Mac OSX Forensics Introduction


Project Introduction

Mac OSX is Apple's current operating system for Macintosh computers. Macs are widely used, and knowing how to recover information from them is very important for forensic examiners. PC expertise alone is no longer enough: Macs store user data and artifacts differently from Windows, so knowing where potential evidence lives and what kind of information can be gathered from it is critical.

We are going to research imaging tools and methods, examination tools and methods, the default locations of artifacts, and OSX features. We want to know the pros and cons of particular tools and methods for Mac forensics. We also want to know where the default artifact locations are, which OSX features are available, and what information can be gleaned from each of them.

Research Questions

  1. What tools (open source and paid) can be used to examine or image a Mac?
  2. Where are the default locations for user data and artifacts?
    1. Internet artifacts, email, deleted files, created files, USB activity, installed software, the Trash, event logs, and printed files.
  3. What Mac-specific services are there, and what can be found from them?
    1. Example: Spotlight (more will be added once research is done on all the services OSX provides).

How Will We Do This?

Our team will generate identical data on a PC running Windows 7 and a Mac running OSX. We will then image the Windows 7 PC and the Mac (using the tool and method we decide on). We will compare the Windows 7 image to the Mac image to check whether we recovered all of the artifacts that were generated on each machine. We will be looking for the default locations of common forensic artifacts and for some of OSX's features, such as Spotlight. We will put our findings in a report written for both experienced and new forensic examiners.

Our Goal

We want to create a comprehensive report on Mac OSX forensics that can help forensic examiners who have little to no experience working with Macintosh computers. Examiners will see what information can be found on OSX, what services are available, and what those services leave behind. This report could also help experienced examiners who are having trouble finding a particular artifact.