Manual
Overview
System Requirements
Installing MacForensicsLab
Case Preparation
Core Functions
Bookmarks
Examiner Notes
Reporting
Keyboard Shortcuts
Uninstalling MacForensicsLab
Glossary
Copyright Notice
Trademarks
This lesson provides an overview of MacForensicsLab, its features, functionality and design.
Welcome to MacForensicsLab Incorporated. If this is your first time using MacForensicsLab software,
be assured you made the right decision. MacForensicsLab Inc. is the world-wide leader in
Macintosh-based forensics, with many federal, state and local law enforcement organizations around
the globe using our software. In addition, MacForensicsLab software is used by our military, intelligence
community, and many privately owned and operated organizations seeking a powerful and innovative
forensic solution.
As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only
meet and exceed your expectations but that change the way modern computer forensics are
performed. Traditional computer forensic software development has mirrored the needs of traditional
law enforcement by developing a solution only as a problem presented itself. In doing so, law
enforcement is left without a timely answer to its technological dilemma. When the momentum of an
investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims
are left needing resolution or, worse, new victims are created. MacForensicsLab Inc. seeks to change
that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs
and anticipate problems through the use of intelligent, proactive development.
MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too
often, forensic examiners are understaffed and overworked, making the environment ripe for case
backlogs and an increasing potential for errors. In an effort to minimize these conditions,
MacForensicsLab Inc. leverages technology and technological advancements to reduce mistakes
while maximizing the efficiency and effectiveness of its users, so that more gets done with fewer
errors.
MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a
Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design
and a feature-rich environment. It is capable of performing all aspects of the forensic process on any
filesystem the system bus can recognize; these filesystems include NTFS, UFS, HFS, HFSPlus, ext2,
ReiserFS and many more.
MacForensicsLab has been designed, from the ground up, to be a powerful easy-to-use forensic
solution. A vital component in achieving this is the software's GUI (Graphical User Interface). The
interfaces of many modern forensic solutions contain 15 or more buttons, making them difficult to use
and, due to the crowded space, somewhat overwhelming for the user. By contrast,
MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition,
these buttons are laid out in an order that if followed from one to the next will guide the examiner
through the completion of an entire forensic examination.
The second aspect concerning the design of MacForensicsLab is automation. The automation of tasks
has changed the world. First, the Industrial Revolution was marked by automation of the blue collar
workforce, changing the way manufacturing was done. In the Information Age, this automation is seen
through computers performing complex repetitive tasks. In computer forensics, this automation refers to
leveraging the computer to collect and collate data so the examiner can analyze the data.
MacForensicsLab is unique in that it excels at this, allowing the examiner to perform the vital tasks of
analysis, thus providing context to the computer findings. This concept is readily apparent in the
Browse and Audit functions, described below.
Another aspect of MacForensicsLab's design is fault tolerance. Unique within the industry,
MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations, as
well as instant writes to the system: since it is a database-driven application, there is no need for
interval-based saving, which inevitably results in data loss.
Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern
computer forensics is one of increasing complexity. As such, no one solution provides all the answers
to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use the results of
MacForensicsLab with other tools. The use of OpenISO imaging and HTML reporting are just two
examples of how MacForensicsLab strives to work well with other tools to assist in accomplishing the
mission of the forensic examiner.
Now that we understand the basic design features of MacForensicsLab, let's take a minute to
familiarize ourselves with its core functionalities.
The ‘Acquire’ function uses an intelligent algorithm to recover mechanically sound and faulty drives.
Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the
best chance of recovering evidence to a forensically sound, open-format, industry-standard
disk image for further data salvage and analysis.
The ‘Search’ process examines logical directory structures and files to bookmark files of interest,
helping to zero in on any suspect material. Comparisons can be made against a database of hash
values for known good, or known suspect content. MacForensicsLab creates a list of catalog
information, MD5, SHA1, and SHA256 checksums, as well as other basic file information, using
pre-specified search terms and filters.
The ‘Analyze’ function enables an investigator to examine the contents of files in Hex and Native
modes. ‘Analyze’ allows the investigator to search unallocated space for specific terms and items
including keywords, hex strings, credit card numbers and social security numbers; scanning file sectors
at blazing speeds that no other package can approach.
MacForensicsLab’s ‘Salvage’ functionality is fault tolerant and thorough by design, making it the most
powerful data recovery engine on the market. The 'Salvage' function recognizes over 100 file types
and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital
The ‘Browse’ function allows the investigator to quickly and easily thumbnail and preview graphic
images and their metadata. MacForensicsLab was the first forensic software application to contain a
built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of
thousands of image files to locate files of investigative interest, which are easily bookmarked and/or
exported for further action.
The ‘Audit’ function quickly and efficiently collects and collates operating system artifacts and user
preferences, to include cached internet history and bookmarks, Instant Messaging buddy lists, WiFi
Access Points, Address Book information, iPhone information and much more. In doing so, the 'Audit'
feature enables the examiner to keep the investigative momentum while allowing for further in-depth
analysis.
The 'Hash' function allows the examiner to perform an MD5, SHA1 and SHA256 hash on any given file
located on the volume while exporting the results with the full path to a text file for easy reference.
This lesson covers the basic and recommended system requirements for successfully running
MacForensicsLab. Modern forensic processes require not only powerful systems to process the
massive amount of data, but a scalable solution designed to harness the system resources for greater
speed and increased functionality. A database solution provides such potential. Since
MacForensicsLab is database driven, the performance of the software is greatly influenced by the
performance of the computer that is being used to perform the investigations.
-Apple MacPro (2.66 GHz Quad Core Intel Xeon "Nehalem" processor or better)
-Mac OS X (version 10.5 or newer)
-8GB of RAM
-1TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-FireWire 800 <-> ATA/SATA hardware write blocker
-1 x USB 2.0 Port + HASP license dongle (supplied with MacForensicsLab)
Additional Considerations
Providing the system with more resources and faster equipment, such as a faster processor, more RAM
and a faster, larger hard disk drive, will improve the performance of MacForensicsLab wherever data
reading, calculation and verification functions occur.
The database/logging functionality is best performed with the fastest possible network interface when
working with a centralized network database server.
This lesson demonstrates how to install MacForensicsLab for the upgrade from 2.5.5 to 2.9.
To install the latest version of MacForensicsLab, open a web browser and navigate to the
MacForensicsLab web site: http://www.MacForensicsLab.com. Once on the main webpage, select the
"Upgrades" link.
The Upgrades page allows a user to select the version of MacForensicsLab they wish to download.
Once the correct version is located, select the link (highlighted in blue).
The download page will present the above image. To begin the download, click on the image.
Downloaded Archive
The file that downloads is a .zip file that will be uncompressed automatically by the operating system
and will appear in the Downloads folder as a folder titled: MacForensicsLab.
Open the folder where MacForensicsLab was downloaded (by default this is the Downloads folder).
To install MacForensicsLab, simply drag the MacForensicsLab folder into the Applications folder. The
application is now ready to be run for the first time.
This lesson demonstrates how to run MacForensicsLab for the first time.
Opening MacForensicsLab
Navigate to the Applications folder and open the MacForensicsLab folder by double clicking on it.
Launch MacForensicsLab
The first time MacForensicsLab is launched, a warning banner will appear informing the user that the
application was downloaded from the Internet. Select "Open."
Once the MacForensicsLab application is launched, the Preferences Pane will open. In order to
successfully run MacForensicsLab, the Preferences Pane must be filled out.
In this example we will configure a Local File database (this means the database file will be resident on
the local machine and not connected remotely to a database). The "Database" tab in the upper left of
the window is selected (1), then select the "Local File" (2), next select "Create" (3).
Once the "Create" button is selected in the previous step, a navigation window appears. The navigation
window allows the user to select the location of the database file. By default the file is named
"MacForensicsLab Database.rsd" (1) and is located in the Documents folder (2), then select "Save."
The next tab to configure in the Preferences Pane is the "Examiners" tab. Select the "Examiners" tab
(1). To add an examiner, select the "+" radio button on the left (2). Once the radio button is selected an
Examiner window will open.
Fill out the fields to complete the Examiner window, then select "Save."
The Preference Pane appears and the new examiner information can be noted.
To add a new case to the database, select the "Cases" tab (1) along the top of the window. Add a case
by selecting the "+" radio button in the lower left (2). Once the radio button is selected a case Details
pop-up window will appear.
The Case Details window allows the user to enter case details.
In the Case Details window enter the case number or Case ID (1) and a description of the case (2).
Once completed, select "Save" (3).
Once the "Save" button is selected in the previous step, the user is returned to the Preferences Pane.
Be sure to highlight the new case, as seen above.
The purpose of the E-Mail pane is to enable the user to be notified upon completion of tasks being
conducted by MacForensicsLab.
Complete all requisite information and select "Test:" (1) to ensure the connection is properly configured.
Once the test is successful, select the "Continue" button (2).
Authenticate MacForensicsLab
Enter the admin password (1) and then select "OK" (2).
Disk Arbitration
To complete the configuration of MacForensicsLab in preparation for running it for the first time, the user
needs to decide whether to ignore disk arbitration (leaving it enabled) or to disable it. The user should
only disable disk arbitration if he/she intends to create a forensic image from the suspect's media. Once
either the "Ignore" or the "Disable" buttons are selected, the main window of MacForensicsLab opens.
This lesson will discuss how to prepare for a case using MacForensicsLab.
Overview
During the course of using MacForensicsLab the examiner will come across a range of different
suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access
settings. It is therefore important to ensure that the investigator understands how each of these varies
and how the computer interacts with them.
Before connecting any device to the workstation it makes sense to assume that the device, image or
media may be written to and therefore should be handled with the utmost caution.
In Mac OS X there are a couple of ways in which to handle the issues of possibly tainting and
overwriting data on the suspect drive or device. The first is ‘Disk Arbitration’ and the second is ‘Write
Blocking’. It is also a MUST for the investigator to have a secondary “Work Drive” onto which case data
can be saved, and which will of course have been pre-cleared. This avoids the chance of overwriting
possible evidence and thus losing and/or tainting it.
Whether at start-up or when connecting a suspect device via any data bus (FireWire, USB, ATA) on
your Macintosh Workstation, OS X is notified and will immediately look for mountable partitions on the
device.
If detected, it initiates the mount and the disk’s internal arbitration tables are updated with the
necessary information to work with the system. Having mounted, the Finder is updated with the
information and the volume(s) appear on the desktop. Any other applications that may have subscribed
to disk arbitration notifications are also updated in a cascade effect.
In addition, to help avoid these issues, as MacForensicsLab reaches the ‘Main’ window it always
automatically prompts the investigator to ensure that Disk Arbitration is enabled or disabled, per his or
her desired behavior.
As the investigator quits MacForensicsLab, a similar prompt will ask whether he or she wishes to
enable disk arbitration again.
As the investigator will hear over and over, when working with a suspect drive he or she will want to
avoid every single chance of tainting the data on it. MacForensicsLab works effectively with all
available write blocking hardware on the market, and we recommend that investigators use such
devices when performing forensics on suspect drives. SubRosaSoft, Inc. also carries an optional
hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site
http://www.subrosasoft.com for more information, or contact us via email: sales@subrosasoft.com; or
telephone: +1 (510) 675 0681.
It is essential that, before the investigator uses any drive for storing the results of an investigation,
the drive has been cleared properly. This means that the work drive has been formatted with at least
a single pass of zeroing data.
To clear the work drive, select a partition of the designated drive in the ‘Devices’ pane of the ‘Main’
window. Having done this, select “Clear work drive” from the File menu. A confirmation window will
come to the fore, which the investigator should accept, after which the ‘Shred’ window will come forward.
The window contains a slider with which the investigator can set the number of passes required to
clear the drive. To speed up the process, the investigator also has the option to shred only
“Free Space”, so that only the available space on the partition will be cleared. Having set this, simply
click Start and the clearing procedure will begin. If the investigator picks the wrong partition, and/or
decides to stop, simply clicking Close makes the ‘Shred’ window disappear and returns him or her to
the ‘Main’ window.
MacForensicsLab provides the investigator with quick access via the Window drop menu, or keyboard
shortcut [Apple Key] + [t], to a terminal window, so that he or she does not have to leave
MacForensicsLab in order to run commands through another Terminal application.
This section will outline the core functions of MacForensicsLab for further, detailed discussion.
-Preferences Window
-Main Window
-Acquire Window
-Search Window
-Analyze Window
-Salvage Window
-Browse Window
-Audit Window
-Hash Window
-Bookmarks & Notes
-Database Window
This lesson will cover the Preferences Window settings and configuration.
Overview
The ‘Preferences’ window allows the examiner to set up and manage both individual cases and
examiners within MacForensicsLab. In addition, it enables the examiner to configure MacForensicsLab
database settings and even configure an e-mail based notification feature.
The ‘Preferences’ window will, by default, appear at start-up once the MacForensicsLab splash screen
has disappeared. To return to the ‘Preferences’ window after progressing to the ‘Main’ window, the
examiner must select “Preferences” from the MacForensicsLab application drop menu, or use the
keyboard shortcut [apple key] + [comma]. In order to disable the ‘Preferences’ window from appearing
at start-up the investigator should deselect the “Show this window at start-up” check box in the bottom
left hand corner of the window.
The Preference Window has four sections, each containing its own preference information. The four
sections are: Database (1), Examiners (2), Cases (3) and eMail (4).
MacForensicsLab allows the examiner to harness the power of a database solution without having to
associate with a remote database. The creation of a local database file enables examiners to take
advantage of a database while not requiring the infrastructure incurred with larger solutions.
To create a local database file, select Local File (1), and then "Create." (2)
Once you select "Create" in the previous step, a navigation box will appear allowing the examiner to
select the location of the local database file (by default the file is placed in the Documents folder and
named MacForensicsLab Database.rsd).
Once the examiner has chosen a location for the Local Database file to be stored, they are returned to
the Database Window, where the path chosen is displayed (1).
If the examiner has access to a REAL SQL database, then MacForensicsLab allows for seamless
integration. Select the REAL SQL tab (1). Then, by filling out the form fields (2) and selecting the
"Connect" button (3), the examiner will be able to take advantage of the power of the REAL SQL
database.
If the examiner has access to a MySQL database, then MacForensicsLab allows for seamless integration.
Select the MySQL tab (1). Then, by filling out the form fields (2) and selecting the "Connect" button (3),
the examiner will be able to take advantage of the power of the MySQL database.
Select the Examiners Tab (1). The Examiners Tab is where an examiner enters their identifiable
information. By default, there is a "Default" examiner (2). To add an examiner, select the "+" radio
button (3) and a pop-up window will appear.
The pop-up window allows the examiner to enter specific information by filling out the form fields (1). It
should be noted that these fields can be changed at any time by selecting the "edit" button from within
the Examiner's tab. Likewise, it is important to note that none of these fields are required.
Once the examiner specific form fields are filled out, select the "Save" button, thus returning the
examiner to the Preferences Window.
The user information entered will be reflected under the Examiners Tab (1), which is where you will be
automatically returned to upon selecting "Save" in the previous step.
To add a case, select the "Cases" Tab (1) from the Preferences window and select the "+" button (2).
Once selected, a pop-up window will appear.
The Case Details window has two sections, the Case ID (1) and the Description (2). The Case ID
represents a field where the examiner would enter the case number. The Case Description field is a
simple text field enabling the examiner to input additional case information.
Upon completing the previous step, the examiner is returned to the Preferences Pane, wherein he/she
can verify the correct case is selected (1).
By selecting the eMail tab (1), filling out the form fields (2) and testing the connection (3), the
examiner is able to receive notification when MacForensicsLab has completed its current
process. Once configured, press "Continue" (4).
This lesson will describe the layout and functionality of MacForensicsLab's Main Window.
Overview
The ‘Main’ window is the starting point after accessing a case and provides the investigator with a
detailed view of the system, any devices or disk images attached to it and their directory and file
structure. It is from the ‘Main’ window that the investigator will gain full access to the wide array of
functions and features that MacForensicsLab provides, each of which will be covered in subsequent
chapters of this manual.
When working with the ‘Main’ window, the investigator should maximize the view of the window either
by clicking the green maximize button at the top left of the window, or by using the resize handle at the
bottom right. Such a move will lessen the need to scroll up and down the various panels.
In the Main Window, there are two buttons: "Devices" (1) and "Files" (2). As depicted above the Device
button lists all devices (with their respective partitions and volumes) attached to the machine in the
leftmost pane (3). When a device is selected the corresponding device details appear in the Explorer
portion of the window (4).
When the Files Tab (1) is selected the leftmost portion of the window lists shortcuts (2) to volumes and
user folders, with the Explorer portion of the window (3) allowing for viewing of the directory structure
and individual files, along with their corresponding information (such as date/times, permissions, etc.).
The ‘Buttons’ panel provides the examiner with access to selected core functions of MacForensicsLab.
Each button in turn will be highlighted and accessible, or greyed out and disabled, dependent on the
item selected by the examiner in either of the ‘Access’ panels.
Overview
MacForensicsLab can work with original devices and media, as well as disk image copies of these
same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect
drive is protected, by allowing the investigator to create a disk image for analysis and investigation.
In performing the acquisition scan, ‘Acquire’ benefits from a number of features. These include
checksum hashing for validation, the ability to create a separate golden master, the ability to create a
smeared image in an environment where a volume cannot be unmounted, segmentation for ease of
backup to alternative media, and proprietary fault-tolerant bad block recovery to work around faults,
thus allowing the examiner to create disk images from damaged media or resume a previous acquire
attempt that failed due to faulty media and/or electrical shortages.
When creating a disk image, the investigator can do so directly from either a partition or device, though it
is recommended that copies be made of an entire device rather than of individual partitions.
Having selected the respective device or partition from the ‘Device’ panel the examiner must press the
Acquire button, bringing the function window to the fore.
Segment Size - This refers to the amount of data on each acquired image, thus allowing the
investigator to separate his or her acquisition into multiple images. Each segment can then be limited to
a specific data size, thus allowing for easier backup, for example, if the investigator plans to burn the
image to a set of DVDs. To do so the investigator need only select the “4.36 GB (DVD-R/DVD+R)”
option from the popup list.
Packet Size – Refers to data intervals at which MacForensicsLab will perform a checksum validation
on the data being written to the acquisition image. A lower setting means many more checksum
verifications are performed, thus improving overall data integrity but reducing the overall speed of the
acquisition.
Smeared Image – Allows the investigator to generate an image from a drive that cannot be unmounted,
or that he or she may not wish to unmount. This would apply, for example, when the investigator
wishes to acquire the main volume on an operational file server that cannot be taken offline to avoid
alerting users to the actions of the investigator.
Golden Master - In addition to the working copy, this option allows the investigator to save an extra
disk image copy for other purposes.
Resume a Previous Recover – Provides the examiner with the option to continue on from a previous
acquisition, if, for whatever reason, the prior acquisition process was interrupted. This means that the
‘Open’ dialog window rather than the ‘Save’ dialog window will appear when the acquisition is initiated.
Note: always be sure to save the disk image to a location other than that which one is creating an
image of. Also, make sure that the device one is saving the new disk image to has enough storage
space. The acquisition of a 60GB hard drive will require the destination disk to have a minimum of
60GB of free capacity.
Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to
unmount the selected volume or volumes of the selected device. A status bar then marks the progress
of the acquisition, along with a variety of other information. This information includes: checksum
mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity;
approximate current data transfer rate; and total time remaining till acquisition completed.
During the process of acquisition a DAT file is created in the same location as the image file, and
contains checksum data for the disk image. It is a small file, taking up less than 25 KB of space, and
is deleted after the acquisition process is complete.
Once the acquisition has completed, a dialog window will notify the investigator and provide an
error count. The investigator should simply take note of this and then close the dialog box by
clicking Close, returning to the ‘Main’ window. The disk image can then be found in the previously
specified location. By default the disk image file/segments will be locked, thus avoiding the opportunity
to further modify or to delete it/them.
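The acquisition behaviour described above (segment size, packet-level checksum validation, zero-filling of unreadable blocks, the sidecar DAT file and resuming an interrupted run), as an added Python illustration that is not MacForensicsLab's own code. The device is a constructed in-memory byte string, SHA-256 stands in for the unspecified checksum, and the `image.NNN` / `image.dat` file names and the `stop_after_packet` hook are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # bytes per simulated block (constructed assumption)


class SimulatedDevice:
    """Constructed stand-in for a suspect drive: raw bytes plus unreadable blocks."""

    def __init__(self, data, bad_blocks=()):
        assert len(data) % BLOCK_SIZE == 0, "demo device holds whole blocks only"
        self.data, self.bad_blocks = data, set(bad_blocks)
        self.block_count = len(data) // BLOCK_SIZE

    def read_block(self, n):
        if n in self.bad_blocks:  # a faulty sector surfaces as an I/O error
            raise OSError(f"I/O error reading block {n}")
        return self.data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def _segment_location(out_dir, block, segment_blocks):
    """Segment file and byte offset that hold a given device block."""
    seg_index, seg_offset = divmod(block, segment_blocks)
    return os.path.join(out_dir, f"image.{seg_index:03d}"), seg_offset * BLOCK_SIZE


def read_image(out_dir, first, last, segment_blocks):
    """Re-read blocks [first, last) from the segment files (used for validation)."""
    out = []
    for n in range(first, last):
        path, offset = _segment_location(out_dir, n, segment_blocks)
        with open(path, "rb") as fh:
            fh.seek(offset)
            out.append(fh.read(BLOCK_SIZE))
    return b"".join(out)


def acquire(device, out_dir, segment_blocks, packet_blocks, resume=False,
            stop_after_packet=None):
    """Image `device` into out_dir/image.000, image.001, ... and return a summary.

    segment_blocks and packet_blocks correspond to the manual's "Segment Size" and
    "Packet Size"; resume=True continues from the packets recorded in the sidecar
    .dat file ("Resume a Previous Recover"); stop_after_packet is a demo-only hook
    that simulates an interruption.
    """
    os.makedirs(out_dir, exist_ok=True)
    dat_path = os.path.join(out_dir, "image.dat")
    done = 0
    if resume and os.path.exists(dat_path):
        with open(dat_path) as fh:  # one line per validated packet
            done = sum(1 for line in fh if line.strip())
    elif os.path.exists(dat_path):
        os.remove(dat_path)  # fresh run: stale checksums would not line up
    total_packets = (device.block_count + packet_blocks - 1) // packet_blocks
    summary = {"completed": False, "packets_done": done,
               "bad_blocks": 0, "checksum_mismatches": 0}
    for p in range(done, total_packets):
        if stop_after_packet is not None and p > stop_after_packet:
            return summary  # simulated power loss; the .dat stays for a later resume
        first = p * packet_blocks
        last = min(first + packet_blocks, device.block_count)
        source = []
        for n in range(first, last):
            try:
                chunk = device.read_block(n)
            except OSError:
                summary["bad_blocks"] += 1  # log the fault, zero-fill, carry on
                chunk = b"\x00" * BLOCK_SIZE
            path, offset = _segment_location(out_dir, n, segment_blocks)
            with open(path, "r+b" if os.path.exists(path) else "wb") as fh:
                fh.seek(offset)
                fh.write(chunk)
            source.append(chunk)
        # Validate the packet: hash what was read from the source, re-read what
        # landed on disk, and count any disagreement as a checksum mismatch.
        expected = hashlib.sha256(b"".join(source)).hexdigest()
        if hashlib.sha256(read_image(out_dir, first, last, segment_blocks)).hexdigest() != expected:
            summary["checksum_mismatches"] += 1
        with open(dat_path, "a") as fh:
            fh.write(f"{p} {expected}\n")
        summary["packets_done"] = p + 1
    os.remove(dat_path)  # the sidecar is removed once acquisition completes
    summary["completed"] = True
    summary["segments"] = sorted(f for f in os.listdir(out_dir) if f.startswith("image."))
    return summary


def run_demo():
    """Constructed scenario: 16-block device, two bad blocks, interrupted then resumed."""
    data = bytes(range(256)) * (BLOCK_SIZE // 256) * 16
    device = SimulatedDevice(data, bad_blocks={5, 11})
    out_dir = tempfile.mkdtemp(prefix="mfl-demo-")
    first_try = acquire(device, out_dir, segment_blocks=4, packet_blocks=2, stop_after_packet=3)
    second_try = acquire(device, out_dir, segment_blocks=4, packet_blocks=2, resume=True)
    return first_try, second_try, read_image(out_dir, 0, device.block_count, 4), data
```

The second `acquire` call picks up at packet 4 because the first run left four validated packets in the sidecar file; the two unreadable blocks appear in the image as zero-filled blocks and in the summaries as the bad block count.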
Once an image file or segment thereof has been created, the investigator will want to prepare it for
analysis. In order to do this the investigator must attach the disk image and mount it in the Finder.
To access the disk image, whilst in the ‘Main’ window, select “Attach Disk Image” from the File menu,
or use the keyboard shortcut [Apple Key] + [t]; then navigate to the disk image in the open dialog
window that appears as a result, select the image file and then click "Open." Using this method avoids
the need to unlock and lock the image file from the Finder. After mounting disk images, the investigator
may need to force MacForensicsLab to rescan for new devices or images; this can be done either by
selecting “Rescan Bus” from the file menu, or with the keyboard shortcut [apple key] + [r].
To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window,
followed by “Detach” from the file menu. Alternatively, select the disk image in the main window and
Overview
The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to
scan a directory, gather evidence and bookmark that same data for later reference. This helps the
examiner to quickly and easily zero in on suspect material. In performing the function,
MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file
information and hash values as it scans.
The ‘Search Filter’ panel is the part of the ‘Search’ window within which the investigator may establish
criteria by which to filter the results of the search scan. Filters are based on standard file information,
such as, but not limited to: filename; size; date of creation.
The ‘Search Terms’ panel is the portion of the ‘Search’ window within which the investigator can
manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the
files being scanned. The investigator may also quickly and easily select either of two check boxes to
search for standard credit card and social security number formats respectively as well as being able to
import large databases of terms.
Browse Results
It is now possible to open the results of a searching procedure directly into a browse window making it
easier to manually review the results and to perform some manual bookmarking procedures to better
identify potential evidence for future reference.
Bookmarks Panel
When performing a search scan the investigator can use the options contained within the ‘Bookmarks’
panel to auto-generate bookmarks of matched items, and so make them available for easy reference at
a later date. The text area below the folder drop down is designed for comments or a description
pertaining to your customized bookmarks folder.
Hash Panel
The ‘Hash’ panel allows the investigator to define the auto-hashing options for a search scan. Options
include adding the hashed file values to the internal database, as well as the ability to export these to
an external log file.
Available ‘Search Filters’ include all those in the Log File Format Fields:
-Name
-Creation Date
-Modification Date
-Header
-CRC
-MD5
-SHA1
-SHA256
-Data Size
-Resource Size
-Owner
-Mac Creator
-Mac Type
-Absolute Path
-UID
-GUID
-Permissions
Each of these filter types can be applied against the following operators:
-Is Equal To
-Is Not Equal To
-Contains
-Does Not Contain
-Is Less Than
-Is Greater Than
-Is in database
-Is not in database
MacForensicsLab has the ability to handle filtering based on foreign multi-byte character sets such as
Russian, Arabic and Chinese, not just English.
To import a custom checksum database, simply click the Import button at the bottom of the ‘Search
Items’ panel. This will bring up an open file dialog box from which the investigator can locate and select
the required file. Upon import the information in the database file will populate the ‘Items’ pane.
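An added Python example, not MacForensicsLab's code, that models the Search scan as described above: the catalog fields and filter operators, an imported checksum database behind “Is in database” / “Is not in database”, HEX and UTF-8 term matching so that multi-byte scripts match like English, auto-bookmarking of hits, and the hash export line of hashes plus full path. The sample files, the `hash  path` checksum list layout and the export log format are constructed assumptions.

```python
import hashlib


def make_record(path, content, permissions="-rw-r--r--"):
    """Constructed catalog entry: the fields Search collects, plus the raw content."""
    return {
        "Name": path.rsplit("/", 1)[-1],
        "Absolute Path": path,
        "Data Size": len(content),
        "Header": content[:4].hex().upper(),
        "MD5": hashlib.md5(content).hexdigest(),
        "SHA1": hashlib.sha1(content).hexdigest(),
        "SHA256": hashlib.sha256(content).hexdigest(),
        "Permissions": permissions,
        "_content": content,
    }


# Constructed sample files standing in for a scanned directory tree.
SAMPLE_FILES = [
    make_record("/Users/suspect/Documents/notes.txt", b"meeting notes, nothing of interest"),
    make_record("/Users/suspect/Pictures/IMG_0001.jpg", bytes.fromhex("FFD8FFE0") + b"\x00" * 40),
    make_record("/Users/suspect/Documents/plan.txt", "Передать файлы завтра".encode("utf-8")),
    make_record("/Applications/Safari.app/Contents/Info.plist", b"<?xml version='1.0'?><plist/>"),
]

# Constructed "custom checksum database" in a plain `hash  path` text layout (assumption).
KNOWN_GOOD_TEXT = f"""# known-good system files (constructed)
{SAMPLE_FILES[3]['MD5']}  /Applications/Safari.app/Contents/Info.plist
"""


def load_hash_database(text):
    """Parse an imported checksum list: the first token of each non-comment line is the hash."""
    return {line.split()[0].lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


# The manual's filter operators, each applied to one catalog field value.
OPERATORS = {
    "Is Equal To": lambda value, arg, db: value == arg,
    "Is Not Equal To": lambda value, arg, db: value != arg,
    "Contains": lambda value, arg, db: str(arg).lower() in str(value).lower(),
    "Does Not Contain": lambda value, arg, db: str(arg).lower() not in str(value).lower(),
    "Is Less Than": lambda value, arg, db: value < arg,
    "Is Greater Than": lambda value, arg, db: value > arg,
    "Is in database": lambda value, arg, db: str(value).lower() in db,
    "Is not in database": lambda value, arg, db: str(value).lower() not in db,
}


def passes_filters(record, filters, hash_db):
    """Every (field, operator, argument) filter must hold for a record to survive."""
    return all(OPERATORS[op](record[field], arg, hash_db) for field, op, arg in filters)


def term_to_bytes(fmt, term):
    """HEX terms match raw bytes; ASCII terms are UTF-8 encoded, so multi-byte scripts
    (Cyrillic, Arabic, CJK) are matched the same way as English."""
    return bytes.fromhex(term) if fmt == "HEX" else term.encode("utf-8")


def matched_terms(record, terms):
    return [term for fmt, term in terms if term_to_bytes(fmt, term) in record["_content"]]


def search(records, filters, terms, hash_db, bookmark_group):
    """Filter the catalog, pattern-match the survivors and auto-bookmark the hits."""
    bookmarks = []
    for rec in records:
        if not passes_filters(rec, filters, hash_db):
            continue
        hits = matched_terms(rec, terms)
        if terms and not hits:
            continue
        bookmarks.append({"group": bookmark_group, "path": rec["Absolute Path"],
                          "sha256": rec["SHA256"], "terms": hits})
    return bookmarks


def export_hash_log(records):
    """The exported hash text file: MD5, SHA1 and SHA256 followed by the full path."""
    return "\n".join(f"{r['MD5']} {r['SHA1']} {r['SHA256']} {r['Absolute Path']}"
                     for r in records)


def run_demo():
    """Constructed scan: drop known-good files, keep user files over 10 bytes that
    carry a JPEG header or a Cyrillic keyword."""
    db = load_hash_database(KNOWN_GOOD_TEXT)
    filters = [("MD5", "Is not in database", None),
               ("Absolute Path", "Contains", "/Users/"),
               ("Data Size", "Is Greater Than", 10)]
    terms = [("HEX", "FFD8FF"), ("ASCII", "файлы")]
    return search(SAMPLE_FILES, filters, terms, db, "Suspect material")
```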
Auto-Bookmarking Files
When scanning directories, the search function can be used to auto-generate bookmarks for reference
at a later time in the investigation.
To add the items as bookmarks to a respective group, the investigator must tick the “Bookmark”
checkbox in the ‘Bookmarks’ panel and then select a bookmark group from the drop down menu. If a
new one is required, the investigator should create it through the Bookmarks menu (please refer to the
chapter on Bookmarks for more detail).
Having selected the partition or directory structure to search, clicked the Search button in the ‘Main’
window (bringing the ‘Search’ window to the fore), and set up that window with the desired ‘Search
Items’, ‘Search Filters’, bookmarking and hashing options, the investigator is ready to perform the
search operation. To initiate the process, he or she should click the highlighted Search button at the
bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the investigator
will be prompted to define a file name and save location for the exported hash text file before the
scan proceeds.
Once the process of scanning and searching the items found has completed, the investigator will be
shown a prompt advising them as such; closing it returns him or her to the ‘Main’ window.
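The following is an added example and not MacForensicsLab's own code: a small file-attribute search engine modelled on the ‘Search Filters’ panel and its operators. A filter is a (field, operator, value) triple; the “Is in database” / “Is not in database” operators check the file's digest against a hash database held as a set of lowercase hex digests, and hits can be exported to a hash log (CSV text, one file per line), as the ‘Hash’ panel's export option does. How several filters combine is not stated in the manual, so AND is assumed here; the directory tree and hash database built by `demo()` are constructed.

```python
"""
Added example, not MacForensicsLab's own code: a file-attribute search engine
in the spirit of the 'Search Filters' panel. Filters are (field, operator,
value) triples and combine with AND (an assumption; the manual does not say).
The 'is_in_database' operators consult a hash database held as a set of
lowercase hex digests. Everything demo() creates is constructed.
"""
import csv
import hashlib
import os
import tempfile
import unicodedata
from datetime import datetime
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA1 and SHA256 in one pass, reading the file in chunks."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_record(path):
    """Collect the subset of the manual's log-file fields this example supports."""
    st = os.stat(path)
    rec = {
        "name": os.path.basename(path),
        "absolute_path": os.path.abspath(path),
        "data_size": st.st_size,
        "modification_date": datetime.fromtimestamp(st.st_mtime),
        "uid": st.st_uid,
        "permissions": oct(st.st_mode & 0o777),
    }
    rec.update(hash_file(path))
    return rec


def _nfc(value):
    # Compare Unicode text in one normalisation form: macOS volumes may store
    # file names decomposed (NFD) while a typed search term is usually NFC.
    return unicodedata.normalize("NFC", str(value))


def apply_filter(rec, field, op, value, hash_db=frozenset()):
    """Evaluate one (field, operator, value) filter against a file record."""
    actual = rec[field]
    if op == "is_equal_to":
        return actual == value
    if op == "is_not_equal_to":
        return actual != value
    if op == "contains":
        return _nfc(value) in _nfc(actual)
    if op == "does_not_contain":
        return _nfc(value) not in _nfc(actual)
    if op == "is_less_than":
        return actual < value
    if op == "is_greater_than":
        return actual > value
    if op == "is_in_database":
        return str(actual).lower() in hash_db
    if op == "is_not_in_database":
        return str(actual).lower() not in hash_db
    raise ValueError(f"unknown operator: {op!r}")


def search(root, filters, hash_db=frozenset(), export_log=None):
    """Walk `root`; a file is a hit when every filter holds. Optionally write a hash log."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rec = file_record(os.path.join(dirpath, name))
            if all(apply_filter(rec, f, o, v, hash_db) for f, o, v in filters):
                hits.append(rec)
    if export_log:
        with open(export_log, "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow(["absolute_path", "data_size", *HASH_ALGOS])
            for rec in hits:
                writer.writerow([rec["absolute_path"], rec["data_size"],
                                 *(rec[a] for a in HASH_ALGOS)])
    return hits


def demo():
    """Constructed tree: a file whose MD5 is 'known', a Cyrillic file name, a larger file."""
    tmp = tempfile.mkdtemp()
    known = Path(tmp, "known.txt")
    known.write_bytes(b"known content")
    Path(tmp, "отчет.txt").write_bytes(b"unicode name")
    Path(tmp, "big.bin").write_bytes(b"\x00" * 4096)
    hash_db = {hash_file(known)["md5"]}          # stands in for an imported known-file set
    unknown = search(tmp, [("md5", "is_not_in_database", None)], hash_db)
    cyrillic = search(tmp, [("name", "contains", "отчет")])
    large = search(tmp, [("data_size", "is_greater_than", 1000)],
                   export_log=os.path.join(tmp, "hashes.csv"))
    return (sorted(r["name"] for r in unknown),
            [r["name"] for r in cyrillic],
            [r["name"] for r in large])


if __name__ == "__main__":
    print(demo())
```

The Unicode normalisation step is the practical caveat here: a search term typed in a composed form will silently miss file names stored decomposed unless both sides are normalised before comparison.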
Overview
There will come a point in the case when an investigator may wish to analyze the file data
block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and
evidence located, the investigator can then export and/or hash the requisite section of the drive to file
for safekeeping and later use or further analysis.
The ‘Block View’ pane occupies the right-hand side of the ‘Analyze’ window and is where the
investigator can read block data either piece by piece in ‘Hex’ mode or in its entirety with ‘Native’ view.
The investigator can easily flip between the two separate views by using the tabs directly above the
pane. Native view allows files such as images and movies to be viewed as is, with controllers where
necessary for audio and video.
The ‘Search Fields’ pane contains a number of elements that are of use to the examiner:
Search Fields Pane – The first is the ‘Search Fields’ pane, which contains the working list of search
terms (or filters) with which to analyze the data blocks. This is split into 2 columns: format and term.
Format refers to whether the string in Term should be pattern matched against the HEX content or the
ASCII content of the blocks. Term refers to the string that is going to be pattern matched against the
blocks in the said format, usually a word.
As previously mentioned, MacForensicsLab can handle foreign-language multi-byte character sets
such as those used in Russian, Arabic and East Asian languages when searching.
Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the
search fields in that pane.
Hash Fields
The ‘Hash Fields’ are located to the left-hand side of the window, directly below the ‘Search Results’
pane. The investigator can use the Hash button to generate the respective hash records (MD5, SHA1,
SHA256) and then copy and paste into his or her database.
The ‘Search Results’ pane permits the investigator to access very quickly and easily any of the hits that
When investigating files with the ‘Analyze’ window it is possible for the examiner to search for strings
within the blocks of data that make up the file.
To do so, the investigator must click the (+) button below the ‘Search Fields’ pane; this will add a new
field. After this, the investigator should define the search term type (text or hex) by clicking the up/down
arrows in the centre of the search term row, followed by typing in a unique search term string in the text
entry field to the right hand side of the arrows.
This can be repeated multiple times, building up as complex a filter mechanism as required. If items are
added in error, the investigator can easily remove them by selecting each one in turn and then clicking
the (-) button located under the ‘Search Terms’ pane. When ready, and having defined the maximum size of
the result set in the “Limit” text entry field, the investigator can proceed by clicking Search. Whilst
processing the data, the investigator will see a progress bar, and upon completion of the search the
results will appear in the ‘Search Results’ pane.
Though an investigator might find it useful to create search terms in an ad hoc manner, as discoveries
in the case investigation necessitate, at some point he or she will want a more in-depth search, based
on hundreds, if not thousands, of search terms. The best way to achieve this is to import custom
search lists.
Custom search lists are essentially just ‘CSV Text’ files with each individual search term on a new line.
Custom search lists are also a great way to keep a database of useful terms, and mean that a
productive analysis or catalogue of a suspect device is only a few clicks away.
To import a list, click on the Import button to the middle of the ‘Search Terms’ drawer. This will bring up
a ‘Find File’ dialog box. Once the investigator has found the file, click ‘Open’.
Each line of the file will then appear as an individual term in the ‘Search Terms’ pane. The
investigator then has to define whether each term is in ASCII or HEX format; all terms are imported
as ASCII text by default.
By selecting the respective checkboxes below the ‘Search Fields’ pane the investigator can have
MacForensicsLab look for and find credit card and social security numbers during the search
process.
Once the search terms have been defined in the ‘Search Fields’ pane, either individually or by import,
and when the other settings have been defined, the investigator need only click the now enabled
Search button to perform the search. Once the scan is complete the results will appear in the ‘Search
Results’ pane.
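The block-by-block term search described above, as an added example that is not MacForensicsLab's own code. Terms carry a format (text or hex); a custom search list is plain text with one term per line and imports as text by default; the “Limit” caps the result set; and two small detectors stand in for the credit card and social security number checkboxes. Two points the manual does not spell out are handled here: text terms are matched as UTF-8 bytes (an assumption, since the manual only says multi-byte character sets are handled), and a match that straddles a block boundary is still found because the tail of each block is carried into the next. The data scanned by `demo()` is constructed.

```python
"""
Added example, not MacForensicsLab's own code: a block-by-block term search in
the spirit of the 'Analyze' window. Text terms match as UTF-8 bytes (assumed),
hex terms as raw bytes; the carried overlap catches matches cut by a block
edge; 'limit' caps the result set. CARD_RE/SSN_RE are illustrative detectors.
"""
import io
import re
from dataclasses import dataclass


@dataclass
class Term:
    fmt: str    # "text" or "hex"
    value: str

    def pattern(self) -> bytes:
        if self.fmt == "hex":
            return bytes.fromhex(self.value.replace(" ", ""))
        return self.value.encode("utf-8")


def load_search_list(text, fmt="text"):
    """One term per non-empty line; everything imports as text unless told otherwise."""
    return [Term(fmt, line.strip()) for line in text.splitlines() if line.strip()]


# 13-16 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MAX_DETECTOR_SPAN = 32  # longest byte span CARD_RE or SSN_RE can match


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; discards most random digit runs the card regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def search_blocks(stream, terms, block_size=4096, limit=100,
                  find_cards=False, find_ssns=False):
    """Scan `stream` block by block; return up to `limit` (offset, label, bytes) hits by offset."""
    searches = [(t.value, re.compile(re.escape(t.pattern()))) for t in terms]
    if find_cards:
        searches.append(("credit card", CARD_RE))
    if find_ssns:
        searches.append(("SSN", SSN_RE))
    longest = max([len(t.pattern()) for t in terms] + [MAX_DETECTOR_SPAN])
    overlap = longest - 1           # enough tail to complete any match cut by the block edge
    hits, carry, base = [], b"", 0  # base: absolute offset of carry[0]
    while len(hits) < limit:
        block = stream.read(block_size)
        if not block:
            break
        buf = carry + block
        for label, rx in searches:
            for m in rx.finditer(buf):
                if m.end() <= len(carry):
                    continue   # lies wholly in the carried tail: already reported last round
                if label == "credit card" and not luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
                    continue
                hits.append((base + m.start(), label, m.group()))
        carry = buf[-overlap:]
        base += len(buf) - len(carry)
    hits.sort()
    return hits[:limit]


def demo(limit=10):
    """Constructed 200-byte 'file' scanned in 100-byte blocks; the card number straddles the edge."""
    data = bytearray(200)
    data[10:18] = b"password"
    data[40:52] = "секрет".encode("utf-8")       # 6 Cyrillic letters, 12 bytes
    data[60:64] = b"\xff\xd8\xff\xe0"            # JPEG SOI + APP0 marker, searched as hex
    data[90:106] = b"4111111111111111"           # passes Luhn; crosses the block edge at 100
    data[120:136] = b"4111111111111112"          # fails Luhn: must not be reported
    data[150:161] = b"123-45-6789"
    terms = load_search_list("password\nсекрет\n") + [Term("hex", "FF D8 FF E0")]
    return search_blocks(io.BytesIO(bytes(data)), terms, block_size=100,
                         limit=limit, find_cards=True, find_ssns=True)


if __name__ == "__main__":
    for offset, label, matched in demo():
        print(f"{offset:6d}  {label:12s}  {matched!r}")
```

The Luhn check is what keeps the credit card detector usable on real media: without it, every run of thirteen or more digits in a binary file is reported as a hit.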
Hashing Data
Clicking the Hash button in the buttons bar of the ‘Analyze’ window invokes a hashing process that
returns the results for an MD5, SHA1 and SHA256 in the ‘Hash’ fields for the entire file or device the
investigator is reviewing.
Needless to say the smaller the data source that requires hashing, the quicker the process will be; the
hashing process can of course be tracked through the progress bar which appears whilst in operation,
the hash results of which will remain in place until the investigator closes the ‘Analyze’ window.
Exporting Data
When the investigator is ready to export the block-set being analyzed, he or she can do so very easily
by clicking the "Export" button. Doing so will then invoke the ‘Export’ window, bringing it to the fore.
Once ready, the examiner need only click "Export" (3), bringing a ‘Save’ dialog to the fore. Having given
the file a name and a location into which to be saved, clicking the Save button will complete the export
process.
It is advisable to rename the default export filename and to apply a file-extension suffix to the name so
that Mac OS or any other operating system can more easily recognize the expected file type and open it
with the appropriate application.
Upon completion a message will pop to the fore and the user can simply close this and continue on with
the investigation ana
Overview
MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable
files held within it, whether erased or not, and then recover the pre-selected files to a selected
destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find
as many recoverable files as possible, as well as scanning through a single directory structure.
The Salvage window is divided into upper (1) and lower sections (2). The upper section is responsible
for the settings Salvage will invoke upon starting. These settings include "Supported File Formats," (3)
"Import a Prior Scan," (4) and "Start a New Scan." (5) In addition, these settings can be further defined
The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a
File Previewer application will open and attempt to show the file in its native format. Once the files to be
Salvaged have been determined, the "Salvage Selected Files" button (8) is invoked.
Once you have scanned for files that Salvage can recover, a window appears asking if you'd like to
save the results of the scan. If you are not going to Salvage all files possible, it is a good idea to save
the results of the scan. This process will save time later if the examiner needs to go back and Salvage
additional files from the case.
Once the examiner has opted to save the scan results, a pop-up window appears asking for a
destination for the scan results to be saved; once a destination has been entered, select "Save."
As illustrated above, all possible files are divided by type and number.
Once a particular file is selected for review, the File Previewer application is launched allowing the
examiner to preview the file in question.
Highlight the files to be Salvaged (1) and select the "Salvage selected files" button (2).
Once the files for Salvage have been selected, a navigation box appears allowing the examiner to
select the location to which the Salvaged files will be exported.
Filename Rebuilder
Once the files have been Salvaged, MacForensicsLab provides an optional process to attempt to
rename the files based on the metadata contained within the files. If the examiner does not wish to do
this simply select "Cancel" (1) conversely, by selecting "OK" (2) MacForensicsLab will attempt to
rebuild all files names.
The Salvaged files are exported, by default, into a folder titled "Salvage (day of the week) and
(month/day/year)". Contained within that folder are subfolders broken down by file type for easy review
and categorization.
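The Salvage workflow described in this chapter, as an added example that is not MacForensicsLab's own code: signature-based carving is one common way a salvage tool lists “recoverable files” from raw media whether or not the file system still references them. Each format in `SIGNATURES` is a (header, footer, maximum length) triple; recovered files are grouped by type and written under a “Salvage <weekday> <month-day-year>” folder with one subfolder per type, mirroring the layout described above (the exact date format is an assumption). A small name rebuilder reads image dimensions from a PNG IHDR chunk as a stand-in for metadata-based renaming. The format table, the folder naming and the sample image from `build_sample_image()` are all constructed.

```python
"""
Added example, not MacForensicsLab's own code: signature-based carving of a raw
image, grouped by type and written into 'Salvage <weekday> <m-d-Y>/<type>/'.
SIGNATURES, EXTENSIONS, the folder naming and the sample image are constructed.
"""
import os
import struct
import tempfile
from datetime import date

# type: (header, footer, maximum carve length in bytes)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00;", 10 * 1024 * 1024),
}
EXTENSIONS = {"jpeg": "jpg", "png": "png", "gif": "gif"}


def carve(image: bytes, signatures=SIGNATURES):
    """Return {type: [(offset, data), ...]} for every header found in `image`.

    A file runs from its header to the next footer, or to the maximum length when
    the footer is gone (a partially overwritten file). Nested markers, such as a
    JPEG's embedded EXIF thumbnail, end the carve early; real tools parse the
    format structure rather than trusting the first footer they see."""
    found = {}
    for ftype, (header, footer, max_len) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_len]
            end = window.find(footer, len(header))
            data = window[:end + len(footer)] if end != -1 else window
            found.setdefault(ftype, []).append((pos, data))
            pos = image.find(header, pos + len(data))
    return found


def rebuild_name(ftype, offset, data):
    """Derive a file name from the file's own metadata where the format allows it."""
    if ftype == "png" and len(data) >= 24:
        width, height = struct.unpack(">II", data[16:24])   # IHDR: width, height, big-endian
        return f"png_{offset}_{width}x{height}.png"
    return f"{ftype}_{offset}.{EXTENSIONS[ftype]}"


def salvage(image, dest_root, signatures=SIGNATURES, today=None):
    """Carve `image` into per-type subfolders under dest_root; return (folder, relative paths)."""
    today = today or date.today()
    folder = os.path.join(dest_root, today.strftime("Salvage %A %m-%d-%Y"))
    written = []
    for ftype, items in carve(image, signatures).items():
        sub = os.path.join(folder, ftype)
        os.makedirs(sub, exist_ok=True)
        for offset, data in items:
            path = os.path.join(sub, rebuild_name(ftype, offset, data))
            with open(path, "wb") as fh:
                fh.write(data)
            written.append(os.path.relpath(path, folder))
    return folder, sorted(written)


def build_sample_image():
    """Constructed 'media': three minimal files separated by unallocated zero bytes."""
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + struct.pack(">II", 1, 2)
           + b"\x08\x02\x00\x00\x00" + b"\x00" * 4          # IHDR body, fake CRC
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")            # 45 bytes in total
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"  # 14 bytes
    gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00;"        # 12 bytes
    return b"\x00" * 16 + png + b"\x00" * 16 + jpeg + b"\x00" * 16 + gif + b"\x00" * 16


def demo():
    """Carve the sample image into a fresh temporary work folder (never onto the suspect drive)."""
    folder, written = salvage(build_sample_image(), tempfile.mkdtemp(), today=date(2024, 1, 15))
    return os.path.basename(folder), written


if __name__ == "__main__":
    print(demo())
```

Note that carved output always goes to a separate work location; writing recovered files back to the media being examined would overwrite the very unallocated space the files are being recovered from.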
This lesson will describe the core functionality of the Browse function of MacForensicsLab.
Overview
The ‘Browse’ window provides the examiner with an exceedingly quick and easy way to search for files
(primarily images and multimedia) in directories, view the results found based on the preset search
criteria, bookmark, make notes and even perform closer analysis.
The Browse window allows the examiner a range of variable options to include in his/her search. These
options include:
To invoke the Browse, select the "Browse" (6) button at the bottom of the window.
After clicking Browse, as MacForensicsLab scans the selected location for matching files, a progress
dialog will be displayed providing the examiner with a status report. If the examiner needs to end the
scan prematurely, clicking the Cancel button under the progress bar will end the scan and return to the
‘Main’ window. When the scan is complete a finish prompt will appear and a chime will sound; upon
clicking OK the prompt will close and the ‘Browse’ window will come to the fore.
Upon completion, the Browse window will display a thumbnail view of all files meeting the
aforementioned criteria set forth by the examiner. When an image is selected, it is highlighted in red (as
seen above) and the metadata for that file appears on the right (1).
Once the appropriate images are highlighted, the examiner can bookmark the results by choosing
"Bookmarks" from the Main window or using the keyboard shortcut of command + d. In the above
example, a bookmark labeled "images" (1) was created, with a note "suspicious imges" (2) to save the
previously selected file.
Viewing Bookmark
The examiner can review the bookmark by navigating to the Bookmark window by selecting "Bookmark
-> Show All Bookmarks" from the Main window.
Overview
The Audit function enables the examiner to quickly and easily locate relevant OS artifacts as they
pertain to the system, the network and the user.
Getting Started
To invoke the Audit function, the examiner must select the "Files" (1), the volume/partition (2) with a
valid user folder contained within it from the ‘Device’ pane of the ‘Main’ window. Furthermore, the
examiner must select the "Users" folder (3) for the ‘Audit’ button to become enabled.
Once the Audit button is enabled, the examiner can select a specific user (1), or if the system has
multiple users, he/she can check "Audit all users" (2), then select the "Audit" button (3).
The results of the Audit are stored in the MacForensicsLab database. To access the database from the
MacForensicsLab Main window select "Window -> Database" or use the keyboard shortcut of
"shift+command+d."
To review the findings of the Audit, select a user, then scroll up or down to view the results. The
examiner can highlight findings of interest and export them out to a file by selecting the "Export" button.
Once the "Export" button is invoked, a dialogue box appears allowing the examiner to choose between
an HTML or Plain Text report. Once decided, select "OK."
Save Report
Since an HTML report was selected in the example, a browser launches showing the report. All items
highlighted and exported are hyperlinked under the "Table of Contents" located to the right.
The examiner can select any hyperlink and be taken directly to that portion of the report.
This lesson will describe the hash function contained within MacForensicsLab.
The Hash functionality is a new feature added in MacForensicsLab 2.9. This button allows the examiner
to quickly and easily create a hash of any device or file by highlighting it (1) and invoking the "Hash"
button (2).
Once completed, the Hash window appears, displaying the path of the file and its MD5, SHA1 and
SHA256 hashes respectively.
The results of the hash can be either saved out as a text file or added directly to the hash database. To
export, simply select "Save" and navigate to where the file is to be saved.
Overview
MacForensicsLab uses bookmarks to assist the examiner in collecting files of investigative interest. It is
possible to bookmark files and directories for reference and examination at a later time in the case.
Likewise, the examiner can bookmark any file or folder, or groups of files. You cannot bookmark
devices or specific blocks within a device.
The bookmarks can be viewed and managed from the ‘Bookmarks’ window and are accessible at any
time by selecting “Show All Bookmarks …” from the Bookmarks menu, or by using the keyboard
shortcut "command + option + b".
Resizing Panes
In order to maximize viewing space the examiner can resize the partitions between all four panes of the
‘Bookmarks’ window. To do so, the examiner should click & drag the resize handle of the respective
separator, thus being able to minimize and maximize the required viewing space for each pane.
To add a new folder while creating a new bookmark, simply click the (+) button below the folder
title option list in the ‘Add Bookmark’ window.
Once the ‘Add Bookmark Folder…’ window comes to the fore, the investigator need only enter the
name of the new folder (1) into the “Name” text input field, and click Save (3). If the investigator so
wishes, he or she can enter a note/summary into the “Summary” text field (2) for reference then and
there, or do so at a later date in time from the ‘Bookmarks’ window.
Removing Bookmarks
Removing bookmarks, either collectively or individually, can be done from the ‘Bookmarks’ window.
This lesson will describe the Note functionality contained within MacForensicsLab.
Overview
Case Notes are an extremely useful function of MacForensicsLab that allow the examiner to add
comments and observations to their case file at any point during the examination process. Whether
browsing the ‘Main’ window or in the middle of a lengthy acquisition, the investigator can open the
‘Notes’ tab of the ‘Database’ window, using either the keyboard shortcut ("Command + n") or the ‘Window’
drop-down menu, and make the desired entry, before returning to the prior screen when finished.
Opening Notes
To access the Notes window at any time during the investigation, select "Window -> Make Note" from the
Main window.
To add a new note, the examiner need only click the (+) button at the bottom right hand side of the
upper ‘Notes Data’ pane (1). This will generate a blank new entry, which the examiner needs to then
select and enter his or her notes into, using the lower ‘Note Entry’ pane (2). Having completed the
note, the examiner can then just close the ‘Database’ window and return to the previous screen.
This lesson will cover the organization and layout of the MacForensicsLab database.
Overview
When whichever database (local file, RealSQL server, MySQL server) is enabled via the ‘Preferences’
window, detailed logs are kept of every action and all points of interest to support the examiner in the
understanding and final presentation of their evidence. In the ‘Database’ window, the examiner has full
access to comprehensive details of what has been logged in the forensic examination to date.
The MacForensicsLab database can be located, from the Main window by selecting "Window ->
Database" or using the keyboard shortcut of "shift+command+d."
The Views
As each tab is clicked in turn the database will be read, either locally or centrally, and the contents
loaded into the new window layout; needless to say, the larger the dataset the longer the process of
fetching and loading the data will take to complete.
Accessible through the individual buttons of the tab bar in the ‘Database’ window are:
The Acquisition Log - lists the date and time of an acquisition process, a description of it and the
exact block details (offset, length, hash sum etc).
The Analyze Log - keeps track of the details of searches performed, as well as the results associated
with them. Details logged include: date and time, file location, results and the associated match and
offset.
The Audit Log - lists the date and time of an acquisition process, a description of it and the specific OS
artifact information generated, to include folder creation date/times, network preferences, system
settings, user preferences, bookmarks, web caches, and much more.
The Chronology Log - lists all the events from the moment the case reference is set up to the latest
action performed in MacForensicsLab. It lists the date and time of the actions, the name of the
examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the
actions.
The Hash Database – provides a means by which the examiner can import, manage and store hash
values for use within the various functions provided by MacForensicsLab.
The Notes Log - contains all the notes regarding the investigation as inputted by various examiners.
Notes are listed with examiner name, date and initial number of characters, with the ability to view an
entire note, as well as manage and edit notes.
The Salvage Log - keeps track of the date and time of the salvage process, the name of the examiner,
Managing Records
Certain panes containing log data benefit from the availability of management buttons. That is to say
that an assortment of buttons exist to:
-Refresh
-Clear
-Delete
-Add
-Edit
Where available, the examiner should use these buttons as in other function windows: to reload data
into the respective pane, to remove or clear records (both of which will generate a warning prompt
requesting confirmation to delete records), and to add items or make amendments.
To open the Report window, from the MacForensicsLab Main window, select "File -> Write Report," or
use the keyboard shortcut "command+p."
The Report window consists of a series of checkboxes that are to be toggled on or off depending on the
information the examiner wants to include in the report. Once the appropriate checkboxes are
selected, select "Start."
Once the report settings have been determined, a navigation box opens. This box enables the
examiner to dictate where the report will be generated and saved.
Once the report is saved, a browser will open automatically showing the report. The report is divided
into two sections, the navigation section on the left and the reported information on the right.
Shortcuts
This lesson covers the various ways to obtain help and technical support when using MacForensicsLab.
Help can be found both via the small, context sensitive information clips that appear when the
investigator rolls the mouse over a window element, as well as the standard help menu at the top of the
screen. Contextual tool tips include buttons and parts of MacForensicsLab that require some form of
user interaction.
On the Web
We provide over 100 links to forensic resources, manuals, a complete knowledge base and a plethora
of additional information on our website. For updates, resources and additional information please visit:
http://www.MacForensicsLab.com.
Technical Support
We provide free technical support both via email or phone during the hours 10am to 6pm Pacific
Standard Time (GMT -8) Monday to Friday. By email, we can be reached at the following address:
support@subrosasoft.com. By phone, we can be reached at: +1 (510) 870 7883, or by fax on +1 (510)
868 3407.
In addition to any support question(s), the investigator must include ALL of the following pieces of
information:
If you have comments, problems, or questions about this product, or if you are interested in a site
license, please contact us via email: info@subrosasoft.com.
Company Address
SubRosaSoft.com Incorporated
37600 Central Ct, Suite 212
Newark, California 94560
Glossary
Acquisition
The process through which an investigator can make duplicate working copies of a suspect drive,
media or other data storage hardware.
Device
Could refer to any form of data storage technology, or equipment required to read data stored on media
such as CDs or DVDs.
Disclosure triangle
The small rightward pointing arrow next to folders in the explorer window that when clicked turn
downwards and allow the investigator to view the contents of the said folder.
Disk Image
A disk image is a computer file containing the complete contents and structure of a data storage device.
The term has been generalized to cover any such file, whether taken from an actual physical storage
device or not.
Disk Arbitration
The process by which a workstation will discover and attempt to mount a device connected to it. OS X
is notified of the event by the kernel and will immediately look for mountable partitions on the drive. If
found, the OS initiates the mount, then the internal disk arbitration tables are updated with the proper
information, which eventually updates any programs that subscribed to notifications. During the
process, the suspect’s drive will also be updated.
Evidence Item
Refers to an individual file that may be of use to an investigation or case.
Finder
Also referred to as the Desktop by workstation users. This is the Graphical User Interface portion; or
rather Front-End that allows the human User to visually interact with the computer.
Pane
The part of an application window where data may be previewed in columnar or free form style.
Headers may be used to sort columns, whilst free form text can be edited.
Suspect Drive
The drive that is the focus of the investigation and which the investigator should avoid tainting if
evidence collected is required for later use in a legal environment.
Work Drive
Refers to the drive on which an investigator will store files relating to a case. Salvaged files and other
data will be written to the work drive rather than to contaminate or lose data by writing them to the
“Suspect Drive”.
EULA
DO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ THIS AGREEMENT AND
AGREE TO THE TERMS OF THIS LICENSE. BY USING THE ENCLOSED SOFTWARE, YOU ARE
AGREEING TO THE TERMS OF THIS LICENSE.
The software license agreement for this program is included in this manual so you can read it before
installing the program. INSTALLING THE PROGRAM OR USE OF THE MATERIALS ENCLOSED
WILL CONSTITUTE YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS
SOFTWARE LICENSE AGREEMENT. If you do not agree to the terms of this software license
agreement, do not install the software and promptly return the package to the place of purchase for a
full refund of all money that you paid for the product.
In return for purchasing a license to use the computer program known as "MacForensicsLab™" and for
purchasing documentation included in this package, you agree to the following terms and conditions:
1. License. The Software enclosed is licensed, not sold, to you by MacForensicsLab Inc for use under
the terms of this software license. This non-exclusive license allows you to:
i. Use MacForensicsLab™ software only on a SINGLE computer at any one time. You may only use the
MacForensicsLab ™ software and only on drives physically connected to that single CPU.
ii. Only use the Software to monitor systems on a SINGLE computer that is used by you.
iii. Make one copy of Software in machine-readable form, provided that such copy is used only for
backup purposes and the copyright notice is reproduced on the backup copy.
iv. Transfer Software and all rights under this license to another party together with a copy of this
license and all documentation accompanying the Software, provided the other party agrees to accept
the terms and conditions of this license.
As a licensee, you own the media on which the Software is originally recorded. The Software is
copyrighted by MacForensicsLab Inc and proprietary to MacForensicsLab Inc, and MacForensicsLab
Inc retains title and ownership of the Software and all copies of the Software. This license is not a sale
of Software or any copy. You agree to hold Software in confidence and to take all reasonable steps to
prevent disclosure.
3. Termination. This license is effective until terminated. This license will terminate immediately without
any notice from MacForensicsLab Inc if you fail to comply with any of its provisions. Upon termination
you must destroy the Software and all copies thereof. You may terminate this license at any time by
destroying the Software and all copies thereof.
4. Export Law Assurances. You agree and certify that neither the Software nor the documentation will
be transferred or re-exported, directly or indirectly, into any country where such transfer or export is
prohibited by the relevant governmental parties and regulations there under or will be used for any
purpose prohibited by relevant government parties.
This Software and manual are licensed “AS IS.” It is solely the responsibility of the consumer to
determine the Software’s suitability for a particular purpose or use. MacForensicsLab Inc and anyone
else who has been involved in the creation, production, delivery or support of the Software, will in no
event be liable for direct, indirect, special, consequential or incidental damages resulting from any
defect, error or omission in the compact disc, diskettes, manual or Software or from any other events
including, but not limited to, any interruption of service, loss of business, loss of profits or good will,
legal action or any other consequential damages. The user assumes all responsibility arising from the
use of this Software. MacForensicsLab Inc's liability for damages to you or others will in no event
exceed the total amount paid by you for this Software. In particular, MacForensicsLab Inc shall have no
liability for any data or programs stored by or used with MacForensicsLab Inc’s Software, including the
costs of recovering such data or programs. MacForensicsLab Inc will be neither responsible nor liable
for any illegal use of its Software. MacForensicsLab Inc reserves the right to make corrections or
improvements to the information provided and to the related Software at any time, without notice.
MacForensicsLab Inc will replace or repair defective distribution media or documentation at no charge,
provided you return the item to be replaced with proof of purchase to MacForensicsLab Inc during the
30-day period after purchase. ALL IMPLIED WARRANTIES ON THE MEDIA AND DOCUMENTATION,
INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
6. Government End-Users. If you are a Government end-user, this license of the Software conveys only
“RESTRICTED RIGHTS”. This Software was developed at private expense, and no part of it was
developed with government funds. The Software is a trade secret of SubRosaSoft.com Inc for all
purposes of the Freedom of Information Act, and is “commercial computer software” subject to limited
utilization as provided in the contract between the vendor and the governmental entity, and in all
respects is proprietary data belonging solely to MacForensicsLab Inc. Government personnel using the
Software, are hereby on notice that the use of this Software is subject to restrictions that are the same
as, or similar to, those specified above.
7. General. This license will be construed under the laws of the state of California, except for that body
of law dealing with conflicts of laws, if obtained in the United States, or the laws of jurisdiction where
obtained if obtained outside the United States. If any provision of this license is held by a court of
competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent
permissible, and the remaining provisions of this license will remain in full force and effect.
Complete Agreement. This license constitutes the entire agreement between the parties with respect to
the use of the Software and related documentation and supersedes all prior or contemporaneous
understandings or agreements, written or oral, regarding such subject matter.
MacForensicsLab Incorporated copyrights this software, the product design, and design concepts with
all rights reserved. Your rights with regard to the software and manual are subject to the restrictions
and limitations imposed by the copyright laws of the United States of America.
Under the copyright laws, neither the programs nor the manual may be copied, reproduced, translated,
transmitted or reduced to any printed or electronic medium or to any machine-readable form, in whole
or in part, without the written consent of MacForensicsLab Inc.
Trademarks
All other brand and product names are trademarks or registered trademarks of their respective holders.