MacBook Examination - hacking/tracking/viruses etc.
I've got a forensic image of a device that is said to have been hacked and or, is being tracked, I need to examine it to determine if this is the case, any thoughts on a way forward.
I have access to IEF and EnCase, however I know I can't mount the device using MIP on my desktop and scan for viruses as I use a Windows machine.
I have some Hash Sets, but not sure where I can get upto date ones for hacking tools, viruses etc?
Any help appreciated.
You could try using the "Mount as Network Share" feature in EnCase. This will present the complete volume or folder as a Read-Only network share and hence should be readable in Windows.
I have used this previously with a HFS+ Mac image and could view the folder structure and open files, but have not run a virus scan - so cannot comment on the success when checking for viruses.
However if you have EnCase 7 or 8 this feature is included in the product, so worth a try.
Alternativley try 3rd party Windows software that allows reading HFS+ on a Windows machine. You could then use MIP or EnCase's Mount as Emulated Disk.
First of all check the forensic image type, so you would know what tools you need to open it.
I recommend Paladin 7 or Kali Linux bootable live medias to mount the image partitions and analyze your data.