Hello all,
My question is this. Will any forensics software run on a Macintosh computer? I am new to the Mac world and was just wondering.
Thanks,
Tom
Not that I know of. Most COTS forensic tools (EnCase, FTK, WinHex, etc.) are Windows-based and will not run on a MAC. The file system and processor are completely different to a PC (generally MAC=Big Endian, PC=Little Endian).
I am not too sure whether the Linux/Unix based stuff will work (i.e. Smart, Sleuth Kit, etc). The MAC OS is similar to UNIX, so if any were to be compatible it may be these. Perhaps some MAC guru can answer this? They are very rare and exceptionally geeky animals to find in the wild 🙂
The MAC is an interesting and often overlooked system, with many inbuilt features that are very practical for Forensic work, for example, you can turn a MAC into a Firewire attached device in read only mode – 'Target Disk Mode', by pressing the ‘T’ key during boot. If attached to a Windows or Linux box, it displays as a storage device. This is an easy method of acquiring a MAC in EnCase (if you are perturbed at removing the HDD – which on some MAC computers and laptops is like open heart surgery).
There is always Virtual PC for MAC, which is a PC emulator/virtual environment for the MAC OS. You could use the Windows-based tools in the virtual environment.
Take a look here for more info: -
and here
Andy
I'm not a MAC forensic analyst, nor do I play one on TV…however…
Google is your friend!
H. Carvey
"Windows Forensics and Incident Recovery"
Indeed. An interesting note as well, for those who aren't aware - OS X is based on BSD, so essentially the door has been kicked down for several suites to be ported over.
I'm not a MAC forensic analyst, nor do I play one on TV…however…
http://blogs.23.nu/RedTeam/stories/4977/
http://homepage.mac.com/macbuddy/ForensicGuide.html
http://lists.virus.org/macsec-0301/msg00000.html
Google is your friend!
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
Hi,
If you run win XP inside Virtual PC version 7 you can run EnCase and FTK. I am in the process of testing the differences in performance so I can't say how well it works as compared to a PC. I will post results in the near future.
BlackBag Technologies also has Mac based forensic tools.
Greg