Mac OS X Forensics

  • Philip Craiger
  • Paul Burke
Conference paper

DOI: 10.1007/0-387-36891-4_13

Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)
Cite this paper as:
Craiger P., Burke P. (2006) Mac OS X Forensics. In: Olivier M.S., Shenoi S. (eds) Advances in Digital Forensics II. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA


This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.


Macintosh computers Mac OS X forensics 

Copyright information

© IFIP Internatonal Federation for Information Processing 2006

Authors and Affiliations

  • Philip Craiger
    • 1
  • Paul Burke
    • 1
  1. 1.National Center for Forensic ScienceUniversity of Central FloridaOrlandoUSA

Personalised recommendations