analyze mac data on windows

(@pinin113)
Posts: 47
Eminent Member
Topic starter
 

Hello, I have acquired an image of a Mac using Guymager live. Now I have to see the files, but I have a Windows machine with FTK. I tried to use VirtualBox to start a Yosemite machine, but it crashes. How can I do this?

 
Posted : 23/10/2015 12:27 am
(@belkasoft)
Posts: 169
Estimable Member
 

Hello, I have acquired an image of a Mac using Guymager live. Now I have to see the files, but I have a Windows machine with FTK. I tried to use VirtualBox to start a Yosemite machine, but it crashes. How can I do this?

Why do you need to run the machine? Why not analyze it as a dead box?

 
Posted : 23/10/2015 2:19 am
(@pinin113)
Posts: 47
Eminent Member
Topic starter
 

Thank you, what do you mean by 'dead box'?

 
Posted : 23/10/2015 1:00 pm
(@belkasoft)
Posts: 169
Estimable Member
 

Thank you, what do you mean by 'dead box'?

I mean investigation of a machine without switching it on.

 
Posted : 23/10/2015 1:23 pm
(@pinin113)
Posts: 47
Eminent Member
Topic starter
 

Never did it. But in this particular case I don't have the machine anymore. I just have the image obtained with FTK in E01.

 
Posted : 23/10/2015 8:22 pm
(@belkasoft)
Posts: 169
Estimable Member
 

Never did it. But in this particular case I don't have the machine anymore. I just have the image obtained with FTK in E01.

You can perfectly well analyze an E01 in many tools, including FTK itself. We at Belkasoft can also mount and analyze such images.

 
Posted : 23/10/2015 8:33 pm
(@deltron)
Posts: 125
Estimable Member
 

Never did it. But in this particular case I don't have the machine anymore. I just have the image obtained with FTK in E01.

You could just examine it in FTK.
Some good articles on Mac forensics: http://www.appleexaminer.com/
Some OS X artifacts:
https://docs.google.com/spreadsheets/d/1VobbmKTw8h_wKr0fpNXiyqOc1eCTuqiRkhIguVk_eXA/edit?hl=en_US#gid=0

Also, you could restore the image to a disk, allowing a live investigation on another Mac machine if you want a hands-on look.

You could also just mount the image in Linux, and I think log2timeline may work:
digital-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation

Just ideas, sorry.

 
Posted : 23/10/2015 10:59 pm
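The Linux route suggested in the post above (mount the E01, then run log2timeline) spelled out as an added example. This is not code from any poster or from the tools' own documentation; the image path, mount directories and the constructed `mmls` output are assumptions. It verifies the E01 hashes first, exposes the image read-only through ewfmount, computes the byte offset of the largest partition from `mmls` output, mounts that partition as HFS+ read-only, and hands the mounted tree to plaso.

```shell
#!/bin/sh
# Added example (not from the thread): dead-box analysis of a Mac E01 on Linux.
# Requires: ewf-tools (ewfverify, ewfmount), sleuthkit (mmls), the hfsplus
# kernel module, and plaso (log2timeline.py, psort.py). Mounting needs root.
set -u

# Constructed mmls output (not from a real case) used to exercise the parser.
# A Yosemite-era GPT disk: EFI partition, main "Customer" volume, Recovery HD.
SAMPLE_MMLS=$(cat <<'EOF'
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0976105471   0975695832   Customer
006:  002       0976105472   0977374975   0001269504   Recovery HD
007:  -------   0977374976   0977375007   0000000032   Unallocated
EOF
)

# Print the byte offset of the largest real partition in `mmls` output.
# $1: the mmls text. mmls reports sector offsets, so the sector size is taken
# from its "Units are in N-byte sectors" header. Meta and unallocated rows
# (non-numeric slot column) are skipped. Prints nothing if no partition found.
largest_partition_offset() {
    printf '%s\n' "$1" | awk '
        /^Units are in/ { sub(/-byte.*/, "", $4); sector = $4 + 0 }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+$/ && $5 + 0 > best {
            best = $5 + 0; start = $3 + 0
        }
        END { if (best > 0) printf "%d\n", start * sector }
    '
}

# Expose the E01 as a raw file and mount its main volume read-only.
# $1: image.E01  $2: ewfmount directory  $3: filesystem mount point
mount_e01() {
    image=$1; ewfdir=$2; fsdir=$3
    mkdir -p "$ewfdir" "$fsdir"
    # Check the stored MD5/SHA1 before relying on the image at all.
    ewfverify "$image" || return 1
    # ewfmount presents the decompressed image as $ewfdir/ewf1 (FUSE, read-only).
    ewfmount "$image" "$ewfdir" || return 1
    offset=$(largest_partition_offset "$(mmls "$ewfdir/ewf1")")
    [ -n "$offset" ] || { echo "no partition found in $image" >&2; return 1; }
    # ro + noatime so the mount never alters evidence; noexec/nodev so nothing
    # from the suspect volume can be executed or used as a device on the host.
    mount -t hfsplus -o "ro,loop,noexec,nodev,noatime,offset=$offset" \
        "$ewfdir/ewf1" "$fsdir"
}

# Run plaso over the mounted tree and write a CSV super timeline.
# $1: mount point  $2: plaso storage file  $3: CSV output path
build_timeline() {
    log2timeline.py --storage-file "$2" "$1" || return 1
    psort.py -o l2tcsv -w "$3" "$2"
}

# Unmount in reverse order so the FUSE layer is released cleanly.
cleanup() {
    umount "$2" 2>/dev/null
    fusermount -u "$1" 2>/dev/null
}

main() {
    img=${1:?usage: $0 image.E01 [ewf_dir] [mount_dir]}
    ewfdir=${2:-/mnt/ewf}; fsdir=${3:-/mnt/mac}
    mount_e01 "$img" "$ewfdir" "$fsdir" || exit 1
    build_timeline "$fsdir" timeline.plaso timeline.csv
    cleanup "$ewfdir" "$fsdir"
}

# Only run the procedure when an image is given, so the functions can be sourced.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Two caveats a practitioner will hit: if the volume is a CoreStorage logical volume (FileVault 2, and many default Yosemite installs), the partition will not mount as `hfsplus` directly and needs the CoreStorage layer handled first; and plaso can read an E01 directly via dfvfs, so `log2timeline.py --storage-file out.plaso image.E01` works without mounting at all, which avoids the offset and mount steps entirely.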
(@wookieshaver)
Posts: 27
Eminent Member
 

I think it would be a good question as to what utilities and programs you currently have access to. EnCase does a reasonably good job of analyzing Mac data, though for some aspects a good workflow and knowledge of Mac file types and locations are necessary. The mentions of AppleExaminer.com above are really helpful. I would ask, though, when you created your Mac in VirtualBox, did you use these directions? (http://www.macbreaker.com/2015/01/virtualbox-yosemite-zone.html) They worked fine for me. It does help if the machine you create the VMs on has a boatload of RAM to spare, though. A Mac is best for handling Mac Mail and MS Office for Mac file types, so you may want to pursue getting the VM working.

 
Posted : 08/12/2015 12:48 am
(@nathanc)
Posts: 9
Active Member
 

Running a Mac VM on a Windows machine (past 10.6, I think) is a bit flaky.

When I need to do it, I would restore the image to a disk and boot from it using a Mac of the same type, if you have one.

 
Posted : 10/12/2015 8:02 pm