Mac Forensics in this article Mac is short for the Macintosh operating systems developed by Apple to support its line of devices and series of personal computers, Mac is one of the most adopted systems across the globe and is also facing increase in number of attacks annually. The investigators must have knowledge of Mac, its process, policies, functions and internal storage patters used by the operating system to be able to perform forensics. This section will help introduce you with the processes that can help to conduct forensics investigation over a Mac-based system.
Introduction to MAC Forensics
The usage of Apple products has increased drastically in the last few years, for instance MAC computers, iPods, iPads, iPhones etc. Eventually they have also become the main target to the cyber attackers. The reason behind this is, there are not enough security tools developed to defend these attacks. MAC Forensics comes into picture when there is an attack on Macintosh systems.
MAC forensics refers to investigation of a crime occurred on or using a MAC device. To encounter the cyber-attacks, it is indispensable that the forensic investigators possess a good understanding on the MAC file system and all the operating system features. MAC operating system works on HFS (Hierarchical File System) File structure, and presently HFS+ is the most preferred file system used in MAC OS devices.
Related Product : Computer Hacking Forensic Investigator | CHFI
MAC Forensics Data (Cont’d)
With the increase of the usage of Apple’s Macintosh systems, the number attacks have increased tremendously. If a MAC device is present in the crime scene, seize the device at first the device and safeguard ft. The suspect device is then imaged using Write blockers and the investigations are performed on the imaged copy. Forensic examiners then examine the digital media in a forensically sound manner. Their task is to identify, preserve, recover, analyze and present the evidences extracted from them in the court if law.
We have covered all the sources which are of forensic concern and from which the investigators can retrieve information in a MAC operating system. For instance the Version.plist file which contains the system version details, the Timestamp utility which helps the investigator to correlate the log events, Application bundles which are directory hierarchies that consists of sub folders that contain executable code, etc. Analyzing all these sources can provide crucial forensic data, which may help the investigators to trace out the attackers.
Investigators can procure all the user account details from the Library folder and can gather information related to the account creation, modification, and access timings. It is essential for forensic investigators to have a good understanding of the file system of the device he/she is dealing with. As we are discussing about Apple’s Macintosh systems, the newer versions of MAC OS use HFS+ file system. In depth understanding of the data structure and allocation blocks will helps the investigator to find out the required forensic information. The MAC OS uses the Basic Security Model, which helps to understand the file type, its creator and data usage.
Spotlight is a desktop search feature of the MAC OS, which indexes the files by their types and thus making the search easy. This technology is particularly useful for investigators to trace a specific file.
The Home folder in the MAC OS X stores all the files, documents, applications, library folders etc., pertaining to a particular user. The MAC OS creates separate Home directory for each user of the system with their username; so that the investigator can easily analyze the Home directory and retrieve crucial data such as passwords, log files, library folders, logon attempts, and other forensically important information.
MAC OS has its default standalone email client called the Apple mail. It stores all the email messages on the host computer. These email messages can act as crucial source of forensic evidences. Safari is the default web browser in the MAC system. It holds information of the browsing history, download history, etc. as plist files in the Library folder.
Also Read : Linux Forensics
MAC Forensics Tools
OS X Auditor- Mac Forensics Tool
OS X Auditor is a python based computer forensics tool. The tool allows analysts to parse and hash artifacts on the running system or a copy of a system to not modify the original evidence.
MacForensicLab
MacForensicsLab is a forensic tool that allows examiners to conduct their examinations and process suspect data to find and recover deleted and embedded files — then preview and recover them.
Memoryze for the Mac
Memoryze for the Mac is free memory forensic software that helps incident responders find evil in memory on Macs. Memoryze for the Mac can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems.
Mac Marshal
Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects, and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.
F-Response
F-Response is a software utility that enables investigators to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. It provides read-only access to full physical disk(s), physical memory (RAM), 3rd party Cloud, Email and Database storage.
Mac OS X Memory Analysis Toolkit
Mac OS X Memory Analysis Toolkit is an open source toolkit for Mac OS X and BSD forensics. The tool is a python based and allows investigating security incidents and finding information for malwares and any malicious program on the system.
Volatility 2.5
Volatility Framework is a memory analysis and forensics tools used for finding contraband within hard drive images. Volatility enables users to analyze the runtime state of a system using the data found in volatile storage (RAM).
OS X Rootkit Hunter for Mac
OS X Rootkit Hunter is scanning tool that can detect malicious tools on a Mac. This tool scans for rootkits, backdoors, and local exploits.
Questions related to this topic
- How do I access files on my MacBook from my iMac?
- How do I find email files on my Mac?
- How do you preview files on a Mac?
- What is the file management tool in Macos?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
