Is there any specific forensic tool for Mac OS data recovery and analysis?
I know I can clone and authenticate using X-Ways forensics but was curious to know if there is any specific tool for Mac OS.
Mac Forensics Lab - http://www.macforensicslab.com/
I am currently writing a presentation on Mac forensics, so ask if you need anything further
Blackbag Technologies - http//
They have a forensic suite specifically for Mac, also a 'MacQuisition Boot Disk'
I use both and they are very good
Regards
Paul
Mac Forensics Lab - http://www.macforensicslab.com/
I am currently writing a presentation on Mac forensics, so ask if you need anything further
Any chance of seeing it when you are done?
I have utilized the BlackBag Technologies products as well, and do recommend them if you use the Mac platform.
Regards,
farmerdude
I may be wrong, but I think FTK 2.0 can parse through an HFS/HFS+ volume. Of course, if you have it/can afford it I'd go with Blackbag or Subrosasoft.
For all Mac investigations we typically use blackbag and ASR Data's SMART.
I have yet to do any Mac acquisitions but given the new Intel Macs, wouldn't a bootable Linux distro work just as well? I've booted a live Ubuntu disc before (installing dual boot OS X and Ubuntu on my Intel MacBook Pro) and it seemed like I could just as easily boot Helix or another x86 Linux distro boot CD in order to make an image. I suppose I should just try it 😉
Seems better than a $300 boot disk.
Thoughts?
Greetings,
Imaging a Mac is pretty trivial. You can put a Mac into FireWire target mode.
Long explanation - http//
Short version - reboot, holding down the "T" key.
Plug your FireWire cable into a write blocker and away you go.
For analysis, Black Bag and Sub Rosa Soft.
If you just need to do data recovery, you can try UFS Explorer.
FTK 1.7 (Asia version) can handle HFS+ file systems. FTK 2.0 should but I've not tried it yet.
I did a complete analysis using standard Linux tools since the user spent most of his time using shells rather than the GUI and OS X applications.
-David