We have imaged an Apple Mac running Mountain Lion 10.8.4 and when we open the image in EnCase v6.19.3.11 there is no sign of the system.log in Private/Var/Log.
We have booted the Mac and can see the system.log in the same path on the physical machine.
EnCase 7 shows the same behaviour in the sense that it is not showing some other .log files in Private/Var/Log that appear when the image is viewed in EnCase v6.19.3.11.
Anyone have any ideas what would cause this behaviour?
I would suggest using a forensic tool that runs on a Mac like BlackLight. Even though the latest version of EnCase 7 is supposed to be "better" for Mac data, it still isn't parsing everything that's there. Use BlackLight and compare it to what EnCase is presenting you with. I think you will see that it's not even comparable.
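Putting the two tools' listings side by side, as suggested above, is easier with a small script. The following is an added example and is not code from the thread, from EnCase or from BlackBag: it takes two exported file listings of the same volume, normalises the paths so that tool-specific differences do not look like missing files (backslash separators, a leading volume name, `/var` versus `/private/var` since OS X implements `/var`, `/etc` and `/tmp` as symlinks into `/private`, and letter case because HFS+ is case-insensitive by default), and reports what each tool shows that the other does not. The two listings below are constructed sample input; the volume name "Macintosh HD" and the export formats are assumptions.

```python
"""Cross-check two forensic tools' file listings of the same volume.

Added example, not from the original thread. When one tool does not show a
file under /private/var/log that another tool or the live system does show,
the first step is to diff the two listings with tool-specific path
formatting removed. Sample listings are constructed, not real exports.
"""
import posixpath
from typing import Dict, List, Optional

# Directories that OS X implements as symlinks into /private. A tool that
# resolves the link reports /var/log, one that does not reports
# /private/var/log; both refer to the same directory.
PRIVATE_ALIASES = ("/etc", "/tmp", "/var")


def normalise(path: str, volume_name: Optional[str] = None) -> str:
    """Reduce a path from any tool's export to one canonical form."""
    p = path.strip().replace("\\", "/")          # EnCase-style separators
    if volume_name:
        prefix = volume_name.lower() + "/"
        if p.lower().startswith(prefix):          # drop leading volume name
            p = p[len(volume_name):]
    if not p.startswith("/"):
        p = "/" + p
    p = posixpath.normpath(p)                     # collapse // and /./
    for alias in PRIVATE_ALIASES:                 # /var/log -> /private/var/log
        if p == alias or p.startswith(alias + "/"):
            p = "/private" + p
            break
    return p.lower()                              # HFS+ default: case-insensitive


def compare_listings(first: str, second: str,
                     volume_name: Optional[str] = None) -> Dict[str, List[str]]:
    """Return the paths each listing has that the other lacks, sorted."""
    a = {normalise(l, volume_name) for l in first.splitlines() if l.strip()}
    b = {normalise(l, volume_name) for l in second.splitlines() if l.strip()}
    return {
        "only_in_first": sorted(a - b),
        "only_in_second": sorted(b - a),
    }


# Constructed sample: an EnCase-style export (volume name, backslashes) and a
# second tool's export of the same /private/var/log directory.
ENCASE_LISTING = """\
Macintosh HD\\private\\var\\log\\install.log
Macintosh HD\\private\\var\\log\\wifi.log
Macintosh HD\\private\\var\\log\\secure.log
"""

OTHER_LISTING = """\
/private/var/log/install.log
/var/log/wifi.log
/private/var/log/system.log
/private/var/log/secure.log
"""

if __name__ == "__main__":
    result = compare_listings(ENCASE_LISTING, OTHER_LISTING, volume_name="Macintosh HD")
    for label, paths in result.items():
        print(label)
        for path in paths:
            print("   ", path)
```

Run against real exports, the only entries worth chasing are the ones in `only_in_first` or `only_in_second` after normalisation; with the sample above that is a single line, `/private/var/log/system.log`, missing from the first listing. Anything that differs only by case, separator or the `/private` prefix has already been folded away.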
Thanks for the response Earn. I wasn't aware that EnCase had issues parsing Mac data, that is a bit of a worry.
I will follow up with Blackbag, thanks again.
Which filesystem is hosting the relevant files? HFS+? Journaled HFS+?
EnCase 6 has issues viewing some versions of HFS, but I am somewhat surprised (although I guess I shouldn't be) about EnCase 7 parsing it incorrectly. Personally I would post something about this on the GSI forums.
If using a Mac for investigations is not a possibility for you (or you want something cheaper), X-Ways parses HFS+ OK in all its flavours as far as I know.
I would definitely suggest FTK for Mac OS X investigations. Handles HFS and also parses .plist files for easier reviewing.