This section covers some general forensic techniques to use on Macintosh systems. In the preceding sections, you learned about the Macintosh operating system, and you learned where to look for important logs, which is a valuable step in any forensic investigation. Now, you will learn a variety of forensic techniques.
One of the most fundamental steps in forensics is to create a bit-level copy of the suspect drive. If the suspect drive is a Macintosh, all the techniques you know from Linux or Windows can still be used. You can utilize the dd command along with netcat to make a forensic copy. You can also use the imaging tools within EnCase or Forensic Toolkit. However, Macintosh provides another way to make a forensically sound copy of a drive. You begin by placing the suspect computer into Target Disk Mode. When you put the computer in that mode, it cannot be written to, so there is no chance of altering the source disk. Then simply connect to the suspect computer with universal serial bus (USB) or FireWire and image the disk.
Also, Target Disk Mode allows you to preview the computer on-site. This allows investigators to do a quick inspection before disconnecting and transporting the computer to a forensic lab. This is important because, just like with Windows or Linux, you will want to check the running system's processes before shutting the machine down. You simply have to reboot the machine in Target Disk Mode, as shown in FIGURE 10-2.
Checking virtual memory is just as important with a Macintosh as it is with a Windows or Linux computer. With Macintosh OS X, the swap file/virtual memory is located in the folder /var/vm/. You can check it with simple Unix commands like ls (for listing files). A good option is ls -al, which lists all the files in the virtual memory folder, including hidden ones, along with each file's owner and timestamp. The best news is that you can use the grep search tool to search in the virtual memory folder.
Because Mac OS X is based on FreeBSD, you can use shell commands to extract information. A number of commands can be quite useful in your forensic examination. Some additional commands are available that are specific to Macintosh.
date Command

The date command returns the current date and time zone. It is good for documenting when exactly you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then use the date -u version of the command.

ls /dev/disk? Command

This command lists the current device files that are in use. You should document this information before shutting the system down for transport to the forensic lab.

hdiutil partition /dev/disk0 Command

This command lists the partition table for the boot drive. Clearly, it is important to know the partitions the machine recognizes upon boot-up.

system_profiler SPHardwareDataType Command

This command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination. There are related commands, such as system_profiler SPSerialATADataType. This command gives information on all the attached Serial Advanced Technology Attachment (SATA) devices.

system_profiler SPSoftwareDataType Command

Related to system_profiler SPHardwareDataType, this command returns information about the operating system. This is also important for documenting the system prior to starting the forensic examination.
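The commands above are usually run one after another on the live machine, and each result needs to be recorded with the time it was taken. The script below is an added example, not from this text, that runs them in the order discussed and writes every command, its output, its exit status and a UTC timestamp into a single evidence log, then hashes the log. It assumes the commands and the /var/vm path are exactly as described in this section.

```shell
#!/bin/sh
# Added example (not from the text): on-site documentation of a live Mac.
# Runs the commands discussed in this section and records each one's output,
# UTC timestamp and exit status in one evidence log, then hashes the log.
# Assumes the command names and the /var/vm path as given in the section.

LOG="${LOG:-./mac-triage-$(date -u +%Y%m%dT%H%M%SZ).log}"

# record <label> <command...>: append a header, the command line, its output
# (stdout and stderr) and its exit status to $LOG; return that exit status.
record() {
    label=$1
    shift
    {
        printf '=== %s === %s\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'command: %s\n' "$*"
        "$@" 2>&1
        status=$?
        printf 'exit status: %d\n\n' "$status"
    } >> "$LOG"
    return "$status"
}

# hash_log: print a SHA-256 of the finished log so it can be verified later.
hash_log() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$LOG"
    else
        sha256sum "$LOG"
    fi
}

# triage: the documentation steps from this section, in order.
triage() {
    record "examination start (UTC)" date -u
    record "device files in use" ls /dev/disk?
    record "partition table of boot drive" hdiutil partition /dev/disk0
    record "hardware" system_profiler SPHardwareDataType
    record "SATA devices" system_profiler SPSerialATADataType
    record "operating system" system_profiler SPSoftwareDataType
    record "virtual memory folder" ls -al /var/vm
    hash_log
}

# Run the whole sequence only when invoked as: sh mac-triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

A command that is missing or fails is still logged with its exit status, so the record shows what could not be collected rather than silently skipping it.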