Hi guys,
New to this area. Would like your comments/advice. Currently looking at macforensicslab, macmarshall and blacklight. Any recommendations/reviews on the above software? Which is better?
Thanks in advance.
Greetings,
You probably should read Ryan's "Apple Examiner" site if you've not already done so.
http//
You should also consider native OS X. There are a lot of tools on a Mac, or that you can install on a Mac, that will help you analyze OS X systems.
FTK now has HFS and plist support, making it a viable option as well.
-David
I have all three. Blacklight is still really not fully developed, but I do like what they have done with it so far. Macmarshall is very good, but is more of an automated tool. It gathers a good amount of data. Macforensics Lab is probably the more mature tool of the three.
I agree with David that you should look at Ryan Kubasiak's Apple Examiner blog, as it is all there. My only other comments are that FTK 3.3 does an excellent job of processing and indexing Mac images. Also I would add that I have had great results using FTK for Mac for imaging Macs.
David
Been thinking a lot about this lately with the spike in Apple exams I have had of late.
Agree with David on both points.
Ryan's site is the go-to for Macs - this page
http//
I printed out and keep with Ryan and Jesse's book
http//
It's such a good checklist of things to initialize a Mac case.
Also recommend HFS+ for Windows http//
Just get a Mac. Mac Minis rule - tiny footprint and cheap. You can plug them in on your LAN and keep them on a desk or in a corner somewhere. You don't even need to have a monitor or keyboard - I remote in to it with LogMeIn Free (granted, I am going out and back into the network, but it just works fast and consistently).
To connect to your Win box's shares, get to know the UNC equivalent instead of browsing for shares through the Finder's GUI and "Network". I find the GUI does not always show the network hosts (too many variables to list), so
From "Finder->Go->Connect to server…" you can type in the host name or the IP address after "Server Address"
"smb://<host name or IP>" (without quotes)
Then "Connect" - enter your login creds and you should be asked what volume to mount. Note: On the Windows side, depending on flavor and policy set on your boxes, you might have to make some tweaks here and there to make the connection work (again, Win versions, client policies and Active Directory, if in place, will need to be accounted for). The good thing is that Macs play nice with SMB and you will be able to see your Win host's shares regardless of file system (FAT32, NTFS).
I use EnCase a lot and, after running the initial stuff to get case evidence set up (timezones, hash, sigs etc.), use the conditions to filter all the .plist (and .log) files to export out to a share that I can then see on the Mac. This way I can pop open the plists with Plist Edit Pro (
There are all the Mac analysis platforms listed above, but unless you have some better understanding of HFS, OS X artifacts and OS X versions you are still going to be coming up short on your analysis. All tools and procedures here are made without representation or warranty and are not all-inclusive - it's just a few things that work for me when doing Macs and might assist you.
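The export-then-inspect step described in that post (plists filtered out of the case and dropped on a share the Mac can see) can also be triaged without a GUI plist editor. The following is an added example, not code from the thread or from any of the tools named in it; it assumes the exported files sit under a directory reachable from the analysis box (a mounted share or a local copy) and builds its own sample tree with constructed file names and values so it runs offline.

```python
"""Triage exported .plist files from a Mac case export directory.

Added example (not from the forum thread). Assumes the plists were already
exported to a directory tree; handles both XML and binary plists and flags
files that fail to parse instead of aborting the whole walk.
"""
import os
import plistlib
import tempfile


def load_plist(path):
    """Parse one plist regardless of encoding.

    Returns (data, "xml" | "binary") on success, or (None, "error: ...") on failure.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    # Binary plists start with the 'bplist' magic; anything else is treated as XML.
    fmt = "binary" if raw.startswith(b"bplist") else "xml"
    try:
        return plistlib.loads(raw), fmt
    except Exception as exc:  # malformed or truncated plist: record, don't crash
        return None, "error: %s" % exc.__class__.__name__


def triage_plists(root):
    """Walk root and return {relative_path: {"format": ..., "keys": [...]}} for each .plist."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".plist"):
                continue  # .log and other exports are left for other tooling
            path = os.path.join(dirpath, name)
            data, fmt = load_plist(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            keys = sorted(data.keys()) if isinstance(data, dict) else []
            results[rel] = {"format": fmt, "keys": keys}
    return results


def build_sample_export():
    """Create a constructed export tree (sample data, not from any real case)."""
    root = tempfile.mkdtemp(prefix="mac_export_")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    # XML plist with constructed values
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"LastUpdate": "2011-01-01",
                       "RecentServers": ["smb://fileserver/cases"]},
                      fh, fmt=plistlib.FMT_XML)
    # Binary plist, the form most OS X preference files are actually stored in
    with open(os.path.join(prefs, "com.example.login.plist"), "wb") as fh:
        plistlib.dump({"AutoLogin": True, "User": "analyst"},
                      fh, fmt=plistlib.FMT_BINARY)
    # Deliberately broken file to exercise the error path
    with open(os.path.join(prefs, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")
    # A .log export that the triage should skip
    with open(os.path.join(prefs, "system.log"), "wb") as fh:
        fh.write(b"constructed log line\n")
    return root


if __name__ == "__main__":
    export_root = build_sample_export()
    for rel, info in sorted(triage_plists(export_root).items()):
        print("%-45s %-8s %s" % (rel, info["format"], ", ".join(info["keys"])))
```

Point the `triage_plists` call at the mount point of the share instead of the sample tree to get a quick inventory of which exported plists are binary, which are XML, and which ones need a closer look because they would not parse.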
Does it mean that macforensics is the best among all, followed by macmarshall and blacklight being the last?
Another option (and I'll get slapped wrists for suggesting this) is a Mac VM.
I've just finished getting one up and running (on both VMware and VirtualBox, which is free). It's fully working and I can see the network. The only problem so far is mounting an E01 file in Windows and seeing it that way. We also use MacDrive, which is pretty good for what it does for viewing HFS.
I know it's not the correct and fully "legal" way (even if you legally bought the OS X) but if you are on a tight budget and can't afford a Mac machine, it's an option to think about!
Also, we just got MacForensicLab and so far looks good and plugs into the VM nicely.
Hello to all,
First I have to humbly say thank you for all of the compliments to the website. It is much appreciated, and I thank all of you right back for making it what it is. The ideas come from your suggestions and direction.
With that said, let me try my hand at a bit of opining as well as sticking to NDA as appropriate. I am a beta tester for BlackBag Technologies so I cannot talk about what is to come, but I can say without getting in trouble that excellent things are in the next update.
Let's look at each of the 4 software packages mentioned, and then look at the overall analysis itself. First, let's look at FTK v3. It brought in a respect for the Mac on the Windows platform that didn't exist when v3 came out. It has excellent abilities to decode many of the native file formats of the OS X and HFS+ structures such as Safari history, SQLite v3 DB, PLIST files, etc. The downfall of any Windows product, though, is when you don't have a native feature built in and you need to "export" a file out for further analysis: you are exporting to Windows, where many qualities of the file are going to be lost. This gets even worse when we are talking about a file that is really a special folder, a "bundle". FTK v3 is a good choice, but I really like to advocate having a native platform available for analysis (i.e. use Windows to analyze Windows, use a Mac to analyze a Mac, etc.). Of course this isn't always necessary.
Next up, let's look at Mac Marshal. This tool is produced to be the closest you can get to automation as possible. It was never meant to be analytical. It does an excellent job at finding a wealth of data in its native locations. However, data outside of native locations or data that hasn't been programmed into Mac Marshal will not be found. So, use this tool as a preview of what is to come, but not a full story of what is on the Mac.
Next, BlackLight. BlackLight comes in Mac and Windows applications on the same dongle so you are able to analyze the Mac (OS X and iOS) data on either platform. This truly works out to be a boon. If you have a lab that is primarily Windows based, you are able to run the Windows build of BlackLight and begin the analysis. If and when you come to the point of needing OS X for further analysis, the case and case data is feature for feature compatible with the OS X version on the dongle and you can continue on OS X and use any features of that platform. In other words, you could export files or folders out of the case and use OS X to look at them natively and use OS X applications to work with the data you exported for further analysis. I personally find this to be a leading feature of BlackLight. Above and beyond all of these applications mentioned, BlackLight has the ability to analyze a live connected iOS device.
Lastly, MacForensicsLab. Currently, MFL is at version 3 and should see an update to version 4 with new features. I can't speak for the company on that, unfortunately. MFL v3 has always been a well-liked product on the Mac and it has especially shined in recovering deleted files and its flesh tone analysis features for reducing your image analysis casework. It is a full-featured analysis tool, although it does have fewer features than other packages offered currently.
With all of that said, and if you aren't sleeping, let me talk in general about case analysis briefly. I mentioned earlier about using the native platform for analysis. I am a strong believer in this for casework. At the end of every case, presentation of your product is likely the most important part of analysis. Utilizing a native environment and showing data as often as possible in a format that is easily recognizable by jurors, prosecutors, or counsel is important. Using email as an example, if you come across Mail.app data in your OS X based case, you certainly will have an excellent view of it within FTK v3. But, if you were on the Mac platform, how much better could that data look if you also were able to use Mail.app to open it and show it in its native format for display? You can't do that when you are using Windows. The same goes for any other data during the case analysis. OS X and the native apps will be the key for end result display, even if they aren't the only means for finding the data.
Thanks again for finding AppleExaminer to be a resource. Always happy to help out.
Ryan
I was told that MacForensicsLab version 4 is going to have a Windows user-friendly appearance.
Regards,
Chris Currier
Hey all, is http//
I've tried getting to it from my Korean ISP and also VPN'ing back to the USA.
Any help would be welcome…