Forensic software o...
 
Notifications
Clear all

Forensic software on a Macintosh computer

5 Posts
5 Users
0 Likes
564 Views
(@hassman)
Posts: 3
New Member
Topic starter
 

Hello all,

My question is this. Will any forensics software run on a Macintosh computer? I am new to the Mac world and was just wondering.

Thanks,

Tom

 
Posted : 06/12/2004 6:11 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Not that I know of. Most COTS forensic tools (EnCase, FTK, WinHex etc) are Windows based and will not run on a MAC. The file system, and processor are completely different to a PC (generally MAC=Big Endian, PC=Little Endian).

I am not too sure whether the Linux/Unix based stuff will work (i.e. Smart, Sleuth Kit, etc). The MAC OS is similar to UNIX, so if any were to be compatible it may be these. Perhaps some MAC guru can answer this? They are very rare and exceptionally geeky animals to find in the wild 🙂

The MAC is an interesting and often overlooked system, with many inbuilt features that are very practical for Forensic work, for example, you can turn a MAC into a Firewire attached device in read only mode – 'Target Disk Mode', by pressing the ‘T’ key during boot. If attached to a Windows or Linux box, it displays as a storage device. This is an easy method of acquiring a MAC in EnCase (if you are perturbed at removing the HDD – which on some MAC computers and laptops is like open heart surgery).

There is always Virtual PC for MAC, which as a PC emulator/virtual environment for the MAC OS. You could use the Windows based tools in the virtual environment.

Take a look here for more info: -

http://homepage.mac.com/macbuddy/ForensicGuide.html

and here

http://www.blackbagtech.com/software.html

Andy

 
Posted : 06/12/2004 6:53 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not a MAC forensic analyst, nor do I play one on TV…however…

http://blogs.23.nu/RedTeam/stories/4977/
http://homepage.mac.com/macbuddy/ForensicGuide.html
http://lists.virus.org/macsec-0301/msg00000.html

Google is your friend!

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

 
Posted : 07/12/2004 3:17 pm
(@Anonymous)
Posts: 0
Guest
 

indeed. an intresting note as well, for those who aren't aware - os-x is based on bsd so essentially the door has been kicked down for several suites to be ported over.

I'm not a MAC forensic analyst, nor do I play one on TV…however…

http://blogs.23.nu/RedTeam/stories/4977/
http://homepage.mac.com/macbuddy/ForensicGuide.html
http://lists.virus.org/macsec-0301/msg00000.html

Google is your friend!

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

 
Posted : 07/12/2004 8:32 pm
gdominguez
(@gdominguez)
Posts: 3
New Member
 

Hi,

If you run win XP inside Virtual PC version 7 you can run EnCase and FTK. I am in the process of testing the differences in performance so I can't say how well it works as compared to a PC. I will post results in the near future.

BlackBag Technologies also has Mac based forensic tools.

Greg

 
Posted : 28/02/2005 2:42 am
Share: