MacBook Examination...
 
Notifications
Clear all

MacBook Examination - hacking/tracking/viruses etc.

fuzed
(@fuzed)
Member

Hi guys,

I've got a forensic image of a device that is said to have been hacked and or, is being tracked, I need to examine it to determine if this is the case, any thoughts on a way forward.

I have access to IEF and EnCase, however I know I can't mount the device using MIP on my desktop and scan for viruses as I use a Windows machine.

I have some Hash Sets, but not sure where I can get upto date ones for hacking tools, viruses etc?

Any help appreciated.

Thanks

Quote
Topic starter Posted : 29/09/2016 3:35 pm
hommy0
(@hommy0)
Member

You could try using the "Mount as Network Share" feature in EnCase. This will present the complete volume or folder as a Read-Only network share and hence should be readable in Windows.

I have used this previously with a HFS+ Mac image and could view the folder structure and open files, but have not run a virus scan - so cannot comment on the success when checking for viruses.

However if you have EnCase 7 or 8 this feature is included in the product, so worth a try.

Alternativley try 3rd party Windows software that allows reading HFS+ on a Windows machine. You could then use MIP or EnCase's Mount as Emulated Disk.

ReplyQuote
Posted : 29/09/2016 4:07 pm
passcodeunlock
(@passcodeunlock)
Senior Member

First of all check the forensic image type, so you would know what tools you need to open it.

I recommend Paladin 7 or Kali Linux bootable live medias to mount the image partitions and analyze your data.

ReplyQuote
Posted : 29/09/2016 4:10 pm
Share:
Share to...