors sacrifice speed for accuracy. An example of this would be performing data recovery operations based on the directory structure. The sole use of the directory structure provides fast results, however it does not account for a corrupted structure. Whent he directory structure is corrupted and that is the only means of data recovery, then all is lost without attempting to fix the directory structure. MacForensicsLab takes a different approach, instead of the faster method, it takes the best method for recovering all files. In doing so, MacForensicsLab demonstrates its understanding that without all the data, there is no case and in this instance, it is better to sacrifice speed for accuracy. Now that we understand the basic deisgn features of MacForensicsLab, let's take a minute to familiarize ourselves with the core funtionalities of MacForensicsLab.

The Acquire FeatureThe Acquire function uses an intelligent algorithm to recover mechanically sound and faulty drives. Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the best chance at recovering evidence to a forensically sound disk and open format, industry standard disk image for further data salvage and analysis.

The Search FeatureThe Search process examines logical directory structures and files to bookmark files of interest, helping to zero in on any suspect material. Comparisons can be made against a database of hash values for known good, or known suspect content. MacForensicsLab creates a list of catalog information, MD5, SHA1, and SHA256 checksums, as well as other basic file information, using pre-specified search terms and filters.

The Analyze FeatureThe Analyze function enables an investigator to