Page 1: MacForensicsLab 2.9 Manual

MacForensicsLab 2.9 Manual


1 Overview
1.1 Overview of MacForensicsLab

2 System Requirements
2.1 System Requirements

3 Installing MacForensicsLab
3.1 Installing MacForensicsLab

4 Running MacForensicsLab for the First Time
4.1 Running MacForensicsLab for the First Time

5 Case Preparation
5.1 Case Preparation

6 Core Functions
6.1 Core Functions

7 The Preferences Window
7.1 The Preferences Window

8 The Main Window
8.1 The Main Window

9 The Acquire Function
9.1 The Acquire Function

10 The Search Function
10.1 The Search Function

11 The Analyze Function
11.1 The Analyze Function

12 The Salvage Function
12.1 The Salvage Function

13 The Browse Function
13.1 The Browse Function

14 The Audit Function
14.1 The Audit Function

15 The Hash Function
15.1 The Hash Function

16 Bookmarks
16.1 Bookmarks

17 Examiner Notes
17.1 Notes in MacForensicsLab

18 The MacForensicsLab Database
18.1 The MacForensicsLab Database

19 Reporting
19.1 Generating a Report

20 Keyboard Shortcuts
20.1 Keyboard Shortcuts

21 Getting Help and Technical Support
21.1 Getting Help and Technical Support

22 Uninstalling MacForensicsLab
22.1 Uninstalling MacForensicsLab

23 Glossary
23.1 Glossary

24 End User's License Agreement (EULA)
24.1 End User's License Agreement

25 Copyright Notice
25.1 Copyright Notice

26 Trademarks
26.1 Trademarks


Overview

MacForensicsLab 2.9 Manual - 5

Overview of MacForensicsLab

This lesson provides an overview of MacForensicsLab, its features, functionality and design.

About MacForensicsLab Incorporated

Welcome to MacForensicsLab Incorporated. If this is your first time using MacForensicsLab software, be assured you made the right decision. MacForensicsLab Inc. is the world-wide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, MacForensicsLab software is used by our military, intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution.

As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but that change the way modern computer forensics are performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to their technological dilemma. When the momentum of an investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims are left needing resolution or, worse, new victims are created. MacForensicsLab Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs and anticipate problems through use of intelligent proactive development.

MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, MacForensicsLab Inc. leverages technology and technological advancements to allow for fewer mistakes while maximizing the efficiency and effectiveness of its users, thereby getting more done with fewer mistakes.

MacForensicsLab Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization's forensic needs. To this end, we offer products that account for the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process; MacForensicsLab Inc. accounts for this evolution with solutions for incident response, triage, static examinations and reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatibility with other tools so the examiner is not limited to one tool or one answer to a problem. In summary, MacForensicsLab Inc. views mission accomplishment as a corporate social responsibility, one we take very seriously, and as such we strive to become not only a software development company but a partner to all our customers.


MacForensicsLab Overview

MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design and a feature-rich environment. It is capable of performing all aspects of the forensic process on any filesystem the system bus can recognize; these filesystems include NTFS, UFS, HFS, HFS Plus, ext2, ReiserFS and many more.

In addition to being the premier Macintosh-based forensic application, previous versions of MacForensicsLab (up to 2.5.5) are cross platform, allowing users to run MacForensicsLab natively on Windows XP, Windows Vista and Linux (RedHat, Ubuntu and SuSE).

MacForensicsLab Design Features

MacForensicsLab has been designed, from the ground up, to be a powerful, easy-to-use forensic solution. A vital component in achieving this is the software's GUI (Graphical User Interface). Many modern forensic solutions' interfaces contain 15 or more buttons, making them difficult to use and, due to the crowded space, somewhat overwhelming for the user. By contrast, MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid out in an order that, if followed from one to the next, will guide the examiner through the completion of an entire forensic examination.

The second aspect concerning the design of MacForensicsLab is automation. The automation of tasks has changed the world. First, the Industrial Revolution was marked by automation of the blue collar workforce, changing the way manufacturing was done. In the Information Age, this automation is seen through computers performing complex repetitive tasks. In computer forensics, this automation refers to leveraging the computer to collect and collate data so the examiner can analyze the data. MacForensicsLab is unique in that it excels at this, allowing the examiner to perform the vital tasks of analysis, thus providing context to the computer findings. This concept is readily apparent in the Browse and Audit functions, described below.

Another aspect of MacForensicsLab design is fault tolerance. Unique within the industry, MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations, as well as instant writes to the system: as it is a database-driven application, there is no need for timed interval saves, which inevitably result in data loss.

Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern computer forensics is one of increasing complexity. As such, no one solution provides all the answers to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use the results of MacForensicsLab with other tools. The use of open ISO imaging and HTML reporting are just two examples of how MacForensicsLab strives to work well with other tools to assist in accomplishing the mission of the forensic examiner.


Speed and accuracy are the other tenets of MacForensicsLab design features. The rapid increase in data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to increase speed, making it much faster than other tools such as dd.

Accuracy is a foundational element of computer forensics. Unfortunately, many software vendors sacrifice accuracy for speed. An example of this would be performing data recovery operations based solely on the directory structure. The sole use of the directory structure provides fast results; however, it does not account for a corrupted structure. When the directory structure is corrupted and that is the only means of data recovery, then all is lost without attempting to fix the directory structure. MacForensicsLab takes a different approach: instead of the faster method, it takes the best method for recovering all files. In doing so, MacForensicsLab demonstrates its understanding that without all the data there is no case, and in this instance it is better to sacrifice speed for accuracy.

Now that we understand the basic design features of MacForensicsLab, let's take a minute to familiarize ourselves with the core functionalities of MacForensicsLab.

The Acquire Feature

The ‘Acquire’ function uses an intelligent algorithm to recover mechanically sound and faulty drives. Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the best chance at recovering evidence to a forensically sound, open format, industry standard disk image for further data salvage and analysis.

The Search Feature

The ‘Search’ process examines logical directory structures and files to bookmark files of interest, helping to zero in on any suspect material. Comparisons can be made against a database of hash values for known good or known suspect content. MacForensicsLab creates a list of catalog information, MD5, SHA1 and SHA256 checksums, as well as other basic file information, using pre-specified search terms and filters.

The Analyze Feature

The ‘Analyze’ function enables an investigator to examine the contents of files in Hex and Native modes. ‘Analyze’ allows the investigator to search unallocated space for specific terms and items including keywords, hex strings, credit card numbers and social security numbers, scanning file sectors at blazing speeds that no other package can approach.

The Salvage Feature

MacForensicsLab’s ‘Salvage’ functionality is fault tolerant and thorough by design, making it the most powerful data recovery engine on the market. The ‘Salvage’ function recognizes over 100 file types and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital camera memory cards, iPods, and much more. In addition, ‘Salvage’ possesses the ability to learn on-the-fly, enabling the examiner to add unknown file types into the ‘Salvage’ database for recovery. These features, combined with filters allowing targeted data recovery, make this a foundational feature for all subsequent forensic processes.

The Browse Feature

The ‘Browse’ function allows the investigator to quickly and easily thumbnail and preview graphic images and their metadata. MacForensicsLab was the first forensic software application to contain a built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of thousands of image files to locate files of investigative interest, which are easily bookmarked and/or exported for further action.

The Audit Feature

The ‘Audit’ function quickly and efficiently collects and collates operating system artifacts and user preferences, including cached internet history and bookmarks, Instant Messaging buddy lists, WiFi Access Points, Address Book information, iPhone information and much more. In doing so, the ‘Audit’ feature enables the examiner to keep the investigative momentum while allowing for further in-depth analysis.

The Hash Feature

The ‘Hash’ function allows the examiner to perform an MD5, SHA1 and SHA256 hash on any given file located on the volume while exporting the results, with the full path, to a text file for easy reference.
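The following Python script is an added example that is not part of this manual or of MacForensicsLab's own code. It does what the ‘Hash’ feature above describes, and what the ‘Search’ feature compares against: it walks a folder or mounted volume, computes MD5, SHA1 and SHA256 for each regular file in one pass, exports the digests with the full path to a tab-separated text file, and then sorts every file into known-suspect, known-good or unknown by matching its SHA256 against two hash sets. The three sample files, the hash sets and all function names are constructed for this demonstration.

```python
# Added example (not MacForensicsLab code): hash every file under a volume or
# folder with MD5, SHA1 and SHA256, export "full path + digests" to a text
# file, and compare the SHA256 values against known-good / known-suspect
# hash sets. All file names, sample contents and hash sets below are
# constructed for the demonstration.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read files in 1 MiB blocks so large files never sit in RAM


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests of one file, all computed in a single read."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_tree(root):
    """Walk root in a deterministic order; return (full_path, size, md5, sha1, sha256) per regular file."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal makes the hash list reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symlinks are skipped rather than followed, so nothing outside the
            # examined tree is read and no file is listed twice.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            md5, sha1, sha256 = hash_file(full)
            rows.append((full, os.path.getsize(full), md5, sha1, sha256))
    return rows


def write_hash_list(rows, out_path):
    """Export the hash list as tab-separated text with the full path first, as the Hash feature does."""
    with open(out_path, "w") as out:
        out.write("# full_path\tsize\tmd5\tsha1\tsha256\n")
        for full, size, md5, sha1, sha256 in rows:
            out.write(f"{full}\t{size}\t{md5}\t{sha1}\t{sha256}\n")


def classify(rows, known_good, known_suspect):
    """Sort files by SHA256: known-suspect (bookmark), known-good (ignore), unknown (needs review).
    A hash present in both sets is treated as suspect, the conservative choice for an examiner."""
    result = {"known_suspect": [], "known_good": [], "unknown": []}
    for full, _size, _md5, _sha1, sha256 in rows:
        if sha256 in known_suspect:
            result["known_suspect"].append(full)
        elif sha256 in known_good:
            result["known_good"].append(full)
        else:
            result["unknown"].append(full)
    return result


def demo():
    """Build a constructed three-file 'volume' in a temp dir, hash it, export, and classify."""
    root = tempfile.mkdtemp(prefix="hashlist_demo_")
    Path(root, "notes").mkdir()
    Path(root, "notes", "readme.txt").write_bytes(b"hello world\n")      # constructed "suspect" file
    Path(root, "image.bin").write_bytes(b"\x89PNG constructed sample")  # constructed unknown file
    Path(root, "empty.dat").write_bytes(b"")                             # constructed "known good" file

    # Constructed hash sets standing in for a known-good / known-suspect database.
    known_good = {hashlib.sha256(b"").hexdigest()}
    known_suspect = {hashlib.sha256(b"hello world\n").hexdigest()}

    rows = hash_tree(root)  # hash before the export file exists, so it is not listed
    out_path = os.path.join(root, "hashes.txt")
    write_hash_list(rows, out_path)
    return classify(rows, known_good, known_suspect), rows, out_path


if __name__ == "__main__":
    verdict, rows, out_path = demo()
    for bucket, files in verdict.items():
        print(bucket, [os.path.basename(p) for p in files])
    print("hash list written to", out_path)
```

Hashing three digests in a single read matters on large volumes, where the disk, not the CPU, is the bottleneck; the script also skips symlinks so the hash list reflects only what is actually stored in the examined tree.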


System Requirements


System Requirements

This lesson covers the basic and recommended system requirements for successfully running MacForensicsLab. Modern forensic processes require not only powerful systems to process the massive amount of data, but a scalable solution designed to harness the system resources for greater speed and increased functionality. A database solution provides such potential. Since MacForensicsLab is database driven, the performance of the software is greatly influenced by the performance of the computer that is being used to perform the investigations.

Mac OS X Base Requirements

-Apple Macintosh G4 800 MHz or faster
-Mac OS X (version 10.3.9 or newer)
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Windows Base Requirements (for use up to and including MacForensicsLab 2.5.5)

-Processor 800 MHz or faster
-Windows 2000/XP/Vista
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Linux Base Requirements (for use up to and including MacForensicsLab 2.5.5)

-Processor 800 MHz or faster
-x86-based Linux distribution with GTK+ 2.0 (or higher), glibc-2.3 (or higher) and CUPS (Common UNIX Printing System)
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

We officially support the following:
-SUSE Linux Enterprise Desktop
-Red Hat Enterprise Linux Desktop


Recommended Desktop Forensic Workstation

-Apple MacPro (2.66 GHz Quad Core Intel Xeon "Nehalem" processor or better)
-Mac OS X (version 10.5 or newer)
-8GB of RAM
-1TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-Firewire 800 <-> ATA/SATA hardware write blocker
-1 x USB 2.0 Port + HASP license dongle (supplied with MacForensicsLab)

Recommended Forensic Laptop

-Apple MacBook Pro Intel Core 2 Duo 2.4 GHz or faster
-Mac OS X (version 10.5 or newer)
-4GB of RAM
-Firmtek SeriTek Serial ATA ExpressCard Adapter
-1TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Additional Considerations

Providing the system with more resources and faster equipment, such as a faster processor, more RAM and a faster, larger hard disk drive, will improve the performance of MacForensicsLab where data reading, calculation and verification functions occur.

The database/logging functionality is best performed with the fastest possible network interface when working with a centralized network database server.


The MacForensicsLab Dongle

MacForensicsLab requires a dongle to function. To this end, previous versions of MacForensicsLab required a HASP dongle; however, starting with MacForensicsLab 2.9, this dongle will be replaced with a USB key customized for MacForensicsLab. This customized dongle will allow users who have purchased both MacForensicsLab and MacLockPick to use the same dongle for both applications, providing a seamless integration throughout the forensic process.


Installing MacForensicsLab


Installing MacForensicsLab

This lesson demonstrates how to install MacForensicsLab for the upgrade from 2.5.5 to 2.9.

Obtaining the latest version of MacForensicsLab

To install the latest version of MacForensicsLab, open a web browser and navigate to the MacForensicsLab web site: http://www.MacForensicsLab.com. Once on the main webpage, select the "Upgrades" link.


Locate the version of MacForensicsLab

The Upgrades page allows a user to select the version of MacForensicsLab they wish to download. Once the correct version is located, select the link (highlighted in blue).


Download

The download page will present the above image. To begin the download, click on the image.

Downloaded Archive

The file that downloads is a .zip file that will be uncompressed automatically by the operating system and will appear in the Downloads folder as a folder titled: MacForensicsLab.

Locate the MacForensicsLab Folder

Open the folder where MacForensicsLab was downloaded (by default this is the Downloads folder).


Installing MacForensicsLab

To install MacForensicsLab, simply drag the MacForensicsLab folder into the Applications folder; the application is now ready to be run for the first time.


Running MacForensicsLab for the First Time


Running MacForensicsLab for the First Time

This lesson demonstrates how to run MacForensicsLab for the first time.

Opening MacForensicsLab

Navigate to the Applications folder and open the MacForensicsLab folder by double clicking on it.

Launch MacForensicsLab

To launch the MacForensicsLab application, double click on the MacForensicsLab.app icon.

Allow MacForensicsLab to Run

The first time MacForensicsLab is launched, a warning banner will appear informing the user that the application was downloaded from the Internet. Select "Open."


Configure MacForensicsLab Preferences

Once the MacForensicsLab application is launched, the Preferences Pane will open. In order to successfully run MacForensicsLab, the Preferences Pane must be filled out.


Configure a Local Database File

In this example we will configure a Local File database (this means the database file will be resident on the local machine and not connected remotely to a database). The "Database" tab in the upper left of the window is selected (1); then select "Local File" (2), and next select "Create" (3).

Save the Local Database

Once the "Create" button is selected in the previous step, a navigation window appears. The navigation window allows the user to select the location of the database file. By default the file is named "MacForensicsLab Database.rsd" (1) and is located in the Documents folder (2); then select "Save."


Configure the Examiners Tab

The next tab to configure in the Preferences Pane is the "Examiners" tab. Select the "Examiners" tab (1). To add an examiner, select the "+" radio button on the left (2). Once the radio button is selected, an Examiner window will open.


Configure Examiner Window

Fill out the fields to complete the Examiner window, then select "Save."


Confirm Examiner Information

The Preference Pane appears and the new examiner information can be noted.


Configure the Cases Tab

To add a new case to the database, select the "Cases" tab (1) along the top of the window. Add a case by selecting the "+" radio button in the lower left (2). Once the radio button is selected, a Case Details pop-up window will appear.


The Case Details Window

The Case Details window allows the user to enter case details.


Complete Case Details

In the Case Details window enter the case number or Case ID (1) and a description of the case (2). Once completed, select "Save" (3).


Selecting the Case

Once the "Save" button is selected in the previous step, the user is returned to the Preferences Pane. Be sure to highlight the new case, as seen above.


The E-Mail Pane

The purpose of the E-Mail pane is to enable the user to be notified upon completion of tasks being conducted by MacForensicsLab.


Complete the E-Mail Pane

Complete all requisite information and select "Test" (1) to ensure the connection is properly configured. Once the test is successful, select the "Continue" button (2).

Authenticate MacForensicsLab

MacForensicsLab requires the user to authenticate by entering the admin password.


Complete Authentication

Enter the admin password (1) and then select "OK" (2).

Disk Arbitration

To complete the configuration of MacForensicsLab in preparation for running it for the first time, the user needs to decide whether to ignore disk arbitration (leaving it enabled) or to disable it. The user should only disable disk arbitration if he/she intends to create a forensic image from the suspect's media. Once either the "Ignore" or the "Disable" button is selected, the main window of MacForensicsLab opens.


Case Preparation


Case Preparation

This lesson will discuss how to prepare for a case using MacForensicsLab.

Overview

During the course of using MacForensicsLab the examiner will come across a range of different suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access settings. It is therefore important to ensure that the investigator understands how each of these varies and how the computer interacts with them.

Before connecting any device to the workstation it makes sense to assume that the device, image or media may be written to and therefore should be handled with the utmost caution.

In Mac OS X there are a couple of ways in which to handle the issues of possibly tainting and overwriting data on the suspect drive or device. The first is ‘Disk Arbitration’ and the second is ‘Write Blocking’. It is also a MUST for the investigator to have a secondary “Work Drive” onto which case data can be saved, and which will of course have been pre-cleared. This avoids the chance of overwriting possible evidence and thus losing and/or tainting it.

Disabling Disk Arbitration

Whether at start-up or when connecting a suspect device via any data bus (FireWire, USB, ATA) on your Macintosh Workstation, OS X is notified and will immediately look for mountable partitions on the device.

If detected, it initiates the mount and the disk’s internal arbitration tables are updated with the necessary information to work with the system. Having mounted, the Finder is updated with the information and the volume(s) appear on the desktop. Any other applications that may have subscribed to disk arbitration notifications are also updated in a cascade effect.


In the process of finding and updating the arbitration tables on devices found and mounted, there runs the risk of writing to the said devices and therefore tainting the evidence. MacForensicsLab, however, has a built-in option, accessible via the Window drop menu or the keyboard shortcut [Apple Key] + [B], that allows the investigator to turn off the process.

In addition, to help avoid these issues, as MacForensicsLab reaches the ‘Main’ window it always automatically prompts the investigator to ensure that Disk Arbitration is enabled or disabled, per his or her desired behavior.

Enabling Disk Arbitration

As the investigator quits MacForensicsLab, he or she will be asked in a similar message whether they wish to enable disk arbitration again.

Hardware Write Blockers

As the investigator will hear over and over, when working with a suspect drive he or she will want to avoid every single chance of tainting the data on it. MacForensicsLab works effectively with all available write blocking hardware on the market, and we recommend that investigators use such devices when performing forensics on suspect drives. SubRosaSoft, Inc. also carries an optional hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site http://www.subrosasoft.com for more information, or contact us via email: [email protected]; or telephone: +1 (510) 675 0681.


Clearing the Work Drive

It is essential that, before the investigator uses any drive for storing the results of an investigation, the drive has been cleared properly. This should mean that the work drive has been formatted with at least a single pass of zeroing data.

To clear the work drive, select a partition of the designated drive in the ‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear work drive” from the File menu. A confirmation window will come to the fore, which the investigator should accept, after which the ‘Shred’ window will come forward.

The window contains a slider with which the investigator can set the number of passes required to clear the drive. Also, in order to speed up the process, the investigator has the option to shred only “Free Space”, so that only the available space on the partition will be cleared. Having set this, simply click Start and the clearing procedure will begin. If the investigator picks the wrong partition and/or decides to stop, simply clicking Close will make the ‘Shred’ window disappear and he or she will be returned to the ‘Main’ window.
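As an added example that is not part of this manual or of MacForensicsLab, the Python script below checks the result of the clearing step described above: it reads a work drive (or a disk image standing in for one) in large blocks and reports the offset of the first byte that is not zero, so the examiner can confirm that the single zeroing pass actually covered the whole target before case data is stored on it. The sample images and all function names are constructed for this demonstration; pointing the check at a real device node requires read permission on that node.

```python
# Added example (not MacForensicsLab code): verify that a work drive, or a
# disk image standing in for one, really reads back as all zeros before case
# data is stored on it. Reads the target in large blocks and reports the
# offset of the first non-zero byte. The sample images below are constructed.
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep the scan fast without large memory use


def first_nonzero_offset(path, chunk=CHUNK):
    """Return the byte offset of the first non-zero byte in path, or None if every byte is zero.
    path may be a regular file or, with sufficient privileges, a raw device node (e.g. /dev/rdiskN)."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None  # reached end of target: every byte was zero
            stripped = block.lstrip(b"\x00")  # C-level scan for the first non-zero byte
            if stripped:
                return offset + (len(block) - len(stripped))
            offset += len(block)


def verify_cleared(path):
    """Summarise the check: cleared is True only when no non-zero byte was found."""
    off = first_nonzero_offset(path)
    return {"path": path, "cleared": off is None, "first_nonzero_offset": off}


def make_sample(size, poison_offset=None):
    """Create a constructed zero-filled image of `size` bytes; optionally write one 0xFF byte
    at poison_offset to simulate a drive that was not fully cleared."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    with open(path, "r+b") as f:
        f.truncate(size)  # sparse file: reads back as zeros
        if poison_offset is not None:
            f.seek(poison_offset)
            f.write(b"\xff")
    return path


if __name__ == "__main__":
    clean = make_sample(8 * 1024 * 1024)
    dirty = make_sample(8 * 1024 * 1024, poison_offset=5 * 1024 * 1024 + 17)
    print(verify_cleared(clean))  # cleared: True
    print(verify_cleared(dirty))  # cleared: False, first_nonzero_offset: 5242897
```

The scan stops at the first non-zero byte and reports its offset, which is what an examiner needs to decide whether the previous clearing run was interrupted or whether it simply never touched part of the partition.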


Terminal Access

MacForensicsLab provides the investigator with quick access, via the Window drop menu or the keyboard shortcut [Apple Key] + [t], to a terminal window, so that he or she does not have to leave MacForensicsLab in order to run commands through another Terminal application.


Core Functions


Core Functions

This section will outline the core functions of MacForensicsLab for further, detailed discussion.

The Core Functional Areas of MacForensicsLab

-Preferences Window
-Main Window
-Acquire Window
-Search Window
-Analyze Window
-Salvage Window
-Browse Window
-Audit Window
-Hash Window
-Bookmarks & Notes
-Database Window


The Preferences Window


The Preferences Window

This lesson will cover the Preferences Window settings and configuration.

Overview

The ‘Preferences’ window allows the examiner to set up and manage both individual cases and examiners within MacForensicsLab. In addition, it enables the examiner to configure MacForensicsLab database settings and even configure an e-mail based notification feature.

Finding the Preferences Window

The ‘Preferences’ window will, by default, appear at start-up once the MacForensicsLab splash screen has disappeared. To return to the ‘Preferences’ window after progressing to the ‘Main’ window, the examiner must select “Preferences” from the MacForensicsLab application drop menu, or use the keyboard shortcut [apple key] + [comma]. In order to disable the ‘Preferences’ window from appearing at start-up, the investigator should deselect the “Show this window at start-up” check box in the bottom left hand corner of the window.


The Preference Window Layout

The Preference Window has four sections, each containing its own preference information. The four sections are: Database (1), Examiners (2), Cases (3) and eMail (4).


The Database Preference Pane

By default the Database will be disabled (1).


Configuring a Local Database File

MacForensicsLab allows the examiner to harness the power of a database solution without having to associate with a remote database. The creation of a local database file enables examiners to take advantage of a database while not requiring the infrastructure incurred with larger solutions.

To create a local database file, select Local File (1), and then "Create." (2)


Selecting a Location for the Local Database File

Once you select "Create" in the previous step, a navigation box will appear allowing the examiner to select the location of the local database file (by default it will place the file in the Documents folder, and the file will be named MacForensicsLab Database.rsd).


Checking the Local File Database Path

Once the examiner has chosen a location for the Local Database file to be stored, they are returned to the Database Window, where the path chosen is displayed (1).


REAL SQL Setup

If the examiner has access to a REAL SQL database, then MacForensicsLab allows for seamless integration. Select the REAL SQL tab (1). Then, by filling out the form fields (2) and selecting the "Connect" button (3), the examiner will be able to take advantage of the power of the REAL SQL database.


MySQL Setup

If the examiner has access to a MySQL database, then MacForensicsLab allows for seamless integration. Select the MySQL tab (1). Then, by filling out the form fields (2) and selecting the "Connect" button (3), the examiner will be able to take advantage of the power of the MySQL database.


The Examiners Tab

Select the Examiners Tab (1). The Examiners Tab is where an examiner enters their identifiable information. By default, there is a "Default" examiner (2). To add an examiner, select the "+" radio button (3) and a pop-up window will appear.


Configuring Examiner Specific Data

The pop-up window allows the examiner to enter specific information by filling out the form fields (1). It should be noted that these fields can be changed at any time by selecting the "edit" button from within the Examiner's tab. Likewise, it is important to note that none of these fields are required.


Save the Form

Once the examiner specific form fields are filled out, select the "Save" button, thus returning the examiner to the Preferences Window.


Confirm the Correct User

The user information entered will be reflected under the Examiners Tab (1), which is where you will be automatically returned upon selecting "Save" in the previous step.


The Cases Tab

To add a case, select the "Cases" Tab (1) from the Preferences window and select the "+" button (2). Once selected, a pop-up window will appear.


Fill Out Case Details

The Case Details window has two sections, the Case ID (1) and the Description (2). The Case ID represents a field where the examiner would enter the case number. The Case Description field is a simple text field enabling the examiner to input additional case information.


Complete Case Details Pop-up

Complete the Case Details pop-up window and select "Save."


Verify Case Information

Upon completing the previous step, the examiner is returned to the Preferences Pane, wherein he/she can verify the correct case is selected (1).


eMail Tab Setup

By selecting the eMail tab (1), filling out the form fields (2) and testing the connection (3), the examiner is able to receive password notification when MacForensicsLab has completed its current process. Once configured, press "Continue" (4).


The Main Window

This lesson will describe the layout and functionality of MacForensicsLab's Main Window.

Overview

The ‘Main’ window is the starting point after accessing a case and provides the investigator with a detailed view of the system, any devices or disk images attached to it and their directory and file structure. It is from the ‘Main’ window that the investigator will gain full access to the wide array of functions and features that MacForensicsLab provides, each of which will be covered in subsequent chapters of this manual.

When working with the ‘Main’ window, the investigator should maximize the view of the window either by clicking the green maximize button at the top left of the window, or by using the resize handle at the bottom right. Such a move will lessen the need to scroll up and down the various panels.

The Main Window Layout

There are 3 key sections to the layout of the ‘Main’ window:

-The ‘Access’ panels (Devices and Files),
-The ‘Explorer’ panel,
-The ‘Buttons’ panel.

The Access Panel - Devices Tab

In the Main Window, there are two buttons: "Devices" (1) and "Files" (2). As depicted above, the Devices button lists all devices (with their respective partitions and volumes) attached to the machine in the leftmost pane (3). When a device is selected, the corresponding device details appear in the Explorer portion of the window (4).

The following information is specified:

Display Name – The volume title
Mounted – Status (true or false)
Leaf
Writable – Write Status (yes or no)
Partition ID
Preferred Block Size
BSD Major & Minor
BSD Name – Mount point
Size – in bytes
Content & Content Hint – Format type and hint
Removable & Ejectable – Status (yes or no)
BSD Unit
Whole
Drive Title – manufacturer’s model number
Serial – manufacturer’s serial number
Used - The amount of drive space used
Available - The amount of drive space currently available
Percentage - The percentage of drive space used

The Access Panel - Files Tab

When the Files Tab (1) is selected, the leftmost portion of the window lists shortcuts (2) to volumes and user folders, with the Explorer portion of the window (3) allowing for viewing of the directory structure and individual files, along with their corresponding information (such as dates/times, permissions, etc.).

The following information is specified:

File Name - full filename with extension.
File Size - in bytes, whilst folders display the total items inside them within brackets - hidden files are included.
Mac Creator Code - the OS creator application code.
Mac Type - the OS file type.
Header - the first 32 characters of the file.
CRC - the Cyclic Redundancy Check checksum value of the ‘Header’.
File Reference - starting block number for the file.
User ID - OS user id for file owner permission.
Group ID - OS group id for file access permission.
Finder Flags - OS finder settings.
Permissions - OS permissions for read, write and execution of file.
Creation Date - Date when file/folder was created.
Modification Date - Date when file/folder was modified.

Each column can be sorted in both directions by clicking the column header.
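The columns in that list can be gathered from an ordinary file system with standard calls, which makes clear what the Header and CRC columns actually contain. The Python script below is an added example written for this page; it is not MacForensicsLab code. It assumes a POSIX file system, reads the creation date from st_birthtime where the platform offers it (ctime otherwise), computes the CRC column as CRC-32 of the 32 header bytes, and leaves out the Mac Creator, Mac Type, Finder Flags and File Reference columns, which need platform-specific APIs. The sample directory it builds is constructed for the example.

```python
"""Gather Files-tab style attributes for a directory (added example; not MacForensicsLab code)."""
import os
import stat
import tempfile
import zlib
from datetime import datetime, timezone

HEADER_LEN = 32  # the Files tab shows the first 32 bytes of a file as its "Header"


def file_record(path):
    """One row of Files-tab style attributes for `path` (symlinks are not followed)."""
    st = os.lstat(path)
    is_dir = stat.S_ISDIR(st.st_mode)
    if is_dir:
        size, header = len(os.listdir(path)), b""   # item count; hidden entries are included
    else:
        size = st.st_size
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)
    # st_birthtime is the creation time on macOS/BSD; other platforms only expose ctime
    created = getattr(st, "st_birthtime", st.st_ctime)
    return {
        "File Name": os.path.basename(path),
        "File Size": size,                                  # bytes, or item count for a folder
        "Size Display": "[%d]" % size if is_dir else str(size),
        "Header": header,
        "CRC": zlib.crc32(header) & 0xFFFFFFFF,             # CRC-32 of the header bytes only
        "User ID": st.st_uid,
        "Group ID": st.st_gid,
        "Permissions": stat.filemode(st.st_mode),           # e.g. -rw-r--r--
        "Creation Date": datetime.fromtimestamp(created, timezone.utc),
        "Modification Date": datetime.fromtimestamp(st.st_mtime, timezone.utc),
    }


def list_directory(directory, sort_by="File Name", descending=False):
    """Rows for every entry in `directory`, sorted the way a clicked column header would sort them."""
    rows = [file_record(os.path.join(directory, name)) for name in os.listdir(directory)]
    return sorted(rows, key=lambda row: row[sort_by], reverse=descending)


def build_sample_dir():
    """Constructed sample tree: one regular file, one hidden file and one empty sub-folder."""
    root = tempfile.mkdtemp(prefix="files_tab_")
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n" + b"x" * 100)   # 128 bytes in total
    with open(os.path.join(root, ".hidden"), "wb") as fh:
        fh.write(b"\x00" * 16)
    os.mkdir(os.path.join(root, "Documents"))
    return root


if __name__ == "__main__":
    for row in list_directory(build_sample_dir(), sort_by="File Size", descending=True):
        print(row["Permissions"], row["Size Display"].rjust(6), "%08X" % row["CRC"], row["File Name"])
```

Because the CRC is taken over the header bytes only, two files that share the same first 32 bytes (for example two PDFs produced by the same generator) will show the same CRC; it is a quick grouping key, not a substitute for the MD5/SHA hashes of the whole file.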

The Buttons Panel

The ‘Buttons’ panel provides the examiner with access to selected core functions of MacForensicsLab. Each button in turn will be highlighted and accessible, or greyed out and disabled, dependent on the item selected by the examiner in either of the ‘Access’ panels.


The Acquire Function

This lesson will discuss the acquire capabilities of MacForensicsLab.

Overview

MacForensicsLab can work with original devices and media, as well as disk image copies of these same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect drive is protected, by allowing the investigator to create a disk image for analysis and investigation, rather than having to work with the suspect drive.

In performing the acquisition scan, ‘Acquire’ benefits from a number of features. These include checksum hashing for validation, the ability to create a separate golden master, the ability to create a smeared image in an environment where a volume cannot be unmounted, segmentation for ease of backup to alternative media, and proprietary fault tolerant bad block recovery to work around faults, thus allowing the examiner to create disk images from damaged media or resume a previous acquire attempt that failed due to faulty media and/or electrical shortages.

Creating a Disk Image

When creating a disk image, the investigator can do so directly from either a partition or a device, though it is recommended that copies be made of an entire device rather than of individual partitions.

Having selected the respective device or partition from the ‘Device’ panel, the examiner must press the Acquire button, bringing the function window to the fore.

In performing an acquisition the examiner can set a number of options:

Segment Size - This refers to the amount of data in each acquired image segment, thus allowing the investigator to separate his or her acquisition into multiple images. Each segment can then be limited to a specific data size, thus allowing for easier backup, for example, if the investigator plans to burn the image to a set of DVDs. To do so, the investigator need only select the “4.36 GB (DVD-R/DVD+R)” option from the popup list.

Packet Size – Refers to the data intervals at which MacForensicsLab will perform a checksum validation on the data being written to the acquisition image. A lower setting means many more checksum verifications are performed, thus improving overall data integrity but reducing the overall speed of the acquisition.

Smeared Image – Allows the investigator to generate an image from a drive that cannot, or perhaps that he or she may not wish to, be unmounted. This would apply, for example, when the investigator wishes to acquire the main volume on an operational file server that cannot be taken offline, so as to avoid alerting users to the actions of the investigator.

Golden Master - In addition to the working copy, this option allows the investigator to save an extra disk image copy for other purposes.

Resume a Previous Recover – Provides the examiner with the option to continue on from a previous acquisition, if, for whatever reason, the prior acquisition process was interrupted. This means that the ‘Open’ dialog window rather than the ‘Save’ dialog window will appear when the acquisition is initiated.


Having made the desired changes to the presets, click the Start button to begin the acquisition process. This will bring up a ‘save file’ dialog box, if creating the image rather than resuming, and the investigator will be prompted to enter a filename for the disk image. By default the file name appears as “Disk Image”; select and edit this to a preferred name and then choose a location into which to save the disk image. Then click Save and the process will begin.

Note: always be sure to save the disk image to a location other than the one being imaged. Also, make sure that the device the new disk image is being saved to has enough storage space. The acquisition of a 60GB hard drive will require the destination disk to have a minimum of 60GB of free capacity.

Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to unmount the selected volume or volumes of the selected device. A status bar then marks the progress of the acquisition, along with a variety of other information. This information includes: checksum mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity; approximate current data transfer rate; and total time remaining until the acquisition completes.

During the process of acquisition a DAT file is created in the same location as the image file, and contains checksum data for the disk image. It is a small file that takes up less than 25 KB of space and is deleted after the acquisition process is complete.

Once completed, a dialog window will notify the investigator and will provide an error count. The investigator should simply take note of this and then close the dialog box by clicking Close, returning to the ‘Main’ window. The disk image can then be found in the previously specified location. By default the disk image file/segments will be locked, thus avoiding the opportunity to further modify or delete it/them.
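As an added illustration of how the options above fit together (example code written for this page, not MacForensicsLab's acquisition engine), the Python below images a constructed source into segments, verifies every packet by reading it back and comparing SHA-256 digests, zero-fills unreadable packets and counts them as bad blocks, keeps a .dat sidecar of per-packet digests so an interrupted run can be resumed, optionally writes a golden master, locks the finished segments and hashes the whole image. The Source class, the sidecar format, the ".001" segment naming and the stop_after_packets switch that simulates an interruption are all assumptions made for the example.

```python
"""Segmented, packet-verified, resumable imaging (added example; not MacForensicsLab's engine)."""
import hashlib
import os
import shutil
import tempfile


class Source:
    """Constructed stand-in for a raw device: bytes plus an optional [lo, hi) range that fails to read."""
    def __init__(self, data, bad_range=None):
        self.data, self.bad_range = data, bad_range

    def __len__(self):
        return len(self.data)

    def read_at(self, offset, length):
        lo, hi = self.bad_range or (0, 0)
        if offset < hi and offset + length > lo:
            raise OSError("simulated I/O error at offset %d" % offset)
        return self.data[offset:offset + length]


def segment_path(prefix, index):
    return "%s.%03d" % (prefix, index)   # "Disk Image.001", "Disk Image.002", ... (assumed naming)


def hash_segments(paths):
    """MD5, SHA-1 and SHA-256 of the segments concatenated in order."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(65536), b""):
                for h in digests.values():
                    h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def acquire(source, prefix, segment_size, packet_size, resume=False,
            golden_master=None, stop_after_packets=None):
    """Image `source` into numbered segments of `segment_size` bytes, one packet at a time.
    Each packet is read back from the segment and its SHA-256 compared with the source packet;
    unreadable packets are zero-filled and counted as bad blocks.  Per-packet digests go to a
    .dat sidecar (assumed format: offset length sha256 status) so a run can be resumed.
    `stop_after_packets` exists only to simulate an interruption for the demonstration."""
    if segment_size % packet_size:
        raise ValueError("packet size must divide segment size so packets never straddle segments")
    dat_path = prefix + ".dat"
    done = bad_blocks = mismatches = packets = 0
    if resume and os.path.exists(dat_path):
        with open(dat_path) as dat:
            for line in dat:
                offset, length, _digest, status = line.split()
                done = int(offset) + int(length)
                bad_blocks += status == "bad"
    total = len(source)
    with open(dat_path, "a") as dat:
        for offset in range(done, total, packet_size):
            if stop_after_packets is not None and packets >= stop_after_packets:
                return {"complete": False, "bytes_copied": offset}
            length = min(packet_size, total - offset)
            try:
                chunk, status = source.read_at(offset, length), "ok"
            except OSError:
                chunk, status = b"\x00" * length, "bad"  # fault tolerant: keep going past the fault
                bad_blocks += 1
            seg = segment_path(prefix, offset // segment_size + 1)
            with open(seg, "r+b" if os.path.exists(seg) else "w+b") as fh:
                fh.seek(offset % segment_size)
                fh.write(chunk)
                fh.flush()
                fh.seek(offset % segment_size)
                written = fh.read(length)            # read back what actually landed on disk
            digest = hashlib.sha256(chunk).hexdigest()
            mismatches += hashlib.sha256(written).hexdigest() != digest
            dat.write("%d %d %s %s\n" % (offset, length, digest, status))
            dat.flush()
            packets += 1
    segments = [segment_path(prefix, i + 1) for i in range(-(-total // segment_size))]
    if golden_master:                                # extra copy kept apart from the working image
        for i, seg in enumerate(segments):
            shutil.copyfile(seg, segment_path(golden_master, i + 1))
    for seg in segments:
        os.chmod(seg, 0o444)                         # lock the finished segments
    os.remove(dat_path)                              # the sidecar is only needed while acquiring
    result = {"complete": True, "segments": segments, "bad_blocks": bad_blocks,
              "mismatches": mismatches, "dat_removed": not os.path.exists(dat_path),
              "locked": all(not (os.stat(s).st_mode & 0o222) for s in segments)}
    result.update(hash_segments(segments))
    if golden_master:
        result["golden_master"] = hash_segments(
            [segment_path(golden_master, i + 1) for i in range(len(segments))])
    return result


def run_sample_acquisition():
    """2 KiB constructed source with one bad block: stop after three packets, then resume to the end."""
    data = bytes(range(256)) * 8
    source = Source(data, bad_range=(600, 610))
    workdir = tempfile.mkdtemp(prefix="acquire_")
    prefix = os.path.join(workdir, "Disk Image")
    first = acquire(source, prefix, 1024, 256, stop_after_packets=3)
    final = acquire(source, prefix, 1024, 256, resume=True,
                    golden_master=os.path.join(workdir, "Golden"))
    final["first_run"] = first
    # the packet covering bytes 512-767 overlaps the bad range and therefore reads back as zeros
    final["expected_sha256"] = hashlib.sha256(data[:512] + b"\x00" * 256 + data[768:]).hexdigest()
    return final


if __name__ == "__main__":
    r = run_sample_acquisition()
    print("segments", len(r["segments"]), "bad blocks", r["bad_blocks"], "mismatches",
          r["mismatches"], "sha256 matches expected:", r["sha256"] == r["expected_sha256"])
```

The read-back comparison is what a small packet size buys: a smaller packet means more verification rounds and a finer-grained record of exactly which bytes were zero-filled, at the cost of more I/O. Note that the zero-filled bad block changes the image hash relative to the original media, which is why the bad block count belongs in the examiner's notes alongside the hashes.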

Attaching Disk Images

Once an image file or segment thereof has been created, the investigator will want to prepare it for analysis. In order to do this, the investigator must attach the disk image and mount it in the Finder.

To access the disk image, whilst in the ‘Main’ window, select “Attach Disk Image” from the File menu, or use the keyboard shortcut [Apple Key] + [t]; then navigate to the disk image in the open dialog window that appears, select the image file and then click "Open." Using this method avoids the need to unlock and lock the image file from the Finder. After mounting disk images, the investigator may need to force MacForensicsLab to rescan for new devices or images; this can be done either by selecting “Rescan Bus” from the File menu, or with the keyboard shortcut [apple key] + [r].

To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window, followed by “Detach” from the File menu. Alternatively, select the disk image in the main window and use the keyboard shortcut [apple key] + [d].


The Search Function

This lesson will discuss the search functionality of MacForensicsLab.

Overview

The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to scan a directory, gather evidence and bookmark that same data for later reference. This helps the examiner to quickly and easily zero in on suspect material. In performing the function, MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file information and hash values as it scans.

The Search Window Layout

The ‘Search’ window can be split into 5 core portions:

(1) -Search Filter
(2) -Search Terms
(3) -Browse Results
(4) -Bookmarks
(5) -Hash Keys

Search Filter Panel

The ‘Search Filter’ panel is the part of the ‘Search’ window within which the investigator may establish criteria by which to filter the results of the search scan. Filters are based on standard file information, such as, but not limited to: filename; size; date of creation.

Search Terms Panel

The ‘Search Terms’ panel is the portion of the ‘Search’ window within which the investigator can manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the files being scanned. The investigator may also quickly and easily select either of two check boxes to search for standard credit card and social security number formats respectively, as well as being able to import large databases of terms.

Browse Results

It is now possible to open the results of a search procedure directly into a browse window, making it easier to manually review the results and to perform manual bookmarking to better identify potential evidence for future reference.

Bookmarks Panel

When performing a search scan, the investigator can use the options contained within the ‘Bookmarks’ panel to auto-generate bookmarks of matched items, and so make them available for easy reference at a later date. The text area below the folder drop down is designed for comments or a description pertaining to your customized bookmarks folder.

Hash Panel

The ‘Hash’ panel allows the investigator to define the auto-hashing options for a search scan. Options include adding the hashed file values to the internal database, as well as the ability to export these to an external log file.

Using Custom Search Terms and Filters


In order to zero in on areas of particular interest, Positive and Negative filters can be applied using custom checksum databases or those provided by the National Software Reference Library.

Available ‘Search Filters’ include all those in the Log File Format Fields:

-Name
-Creation Date
-Modification Date
-Header
-CRC
-MD5
-SHA1
-SHA256
-Data Size
-Resource Size
-Owner
-Mac Creator
-Mac Type
-Absolute Path
-UID
-GUID
-Permissions

Each of these filter types can be applied against the following operators:

-Is Equal To
-Is Not Equal To
-Contains
-Does Not Contain
-Is Less Than
-Is Greater Than
-Is in database
-Is not in database

Quick Tip: Foreign Languages

MacForensicsLab has the ability to handle filtering based on foreign multi-byte character sets such as Russian, Arabic and Chinese, not just English.
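To make the filter semantics concrete, here is an added example (not MacForensicsLab's own filter code) that evaluates (field, operator, term) triples against file records and supports positive ("Is in database") and negative ("Is not in database") checksum-database filters. The NSRL-style CSV, the file records and their digests are constructed placeholders; the field names are the Log File Format fields listed above, and one record carries a Cyrillic name to show the multi-byte case.

```python
"""Search-filter evaluation with database operators (added example; not MacForensicsLab code)."""
import csv
import io
from datetime import datetime

# Constructed known-good hash set in the column layout NSRL reference sets use.  The digests are
# zero-padded placeholders, not real NSRL values.
KNOWN_GOOD_CSV = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0000000000000000000000000000000000000001","00000000000000000000000000000001","00000001","Safari","4194304","1","MAC",""
"0000000000000000000000000000000000000002","00000000000000000000000000000002","00000002","TextEdit","1048576","1","MAC",""
'''


def load_hash_database(csv_text):
    """Lower-case SHA-1 and MD5 digests from an NSRL-style CSV, for the 'in database' operators."""
    digests = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        digests.add(row["SHA-1"].lower())
        digests.add(row["MD5"].lower())
    return digests


# One predicate per operator named in the manual; `db` is only consulted by the database operators.
OPERATORS = {
    "Is Equal To":        lambda value, term, db: value == term,
    "Is Not Equal To":    lambda value, term, db: value != term,
    "Contains":           lambda value, term, db: term in str(value),
    "Does Not Contain":   lambda value, term, db: term not in str(value),
    "Is Less Than":       lambda value, term, db: value < term,
    "Is Greater Than":    lambda value, term, db: value > term,
    "Is in database":     lambda value, term, db: str(value).lower() in db,      # positive filter
    "Is not in database": lambda value, term, db: str(value).lower() not in db,  # negative filter
}


def apply_filters(records, filters, database=frozenset()):
    """Keep the records that satisfy every (field, operator, term) triple; `term` is ignored by the
    database operators.  Record keys are the Log File Format field names."""
    return [record for record in records
            if all(OPERATORS[op](record[field], term, database) for field, op, term in filters)]


def sample_records():
    """Constructed file records; the hashes are placeholders that line up with KNOWN_GOOD_CSV."""
    def record(name, md5, size, created, owner="suspect", folder="/Users/suspect/"):
        return {"Name": name, "MD5": md5, "Data Size": size, "Creation Date": datetime(*created),
                "Owner": owner, "Absolute Path": folder + name, "Permissions": "-rw-r--r--"}
    return [
        record("Safari", "00000000000000000000000000000001", 4194304, (2019, 3, 1), "root", "/Applications/"),
        record("договор.docx", "0000000000000000000000000000abcd", 48000, (2023, 11, 5)),
        record("holiday.jpg", "0000000000000000000000000000beef", 2500000, (2022, 6, 20)),
        record("notes.txt", "0000000000000000000000000000cafe", 900, (2024, 1, 9)),
    ]


if __name__ == "__main__":
    db = load_hash_database(KNOWN_GOOD_CSV)
    unknown_large = apply_filters(sample_records(), [
        ("MD5", "Is not in database", None),        # negative filter: drop known-good OS files
        ("Data Size", "Is Greater Than", 1_000_000),
    ], db)
    recent = apply_filters(sample_records(),
                           [("Creation Date", "Is Greater Than", datetime(2023, 1, 1))])
    print([r["Name"] for r in unknown_large], [r["Name"] for r in recent])
```

A negative filter against a reference set is the usual first pass: it removes files whose hashes are already known (operating system and application binaries) so the examiner reviews only what is left. The positive form does the opposite and is the one to use with a custom database of hashes of known items of interest.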

Adding & Removing Search Filters & Items


Clicking the (+) button underneath the desired pane will create a new filter/item at the bottom of the current list, after which the investigator can manually edit the filter/item details. To remove an individual filter, select the respective item and then press the (-) button. Clearing an entire list is equally simple; just click the (clear) button under the desired panel. This will, without warning, remove all the items from the list.

Importing A Custom ‘Search Item’ Database

To import a custom checksum database, simply click the Import button at the bottom of the ‘Search Items’ panel. This will bring up an open file dialog box from which the investigator can locate and select the required file. Upon import, the information in the database file will populate the ‘Items’ pane.

Searching for Credit Card and Social Security Numbers

In order to ensure that all files containing either credit card or social security numbers are searched and possibly bookmarked, the investigator must tick either or both of the respective checkboxes in the ‘Search Items’ panel.

Auto-Bookmarking Files

When scanning directories, the search function can be used to auto-generate bookmarks for reference at a later time in the investigation.

To add the items as bookmarks to a respective group, the investigator must tick the “Bookmark” checkbox in the ‘Bookmarks’ panel and then select a bookmark group from the drop down menu. If a new one is required, the investigator should create it through the Bookmarks menu (please refer to the chapter on Bookmarks for more detail).

Performing The Search Operation

Having selected the partition or directory structure for searching, clicked the Search button in the ‘Main’ window (bringing the ‘Search’ window to the fore), and having set up the window with the desired ‘Search Items’, ‘Search Filters’, bookmarking and hashing options, the investigator should be ready to perform the search operation. To initiate the process, he or she should click the highlighted Search button on the bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the investigator will be prompted to define a file name and save location for the exported hash text file before the scan proceeds.

Once the process of scanning and searching the items found has completed, the investigator will be prompted with a screen advising them as such, which once closed will take him or her back to the ‘Main’ window.


The Analyze Function

This lesson will discuss the Analyze Function within MacForensicsLab.

Overview

There will come a point in the case when an investigator may wish to analyze the file data block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and evidence located, the investigator can then export and/or hash the requisite section of the drive to file for safekeeping and later use or further analysis.

The Analyze Window Layout

The analysis window can be split into 4 core sections:

(1) -‘Block View’ pane
(2) -‘Search Fields’ pane
(3) -‘Search Results’ pane
(4) -The ‘Hash Fields’


The Block View (Hex or Native)

The ‘Block View’ pane is the right-hand side of the ‘Analyze’ window and is where the investigator can read block data either piece by piece in ‘Hex’ mode or in its entirety with ‘Native’ view. The investigator can easily flip between the two separate views by using the tabs directly above the pane. Native view allows files such as images and movies to be viewed as is, with controllers where necessary for audio and video.

Search Fields Pane

The ‘Search Fields’ pane contains a number of elements that are of use to the examiner:

Search Fields Pane – The first is the ‘Search Fields’ pane, which contains the working list of search terms (or filters) with which to analyze the data blocks. This is split into 2 columns: format and term. Format refers to whether the string in term should be pattern matched against the HEX content or the ASCII content of the blocks. Term refers to the content of the string that is going to be pattern matched against the blocks in the said format, usually a word.

As previously mentioned, MacForensicsLab has the ability to handle foreign language multi-byte character sets such as those used in Russian, Arabic and Oriental languages when searching.

Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the search fields in that pane.

-Clear to clear all of the search fields in the window above
-Import to bring up a dialog box and import a search terms database file
-Plus to manually add individual search fields
-Minus to individually delete each selected search field

Quick Tip: Saving Search Fields

The ‘Search Fields’ in the ‘Analyze’ window are retained from one investigative session to the next.

Hash Fields

The ‘Hash Fields’ are located on the left-hand side of the window, directly below the ‘Search Results’ pane. The investigator can use the Hash button to generate the respective hash records (MD5, SHA1, SHA256) and then copy and paste them into his or her database.

Search Results Pane

The ‘Search Results’ pane permits the investigator to access very quickly and easily any of the hits that are generated as a result of the terms used in the search. To view a specific block entry in the ‘Block View’ pane, click on the individual result item and the block data will load into the HEX/ASCII viewer in the central panel.

Search File Data

When investigating files with the ‘Analyze’ window, it is possible for the examiner to search for strings within the blocks of data that make up the file.

Individual Search Terms

To do so, the investigator must click the (+) button below the ‘Search Fields’ pane; this will add a new field. After this, the investigator should define the search term type (text or hex) by clicking the up/down arrows in the centre of the search term row, followed by typing a unique search term string into the text entry field to the right hand side of the arrows.

This can be repeated multiple times, building up as complex a filter mechanism as required. If items are added in error, the investigator can easily remove them by selecting each one in turn and then clicking the (-) button located under the ‘Search Terms’ pane. When ready, and having defined the maximum size of the result set in the “Limit” text entry field, the investigator can proceed by clicking Search. Whilst processing the data, the investigator will see a progress bar, and upon completion of the search the results will appear in the ‘Search Results’ pane.

Importing Custom Search Lists

Though an investigator might find it useful to create search terms in an ad hoc manner, as discoveries in the case investigation necessitate, at some point he or she will want a more in-depth search, based on hundreds, if not thousands, of search terms. The best way to achieve this is to import custom search lists.

Custom search lists are essentially just ‘CSV Text’ files with each individual search term on a new line. Custom search lists are also a great way to keep a database of useful terms, and mean that running a productive analysis or cataloguing on a suspect device is a process that is no more than just a few clicks away from getting started.

To import a list, click on the Import button in the middle of the ‘Search Terms’ drawer. This will bring up a ‘Find File’ dialog box. Once the investigator has found the file, click ‘Open’.

Each individual line item will then appear as an individual term in the ‘Search Terms’ pane. The investigator then has to define whether each term is in ASCII or HEX format, though they are all imported and predefined as ASCII Text format content by default.


Credit Card and Social Security Number Search

By selecting the respective checkboxes below the ‘Search Fields’ pane, it is possible for the investigator to have MacForensicsLab look for and find credit card and social security numbers during the search process.

Performing the Search

Once the search terms have been defined in the ‘Search Fields’ pane, either individually or by import, and when the other settings have been defined, the investigator need only click the now enabled Search button to perform the search. Once the scan is complete, the results will appear in the ‘Search Results’ pane.
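The following Python is an added example, not code from the Analyze function, showing a block-wise search built from the pieces described in this chapter and in the Search chapter: HEX and ASCII terms (ASCII terms are UTF-8 encoded so a Cyrillic word matches its on-disk bytes), a result limit, credit card and social security number detection, and the boundary case of a term that straddles two 512-byte blocks. The 512-byte block size, the regular expressions, the Luhn check and the sample data are assumptions made for the example.

```python
"""Block-wise HEX/ASCII term search with a limit and card/SSN detection (added example)."""
import re

# Card numbers: 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSNs in AAA-GG-SSSS form, excluding area 000/666/9xx, group 00 and serial 0000 (SSA issuing rules).
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn check, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_term(fmt, term):
    """HEX terms are hex strings ('CA FE BA BE'); ASCII terms are text, encoded as UTF-8 so that
    multi-byte scripts such as Cyrillic match the bytes actually stored on disk."""
    return bytes.fromhex(term) if fmt == "HEX" else term.encode("utf-8")


def search_blocks(data, terms, block_size=512, limit=100, credit_cards=False, ssns=False):
    """Return up to `limit` hits as dicts with block index, absolute offset, label and matched bytes.

    Each block is scanned together with a short carry-over from the previous block so that a term
    straddling a block boundary is still found, and reported once, in the block where it ends."""
    patterns = [("%s:%s" % (fmt, term), re.compile(re.escape(parse_term(fmt, term))))
                for fmt, term in terms]
    if credit_cards:
        patterns.append(("credit-card", CARD_RE))
    if ssns:
        patterns.append(("ssn", SSN_RE))
    carry = max([len(parse_term(f, t)) - 1 for f, t in terms] + [24])  # 24 covers a split number
    hits = []
    for index in range((len(data) + block_size - 1) // block_size):
        start = index * block_size
        window_start = max(0, start - carry)
        window = data[window_start:start + block_size]
        for label, pattern in patterns:
            for m in pattern.finditer(window):
                if window_start + m.end() <= start:
                    continue  # lies entirely in the carry-over: already reported for the previous block
                if label == "credit-card" and not luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
                    continue
                hits.append({"block": index, "offset": window_start + m.start(),
                             "label": label, "match": bytes(m.group())})
                if len(hits) >= limit:
                    return hits
    return hits


def build_sample():
    """Constructed 1600-byte data: a term that straddles the first block boundary, a Luhn-valid test
    card number, an SSN, a Cyrillic word, a hex signature and a digit run that fails the Luhn check."""
    data = bytearray(b"." * 1600)
    data[505:517] = b"confidential"                 # bytes 505-516 cross the 512 boundary
    data[600:619] = b"4111 1111 1111 1111"          # widely used test PAN; passes Luhn
    data[700:711] = b"123-45-6789"
    data[800:814] = "договор".encode("utf-8")       # 7 Cyrillic letters = 14 bytes
    data[1100:1104] = bytes.fromhex("CA FE BA BE")
    data[1300:1316] = b"4111111111111112"           # fails Luhn, so it is not reported
    return bytes(data)


SAMPLE_TERMS = [("ASCII", "confidential"), ("ASCII", "договор"), ("HEX", "CA FE BA BE")]

if __name__ == "__main__":
    for hit in search_blocks(build_sample(), SAMPLE_TERMS, credit_cards=True, ssns=True):
        print("block %d offset %d %-20s %r" % (hit["block"], hit["offset"], hit["label"], hit["match"]))
```

The carry-over is the detail that a naive per-block scan misses: without it a term written across two blocks is found by neither block, and the result count silently comes up short. The Luhn check is what keeps the credit card option from reporting every 16-digit run (timestamps, identifiers) as a card number.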

Hashing Data

Clicking the Hash button in the buttons bar of the ‘Analyze’ window invokes a hashing process that returns the MD5, SHA1 and SHA256 results in the ‘Hash’ fields for the entire file or device the investigator is reviewing.

Needless to say, the smaller the data source that requires hashing, the quicker the process will be; the hashing process can of course be tracked through the progress bar which appears whilst in operation, and the hash results will remain in place until the investigator closes the ‘Analyze’ window.

Exporting Data

When the investigator is ready to export the block-set being analyzed, he or she can do so very easily by clicking the "Export" button. Doing so will then invoke the ‘Export’ window, bringing it to the fore.


The available options in the ‘Export’ window allow the investigator the choice of exporting the selected blocks either in part or in whole. This is done by moving the respective start (1) and length (2) sliders to the desired position on the axis, or by manually entering the start or end points in the text entry fields.

Once ready, the examiner need only click "Export" (3), bringing a ‘Save’ dialog to the fore. Having given the file a name and a location into which to be saved, clicking the Save button will complete the export process.

It is advisable to rename the default export filename and to apply a suffix to the name so that Mac OS or any other operating system can more easily recognize the expected file type and open it with the appropriate application.

Upon completion a message will pop to the fore and the user can simply close this and continue on with the investigation ana


The Salvage Function

This lesson discusses the Salvage function contained within MacForensicsLab.

Overview

MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable files held within it, whether erased or not, and then recover the pre-selected files to a selected destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find as many recoverable files as possible; it can also scan through a single directory structure.

The Salvage Window

The Salvage window is divided into upper (1) and lower (2) sections. The upper section is responsible for the settings Salvage will invoke upon starting. These settings include "Supported File Formats" (3), "Import a Prior Scan" (4) and "Start a New Scan" (5). In addition, these settings can be further defined to search against a device, folder or free space only (6), or to search for embedded files (7).

The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a File Previewer application will open and attempt to show the file in its native format. Once the files to be Salvaged are determined, the "Salvage Selected Files" button (8) is invoked.

Save the Scan

Once you have scanned for files that Salvage can recover, a window appears asking if you'd like to save the results of the scan. If you are not going to Salvage all possible files, it is a good idea to save the results of the scan. This will save time later if the examiner needs to go back and Salvage additional files from the case.


Choose Destination

Once the examiner has opted to save the scan results, a pop-up window appears asking for a destination for the scan results to be saved to; once input, select "Save."

Examine Files by Type

As illustrated above, all possible files are divided by type and number.


File Previewer

Once a particular file is selected for review, the File Previewer application is launched, allowing the examiner to preview the file in question.


Select Files for Salvage

Highlight the files to be Salvaged (1) and select the "Salvage selected files" button (2).


Save Salvaged Files

Once the files for Salvage have been selected, a navigation box appears allowing the examiner to select the location to which the Salvaged files will be exported.

Filename Rebuilder

Once the files have been Salvaged, MacForensicsLab provides an optional process to attempt to rename the files based on the metadata contained within them. If the examiner does not wish to do this, simply select "Cancel" (1); conversely, by selecting "OK" (2) MacForensicsLab will attempt to rebuild all file names.


Reviewing Salvaged Files

The Salvaged files are exported, by default, into a folder titled "Salvage (day of the week) and (month/day/year)". Contained within that folder are subfolders broken down by file type for easy review and categorization.
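As an added example of the kind of recovery this chapter describes (not the Salvage function's own code), the Python below carves files out of raw bytes by header/trailer signatures, scanning each type separately so that an embedded file (a JPEG inside a PDF) is reported too, handles a header whose trailer is never found, and writes the results into a dated folder with one subfolder per type. The signature table, the output folder and file naming, and the sample data are assumptions made for the example; the sample containers are structurally valid enough to carve but are not real images or documents.

```python
"""Signature-based carving into per-type folders (added example; not Salvage's own code)."""
import os
import tempfile
from datetime import date

# Header/trailer pairs for a few common formats.  JPEG's FF D9 trailer also appears inside embedded
# thumbnails, so a carved JPEG may stop early; that is a known limit of plain trailer carving.
SIGNATURES = {
    "PDF":  (b"%PDF-", b"%%EOF"),
    "JPEG": (b"\xff\xd8\xff", b"\xff\xd9"),
    "PNG":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024   # cap for a header whose trailer is never found


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return (type, offset, bytes, truncated) for every header found.  Each type is scanned on its
    own pass, so files embedded in other files are reported as well as their containers."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = data.find(head, pos)
            if start < 0:
                break
            end = data.find(tail, start + len(head), start + max_size)
            if end >= 0:
                found.append((kind, start, data[start:end + len(tail)], False))
                pos = end + len(tail)
            else:
                # header without a trailer within max_size: keep what is there and flag it
                found.append((kind, start, data[start:start + max_size], True))
                pos = start + len(head)
    return sorted(found, key=lambda item: item[1])


def salvage(carved, destination_root, when=None):
    """Write carved items below 'Salvage <weekday> <mm-dd-yyyy>/<type>/' in destination_root.
    The folder naming is an assumption ('/' cannot appear in a POSIX path component)."""
    when = when or date.today()
    folder = os.path.join(destination_root,
                          "Salvage %s %s" % (when.strftime("%A"), when.strftime("%m-%d-%Y")))
    written = []
    for kind, offset, blob, truncated in carved:
        type_dir = os.path.join(folder, kind)
        os.makedirs(type_dir, exist_ok=True)
        suffix = "_partial" if truncated else ""
        path = os.path.join(type_dir, "%s_%010d%s.%s" % (kind.lower(), offset, suffix, kind.lower()))
        with open(path, "wb") as fh:
            fh.write(blob)
        written.append(path)
    return folder, written


def make_workdir():
    return tempfile.mkdtemp(prefix="salvage_")


def build_sample():
    """Constructed raw data: zero filler, a PDF with a JPEG embedded in it, more filler, a PNG, and
    finally a JPEG header with no trailer (as left behind by a partially overwritten file)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + jpeg + b"\n%%EOF"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    data = (b"\x00" * 300 + pdf + b"\x00" * 100 + png + b"\x00" * 50
            + b"\xff\xd8\xff\xdb" + b"\x00" * 40)
    return data, jpeg, pdf, png


if __name__ == "__main__":
    data, _, _, _ = build_sample()
    folder, written = salvage(carve(data), make_workdir())
    print(folder)
    for path in written:
        print(" ", os.path.relpath(path, folder))
```

Carving by signature recovers content regardless of whether the file system still references it, which is why erased files can be listed; the flip side is that nothing about the original name survives, so the rename step the manual describes has to come from metadata inside the carved bytes.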


The Browse Function

This lesson will describe the core functionality of the Browse function of MacForensicsLab.

Overview

The ‘Browse’ window provides the examiner with an exceedingly quick and easy way to search for files (primarily images and multimedia) in directories, view the results found based on the preset search criteria, bookmark, make notes and even perform closer analysis.

The Browse Window

The Browse window allows the examiner a range of variable options to include in his/her search. These options include:

File Checks (1):
-File size (min-max range in kilobytes)

Image Checks:
-Image-only results (yes or no) (2)
-Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)
-Skintone (min-max range in percent - 15% is the default) (5)

To invoke Browse, select the "Browse" button (6) at the bottom of the window.

After clicking Browse, as MacForensicsLab scans the selected location for matching files, a progress dialog will be displayed providing the examiner with a status report. If the examiner needs to end the scan prematurely, clicking the Cancel button under the progress bar will end the scan and return to the ‘Main’ window. When the scan is complete, a finish prompt will appear and a chime can be heard; upon clicking OK the prompt will close and the ‘Browse’ window will come to the fore.

Reviewing the Results

Upon completion, the Browse window will display a thumbnail view of all files meeting the aforementioned criteria set forth by the examiner. When an image is selected, it is highlighted in red (as seen above) and the metadata for that file appears on the right (1).


Bookmarking the Findings

Once the appropriate images are highlighted, the examiner can bookmark the results by choosing "Bookmarks" from the Main window or using the keyboard shortcut command + d. In the above example, a bookmark labeled "images" (1) was created, with a note "suspicious imges" (2), to save the previously selected file.

Viewing Bookmark

The examiner can review the bookmark by navigating to the Bookmark window by selecting "Bookmark -> Show All Bookmarks" from the Main window.


The Audit Function

This lesson describes the Audit function of MacForensicsLab.

Overview

The Audit function enables the examiner to quickly and easily locate relevant OS artifacts as theypertain to the system, the network and the user.

Getting Started

To invoke the Audit function, the examiner must select the "Files" tab (1), then the volume/partition (2) with a valid user folder contained within it from the ‘Device’ pane of the ‘Main’ window. Furthermore, the examiner must select the "Users" folder (3) for the ‘Audit’ button to become enabled.


Invoking the Audit

Once the Audit button is enabled, the examiner can select a specific user (1), or, if the system has multiple users, he/she can check "Audit all users" (2), then select the "Audit" button (3).

Locate Audit Results

The results of the Audit are stored in the MacForensicsLab database. To access the database from the MacForensicsLab Main window, select "Window -> Database" or use the keyboard shortcut "shift+command+d."


Review Audit Findings

To review the findings of the Audit, select a user, then scroll up or down to view the results. The examiner can highlight findings of interest and export them to a file by clicking the "Export" button.


Generate a Report

Once the "Export" button is clicked, a dialog box appears allowing the examiner to choose between an HTML or plain-text report. Once decided, click "OK".

Save Report

Select a location to save the Audit report.

View the Report

Since an HTML report was selected in the example, a browser launches showing the report. All items highlighted and exported are hyperlinked under the "Table of Contents" located on the right.


Reviewing the Hyperlinks

The examiner can select any hyperlink and be taken directly to that portion of the report.
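The artifact inventory and export described in this lesson, as an added example that is not MacForensicsLab's own code: it walks a mounted volume root, checks a fixed list of conventional OS X artifact locations for each selected user folder (system, network and user categories, as the Audit function groups them), and renders the findings either as plain text or as HTML with a hyperlinked table of contents. The artifact catalogue is an illustrative assumption (the set of artifacts the real Audit function inspects is not documented on this page), and the sample volume is constructed in a temporary directory so the script runs offline.

```python
"""Inventory conventional OS X artifact locations under a mounted volume.

Added example, not MacForensicsLab code. The artifact catalogue below is an
illustrative assumption; the sample volume is constructed in a temp directory.
"""
import html
import os
import tempfile
from datetime import datetime, timezone

# (category, path relative to the volume root); "{user}" is the home folder name.
ARTIFACTS = [
    ("system", "Library/Preferences/com.apple.loginwindow.plist"),
    ("system", "Library/Preferences/.GlobalPreferences.plist"),
    ("network", "Library/Preferences/SystemConfiguration/preferences.plist"),
    ("network", "Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"),
    ("user", "Users/{user}/Library/Preferences/com.apple.finder.plist"),
    ("user", "Users/{user}/Library/Safari/Bookmarks.plist"),
    ("user", "Users/{user}/Library/Safari/History.plist"),
    ("user", "Users/{user}/Library/Caches/com.apple.Safari"),
    ("user", "Users/{user}/.bash_history"),
]


def list_users(volume):
    """Home folders under Users/, excluding the 'Shared' folder."""
    users_dir = os.path.join(volume, "Users")
    return sorted(name for name in os.listdir(users_dir)
                  if os.path.isdir(os.path.join(users_dir, name)) and name != "Shared")


def audit_user(volume, user):
    """One record per catalogue entry: (category, relpath, exists, mtime_utc, size)."""
    records = []
    for category, template in ARTIFACTS:
        rel = template.format(user=user)
        full = os.path.join(volume, rel)
        if os.path.lexists(full):
            st = os.lstat(full)  # lstat: never follow a symlink planted on the suspect volume
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds")
            records.append((category, rel, True, mtime, st.st_size))
        else:
            records.append((category, rel, False, "", 0))
    return records


def audit_volume(volume, users=None):
    """Audit the selected users, or every user folder when none are given."""
    return {user: audit_user(volume, user) for user in (users or list_users(volume))}


def render_text(results):
    """Plain-text report: one section per user, one line per catalogue entry."""
    lines = []
    for user, records in results.items():
        lines.append(f"== {user} ==")
        for category, rel, exists, mtime, size in records:
            lines.append(f"[{category:7}] {rel}: "
                         + (f"{mtime} {size} bytes" if exists else "absent"))
    return "\n".join(lines) + "\n"


def render_html(results):
    """HTML report whose table of contents links to each exported finding."""
    toc, body = [], []
    for user, records in results.items():
        for i, (category, rel, exists, mtime, size) in enumerate(records):
            if not exists:
                continue
            anchor = html.escape(f"{user}-{i}")
            toc.append(f'<li><a href="#{anchor}">{html.escape(rel)}</a></li>')
            body.append(f'<h3 id="{anchor}">{html.escape(rel)}</h3>'
                        f'<p>{category}; modified {mtime}; {size} bytes</p>')
    return ('<html><body><div class="toc"><h2>Table of Contents</h2><ul>'
            + "".join(toc) + "</ul></div>" + "".join(body) + "</body></html>")


def build_sample_volume():
    """Constructed stand-in for a mounted suspect volume (not real evidence)."""
    root = tempfile.mkdtemp(prefix="mfl-audit-")
    for rel in ["Library/Preferences/SystemConfiguration/preferences.plist",
                "Users/alice/Library/Safari/Bookmarks.plist",
                "Users/alice/Library/Preferences/com.apple.finder.plist",
                "Users/alice/.bash_history",
                "Users/bob/Library/Safari/History.plist",
                "Users/Shared/.localized"]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"<plist/>" if rel.endswith(".plist") else b"sample\n")
    return root


if __name__ == "__main__":
    print(render_text(audit_volume(build_sample_volume())))
```

The inventory reads with lstat and never opens the artifact files, so running it against a read-only or write-blocked mount leaves the suspect volume untouched; the timestamps it records are modification times, which is what the filesystem reliably provides across platforms (the creation times the Audit Log mentions are HFS+ specific).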


The Hash Function

This lesson describes the Hash function contained within MacForensicsLab.

Using the Hash Function

The Hash function is a new feature added in MacForensicsLab 2.9. This button allows the examiner to quickly create a hash of any device or file by highlighting it (1) and clicking the "Hash" button (2).


Reviewing the Hash

Once completed, the Hash window appears, displaying the path of the file and its MD5, SHA-1 and SHA-256 hashes respectively.

Saving the Results

The results of the hash can be either saved as a text file or added directly to the hash database. To export, simply click "Save" and navigate to where the file is to be saved.
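What the Hash window computes and what the hash database is used for, as an added example rather than MacForensicsLab's own code: a single-pass, chunked MD5/SHA-1/SHA-256 of a file or device image (so a multi-gigabyte image is never loaded whole), a plain-text rendering in the same path-plus-digests form the window shows, and a lookup of the digests against a hash set. The hash-set format (one hex digest per line, `#` comments) and the sample file are assumptions for illustration.

```python
"""Hash a file or device image (path, MD5, SHA-1, SHA-256) and match it against a hash set.

Added example; not MacForensicsLab code. The hash-set file format is an assumption.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so device images never sit whole in memory
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path):
    """Return {'path', 'md5', 'sha1', 'sha256'}; all three digests from one read pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {"path": path, **{name: d.hexdigest() for name, d in digests.items()}}


def format_report(result):
    """Plain-text form, path first then one digest per line, as the Save output lists them."""
    return (f"Path:   {result['path']}\n"
            f"MD5:    {result['md5']}\n"
            f"SHA1:   {result['sha1']}\n"
            f"SHA256: {result['sha256']}\n")


def load_hash_set(text):
    """Parse a hash set: one hex digest per line; blank lines and '#' comments ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def match_hash_set(result, hash_set):
    """Algorithms whose digest appears in the set; an empty list means the file is unknown."""
    return [alg for alg in ALGORITHMS if result[alg] in hash_set]


def write_sample_file():
    """Constructed sample input (the bytes 'abc') so the example runs offline."""
    path = os.path.join(tempfile.mkdtemp(prefix="mfl-hash-"), "sample.bin")
    with open(path, "wb") as fh:
        fh.write(b"abc")
    return path


if __name__ == "__main__":
    result = hash_file(write_sample_file())
    print(format_report(result))
    known = load_hash_set("# constructed hash set\n"
                          "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n")
    print("matched on:", match_hash_set(result, known))
```

When a hash set holds more than one digest type, treat a match on SHA-256 as the decisive one: MD5 and SHA-1 both have practical collision attacks, so an MD5-only match from an untrusted hash set proves less than it appears to.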


Bookmarks

This lesson covers Bookmarks within MacForensicsLab.

Overview

MacForensicsLab uses bookmarks to assist the examiner in collecting files of investigative interest. It is possible to bookmark files and directories for reference and examination at a later time in the case. The examiner can bookmark any file or folder, or group of files. Devices and specific blocks within a device cannot be bookmarked.

Locating the Bookmarks

The bookmarks can be viewed and managed from the ‘Bookmarks’ window, which is accessible at any time by selecting “Show All Bookmarks …” from the Bookmarks menu, or by using the keyboard shortcut "command + option + b".

The Bookmark Window Layout

The ‘Bookmarks’ window is divided into 4 clear portions:

-The folders/groups pane (1)
-The folder note pane (2)
-The bookmark detail pane (3)
-The bookmark note pane (4)

The Folders Pane & Folder Note Pane

Bookmarks can be grouped together using folders. These are listed in the Folders Pane (1). When a folder is selected, its notes can be seen, in editable form, in the ‘Folder Notes’ pane directly below (2), while the grouped bookmarks can be seen in the ‘Bookmarks’ pane to the right (3).

The Bookmarks Pane & Bookmark Note Pane

Having selected an individual bookmark folder, the contents of the folder are displayed in the ‘Bookmarks’ pane (3). Each bookmark is listed with: bookmark name, file path, file size and creation date. Columns can be resized and sorted by clicking on the respective header or by dragging the column separators to the desired size. Having selected a bookmark, the notes for that bookmark are displayed, in editable form, in the ‘Bookmark Note’ pane (4).

Resizing Panes

To maximize viewing space, the examiner can resize the partitions between all four panes of the ‘Bookmarks’ window by clicking and dragging the resize handle of the respective separator, minimizing or maximizing the viewing space for each pane.


Managing Bookmark Folders

Adding Bookmark Folders

Bookmark folders can be added in one of two ways. The first is to use the ‘Add Bookmark Folder…’ window and the second is to do so from the ‘Bookmarks’ window itself.

Via the ‘Add Bookmark Folder…’ Window

When working with the other functions in MacForensicsLab, it is quickest to invoke the ‘Add Bookmark Folder…’ window from the Bookmarks menu or to use the keyboard shortcut "command + shift + n".

If adding a new folder while creating a new bookmark, simply click the (+) button below the folder title option list in the ‘Add Bookmark’ window.

Once the ‘Add Bookmark Folder…’ window comes to the fore, the investigator need only enter the name of the new folder (1) into the “Name” text input field and click Save (3). If the investigator so wishes, he or she can enter a note/summary into the “Summary” text field (2) for reference then and there, or do so later from the ‘Bookmarks’ window.


Via the ‘Bookmarks’ Window

The second way to add bookmark folders is to bring the ‘Bookmarks’ window to the fore and click the (+) button under the ‘Bookmark Folders’ pane. This generates a new folder with an empty title in the pane above, with the text cursor ready in the entry field. Once the name is complete, the investigator can either press Enter/Return or simply click out of the name entry field. To add a summary to a folder created this way, select the new folder in the ‘Bookmark Folders’ pane and enter the summary into the ‘Folder Note’ pane below.

Amending Bookmark Folder Names

Should the investigator wish to amend the name of a bookmark folder, he or she can do so from the ‘Bookmarks’ window by double-clicking the folder’s name in the ‘Bookmark Folders’ pane, making the edits, and clicking out of the text entry field.

Removing Bookmark Folders

Removing bookmark folders, either collectively or individually, is done from the ‘Bookmarks’ window.

Clearing ALL Folders

To clear ALL folders, and lose the bookmarks contained within them, the investigator must click the (clear) button under the ‘Bookmark Folders’ pane, at which point MacForensicsLab prompts for confirmation, as the deletion cannot be undone. Having clicked OK, the investigator is returned to the ‘Bookmarks’ window with a cleared ‘Bookmark Folders’ pane.

Clearing Individual Folders

To remove folders individually, the investigator must select each item in turn and click the (-) button beneath the ‘Bookmark Folders’ pane. As before, a prompt asks for confirmation of the deletion and the investigator need only click OK to follow through with the action.


Clearing Actions

Removing Bookmarks

Removing bookmarks, either collectively or individually, is done from the ‘Bookmarks’ window.

Clearing ALL Bookmarks

To clear ALL bookmarks from within a bookmark folder, select the desired bookmark folder in the ‘Bookmark Folders’ pane and click the (clear) button under the ‘Bookmarks’ pane (1), at which point MacForensicsLab prompts for confirmation of the request to delete ALL bookmarks. Having clicked OK, the investigator is returned to the ‘Bookmarks’ window with a cleared ‘Bookmarks’ pane.

Clearing Individual Bookmarks

To remove bookmarks individually, first select the requisite bookmark folder and then, once the bookmarks load, select each item in turn and click the (-) button underneath the ‘Bookmarks’ pane (2). As before, a prompt asks for confirmation and the investigator need only click OK to follow through with the action.


Examiner Notes


Notes in MacForensicsLab

This lesson describes the Note functionality contained within MacForensicsLab.

Overview

Case Notes are an extremely useful function of MacForensicsLab that allows the examiner to add comments and observations to the case file at any point during the examination process. Whether browsing the ‘Main’ window or in the middle of a lengthy acquisition, the investigator can open the ‘Notes’ tab of the ‘Database’ window, using either the keyboard shortcut ("Command + n") or the ‘Window’ drop-down menu, make the desired entry, and return to the prior screen when finished.

Opening Notes

To access the Notes window at any time during the investigation, select "Window -> Make Note" from the Main window.


Notes Window Layout

The Notes Window is divided into three sections:

-The Database Tab (1)
-The Note Data Pane (2)
-The Note Information Section (3)


Adding and Removing Case Notes

To add a new note, the examiner need only click the (+) button at the bottom right-hand side of the upper ‘Notes Data’ pane (1). This generates a blank new entry, which the examiner then selects and types his or her notes into, using the lower ‘Note Entry’ pane (2). Having completed the note, the examiner can close the ‘Database’ window and return to the previous screen.

Editing Case Notes

When it is necessary to edit a case note, select the individual note in the ‘Notes’ pane at the top of the window. Once the note itself has loaded in the pane below, the investigator is free to edit it. Having finished any amendments, click out of the editor pane and the new version of the note is saved and the change logged.


Removing Case Notes

The examiner can remove individual notes, or clear the entire ‘Notes’ pane in one go. To remove an individual note, select the note earmarked for removal and click the (-) button on the right-hand side below the ‘Notes’ pane (4). To remove all notes in one go, click the (Clear) button (3) on the right-hand side below the ‘Notes’ pane. In both instances, the deletion generates a warning prompt that the investigator must confirm.

Refreshing the Notes Pane

When working in a centralized database environment, the ‘Notes’ pane may become out of sync with the listing in the database. To bring it up to date, click the Refresh button (5) on the left-hand side below the ‘Notes’ pane.


The MacForensicsLab Database

This lesson covers the organization and layout of the MacForensicsLab database.

Overview

Whichever database back end is enabled in the ‘Preferences’ window (local file, RealSQL server or MySQL server), detailed logs are kept of every action and all points of interest, to support the examiner in understanding and finally presenting the evidence. In the ‘Database’ window, the examiner has full access to comprehensive details of what has been logged in the forensic examination to date.

Opening the Database

The MacForensicsLab database can be opened from the Main window by selecting "Window -> Database" or using the keyboard shortcut "shift+command+d".


The Database Window Layout

The ‘Database’ window can essentially be split into 2 parts:

The tab bar - consisting of the various database sections:

-Acquisition
-Analyze
-Audit
-Chronology
-Hash
-Notes
-Salvage

The viewing pane(s) - consisting of:

-Device information
-Date/time/description
-Data


Each database tab produces its own layout. The layout within the ‘Database’ window varies between a single pane with a columnar list and a triple-paned layout with bookmarks and a note/native viewer.

Viewing the Database Sections

The Views

As each tab is clicked in turn, the database is read, either locally or centrally, and the contents loaded into the new window layout; needless to say, the larger the dataset, the longer fetching and loading the data takes.

Accessible through the individual buttons of the tab bar in the ‘Database’ window are:

The Acquisition Log - lists the date and time of an acquisition process, a description of it and the exact block details (offset, length, hash sum etc).

The Analyze Log - keeps track of the details of searches performed, as well as the results associated with them. Details logged include: date and time, file location, results and the associated match and offset.

The Audit Log - lists the date and time of an audit, a description of it and the specific OS artifact information generated, including folder creation dates/times, network preferences, system settings, user preferences, bookmarks, web caches, and much more.

The Chronology Log - lists all the events from the moment the case reference is set up to the latest action performed in MacForensicsLab. It lists the date and time of the actions, the name of the examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the actions.

The Hash Database – provides a means by which the examiner can import, manage and store hash values for use within the various functions provided by MacForensicsLab.

The Notes Log - contains all the notes regarding the investigation as entered by the various examiners. Notes are listed with examiner name, date and the first characters of the note, with the ability to view an entire note, as well as manage and edit notes.

The Salvage Log - keeps track of the date and time of the salvage process, the name of the examiner, the actions performed, and the location and specific details of the files salvaged.

Sorting the Data

The examiner can sort by the available columns by clicking on the respective column headers; once a column is highlighted and sorted ascending, clicking its header again sorts it in reverse order.

Managing Records

Certain panes containing log data have management buttons. That is to say, an assortment of buttons exists to:

-Refresh
-Clear
-Delete
-Add
-Edit

Where available, the examiner should use these buttons as in the other function windows: to reload data into the respective pane, to remove or clear records (both of which generate a warning prompt requesting confirmation to delete records), and to add items or make amendments.


Reporting


Generating a Report

This lesson covers how to write a report using MacForensicsLab.

Opening Report Window

To open the Report window, from the MacForensicsLab Main window select "File -> Write Report," or use the keyboard shortcut "command+p".

Select Report Contents

The Report window consists of a series of checkboxes that are toggled on or off depending on the information the examiner wants to include in the report. Once the appropriate checkboxes are selected, click "Start".


Report Location

Once the report settings have been determined, a navigation box opens. This box enables the examiner to choose where the report will be generated and saved.

Viewing the Report

Once the report is saved, a browser opens automatically showing the report. The report is divided into two sections: the navigation section on the left and the reported information on the right.


Keyboard Shortcuts

This lesson lists the keyboard shortcuts supported by MacForensicsLab.

Shortcuts

The following shortcuts are specific to the MacForensicsLab Application.

Command + Comma (,) - Open ‘Preferences’ Window

Command + p - Write HTML report

Command + t - Attach Disk Image

Command + d - Detach Disk Image

Command + m - Mount Device

Command + r - Rescan available hardware buses

Command + u - Unmount Device

Option + Command + b - Show all bookmarks

Command + d - Add bookmark

Shift + Command + n - Make note

Shift + Command + d - Open ‘Database’ window

Command + b - Open ‘Disk Arbitration’ window

Command + t - Open terminal

Command + s - Saves/Exports a file


Getting Help and Technical Support

This lesson covers the various ways to obtain help and technical support when using MacForensicsLab.

Finding Help within MacForensicsLab

Help can be found both via the small, context-sensitive information clips that appear when the investigator rolls the mouse over a window element, and via the standard Help menu at the top of the screen. Contextual tool tips cover buttons and other parts of MacForensicsLab that require some form of user interaction.

On the Web

We provide over 100 links to forensic resources, manuals, a complete knowledge base and a plethora of additional information on our website. For updates, resources and additional information please visit: http://www.MacForensicsLab.com.

Technical Support

We provide free technical support by email or phone during the hours 10am to 6pm Pacific Standard Time (GMT -8), Monday to Friday. By email, we can be reached at the following address: [email protected]. By phone, we can be reached at +1 (510) 870 7883, or by fax on +1 (510) 868 3407.

In addition to any support question(s), the investigator must include ALL of the following pieces of information:

-Valid registration number or purchase information.
-System configuration(s) – hard drive make, model etc.
-System OS version.

System-related information can be found by using the “System Profiler” application in the /Applications/Utilities folder.

Comments and Questions

If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: [email protected].

Company Address

SubRosaSoft.com Incorporated
37600 Central Ct, Suite 212
Newark, California 94560


http://www.SubRosaSoft.com
http://www.MacForensicsLab.com


Uninstalling MacForensicsLab

This lesson covers how a user can uninstall MacForensicsLab.

Using the Main Window

MacForensicsLab is a completely self-contained application and requires no special functionality to uninstall it. To uninstall MacForensicsLab, navigate to the directory in which MacForensicsLab is currently installed, highlight the MacForensicsLab folder and either drag and drop it into the Trash or delete it using the delete key.


Glossary

This lesson is a Glossary of terms relevant to MacForensicsLab.

Glossary

Acquisition

The process through which an investigator makes duplicate working copies of a suspect drive, media or other data storage hardware.

Checksum & Checksum Verification

A checksum is a short value computed from a block of data and stored or transmitted alongside it. The receiver recomputes the value from the data it received and compares the two; if they match, the data is assumed to have arrived intact. A checksum detects accidental corruption only: data can easily be altered so that the checksum still matches, so for evidence integrity a cryptographic hash (see "Hash") is used instead.

Device

Any form of data storage technology, or the equipment required to read data stored on media such as CDs or DVDs.

Disclosure triangle

The small rightward-pointing arrow next to folders in the explorer window that, when clicked, turns downwards and lets the investigator view the contents of that folder.

Disk Image

A computer file containing the complete contents and structure of a data storage device. The term has been generalized to cover any such file, whether taken from an actual physical storage device or not.

Disk Arbitration

The process by which a workstation discovers and attempts to mount a device connected to it. OS X is notified of the event by the kernel and immediately looks for mountable partitions on the drive. If any are found, the OS initiates the mount, then the internal disk arbitration tables are updated, which eventually notifies any programs that subscribed to mount notifications. Unless the device is write-blocked or automatic mounting has been disabled, the suspect's drive is written to during this process.

Evidence Item

An individual file that may be of use to an investigation or case.

Finder

Also referred to as the Desktop by workstation users. The graphical user interface, or front end, that allows the user to interact visually with the computer.

Hash or Hashing

Producing hash values for identifying data or for security and verification. A hash value (or simply hash), also called a message digest, is a fixed-size number generated from an input such as a file. The hash is substantially smaller than the input and is generated by an algorithm designed so that it is computationally infeasible to find another input that produces the same hash value. The algorithms MacForensicsLab reports, in ascending order of strength, are MD5, SHA-1 and SHA-256 (a member of the SHA-2 family). Practical collision attacks exist for MD5 and SHA-1, so a SHA-256 match is the one to rely on when identifying files.

Pane

The part of an application window where data may be previewed in columnar or free-form style. Headers may be used to sort columns, while free-form text can be edited.

Partition (also known as a Volume, when used to store data)

An individual section of a hard disk or other media. Drives must contain at least one partial or complete partition to be usable, but can contain multiple partitions to separate the data they hold. Partitions may be set up write-protected and even configured not to auto-mount.

Suspect Drive

The drive that is the focus of the investigation, which the investigator must avoid altering if the evidence collected is to be used later in a legal setting.

Unallocated Space (also known as Free Space)

Sectors on the hard drive that are not referenced in the drive's catalog and may therefore be written to by the computer, as they are not reserved.

Work Drive

The drive on which an investigator stores files relating to a case. Salvaged files and other data are written to the work drive rather than to the "Suspect Drive", to avoid contaminating it or losing data.

Volume (please refer to "Partition")

A volume is a partition that can be used to store data.
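The difference the "Checksum" and "Hash" entries above draw, shown in working code as an added example (not from the manual): two checksums, the literal "count of the bits" and a plain additive byte sum, are compared against SHA-256 on three constructed alterations of a short message. Both checksums miss any change that merely rearranges the same bytes, and the additive sum can be forced back to its original value by appending one filler byte, whereas the hash changes in every case. The sample message and the `forge_bytesum` helper are constructed for this demonstration.

```python
"""Why a checksum is only a sanity check while a cryptographic hash is evidence.

Added example, not from the manual. popcount_checksum is the literal 'count of
the bits' notion; bytesum_checksum is a common additive checksum. Both are
implemented here only to contrast them with SHA-256.
"""
import hashlib

CHECKS = {
    "popcount": lambda data: sum(bin(b).count("1") for b in data),  # number of 1 bits
    "bytesum": lambda data: sum(data) & 0xFF,                       # additive 8-bit sum
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
}


def bytesum_checksum(data: bytes) -> int:
    return CHECKS["bytesum"](data)


def sha256_hex(data: bytes) -> str:
    return CHECKS["sha256"](data)


def detects(name: str, original: bytes, altered: bytes) -> bool:
    """True if the named check yields a different value for the altered data."""
    return CHECKS[name](original) != CHECKS[name](altered)


def tamper_cases():
    """Constructed message and three alterations an examiner would want detected."""
    original = b"transfer 100 to account 42"
    return {
        "bit flip": (original, bytes([original[0] ^ 0x01]) + original[1:]),  # 't' -> 'u'
        "swap two bytes": (original, original.replace(b"42", b"24")),
        "move digits": (original, b"transfer 001 to account 42"),
    }


def compare_all():
    """For each tamper case, which checks notice it: {case: {check: detected}}."""
    return {case: {name: detects(name, orig, alt) for name in CHECKS}
            for case, (orig, alt) in tamper_cases().items()}


def forge_bytesum(original: bytes, altered: bytes) -> bytes:
    """Append one filler byte so the altered message keeps the original's byte sum.

    A receiver comparing additive checksums sees nothing wrong; comparing SHA-256
    still fails, because no cheap adjustment brings the digest back.
    """
    fix = (bytesum_checksum(original) - bytesum_checksum(altered)) & 0xFF
    return altered + bytes([fix])


if __name__ == "__main__":
    for case, outcome in compare_all().items():
        print(f"{case:15}", {k: ("detected" if v else "missed") for k, v in outcome.items()})
    orig = b"transfer 100 to account 42"
    forged = forge_bytesum(orig, b"transfer 900 to account 42")
    print("bytesum equal after forgery:", bytesum_checksum(forged) == bytesum_checksum(orig))
    print("sha256 equal after forgery: ", sha256_hex(forged) == sha256_hex(orig))
```

The forgery step is the practical reason the Hash window reports cryptographic digests rather than a checksum: an acquisition verified only by a checksum could be altered and still "verify".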


End User's License Agreement (EULA)


End Users License Agreement

MacForensicsLab Incorporated's End Users License Agreement

EULA

DO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ THIS AGREEMENT AND AGREE TO THE TERMS OF THIS LICENSE. BY USING THE ENCLOSED SOFTWARE, YOU ARE AGREEING TO THE TERMS OF THIS LICENSE.

The software license agreement for this program is included in this manual so you can read it before installing the program. INSTALLING THE PROGRAM OR USE OF THE MATERIALS ENCLOSED WILL CONSTITUTE YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AGREEMENT. If you do not agree to the terms of this software license agreement, do not install the software and promptly return the package to the place of purchase for a full refund of all money that you paid for the product.

In return for purchasing a license to use the computer program known as "MacForensicsLab™" and for purchasing documentation included in this package, you agree to the following terms and conditions:

1. License. The Software enclosed is licensed, not sold, to you by MacForensicsLab Inc for use under the terms of this software license. This non-exclusive license allows you to:

i. Use MacForensicsLab™ software only on a SINGLE computer at any one time. You may only use the MacForensicsLab™ software and only on drives physically connected to that single CPU.

ii. Only use the Software to monitor systems on a SINGLE computer that is used by you.

iii. Make one copy of Software in machine-readable form, provided that such copy is used only for backup purposes and the copyright notice is reproduced on the backup copy.

iv. Transfer Software and all rights under this license to another party together with a copy of this license and all documentation accompanying the Software, provided the other party agrees to accept the terms and conditions of this license.

As a licensee, you own the media on which the Software is originally recorded. The Software is copyrighted by MacForensicsLab Inc and proprietary to MacForensicsLab Inc, and MacForensicsLab Inc retains title and ownership of the Software and all copies of the Software. This license is not a sale of Software or any copy. You agree to hold Software in confidence and to take all reasonable steps to prevent disclosure.


2. Restrictions. You may NOT distribute copies of this Software to others or electronically transfer Software from one computer to another over a network or via modem. The Software contains trade secrets that are wholly owned by SubRosaSoft.com Inc. You may NOT decompile, reverse engineer, translate, disassemble or otherwise reduce the Software to a human understandable format. YOU MAY NOT MODIFY, ADAPT, TRANSLATE, RENT, LEASE, RESELL FOR PROFIT, DISTRIBUTE, NETWORK, OR CREATE DERIVATIVE WORKS BASED UPON THIS SOFTWARE OR ANY PART THEREOF.

3. Termination. This license is effective until terminated. This license will terminate immediately without any notice from MacForensicsLab Inc if you fail to comply with any of its provisions. Upon termination you must destroy the Software and all copies thereof. You may terminate this license at any time by destroying the Software and all copies thereof.

4. Export Law Assurances. You agree and certify that neither the Software nor the documentation will be transferred or re-exported, directly or indirectly, into any country where such transfer or export is prohibited by the relevant governmental parties and regulations thereunder or will be used for any purpose prohibited by relevant government parties.

5. Warranty Disclaimer, Limitation of Damages and Remedies. MacForensicsLab Inc makes no warranty or representation, either expressed or implied, regarding the merchantability, quality, functionality, performance, or fitness of the compact disc, diskettes, manual or the information provided.

This Software and manual are licensed “AS IS.” It is solely the responsibility of the consumer to determine the Software’s suitability for a particular purpose or use. MacForensicsLab Inc and anyone else who has been involved in the creation, production, delivery or support of the Software, will in no event be liable for direct, indirect, special, consequential or incidental damages resulting from any defect, error or omission in the compact disc, diskettes, manual or Software or from any other events including, but not limited to, any interruption of service, loss of business, loss of profits or good will, legal action or any other consequential damages. The user assumes all responsibility arising from the use of this Software. MacForensicsLab Inc's liability for damages to you or others will in no event exceed the total amount paid by you for this Software. In particular, MacForensicsLab Inc shall have no liability for any data or programs stored by or used with MacForensicsLab Inc’s Software, including the costs of recovering such data or programs. MacForensicsLab Inc will be neither responsible nor liable for any illegal use of its Software. MacForensicsLab Inc reserves the right to make corrections or improvements to the information provided and to the related Software at any time, without notice.

MacForensicsLab Inc will replace or repair defective distribution media or documentation at no charge, provided you return the item to be replaced with proof of purchase to MacForensicsLab Inc during the 30-day period after purchase. ALL IMPLIED WARRANTIES ON THE MEDIA AND DOCUMENTATION, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE LIMITED IN DURATION TO THIRTY (30) DAYS FROM THE DATE OF THE ORIGINAL RETAIL PURCHASE OF THIS PRODUCT. The warranty and remedies set forth above are exclusive and in lieu of all others, oral or written, expressed or implied. No MacForensicsLab Inc dealer, representative, agent, or employee is authorized to make any modification, extension, or addition to this warranty. Some States do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may also have other rights that vary from State to State.

6. Government End-Users. If you are a Government end-user, this license of the Software conveys only “RESTRICTED RIGHTS”. This Software was developed at private expense, and no part of it was developed with government funds. The Software is a trade secret of SubRosaSoft.com Inc for all purposes of the Freedom of Information Act, and is “commercial computer software” subject to limited utilization as provided in the contract between the vendor and the governmental entity, and in all respects is proprietary data belonging solely to MacForensicsLab Inc. Government personnel using the Software are hereby on notice that the use of this Software is subject to restrictions that are the same as, or similar to, those specified above.

7. General. This license will be construed under the laws of the state of California, except for that body of law dealing with conflicts of laws, if obtained in the United States, or the laws of the jurisdiction where obtained if obtained outside the United States. If any provision of this license is held by a court of competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent permissible, and the remaining provisions of this license will remain in full force and effect.

Complete Agreement. This license constitutes the entire agreement between the parties with respect to the use of the Software and related documentation and supersedes all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter.


Copyright Notice

MacForensicsLab Copyright Notice.

MacForensicsLab Copyright Notice

MacForensicsLab Incorporated copyrights this software, the product design, and design concepts with all rights reserved. Your rights with regard to the software and manual are subject to the restrictions and limitations imposed by the copyright laws of the United States of America.

Under the copyright laws, neither the programs nor the manual may be copied, reproduced, translated, transmitted or reduced to any printed or electronic medium or to any machine-readable form, in whole or in part, without the written consent of MacForensicsLab Inc.

© Copyright 2009 MacForensicsLab Inc. All Rights Reserved


Trademarks

MacForensicsLab Incorporated's trademarks.

Trademarks

"MacForensicsLab” is a trademark of MacForensicsLab Inc.

All other brand and product names are trademarks or registered trademarks of their respective holders.
