Content of a folder... on a Mac

4 Posts
4 Users
0 Reactions
359 Views
(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
Topic starter  

How do you guys do a logical acquire of files and folders (i.e. a "content of a folder" type of acquire) on a Mac?

I tried using Disk Utility to create a read-only image from a folder, but the resulting image could not be read by EnCase or FTK.

I ended up doing a "CD/DVD Master" type of image within Disk Utility and it worked. All the timestamps were kept and the hashes match.

Do you guys see any type of problem with this technique or have something better to propose?

Thanks.

Pierre-Marc

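The two checks Pierre-Marc relies on (timestamps kept, hashes matching) can be made explicit and repeatable with a manifest of the source folder that is later compared against the copy. The script below is an added example for this thread, not code from the original post or from any of the tools named here; the function names, the dual MD5/SHA-256 digests and the small sample tree it builds in a temporary directory are all my own constructions. It also shows what the comparison catches when the copy is made without preserving metadata and one byte is altered.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB blocks so large items fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of one file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(root):
    """Walk `root` and record, per file, its relative path, size, modification
    time in nanoseconds and both digests. Symlinks are recorded, not followed."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()  # deterministic order makes two manifests comparable
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            st = full.lstat()
            entry = {"size": st.st_size, "mtime_ns": st.st_mtime_ns}
            if full.is_symlink():
                entry["symlink"] = os.readlink(full)
            else:
                entry["md5"], entry["sha256"] = hash_file(full)
            manifest[rel] = entry
    return manifest


def compare_manifests(source, copy):
    """Return a list of discrepancies between a source manifest and a copy manifest."""
    problems = []
    for rel, s in source.items():
        c = copy.get(rel)
        if c is None:
            problems.append(f"missing in copy: {rel}")
            continue
        for key in ("size", "md5", "sha256", "symlink"):
            if s.get(key) != c.get(key):
                problems.append(f"{key} mismatch: {rel}")
        if s["mtime_ns"] != c["mtime_ns"]:
            problems.append(f"mtime not preserved: {rel}")
    problems.extend(f"extra in copy: {rel}" for rel in copy if rel not in source)
    return problems


def demo():
    """Constructed sample: a small source tree, one metadata-preserving copy and
    one naive copy with a single byte changed. Returns both discrepancy lists."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "memo.txt").write_bytes(b"meeting notes, constructed sample\n")
        (src / "photo.bin").write_bytes(bytes(range(256)) * 4)
        for p in src.rglob("*"):
            os.utime(p, (1_300_000_000, 1_300_000_000))  # fixed timestamps for the sample
        source_manifest = build_manifest(src)

        good = Path(tmp) / "good_copy"
        shutil.copytree(src, good, copy_function=shutil.copy2)  # copy2 keeps mtime
        good_problems = compare_manifests(source_manifest, build_manifest(good))

        naive = Path(tmp) / "naive_copy"
        shutil.copytree(src, naive, copy_function=shutil.copy)  # copy drops mtime
        with open(naive / "photo.bin", "r+b") as fh:
            fh.write(b"\xff")  # alter the first byte of one file in the copy
        naive_problems = compare_manifests(source_manifest, build_manifest(naive))
    return good_problems, naive_problems


if __name__ == "__main__":
    good, naive = demo()
    print("preserving copy:", good or "no discrepancies")
    print("naive copy:", *naive, sep="\n  ")
```

Recording two digests per file sidesteps the "which hash?" argument raised later in the thread: an attacker would have to produce a collision for both algorithms at once, and the timestamp column documents whether the acquisition tool preserved metadata rather than leaving it to memory.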
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

What is 'Disk utility'?
I'm not a Mac user but is it a Mac application? I assume so.

Believe it or not, I am the 'Mac' guy in our office - not because I use a Mac (*nix rules - OK), but because I can read and understand the underlying data. Using a Mac to examine a Mac would seem to make sense, but there are some routines in Mac OSX that steadfastly refuse to render the underlying data in its basic form. For this reason I wouldn't trust a Mac to examine a Mac unless the application vendor could assure me that these routines have been circumvented. Rendering in some of the Windows Forensic tools is far better than using a native Mac (try X-Ways, it is brilliant in this regard). The open source hfstools (generally available in *nix distributions) is also a good alternative.

The crucial thing here is that you are using a process that YOU have faith in. At the end of the day, it will be you standing in the witness box justifying the methods YOU have used, if YOU don't know how that happened, then I would love to be the opposition expert undermining your evidence, because I can (potentially) make you look foolish to the jury (or whomever is adjudicating matters of fact).

As an example, are you relying on hash matches? If so, what type? MD5 has proved to be unreliable, hasn't it? (see Wang et al.) (for those of you with a mathematical background I only insert this to provide a 'fog of war' argument) SHA1 was written by the same guy, surely this is compromised too? (another 'fog of war' argument).

Here is how I go about acquiring a Mac… (generally, specific instances may change my attack vector)
1) download a forensic distribution (caine 2.5.1 is my current favourite)
2) place the disk in the DVD drive and push it in as far as you can without feeling that you are breaking anything.
3) Press the 'C' button whilst powering the machine on to boot from the CD/DVD drive
4) Use caine to acquire the image to an attached hard drive (which I have mounted in rw mode)

Alternatives include
A) Ripping the Mac apart to access the drive and paying compensation to the owner because I ruined it.
B) Casting an appropriate spell and using magic ( This has never worked, but I keep trying)
C) Using the Mac OS or some application that relies on it, to acquire the hard drive [note I have never had to descend to this level]

I never acquire folders on any OS (Mac, Win or *nix) if I can help it because this is fraught with errors and completely reliant on the underlying filesystem and filesystem drivers for the OS that acquired it. My colleagues with a focus on eDiscovery may disagree and have completely different views, but as an examiner of dead machines (i.e. machines without any power currently attached) this is how I see the world…

Paul

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
 

"……MD5 has proved to be unreliable hasn't it?….."

No, it has not. Not yet. The birthday collision in the study of Wang et al. will not remove the use of MD5 in forensics, because:

1- MD5 is still secure against a brute force attack. It is computationally infeasible to modify the contents of a message such that the hash of the new message matches some predetermined hash value.

2- Changing one bit in the evidence will still cause a cascade effect that dramatically changes the MD5 hash result.

http://msn.iecs.fcu.edu.tw/report/data/ori_paper/2005-9-15/MD5%20collisions%20and%20the%20impact%20on%20computer%20forensics.pdf

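The second point above, that a one-bit change cascades through the whole digest, is easy to measure rather than assert. The following is an added example and not part of yunus's reply: it flips each bit of a constructed sample in turn and reports the Hamming distance between the original and modified digests. The function and sample names are my own, and the `algo` parameter lets the same check run against SHA-1 or SHA-256 for comparison.

```python
import hashlib


def flip_bit(data, bit_index):
    """Return a copy of `data` with one bit inverted (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def digest_distance(data, bit_index, algo="md5"):
    """Hamming distance in bits between digest(data) and digest(data with one bit
    flipped); also returns the digest length in bits for reference."""
    original = hashlib.new(algo, data).digest()
    modified = hashlib.new(algo, flip_bit(data, bit_index)).digest()
    distance = sum(bin(x ^ y).count("1") for x, y in zip(original, modified))
    return distance, len(original) * 8


# Constructed sample input; any byte string works.
SAMPLE = b"Constructed sample evidence text: invoice 2009-03-17 total 1,250.00\n"


def avalanche_report(data=SAMPLE, algo="md5"):
    """Flip every bit of `data` one at a time and return (min, mean, max) of the
    digest distances. A well-behaved hash sits close to half the digest length."""
    distances = [digest_distance(data, i, algo)[0] for i in range(len(data) * 8)]
    return min(distances), sum(distances) / len(distances), max(distances)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        lo, mean, hi = avalanche_report(algo=algo)
        bits = hashlib.new(algo).digest_size * 8
        print(f"{algo}: min {lo}, mean {mean:.1f}, max {hi} of {bits} bits")
```

The avalanche property is separate from collision resistance: it says nothing about whether two chosen inputs can share a digest, only that an accidental or deliberate single-bit edit to a fixed file cannot leave its hash unchanged, which is the property a verification hash in a report depends on.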
 lars
(@lars)
Eminent Member
Joined: 17 years ago
Posts: 31
 

Pierre-Marc,

If you have a Mac available, you can convert the .dmg file from Disk Utility to dd format, using this command in Terminal:

hdiutil convert some.dmg -format UDTO -o some.dd

BlackBag's MacQuisition is nice for both full images and targeted collections (where it can optionally guide the examiner through triage for particular apps and data types)

http://www.blackbagtech.com/forensics/macquisition/macquisition.html

Cheers,
Lars
