Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
MacLockPick II

reviewed by Austin W. Troxell, MSc, CISSP of Cyber Investigation Services


Introduction

In today's computing environment of terabyte hard drives and encrypted file systems, the practice of 'pull the plug, image at the lab' is becoming impractical, if not risky. To address these and other challenges, live acquisition is gaining in popularity. Indeed, every digital forensics examiner should become proficient in the techniques of what has come to be the latest buzz-phrase in the industry: “field triage.”


Overview/Features

To meet the needs of non-technical first responders such as law enforcement, parole officers, private investigators, etc., SubRosaSoft (subrosasoft.com/OSXSoftware/index.php) has introduced MacLockPick II, a USB stick loaded with a suite of acquisition and reporting utilities that will extract pertinent data from Apple Macintosh, Windows (XP and Vista) and Linux systems.

The MacLockPick II (MLP) arrived packed in a round can with an accompanying CD that features a 17-minute instruction video in QuickTime (MP4) format. The MLP itself is a mini-USB stick with a non-ferrous metal shell that extends to the end of the USB contacts (see photos). With the extended metal case, there is no need for a “connector protector” to fumble with or misplace. However, the cladding does make the MLP a little more difficult to insert in a USB port than a regular flash drive.


What's in the box

[Photo: MacLockPick]


In Action

Before the MLP can be used to extract data, it must be “authenticated.” This is a relatively straightforward process of executing an application on the MLP, emailing the resultant file to SubRosaSoft and copying the attachment from the return email to the MLP. My request was answered by the vendor in less than 4 hours – on a Saturday night!

Once the MacLockPick is inserted in a USB port, the device is auto-mounted and auto-executes the acquisition program. Very little user-intervention is required. As data is being collected, an animated progress screen lets the user know that the program is working and a caption reports on which particular items are being extracted at the time. A message indicates when the acquisition process has completed. (NB: The MLP shows up as “UT165 USB2 Flash Storage” in the Windows Registry. It is important to document this “change” if the PC is to be seized and imaged later.)

The collected information is stored on the MLP. Optionally, a different external device may be selected as the storage media for data and reports. The data may also be copied or moved from the MLP once back at the lab.

Not surprisingly (considering its name), MacLockPick acquisition from a Macbook was a breeze. Data-collection was easy and fast!

Running the MLP against my Windows XP Home desktop was unsuccessful. Because I have disabled Auto-Run/Auto-Play on my system, the MLP was not able to self-execute. When I manually invoked the acquisition executable, I received a message after a few seconds that the program had completed successfully. Examination of the output folder showed that no data had been extracted. SubRosaSoft is working on repeating and resolving this issue. I have been very favorably impressed with SubRosaSoft's prompt replies to all of my emails.

Subsequent tests on other PCs that still had Auto-Run/Auto-Play enabled were successful, although in one instance it took 90 minutes to extract data from the Windows Registry of a laptop running XP.
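Two things from the Windows runs above are worth recording before a seized PC is imaged: the MLP leaves a device entry under the USBSTOR enumeration key (the review reports it as “UT165 USB2 Flash Storage”), and whether or not it auto-starts depends on the host's Auto-Run policy. The following Python script is an added example, not SubRosaSoft's code and not part of the original review. It parses a `reg export` style dump of the USBSTOR key and the Explorer policy key, lists every USB storage device the host has enumerated, flags the entries matching the triage tool's device string so they can be documented as examiner-introduced changes, and reports whether the `NoDriveTypeAutoRun` policy disables autorun for removable drives (the 0x04 bit). The embedded export is constructed: the Kingston entry, the instance serials and the policy value are made up, and the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in `reg export` format (a real export is UTF-16LE with a
# BOM; read it with open(path, encoding="utf-16")). The device string
# "UT165 USB2 Flash Storage" is the one the review reports for the MLP; the
# Kingston entry, the instance serials and the policy value are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_UT165&Prod_USB2_Flash_Storage&Rev_0.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_UT165&Prod_USB2_Flash_Storage&Rev_0.00\0000000000ABCDEF&0]
"FriendlyName"="UT165 USB2 Flash Storage USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\001122334455&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Device instance keys sit two levels below USBSTOR: <device id>\<instance id>
_USBSTOR_INSTANCE_RE = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
REMOVABLE_DRIVE_BIT = 0x04  # DRIVE_REMOVABLE bit of NoDriveTypeAutoRun


def _decode_value(raw: str):
    """Decode the two value types the sample uses: quoted strings and dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key path] in the export to a dict of its named values."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = _decode_value(value_match.group(2))
    return keys


def usb_storage_devices(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Every USB storage device instance Windows has enumerated on the host."""
    devices = []
    for path, values in keys.items():
        match = _USBSTOR_INSTANCE_RE.search(path)
        if match:
            devices.append({
                "device_id": match.group(1),
                "instance_id": match.group(2),
                "friendly_name": str(values.get("FriendlyName", "")),
            })
    return devices


def autorun_disabled_for_removable(keys: Dict[str, Dict[str, object]]) -> Optional[bool]:
    """True/False when a NoDriveTypeAutoRun policy is present, None when it is absent."""
    for path, values in keys.items():
        if path.lower().endswith(r"\policies\explorer") and "NoDriveTypeAutoRun" in values:
            return bool(int(values["NoDriveTypeAutoRun"]) & REMOVABLE_DRIVE_BIT)
    return None


def acquisition_footprint(reg_text: str, tool_device_string: str) -> dict:
    """Summarise what a live-triage USB tool left behind and why it may not have auto-started."""
    keys = parse_reg_export(reg_text)
    devices = usb_storage_devices(keys)
    tool_entries = [d for d in devices
                    if tool_device_string.lower() in d["friendly_name"].lower()]
    return {
        "usb_storage_devices": devices,
        "tool_entries": tool_entries,
        "autorun_disabled_for_removable": autorun_disabled_for_removable(keys),
    }


if __name__ == "__main__":
    report = acquisition_footprint(SAMPLE_REG_EXPORT, "UT165 USB2 Flash Storage")
    for dev in report["usb_storage_devices"]:
        print(f"{dev['device_id']}  {dev['instance_id']}  {dev['friendly_name']}")
    print("tool entries to document:", len(report["tool_entries"]))
    print("autorun disabled for removable drives:", report["autorun_disabled_for_removable"])
```

The USBSTOR entry persists after the stick is removed, which is why the reviewer's advice to document the change matters: without a note in the examiner's log, a later examiner sees an unexplained USB device on the imaged system. A `None` for the autorun check means the policy value is absent and the Windows default for that version applies.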

I was unable to extract data with the MLP from a Fedora 10 Linux system. According to SubRosaSoft, the MacLockPick was tested successfully on Ubuntu and SUSE Linux systems.


What I Retrieved

Here is a list of the most notable data that I recovered from the various test systems:

- Windows Clipboard
- Bookmarks from Internet Explorer, Firefox, and Apple Safari
- Browsing History
- Cookies
- Auto-fill entries
- System Information
- Network Information, including ARP entries and Statistics
- Interface information (MAC & IP info)
- Running processes
- Windows Registry – Full Tree (Classes Root), file associations
- Apple Key Chain extraction

(A more complete description of what the MacLockPick can recover is available here.)

The retrieved information is stored in a separate database file for each case. The MLP Reader application presents this data in a sortable table that may be exported to a text file for searching and reporting.

I was quite surprised with the amount and quality of information that the MLP recovered from the test systems. In fact, the MacLockPick recovered a good bit of data that I mistakenly thought my “privacy-protection” software had wiped from my PC!


[Screenshot: MLP Data Reader]


What I Liked

When it worked, auto-execution was smooth and returned a LOT of information. Report output is clean and easy to read. The MLP is small and designed to be carried on a key-chain. The metal shell makes the MLP very rugged. As previously mentioned, the reinforced USB connector requires some extra effort to insert the device into a USB port. That's not a complaint - I'll take ruggedness over easy-to-insert any day for a product that will spend most of its time being jangled in someone's pocket along with keys and loose change.


What I Didn't Like

If the MLP doesn't auto-start, it doesn't work. Windows acquisition can be quite slow. I'm not convinced that a user in the field would want to wait an hour and a half while the MacLockPick extracts data. As to the how-to CD that comes with the MLP, although informative, the audio track was annoyingly choppy (reproduced on various Windows systems). This may be just a minor irritation to some, but for the price (see below) and considering the non-technical audience for this product, I feel it is one worth addressing.


The Price

At $495 USD, I felt the MacLockPick II is a bit pricey, although the cost is very close to what is offered by competing vendors. Considering the hefty price-tag of most products that are aimed at the digital forensics market, the MacLockPick II may actually be a bargain.


The Verdict

Most systems encountered in the field run either XP or Vista. The failure of MacLockPick II to consistently extract information from Windows PCs in a timely manner is a significant shortcoming. If a user encounters a PC that has Auto-Run disabled, there should be a “Click Me” workaround on the MLP that will assist them.

In its current version, the MacLockPick II still needs a little work. In addition to resolving the Auto-Run issue, I'd like future revisions to have a graphics extractor to allow a system to be quickly scanned for its image content and the results summarized in a collection of thumbnails. If SubRosaSoft can solve the performance issues mentioned above, the MLP could be a very useful tool for first-responders. Until then, prospective customers may wish to evaluate other products.

- Austin W. Troxell, MSc, CISSP


This review can be discussed here.




--

Cyber Investigation Services serves the Anderson, Greenville and Spartanburg area of Upstate South Carolina offering Computer and Mobile Device Forensics, Electronically-Stored Information (ESI) Discovery, Data Recovery, Escrow Agent / Special Master for litigation support and Secure Data Destruction.


All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2010 Forensic Focus