Hi all
I'm currently on my year's placement and thinking of ideas for my final year uni project, in which we have to create a forensic tool and present it.
My main idea so far that I am going to look into further is with Time Machine and Spotlight on the Mac.
I plan on creating a piece of software that will be able to retrieve keyword searches from Spotlight and be able to create a kind of timeline/lifespan of files through examining Time Machine entries.
Would this be possible to do, and how would it go down as a project idea?
Also, can any of you point me in the right direction as to good sources of research?
Thanks
You might start researching the subject by reading "MAC OS X, IPOD, AND IPHONE FORENSIC ANALYSIS DVD TOOLKIT" by Jesse Varsalone (ISBN-13 978-1-59749-297-3) for some background information about "Time Machine and Spotlight on the Mac." (ccorlett7)
Yeah, a guy I work with has that book so I've had a quick look through it.
Are there any other books that would be useful?
Also, can anyone recommend how I would go about starting to code this, or draw up the algorithms that would then need to be coded?
Thanks
There already is a tool like the one you describe for Time Machine sparse bundles called Back In Time. It does a timeline display of tracked changes in files between the backups. Another consideration is that Spotlight can be disabled on media in System Preferences, so you may not get any results from Spotlight stores. There is another product called MacMarshal that is designed to use the Spotlight stores from an image to provide indexed search capabilities.
In short, these things have been done already so you may not get your project supervisor to agree to your proposal.
Just because it's been done before doesn't mean you can't do something similar. Compare the different products, change some time stamps and review how the tools deal with them, use anti-forensic tools on a number of files and see how the tools respond.
What about trying to extract the data to a SQL database, therefore allowing you to identify trends, perform keyword searches and format the data so that it could be used to create graphs, pie charts, etc.? This way you only have to worry about the best approach to get data out of Spotlight/Time Machine (assuming you can trust and prove the data provided by these applications is correct; see my point above regarding testing the tools with known changes).
From my experience of uni, it is the research, conclusion and future work, all written in a clear and concise manner, that bring the best marks. They also tend to be the most fun to do and result in a greater learning experience.
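As an added example (not code from this thread, nor from Back In Time or MacMarshal), here is a minimal version of the Time Machine lifespan tool proposed in the original post, using the SQL-database approach suggested in the reply above: it walks dated snapshot directories, records inode, size and mtime per file into SQLite, then derives each file's first and last appearance and the number of content versions, plus a keyword search over paths. The Backups.backupdb/<host>/<date> layout and the hard-linking of unchanged files between snapshots are assumptions about the on-disk format, and the three-snapshot tree is constructed in a temp directory so the script runs offline.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def index_snapshots(backupdb, db=":memory:"):
    """Walk each dated snapshot (YYYY-MM-DD-HHMMSS) under a Time Machine-style
    Backups.backupdb/<host>/ tree into SQLite, one row per (snapshot, path).
    Assumed: real backups hard-link unchanged files, so a new inode = new version."""
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE IF NOT EXISTS entry("
                "snapshot TEXT, path TEXT, inode INTEGER, size INTEGER, mtime REAL)")
    for snap in sorted(p for p in Path(backupdb).iterdir() if p.is_dir()):
        for f in snap.rglob("*"):
            if f.is_file():
                st = f.stat()
                con.execute("INSERT INTO entry VALUES (?,?,?,?,?)",
                            (snap.name, f.relative_to(snap).as_posix(),
                             st.st_ino, st.st_size, st.st_mtime))
    con.commit()
    return con

def lifespans(con):
    """Per path: first/last snapshot it appears in (names sort chronologically)
    and the number of distinct content versions (distinct inodes) seen."""
    rows = con.execute("SELECT path, MIN(snapshot), MAX(snapshot), COUNT(DISTINCT inode) "
                       "FROM entry GROUP BY path ORDER BY path")
    return {p: {"first": a, "last": b, "versions": n} for p, a, b, n in rows}

def keyword_search(con, term):
    """Distinct paths, across all snapshots, whose name contains the keyword."""
    rows = con.execute("SELECT DISTINCT path FROM entry WHERE path LIKE ? ORDER BY path",
                       ("%" + term + "%",))
    return [r[0] for r in rows]

def build_sample():
    """Constructed three-snapshot tree in a temp dir: notes.txt edited in snapshot 2,
    secret.txt gone in snapshot 3, report.pdf new in snapshot 3; unchanged files hard-linked."""
    root = Path(tempfile.mkdtemp()) / "Backups.backupdb" / "labmac"
    s1, s2, s3 = (root / d for d in
                  ("2024-01-01-120000", "2024-01-02-120000", "2024-01-03-120000"))
    for s in (s1, s2, s3): (s / "docs").mkdir(parents=True)
    (s1 / "docs/notes.txt").write_text("draft one")
    (s1 / "docs/secret.txt").write_text("keep")
    (s2 / "docs/notes.txt").write_text("draft two")          # modified: new inode
    os.link(s1 / "docs/secret.txt", s2 / "docs/secret.txt")  # unchanged: hard link
    os.link(s2 / "docs/notes.txt", s3 / "docs/notes.txt")    # unchanged since s2
    (s3 / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
    return str(root)
```

On a real backup the inode test only holds where unchanged files really are hard links; adding a content hash column would make the version count independent of that assumption and would also expose timestamp tampering of the kind the reply suggests testing for.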