My agency just purchased a Mac Pro for computer forensics work. I am relatively new to the OS X system and wanted to know what other examiners are using as analysis software. I currently use FTK and EnCase as examination software and would like to know what is comparable to these two products for the Mac.
A very similar thread can be found at http://www.forensicfocus.com/Forums/viewtopic/t=8966/
ro63rt.sm1th, I saw that link, but that seems to mention examination of a Mac product. Although, I did see the link for Mac Forensics Lab, and will look into that further. Besides that, are there any others worth looking into that will run on the Mac OS?
Blackbagtech - Blacklight is pretty good.
For using Windows based tools install VirtualBox and you can load up the usual (XWays, etc.)
mrpumba
If you are looking for forensic tools to run in the MacOS on your MacPro, I again refer to the posts in the other thread. You will need to research those tools to determine what systems they are capable of examining. Some, if not all, of the tools mentioned can be used for examining systems other than MacOS.
Alternatively, you can run Windows or other operating systems of your choice using bootcamp or a VM. This will allow you to install forensic tools that have not been ported to natively install on the MacOS (EnCase, FTK, X-Ways, etc).
I do not know who first made the connection, but I have found it to be very helpful…
When examining a Mac device, use a Mac and related tools to conduct the examination. Likewise with Windows or any other OS.
I have BlackLight and Mac Forensics Lab. I really like BlackLight, and it's much more user-friendly. Also, if you are LE you can get some free Mac tools through acesle.org and Mac Marshal.
Noted, ro63rt.sm1th. darin2, I just picked up P2P and Mac Marshal; I'm working on the use of those programs. I will also check out BlackLight and see what that has to offer.
As was mentioned, that link has some good info.
What I can tell you is that File Juicer is like magic. Magic, I tell you. I would suggest you download the demo and just toss a zip file into it and watch as it parses out everything. I have dropped iPhone backup files into it and it produces a long HTML index file of all the images; basically it's a long sheet spread out horizontally that you can just scroll through. Again, a great way to quickly see what might be on a phone backup.
Mac Marshal is only for LE, so you might be out of luck with that if you're not LE.
BlackLight is good and it's a Mac forensic tool. The training is great and it's one of the best ways to look at an Apple product. Not the only way, but again it's a Mac tool for Mac and iOS devices.
The one good thing I find is that if you're using EnCase you can put EnCase into a VM and then just share a folder with the Mac, so all you need to do is pull files from your VM into your share and then work on them with the Mac as needed, e.g. using File Juicer or sorting out some plists. You can use FTK, but of course it has to be 1.8.
Another good thing is that the Mac is very friendly with printing items out to PDF. So you could export all your documents from a case and then just print them all to PDF. Of course you could do that with anything. You could convert emails to mbox with Emailchemy and then print them to PDF as well. So there's no worrying about giving someone emails that require some sort of client or look odd in Notepad.
Also, viewing videos on a Mac is very helpful. It is similar to looking at images. Again, a quick way to scrub through videos when needed.
Another solid thing about running your forensic tools on a Windows VM on Mac OS is, of course, less of an issue of cross-contamination.
ATM I have a MacBook Pro that I use Boot Camped and set up as a forensic laptop for field work. I boot up to Mac and run on the VM unless I need to use FireWire or come across something I feel is not working right with the VM; then I have to reboot into Windows on the laptop. Best of both worlds. Again, some tools do not work in a VM environment, so I have no choice.
I have a backup of the VM in case the original gets infected or corrupted. I have an image of the whole drive in case the drive just crashes.
On top of this, I believe that there is a way to make a VM of your Mac as well. I believe it pretty much says so on VMware's site. So on the other side you could probably do the opposite: drag stuff into a Mac VM and run Windows natively when needed, but again parse something out with a Mac tool when needed.
Without a doubt you're going to have to get more personal with the Mac to see all it can do. But we have discovered that there are several things that are just native to the Mac that help out. If there is one thing I can say I like most about the Mac, it is the print-to-PDF option.
The one thing I will say is make sure you have a laptop with Windows on it that is not a Mac. I have seen some tools that just do not work on Apple architecture for some reason. They want what many would consider a Windows machine, e.g. a Dell or Gateway box. IXAM is one such tool.
Hope this helps you out.
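The File Juicer behaviour described in the post above (drop an archive in, get every embedded image back plus an HTML index you can scroll through) can be reproduced with a small carver that keys on file signatures rather than extensions, so renamed images are still found. This is an added example, not File Juicer's code or the poster's; the archive contents are constructed inside the script (including an image hidden under a .bin extension and a duplicate image), and the helper names sniff, carve_images, write_index and run_demo are my own. Each carved file is also SHA-256 hashed, so the index doubles as a manifest.

```python
"""Carve images out of a zip by magic bytes and write an HTML contact sheet.
Added example for the thread above; not File Juicer's code."""
import hashlib
import html
import io
import os
import struct
import tempfile
import zipfile
import zlib

# Leading-byte signatures we recognise; the member's extension is ignored.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(data: bytes):
    """Return the image type implied by the first bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def carve_images(zip_bytes: bytes, out_dir: str):
    """Walk every archive member, keep those whose *content* is an image,
    write each out under a hash-derived name and return the records."""
    os.makedirs(out_dir, exist_ok=True)
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = sniff(data)
            if kind is None:
                continue
            digest = hashlib.sha256(data).hexdigest()
            # Hash-based names are filesystem-safe and collapse duplicates.
            out_name = f"{digest[:16]}.{kind}"
            with open(os.path.join(out_dir, out_name), "wb") as fh:
                fh.write(data)
            records.append({"member": info.filename, "type": kind,
                            "size": len(data), "sha256": digest, "file": out_name})
    return records


def write_index(records, out_dir: str) -> str:
    """Write a single-row (horizontal) HTML sheet of thumbnails; return its path."""
    cells = ["<td><img src='{f}' height='120'><br>{m}<br>{t}, {s} bytes<br>"
             "<code>{h}</code></td>".format(f=html.escape(r["file"]),
                                             m=html.escape(r["member"]),
                                             t=r["type"], s=r["size"], h=r["sha256"])
             for r in records]
    page = "<html><body><table><tr>" + "".join(cells) + "</tr></table></body></html>"
    path = os.path.join(out_dir, "index.html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(page)
    return path


def make_png_1x1() -> bytes:
    """Build a valid 1x1 red PNG in memory (constructed sample, not evidence)."""
    def chunk(tag, body):
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + RGB
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample_zip() -> bytes:
    """Constructed archive: two images, a GIF hiding as .bin, a text file,
    and a duplicate PNG, to exercise the carver."""
    png = make_png_1x1()
    jpg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # 22 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/a.png", png)
        zf.writestr("photos/b.jpg", jpg_stub)
        zf.writestr("notes/readme.txt", b"nothing to see here")
        zf.writestr("misc/data.bin", b"GIF89a" + b"\x00" * 20)
        zf.writestr("copy/a_again.png", png)
    return buf.getvalue()


def run_demo(out_dir=None):
    """Carve the constructed archive and return records plus the index HTML."""
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="carve_")
    recs = carve_images(build_sample_zip(), out_dir)
    with open(write_index(recs, out_dir), encoding="utf-8") as fh:
        page = fh.read()
    return {"records": recs, "index_html": page, "out_dir": out_dir}


if __name__ == "__main__":
    result = run_demo()
    for r in result["records"]:
        print(r["member"], r["type"], r["size"], r["sha256"][:16])
    print("index written to", result["out_dir"])
```

Swap build_sample_zip() for the bytes of a real archive (or an unzipped iPhone backup walked with os.walk) to use it on a case; the signature table is deliberately short and should be extended for whatever types matter to the examination.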
I have 3 of those under my desk now.
I just removed the HD that came with it and put it aside, to use for my Mac cases.
I then put in new drives and installed Windows 7 Ultimate and off we went.
I also beefed the RAM as high as I could afford.
No issues whatsoever running Windows on the Mac. That is one of the primary machines we use, and we all have basically the same setup with FTK 3 and EnCase installed.
We use a three drive install to separate out the functions of the OS, pagefile and temp file for FTK. Then our evidence drives are additional.
Cheers
What Bobby said…
Also really depends if you are using the Mac as an:
- Acquisition platform
- Examination platform
If exam: to examine Mac, iOS, *nix, Win?
For acquisitions you have some limitation on the external attachments, as there are no (affordable) Thunderbolt docks at this point. The option of FireWire and USB 2 leaves much to be desired.
For Mac exams you really can't beat Mac-on-Mac sexiness. Several of the tools cited work really well, BlackLight being the most robust IMO. If you are doing iOS acquisitions and examinations, free tools like Lantern Lite rock for acquisitions and the exam tool is priced moderately.
The OS X platform is also very friendly for programming languages.
Boot Camp and VMs work really well if you want to nest in Windows as well.
Tools are tools - YMMV. So you are at point A - MacBook in hand, where is point B - what you want to accomplish?