Mac Forensics 2017-09-19T13:02:23+00:00

Mac Forensics

D3Forensics provide a whole range of computer forensics services for Mac computers. If you are facing legal action and require dependable Mac forensics data and are lacking internal knowledge and expertise to obtain it, D3Forensics have qualified Mac forensics analysts, fully capable of utilising a whole range of Mac forensics techniques. The Apple Mac differs from the PC in many ways and it is important that you have a qualified and knowledgeable technician gathering your critical forensics data.

Many of the basic types of evidence which can be found easily on a PC are simply not available on a Mac; therefore Mac forensics requires a somewhat different approach. Possibly the main difference between PC forensics and Mac forensics is that PC forensics will often rely heavily upon interrogating deleted data. However, with Mac forensics the use of the OS X “secure empty trash” feature by the user will wipe this deleted data entirely from the hard disk. Mac forensics differs in a variety of ways, some of which are listed below:

  • OS X contains a data wiping feature which destroys data completely
  • OS X does not create temporary or pointer files
  • OS X does not keep a log of devices that have been attached
  • OS X stores the Internet browser cache in a single file, which is much harder to interrogate than the PC equivalent data
  • OS X does not store configuration data in a single system registry as the PC does; instead it stores configuration data in multiple folders and files in multiple locations

As we can clearly see, Mac forensics is far less straightforward than the equivalent PC forensics and requires a well-trained Mac forensics analyst to produce effective results. Mac forensics follows a similar pattern or methodology to PC forensics, whereby a forensically clean disk image is created as a first step. Once this disk image has been saved, the Mac forensics technician can then begin to interrogate the saved data. Metadata interrogated as part of Mac forensics is less complete than the data obtainable from a PC, as the Mac does not record system dates and times, only file creation and modification dates. One final hurdle for the Mac forensics analyst lies in the fact that Mac users often use a larger range of e-mail clients, none of which can be interrogated by standard computer forensics tools.

Some other differences, and things to know, are as follows:

  • Comprehensive identification and extraction of both resource and data forks. Windows-reliant systems commonly miss one part, rendering the file unreadable
  • Correctly identify bundle files (unique to Mac) and process them as a single file. Windows-reliant systems commonly see bundle files as thousands of separate files containing no data
  • Properly identify and process files within container files unique to Mac OS X, such as .dmg, .sit and sparse bundles. Windows-reliant systems commonly ‘interpret’ these containers as hollow files rather than as the storage devices they represent
  • Properly identify and process email archives and file attachments. Windows-reliant systems commonly cannot search within email attachments, missing vital data
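As an added illustration of the first three points above (this is example code written for this page, not a D3Forensics tool), the triage walker below classifies an exported evidence tree the way a Mac-aware tool must: it pairs each resource fork with its data fork and flags orphans, reports an application bundle as one item instead of descending into it, and lists .dmg, .sit and .sparsebundle items as containers. It assumes the evidence was exported onto a non-HFS filesystem, where each resource fork travels as an AppleDouble "._name" sidecar; the file names in the sample tree are constructed.

```python
import os
import tempfile
from pathlib import Path

# Assumption (constructed for this example): the evidence was exported from a
# Mac volume onto a non-HFS filesystem, so each resource fork travels as an
# AppleDouble "._<name>" sidecar next to its data fork.
FILE_CONTAINERS = {".dmg", ".sit"}   # container files the page names


def is_bundle(path: Path) -> bool:
    """Application bundles are directories holding Contents/Info.plist."""
    return path.is_dir() and (path / "Contents" / "Info.plist").is_file()


def triage(root: Path) -> dict:
    """Classify an exported tree: pair each resource fork with its data fork,
    flag orphan forks, and report bundles and containers as single items
    instead of loose files."""
    out = {"paired_forks": [], "orphan_forks": [], "bundles": [], "containers": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in list(dirnames):
            p = here / d
            if is_bundle(p) or p.suffix == ".sparsebundle":
                key = "containers" if p.suffix == ".sparsebundle" else "bundles"
                out[key].append(str(p.relative_to(root)))
                dirnames.remove(d)          # treat as one item, do not descend
        for f in filenames:
            p = here / f
            if f.startswith("._"):          # AppleDouble sidecar = resource fork
                key = "paired_forks" if (here / f[2:]).exists() else "orphan_forks"
                out[key].append(str(p.relative_to(root)))
            elif p.suffix.lower() in FILE_CONTAINERS:
                out["containers"].append(str(p.relative_to(root)))
    return out


def demo() -> dict:
    """Build a small constructed evidence tree in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "Notes.app" / "Contents" / "MacOS").mkdir(parents=True)
    (root / "Notes.app" / "Contents" / "Info.plist").write_text("<plist/>")
    (root / "Notes.app" / "Contents" / "MacOS" / "Notes").write_bytes(b"\xcf\xfa\xed\xfe")
    (root / "backup.sparsebundle" / "bands").mkdir(parents=True)
    (root / "report.doc").write_bytes(b"data fork")
    (root / "._report.doc").write_bytes(b"resource fork")
    (root / "._lost.doc").write_bytes(b"fork whose data file is missing")
    (root / "image.dmg").write_bytes(b"\x00" * 16)
    return triage(root)
```

Running `demo()` reports one paired fork, one orphan fork, one bundle and two containers; a tool that walked the tree file by file would instead list the bundle's contents as loose files and the orphan sidecar as an unreadable stray.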