Mac Basics

It is important that you have a working understanding of the Macintosh operating system before attempting forensics. As with Linux, however, it is common for forensic examiners not to have a good working knowledge of Macintosh systems. The reason for this is simple: Most people have more exposure to Windows than to Macintosh. In fact, it is not uncommon to have a forensic examiner who has never even used a Macintosh. So this section first shows you the history of the Macintosh and then discusses the operating system fundamentals. This will establish a baseline of knowledge to help you understand Apple systems.

Mac History

Apple began with Steve Wozniak and Steve Jobs collaborating while working from their homes. In 1975, they finished the prototype of the first Apple computer. Steve Wozniak worked for Hewlett-Packard, and his employment contract required him to give his employer first right of refusal on any new inventions he came up with. However, Hewlett-Packard was not interested and released the technology to Steve Wozniak. This led to the formation of Apple Computer in April 1976. The company’s three founders were Steve Jobs, Steve Wozniak, and Ronald Wayne. The first computer was the Apple I, created by Wozniak.

That computer had an 8-bit microprocessor running at just below 1 MHz. The Apple I had a built-in video terminal, sockets for 8 kilobytes of onboard random access memory (RAM), a keyboard, and a cassette board meant to work with regular cassette recorders.

Apple II

It wasn’t long before the team came up with the Apple II. This computer was based on the same microprocessor, but came in a plastic case with the keyboard built in. It was also the first personal computer with color graphics. This was followed by a series of enhancements to the Apple II: Apple II+, IIe, IIc, IIc+, IIe Enhanced, and IIe Platinum. In 1986, the Apple IIGS was released; this computer was 16-bit rather than 8-bit.

There were multiple operating systems for the Apple II, including the following:

  • Apple DOS (Disk Operating System)—The first edition was released as Apple DOS 3.1 in 1978. It had no relationship to Microsoft DOS.

  • Apple Pascal—This was based on the p-system, an operating system developed at UC San Diego. It was basically a virtual machine running p-code, and Pascal was the most popular language for it. Apple Pascal was a similar design released in 1979.

  • Apple SOS—This operating system was developed for the Apple III. The acronym stands for Sophisticated Operating System. Every program that used SOS loaded the operating system into memory as well. An SOS application disk consisted of a kernel (SOS.kernel); an interpreter (SOS.Interp), which was often the application itself; and a set of drivers (SOS.Driver).

  • ProDOS—This was meant as a replacement for Apple DOS 3.3 and was based on SOS. It had more support for programming, including assembly and BASIC. Eventually, this led to a 16-bit version called ProDOS 16.

  • Lisa OS—This operating system had a full graphical user interface with a file browser that was navigated with mouse clicks. It also came with some basic office programs.

Beyond the Apple II

After the Apple II, the company changed the name to Macintosh and took a new direction with its computers. The main points in that evolution are as follows:

  • The Macintosh—Although today many people may think of Apple and Macintosh as synonymous, the Macintosh was actually released by Apple in January 1984. It had an 8-MHz Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating system for Macintosh was System 1. This eventually led to the Macintosh II running System 7.

  • System 7—This system allowed text dragging between applications, viewing and switching applications from a menu, a control panel, and cooperative multitasking.

  • Mac OS for PowerPC—This Mac introduced the System 7.1.2 operating system.

  • AIX for PowerPC—In 1996, Apple had a product called Apple Network Server that used a variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical user interface that is popular in the UNIX world. This product did not do well in the market and was discontinued in 1997.

Mac OS X

The next major change was the introduction of Mac OS X, which is still used in Macintosh computers today. The public beta version of the product was named Kodiak. The real change with OS X was that the operating system was based on FreeBSD, a UNIX clone. When using Mac OS X, you can navigate to a shell and run UNIX/Linux shell commands. The initial release of OS X was followed by periodic improvements, each with an animal name:

  • Mac OS X v10.0, named Cheetah, was released in March 2001.

  • Mac OS X v10.1 was released the same year and was named Puma.

  • The next release was Mac OS X v10.2 in 2002, called Jaguar. This release included improved graphics and iChat messaging.

  • In 2003, Apple released Mac OS X v10.3, named Panther.

  • Mac OS X v10.4, named Tiger, was released in 2005. This release had built-in support for FireWire, and it had a new dashboard and updated mail program.

  • Mac OS X v10.5, called Leopard, was released in 2007. It had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.

  • In 2009, Apple released Mac OS X v10.6, Snow Leopard. Most of the changes in this release were performance enhancements, rather than new features. For example, Snow Leopard had support for multicore processors.

  • Mac OS X v10.7 was released in 2011 and code-named Lion. The major interface change with this release was to make it more like the iOS interfaces used on the iPhone and iPad.

  • Mac OS X v10.8, named Mountain Lion, was released in 2012. This release had built-in support for iCloud, to support cloud computing.

  • Mac OS X v10.10, code-named Yosemite, was released in October 2014. The most important part of this release, from a forensics standpoint, is that it allowed users who had iPhones with iOS 8.1 or later to pass certain tasks to their Macintosh computer. For example, they could complete unfinished iPhone emails on the Macintosh computer. This feature was called Handoff.

  • Mac OS X v10.12, named Sierra, is the most recent version (as of March 2017). It is meant to be more in sync with the style of other Apple systems, such as iOS and watchOS.

The Mac OS X desktop is shown in FIGURE 10-1.

When performing forensics on an Apple system, you are most likely to encounter OS X, because it is the most widely used Apple operating system today. In fact, it is the only operating system still supported by Apple.

Mac File Systems

In this section, you will learn details about the Hierarchical File System and other file systems used by Macintosh operating systems.

Macintosh File System

Macintosh File System (MFS) is an older Apple technology that has not been used in over 15 years. You are unlikely to encounter it. It has long since been replaced, first with HFS, and then with HFS+. It shipped with the first Macintosh in 1984.

Hierarchical File System

The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File System (MFS).

FIGURE 10-1 Mac OS X. (Screenshot reprinted with permission from Apple Inc.)

HFS used concepts from the earlier SOS operating system that had been designed for the Apple III. HFS was able to support file names as long as 255 characters, which was not available in FAT (used by DOS).

Hierarchical File System Plus

This is an enhancement of the HFS file system, first used with Mac OS 8.1. Because HFS was the standard for Macintosh, it became known as HFS Standard, while HFS+ became known as HFS Extended. HFS+ is the preferred file system on Mac OS X. Most important, it supports journaling. Journaling is basically the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered. Journaling file systems are fault tolerant because the file system logs all changes to files, directories, or file structures. The log in which changes are recorded is referred to as the file system’s journal—thus, the term journaling file systems.

HFS+ also supports disk quotas. That allows the administrator to limit the amount of disk space a given user can use, keeping that user from taking up all the space. HFS+ has two types of links. The first type is the hard link, which is an inode that links directly to a specific file. A soft link, or symbolic link, is essentially a shortcut.

HFS+ is architecturally similar to HFS, which is not surprising because it is an enhancement to HFS; however, there are some key differences. One such difference is that HFS+ uses 32 bits for allocation blocks, rather than 16 bits. HFS+ also supports long filenames, up to 255 characters. Furthermore, HFS+ names files using Unicode, the international standard for character encoding, rather than ASCII (American Standard Code for Information Interchange), the older character set that defines codes for letters, numbers, punctuation, and control characters such as space and Return.

For forensic examinations, one of the more important differences in HFS+ to keep in mind is aliases. Aliases are like symbolic links; they allow you to have multiple references to a single file or directory. HFS+ also has a very interesting optimization scheme. It essentially does defragmentation on a per-file basis. The following conditions are checked, and if met, the file is defragmented when it is opened:

  • The file is less than 20 megabytes in size.

  • The file is not already in use.

  • The file is not read-only.

  • The file is fragmented.

  • The system uptime is at least three minutes.

This means an HFS+ volume is routinely defragmenting itself. This is a significant advantage over some other file systems, such as NTFS and FAT.

With an HFS+ volume, the first two sectors (sectors 0 and 1) are the boot blocks and are identical to the boot blocks used in HFS. The third sector (sector 2) holds the volume header. It has a great deal of pertinent forensic information, such as the size of allocation blocks and a timestamp that records when the volume was created.

The allocation file is important for forensics. It keeps track of which allocation blocks are free and which are not. A 0 indicates the block is free, whereas a 1 indicates the block is in use. The catalog file contains the records for all the files/directories on that volume. It uses a B-tree structure to hold the data. Each record in the catalog file is 8 kilobytes in size.
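The two structures just described, the volume header in sector 2 and the allocation-file bitmap, are simple enough to read by hand. The following Python is an added example, not code from the book or from Apple: it builds a constructed, minimal HFS+ volume image in memory, decodes the fixed-size head of the volume header (big-endian fields in the order Apple documents them: signature, version, attributes, dates, counts, block size and so on), converts the creation and modification timestamps from the HFS epoch (seconds since 1 January 1904), tests the journaled bit in the attributes word, and then walks a constructed allocation bitmap to list which allocation blocks are free. The sample values (file counts, dates, the bitmap bytes) are invented for the demonstration; the field layout, the "H+" signature, the 1904 epoch and the bitmap's most-significant-bit-first ordering are taken from Apple's published HFS+ description.

```python
import struct
from datetime import datetime, timedelta

SECTOR = 512
HFS_EPOCH = datetime(1904, 1, 1)          # HFS+ dates count seconds from this epoch
VOLUME_HEADER_OFFSET = 2 * SECTOR         # sectors 0-1 are boot blocks, sector 2 is the header

# Fixed-size head of the HFS+ volume header, big-endian, in Apple's documented order.
HEADER_FMT = ">2sH" + "I" * 17 + "Q"
HEADER_FIELDS = (
    "signature", "version", "attributes", "lastMountedVersion", "journalInfoBlock",
    "createDate", "modifyDate", "backupDate", "checkedDate", "fileCount",
    "folderCount", "blockSize", "totalBlocks", "freeBlocks", "nextAllocation",
    "rsrcClumpSize", "dataClumpSize", "nextCatalogID", "writeCount", "encodingsBitmap",
)
JOURNALED_BIT = 13   # kHFSVolumeJournaledBit in the attributes word


def hfs_time(seconds):
    """Convert an HFS+ timestamp (seconds since 1904-01-01) to a datetime."""
    return HFS_EPOCH + timedelta(seconds=seconds)


def parse_volume_header(image):
    """Decode the volume header found in sector 2 of a raw HFS+ image."""
    raw = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + struct.calcsize(HEADER_FMT)]
    hdr = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, raw)))
    if hdr["signature"] not in (b"H+", b"HX"):       # HFS+ or case-sensitive HFSX
        raise ValueError("not an HFS+ volume header: %r" % hdr["signature"])
    hdr["journaled"] = bool(hdr["attributes"] & (1 << JOURNALED_BIT))
    hdr["created"] = hfs_time(hdr["createDate"])
    hdr["modified"] = hfs_time(hdr["modifyDate"])
    return hdr


def free_blocks(bitmap, total_blocks):
    """Return the allocation-block numbers whose bit is 0 (free) in the allocation file.
    Bit 7 of byte 0 represents block 0: the bitmap is most-significant-bit first."""
    free = []
    for block in range(total_blocks):
        bit = (bitmap[block // 8] >> (7 - block % 8)) & 1
        if bit == 0:
            free.append(block)
    return free


def build_sample_image():
    """Constructed sample: two zeroed boot blocks plus a minimal volume header."""
    created = int((datetime(2017, 3, 1, 12, 0, 0) - HFS_EPOCH).total_seconds())
    modified = created + 3600
    head = struct.pack(HEADER_FMT, b"H+", 4, 1 << JOURNALED_BIT, 0, 0,
                       created, modified, 0, 0,      # create/modify/backup/checked dates
                       42, 7,                        # fileCount, folderCount
                       4096, 16, 13, 3,              # blockSize, totalBlocks, freeBlocks, nextAllocation
                       0, 0, 100, 1, 0)              # clump sizes, nextCatalogID, writeCount, encodings
    return b"\0" * (2 * SECTOR) + head.ljust(SECTOR, b"\0")


SAMPLE_BITMAP = bytes([0xA0, 0x01])   # constructed: blocks 0, 2 and 15 in use, the rest free


if __name__ == "__main__":
    hdr = parse_volume_header(build_sample_image())
    print("signature", hdr["signature"], "block size", hdr["blockSize"],
          "journaled", hdr["journaled"], "created", hdr["created"])
    print("free blocks:", free_blocks(SAMPLE_BITMAP, hdr["totalBlocks"]))
```

On a real image the same decoder applies unchanged to the first 1,536 bytes of the volume; the freeBlocks count in the header should agree with the number of zero bits in the allocation file, and a mismatch is itself worth noting in an examination.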

Of particular interest is the command prompt. The command prompt in Macintosh OS X is a Bash shell, so you can execute Linux commands. This means you can use commands such as lsof, pstree, and others.

Because HFS+ is the preferred file system for Mac OS X, it is one you will likely encounter when doing forensic examinations of Apple computers.

ISO9660

ISO9660 is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but Apple does have its own set of ISO9660 extensions. Although a CD may be readable on either a PC—Windows or Linux—or a Macintosh, the files on that CD may require a specific operating system in order to be read.

Microsoft Disk Operating System

Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12, FAT16, and FAT32. This allows a Macintosh machine to read floppy disks (FAT12), as well as files created with DOS/Windows 3.1.

New Technology File System

Mac OS X includes read-only support for the New Technology File System (NTFS). This means if you have a portable drive that is NTFS, Mac OS X can read that partition. But like ISO9660, the files on that drive may be operating-system specific.

Universal Disk Format

Universal Disk Format (UDF) is the file system used by DVD-ROM discs (both video and audio). Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not guarantee that Mac OS X can read the files.

UNIX File System

UNIX File System (UFS) is the file system used by FreeBSD and many other UNIX variants. Being based on FreeBSD, Mac OS X can read UFS volumes.

Partition Types

Partition types are referred to in Apple documents as partition schemes. The partition type determines how the partition is organized on the drive. Apple directly supports three different partition schemes: the GUID Partition Table, the Apple Partition Map, and the master boot record. All three partition types are described in this section.

GUID Partition Table

The GUID Partition Table (GUID stands for “globally unique identifier”) is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh machines can boot only from drives that use the GUID Partition Table.

Apple Partition Map

The Apple Partition Map is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with the Apple Partition Map, but they cannot boot from the device. PowerPC-based Macs can both mount and use a drive formatted with the Apple Partition Map, and they can also use it as a start-up device.

Master Boot Record

The master boot record (MBR), contained in the boot sector, is used when DOS- or Windows-based computers start up. The MBR holds the partition table, the bootstrap code, and other information.
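Telling the three partition schemes apart is the first step when a drive from a Macintosh lands on the bench. The following Python is an added example, not from the book or from Apple: it classifies a raw disk image as GUID Partition Table, Apple Partition Map or plain MBR from the on-disk signatures ("EFI PART" in LBA 1 for GPT, the "PM" partition-map entry in block 1 for APM, and 0x55AA at byte 510 for an MBR), and decodes the four 16-byte MBR partition entries. The GPT test runs first because a GPT disk also carries a protective MBR whose single entry has type 0xEE. The sample images are constructed in memory; the partition type codes 0xEE (GPT protective) and 0xAF (Apple HFS/HFS+) are standard values.

```python
import struct

SECTOR = 512
GPT_PROTECTIVE = 0xEE     # partition type in the protective MBR of a GPT disk
APPLE_HFS = 0xAF          # MBR partition type used for HFS/HFS+ partitions


def identify_scheme(image):
    """Classify a raw disk image as GPT, APM, MBR or unknown."""
    # GPT: the header lives in LBA 1 and begins with the 8-byte signature "EFI PART".
    if image[SECTOR:SECTOR + 8] == b"EFI PART":
        return "GPT"
    # APM: block 0 is the Driver Descriptor Record ("ER") and block 1 is the first
    # partition map entry ("PM"); the DDR may be absent, so "PM" alone is decisive.
    if image[SECTOR:SECTOR + 2] == b"PM":
        return "APM"
    # MBR: boot-sector signature 0x55AA at offset 510.
    if image[510:512] == b"\x55\xAA":
        return "MBR"
    return "unknown"


def parse_mbr(image):
    """Return the non-empty primary partition entries (table starts at byte 446)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype == 0:
            continue                        # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def is_protective_mbr(entries):
    """True when the MBR only exists to shield a GPT from pre-GPT tools."""
    return any(e["type"] == GPT_PROTECTIVE for e in entries)


def make_mbr_image(partitions, gpt=False):
    """Constructed sample: an MBR sector holding (type, lba_start, sectors) entries,
    optionally followed by a minimal LBA 1 carrying only the GPT signature."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        status = 0x80 if i == 0 else 0x00   # mark the first entry bootable
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, status, ptype, start, count)
    sector[510:512] = b"\x55\xAA"
    image = bytes(sector)
    if gpt:
        image += b"EFI PART".ljust(SECTOR, b"\0")
    return image


def make_apm_image():
    """Constructed sample: Driver Descriptor Record followed by one partition map block."""
    return b"ER".ljust(SECTOR, b"\0") + b"PM".ljust(SECTOR, b"\0")


if __name__ == "__main__":
    for name, img in (("apm", make_apm_image()),
                      ("gpt", make_mbr_image([(GPT_PROTECTIVE, 1, 1000)], gpt=True)),
                      ("mbr", make_mbr_image([(APPLE_HFS, 2048, 409600), (0x07, 411648, 100000)]))):
        print(name, "->", identify_scheme(img), parse_mbr(img) if identify_scheme(img) != "APM" else "")
```

Only the first two sectors of the evidence are needed for the classification, so the same functions can be pointed at the head of a full forensic image before any tool is asked to mount or interpret it.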
