I have been given a MAC iBook G4 to analyze. We know that the OS was reinstalled on 5/24/06 and that Microsoft Office 2004 was also installed on that date. I ran MacForensicLab on a forensic image of the iBook's 30GB hard drive and it discovered 197 salvageable file. I examined many of these files and several files catalogued by MacForensicLab as "RTF text" files appeared to me to have French language license related information (Would this be an indication that a French version of the OS was likely used for the install?). The have drive has no other applications or data on it. When I look at file/folder creation dates it is clear that the OS was installed on 5/24/06 and that the machine was last used on 6/19/06. It was turned on and unknown activities were done on 6/2/06.
Ideally we would like to know what was deleted from this system, the tool used for deletion, and when the deletion took place. In the LIBRARY folder, under the LOGS folder under the subfolder DIRECTORYSERVICE I pulled the file DIRECTORYSERVICE.SERVER.LOG into an editor. This file catalogued 3 startup dates for directory services 2.1 (v351.13) 5/24/06, 6/2/06 and 6/19/06.
Does anyone have any recommendations for what to look at on the hard drive to learn more about what was done on this machine and when? Or suggestions of other tools to consider for examination/analysis of the hard drive.
Thanks,
Ron Kaplan