Mac OS X Forensics

  • Philip Craiger
  • Paul Burke
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)

Abstract

This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.

Keywords

Macintosh computers Mac OS X forensics 

References

  1. [1]
    Apple Computer, How to use FireWire target disk mode (docs.info.appIe.com/article.html?axtnum=58583), 2002.Google Scholar
  2. [2]
    Apple Computer, Technical Note TN1150: HFS Plus Volume Format (developer.apple.com/technotes/tn/tn1150.html), 2004.Google Scholar
  3. [3]
    Apple Computer, Working with Spotlight (developer.apple.com /macosx/spotlight.html), 2005.Google Scholar
  4. [4]
    BlackBag Tech, FireWire target disk mode guidelines (blackbagtech.com/images/BBT_FireWire_Target_Mode.pdf), 2004.Google Scholar
  5. [5]
    P. Burke and P. Craiger, Assessing trace evidence left by secure deletion programs, in Advances in Digital Forensics II, M. Olivier and S. Shenoi (Eds.), Springer, New York, pp. 185–195, 2006.CrossRefGoogle Scholar
  6. [6]
    P. Craiger, Recovering evidence from a Linux system, in Advances in Digital Forensics, M. Pollitt and S. Shenoi (Eds.), New York, pp. 233–244, 2005.Google Scholar
  7. [7]
    D. Farmer and W. Venema, Forensic Discovery, Prentice-Hall, Upper Saddle River, New Jersey, 2004.Google Scholar
  8. [8]
    K. Jones, R. Bejtlich and C. Rase, Real Digital Forensics: Computer Security and Incident Response, Addison-Wesley Professional, New York, 2005.Google Scholar
  9. [9]
    Microsoft Corporation, How the recycle bin stores files (support.microsoft.com/default.aspx?scid=kb;en-us;136517), 2004.Google Scholar
  10. [10]
    Network Working Group, RFC 4155 — The Applicatioa/Mbox Media Type (www.faqs.org/rfcs/rfc4155.html), 2005.Google Scholar
  11. [11]
    Sleuthkit.org, Sleuth Kit (www.sleuthkit.org).Google Scholar
  12. [12]
    Sourceforge.net, Foremost (foremost.sourceforge.net).Google Scholar

Copyright information

© IFIP Internatonal Federation for Information Processing 2006

Authors and Affiliations

  • Philip Craiger
    • 1
  • Paul Burke
    • 1
  1. 1.National Center for Forensic ScienceUniversity of Central FloridaOrlandoUSA

Personalised recommendations