Morning All,
Just getting into examining Macs using EnCase 6.19.4 (The EnC 7 Licence is firmly in the bottom drawer), Emailchemy and a Mini-Mac. I have recently completed GS's Mac Course (which was excellent, by the way, but has not tempted me to have another go with EnC 7).
I was looking for some feedback on what tools others are using to examine Macs that might improve/enhance my first fumbling steps into the field.
Any/All comments and suggestions welcome.
FTK is very good for examining the OSX operating system.
Although, you can download a free PLIST reader for Windows.
Thanks for the reply Dill, I have requested funding for the software and training but that is likely to be a big fat no. No-one else in the office has had any FTK training since V1.x as it fell into disrepute with V2, which came out as I arrived, hence I have no training whatsoever with FTK.
I have the Windows Plist reader, scalpel and photorec but always interested to find out what everyone else is using.
For LE I would also recommend MacMarshal from ATC-NY. It is free for LE and they will provide free training on how to use it. I was using MacMarshal before FTK3 came out to process Macs. ATC-NY also has another great free LE tool called P2PMarshal for processing P2P cases.
File Juicer. http//
Sumuri's Paladin (Intel versions get both v1 and 2).
Forward Discovery's Raptor (PowerPC version).
I'll second MacMarshal.
MacOSX
Learn the terminal command line, specifically with regard to obtaining disk information, hashing, imaging, showing hidden files, and disk arbitration.
Be familiar with sudo use in the command line.
Be familiar with Inspector/GetInfo.
Hopefully your training covered these.
Be sure to check out
Regards,
Chris Currier
+1 on
Consider looking at the products and training available from BlackBag Technologies (