Different Examination Tools
We have been doing extensive background research in advance of the actual data-generation and forensic aspect of our project. Currently, we have been researching the different examination tools and methods there are for Mac OSX. We have researched open-source tools as well as commercial tools and have chosen the ones we believe to be the best.
- What tools (open-source or paid) can be used to examine/image a Mac?
- What are the best open-source tools for examining a Mac?
- What are the best commercial tools for examining a Mac?
What Have We Found So Far?
What we have found is that there are a great number of different examination tools to choose from. We’ve narrowed it down to our favorites and split those up between “Open-Source” and “Commercial.”
Open-Source

| Tool | Description |
|---|---|
| The Sleuth Kit | A simple forensic software kit that is Mac OS compatible |
| Audit | Organizes and reads Mac OSX logs |
| ChainBreaker | Extracts the user's confidential information such as passwords |
| Disk Arbitrator | Blocks mounting of file systems (complements a write blocker) |
| Epoch Converter | Converts epoch times to local time and UTC |
| IORegInfo | Lists partition information and items connected to the computer |
| Volafox | Forensic toolkit for memory in Mac OSX |
| PMAP Info | Displays physical partitioning of the specified device |

Commercial

| Tool | Description |
|---|---|
| EnCase | Very well-known commercial forensics toolkit. Has a lot of support for Mac OSX |
| AccessData FTK | Another widely known toolkit. Less support for Mac OSX, however. |
We have decided to use EnCase for most of this project, as it showed a lot of new features for Mac OSX in its latest release that we would like to try and it is a trusted forensic toolkit that we are very familiar with. We will also try a few of the open-source software options to see how they compare.