We currently have a raw image of an OS X laptop running High Sierra. We are attempting to recover information of a previous user on the laptop. Unfortunately the user was deleted from the Apple control panel and the laptop was given to another user prior to us imaging it. So it is very probable that any deleted files have been overwritten.
Is there any way to attempt to recover the user, as we are trying to find any of the user-generated activity (internet history, USB activity, evidence of mass deletion)?
We also have a Time Machine backup from the system we can attempt to restore, but I'm not sure if this is just going to give us user-generated files and not necessarily any type of activity information.
Let me know if you can provide any tips to point us in the right direction.
What forensic tools do you have at your disposal?
We have Recon and we also have EnCase (most up to date).
EnCase doesn't seem to work in opening the image even though it supports APFS now.
Recon can open the image.
I recommend acquiring a test license of BlackBag (please confirm that tool is APFS compliant).
I own OSForensics, Forensic Explorer and Internet Evidence Finder, which might be APFS compliant (I have not had an APFS-formatted drive in a case yet); each of the aforementioned tools has worked very well with HFS-formatted drives to date.
If you are LE and can provide a download link to the forensic image, I will attempt to carve the deleted user directory for you. If IEF works on your image, I will create a portable case and then deliver the portable case back to you to analyze.
Thank you for the help. I will try what you mentioned.
Restoring deleted items from Mac systems has always been more difficult and less successful compared to your standard Windows machine because of the differences in file systems…
What I would recommend is restoring the Time Machine backup onto a different machine and then performing your analysis there. Time Machine will indeed restore both the user generated content and system files that can be used to draw conclusions from. I would start by looking at FSEvents logs, both on the machine that you have right now and also in the backup. It can give you a good view into recent file system operations.
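The reply above points at the FSEvents logs (the gzip-compressed files under /.fseventsd/ on each volume) as the place to look for recent file system operations. The following is an added example, written for this page and not code posted by anyone in the thread, showing what reading those logs for the question's purposes (deletions under the removed user's home, mount/unmount of removable media) looks like. The record layout (DLS1/DLS2 page header, NUL-terminated path, 8-byte event id, 4-byte flag mask, 8-byte node id on DLS2 pages) and the flag bit meanings are taken from public descriptions of the format and are assumptions of this example; the sample log is constructed in the block, and the user name `jdoe` is hypothetical.

```python
import gzip
import struct

# Flag bits of the FSEvents record "mask" field. These values come from public
# descriptions of the format (e.g. the open-source FSEventsParser project) and
# are an assumption of this example, not something stated in the thread.
FSEVENT_FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

PAGE_HEADER = struct.Struct("<4sII")   # magic, unknown (assumed zero), page length incl. header
REC_TAIL = struct.Struct("<QI")        # event id, flag mask (DLS1 and DLS2)
REC_NODE = struct.Struct("<Q")         # DLS2 only: node (inode) id


def decode_flags(mask):
    """Expand a record's flag mask into names; bits we do not know are reported raw."""
    names = [name for bit, name in FSEVENT_FLAGS.items() if mask & bit]
    leftover = mask & ~sum(FSEVENT_FLAGS)
    if leftover:
        names.append("Unknown(0x%08x)" % leftover)
    return names


def parse_fsevents(raw):
    """Parse one gzip-compressed /.fseventsd/<hex> log file into a list of records.

    Paths in the log are relative to the volume root with no leading slash
    (assumption of this example, e.g. 'Users/jdoe/Documents/x.txt').
    """
    data = gzip.decompress(raw)
    records, off = [], 0
    while off + PAGE_HEADER.size <= len(data):
        magic, _unknown, page_len = PAGE_HEADER.unpack_from(data, off)
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError("bad page magic %r at offset %d" % (magic, off))
        page_end = off + page_len
        pos = off + PAGE_HEADER.size
        while pos < page_end:
            nul = data.index(b"\x00", pos, page_end)
            path = data[pos:nul].decode("utf-8", "replace")
            pos = nul + 1
            event_id, mask = REC_TAIL.unpack_from(data, pos)
            pos += REC_TAIL.size
            node_id = None
            if magic == b"2SLD":
                (node_id,) = REC_NODE.unpack_from(data, pos)
                pos += REC_NODE.size
            records.append({"path": path, "event_id": event_id, "mask": mask,
                            "flags": decode_flags(mask), "node_id": node_id})
        off = page_end
    return records


def find_removed_under(records, prefix):
    """Records flagged Removed whose path lies under prefix (e.g. 'Users/jdoe')."""
    prefix = prefix.rstrip("/") + "/"
    return [r for r in records if r["path"].startswith(prefix) and r["mask"] & 0x02000000]


def find_mount_events(records):
    """Mount/Unmount records under Volumes/, where removable media shows up."""
    return [r for r in records if r["path"].startswith("Volumes/") and r["mask"] & 0x00000006]


def build_fsevents_file(entries, magic=b"2SLD"):
    """Serialise (path, event_id, mask, node_id) tuples into one gzip'd page.
    Inverse of parse_fsevents(); used here only to construct sample input."""
    body = b""
    for path, event_id, mask, node_id in entries:
        body += path.encode() + b"\x00" + REC_TAIL.pack(event_id, mask)
        if magic == b"2SLD":
            body += REC_NODE.pack(node_id)
    return gzip.compress(PAGE_HEADER.pack(magic, 0, PAGE_HEADER.size + len(body)) + body)


# Constructed sample (not a real log): a USB volume mounted, three files and a
# folder in the hypothetical user jdoe's home removed back to back, an unrelated
# edit by another user, then the volume unmounted.
SAMPLE_ENTRIES = [
    ("Volumes/USBSTICK",                     0x2A00, 0x00000003, 9001),  # FolderEvent|Mount
    ("Users/jdoe/Documents/notes.txt",       0x2A01, 0x02008000, 1101),  # FileEvent|Removed
    ("Users/jdoe/Documents/report.docx",     0x2A02, 0x02008000, 1102),
    ("Users/jdoe/Library/Safari/History.db", 0x2A03, 0x02008000, 1103),
    ("Users/jdoe/Documents",                 0x2A04, 0x02000001, 1100),  # FolderEvent|Removed
    ("Users/otheruser/Desktop/todo.txt",     0x2A05, 0x10008000, 2201),  # FileEvent|Modified
    ("Volumes/USBSTICK",                     0x2A06, 0x00000005, 9001),  # FolderEvent|Unmount
]
SAMPLE_FILE = build_fsevents_file(SAMPLE_ENTRIES)


def triage(raw, user_root):
    """First-pass summary: deletions under the user's home and mount activity,
    each as (event_id, path, flag names). Event ids are monotonic, so a run of
    consecutive Removed records under one home is the 'mass deletion' signal."""
    recs = parse_fsevents(raw)
    return {
        "removed": [(r["event_id"], r["path"], r["flags"]) for r in find_removed_under(recs, user_root)],
        "mounts":  [(r["event_id"], r["path"], r["flags"]) for r in find_mount_events(recs)],
    }


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_FILE, "Users/jdoe").items():
        print(kind)
        for event_id, path, flags in rows:
            print("  %#x  %-40s %s" % (event_id, path, "|".join(flags)))
```

Two caveats when running this against a real image: FSEvents records carry no timestamp, only the monotonic event id, so ordering comes from the id and timing from correlating with other artifacts (the log file's own mtime, the unified log, the Time Machine snapshot that the reply suggests restoring); and the logs roll over, so an old deletion may survive only in the copy of /.fseventsd/ inside the Time Machine backup rather than on the live volume.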