Mac OS X System.log

(@creeshie)
Posts: 11
Active Member
Topic starter
 

We have imaged an Apple Mac running Mountain Lion 10.8.4 and when we open the image in EnCase v6.19.3.11 there is no sign of the system.log in Private/Var/Log.

We have booted the Mac and can see the system.log in the same path on the physical machine.

EnCase 7 shows the same behaviour in the sense that it is not showing some other .log files in Private/Var/Log that appear when the image is viewed in EnCase v6.19.3.11.

Anyone have any ideas what would cause this behaviour?

 
Posted : 17/09/2013 6:12 am
Earn
(@earn)
Posts: 146
Estimable Member
 

I would suggest using a forensic tool that runs on a Mac like BlackLight. Even though the latest version of EnCase 7 is supposed to be "better" for Mac data, it still isn't parsing everything that's there. Use Blacklight and compare it to what EnCase is presenting you with. I think you will see that it's not even comparable.

https://www.blackbagtech.com/software-products/blacklight.html

 
Posted : 18/09/2013 2:22 am
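The cross-check Earn recommends (compare what one tool exports against an independent listing) can be made mechanical. The following is an added example, not code from the thread or from any of the tools named in it: it builds a size-and-SHA-256 manifest of every regular file under a directory and reports what a second listing is missing, has extra, or has with different contents. The two directories it walks are constructed stand-ins for /private/var/log on the booted Mac and for a tool's export of the same path from the image; the file names and contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_posix_path: (size, sha256)} for every regular file.

    Symlinks are skipped rather than followed, so a link inside a mounted image cannot pull
    files from the examiner's live system into the listing.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return manifest


def compare_manifests(reference, tool_view):
    """Compare a reference manifest against the manifest of a tool's export.

    Returns (missing_in_tool_view, extra_in_tool_view, content_mismatch), each a sorted list
    of relative paths. A path in `content_mismatch` exists in both but differs in size or hash.
    """
    ref_paths, tool_paths = set(reference), set(tool_view)
    missing = sorted(ref_paths - tool_paths)
    extra = sorted(tool_paths - ref_paths)
    mismatch = sorted(p for p in ref_paths & tool_paths if reference[p] != tool_view[p])
    return missing, extra, mismatch


def demo():
    """Constructed sample: the live var/log tree has system.log, install.log and an asl file;
    the tool export (hypothetical) lacks system.log and carries a truncated install.log."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live_var_log"        # stands in for /private/var/log on the booted Mac
        exported = Path(tmp) / "tool_export"     # stands in for the tool's export of the image path
        for d in (live, exported, live / "asl", exported / "asl"):
            d.mkdir()
        (live / "system.log").write_bytes(b"Sep 17 06:12:00 mac kernel[0]: constructed line\n")
        (live / "install.log").write_bytes(b"constructed install log\n")
        (live / "asl" / "2013.09.17.asl").write_bytes(b"constructed asl data")
        (exported / "install.log").write_bytes(b"constructed install")
        (exported / "asl" / "2013.09.17.asl").write_bytes(b"constructed asl data")
        return compare_manifests(build_manifest(live), build_manifest(exported))


if __name__ == "__main__":
    missing, extra, mismatch = demo()
    print("missing from tool view:", missing)
    print("extra in tool view:    ", extra)
    print("content differs:       ", mismatch)
```

In practice you would run `build_manifest` once against a read-only mount of the image and once against the tool's exported folder (or against the booted machine, as the original poster did), then `compare_manifests` on the two; any path under `missing` is a file the tool failed to present, and `content_mismatch` catches files it shows but reads back differently. Hashes are computed over file contents only, so HFS+ resource forks and extended attributes are outside what this check covers.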
(@creeshie)
Posts: 11
Active Member
Topic starter
 

Thanks for the response, Earn. I wasn't aware that EnCase had issues parsing Mac data; that is a bit of a worry.

I will follow up with Blackbag, thanks again.

 
Posted : 18/09/2013 8:42 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Which filesystem is hosting the relevant files? HFS+? Journaled HFS+?

EnCase 6 has issues viewing some versions of HFS, but I am somewhat surprised (although I guess I shouldn't be) about EnCase 7 parsing it incorrectly. Personally I would post something about this on the GSI forums.

If using a Mac for investigations is not a possibility for you (or you want something cheaper), X-Ways parses HFS+ OK in all its flavours as far as I know.

 
Posted : 18/09/2013 12:14 pm
(@zekituredi)
Posts: 16
Active Member
 

I would definitely suggest FTK for Mac OS X investigations. Handles HFS and also parses .plist files for easier reviewing.

 
Posted : 21/09/2013 7:40 pm