MacForensicsLab 3.0 Manual
About MacForensicsLab
Welcome to MacForensicsLab. If this is your first time using
MacForensicsLab software be assured you made the right decision.
MacForensicsLab Incorporated is the world-wide leader in Macintosh-
based forensics, with many federal, state and local law enforcement
organizations around the globe using our software. In addition,
MacForensicsLab is used by the military, intelligence community, and
many privately owned and operated organizations seeking a powerful
and innovative forensic solution.
MacForensicsLab Overview
MacForensicsLab is the first comprehensive computer forensic solution
that runs natively on a Macintosh. As such, MacForensicsLab combines
the power of modern computing with elegant design and a feature-rich
environment. It is capable of performing all aspects of the forensic
process on any filesystem the system bus can recognize; these
filesystems include NTFS, UFS, HFS, HFSPlus, ext2, ReiserFS and many
more.
System Requirements
Additional Considerations
Providing the system with more resources and faster equipment, such
as a faster processor, more RAM and a faster, larger hard disk drive,
will improve the performance of MacForensicsLab wherever data reading,
calculation and verification functions are occurring.
Installing MacForensicsLab
The download page will present the above image. To begin the
download, click on the image.
Downloaded Archive
Installing MacForensicsLab
Launch MacForensicsLab
In this example we will configure a Local File database (this means the
database file will be resident on the local machine and not connected
remotely to a database). The "Database" tab in the upper left of the
window is selected (1), then select the "Local File" (2), next select
"Create" (3).
The Preference Pane appears and the new examiner information can
be noted.
To add a new case to the database, select the "Cases" tab (1) along
the top of the window. Add a case by selecting the "+" radio button in
the lower left (2). Once the radio button is selected, a Case Details
pop-up window will appear.
The Case Details window allows the user to enter case details.
Once the "Save" button is selected in the previous step, the user is
returned to the Preferences Pane. Be sure to highlight the new case,
as seen above.
Complete all requisite information and select "Test:" (1) to ensure the
connection is properly configured. Once the test is successful, select
the "Continue" button (2).
Complete Authentication
Enter the admin password (1) and then select "OK" (2).
Case Preparation
Overview
During the course of using MacForensicsLab the examiner will come
across a range of different suspect devices, media and disk images.
These will all work with a variety of ‘Read’ and ‘Write’ access settings.
It is therefore important to ensure that the examiner understands how
each of these varies and how the computer interacts with them.
TIPS -- If you have Disk Arbitration turned off and you have quit
MacForensicsLab, you will need to relaunch MacForensicsLab, and
enable Disk Arbitration or your machine will not boot correctly.
It is essential that, before the examiner uses any drive for storing the
results of an investigation, the drive has been cleared properly.
This means the work drive should have been formatted with at least
a single pass of zeroing data.
To clear the work drive, select a partition of the designated drive in the
‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear
work drive” from the File menu. A confirmation window will come to
the fore, which the examiner should accept, after which the ‘Shred’
window will come forward.
The window contains a slider with which the examiner can set the
number of passes required to clear the drive. In order to speed up
the process, the examiner also has the option to shred only “Free
Space”, so that only the available space on the partition will be
cleared. Having set this, simply click Start and the clearing procedure
will begin. If the examiner picks the wrong partition, and/or decides
to stop, simply click Close; the ‘Shred’ window will disappear and
he or she will be returned to the ‘Main’ window.
Core Functions
Overview
The ‘Preferences’ window allows the examiner to setup and manage
both individual cases and examiners within MacForensicsLab. In
addition, it enables the examiner to configure MacForensicsLab
database settings and even configure an e-mail based notification
feature.
The Preferences window has four sections, each containing its own
preference information. The four sections are: Database (1),
Examiners (2), Cases (3) and eMail (4).
To create a local database file, select Local File (1), and then
"Create." (2)
Once you select "Create" in the previous step, a navigation box will
appear allowing the examiner to select the location of the local
database file (by default it will place the file in the Documents folder
and name it MacForensicsLab Database.rsd).
Once the examiner has chosen a location for the Local Database file to
be stored, they are returned to the Database Window, where the path
chosen is displayed (1).
Once the examiner specific form fields are filled out, select the "Save"
button, thus returning the examiner to the Preferences Window.
To add a case, select the "Cases" Tab (1) from the Preferences window
and select the "+" button (2). Once selected, a pop-up window will
appear.
The Case Details window has two sections, the Case ID (1) and the
Description (2). The Case ID represents a field where the examiner
would enter the case number. The Case Description field is a simple
text field enabling the examiner to input additional case information.
By selecting the eMail tab (1), filling out the form fields (2) and
testing the connection (3), the examiner is able to receive
password notification when MacForensicsLab has completed its current
process. Once configured, press "Continue" (4).
Overview
The ‘Main’ window is the starting point after accessing a case and
provides the examiner with a detailed view of the system, any devices
or disk images attached to it and their directory and file structure. It is
from the ‘Main’ window that the examiner will gain full access to the
wide array of functions and features that MacForensicsLab provides,
each of which will be covered in subsequent chapters of this manual.
In the Main Window, there are two buttons: "Devices" (1) and
"Files" (2). As depicted above, the Device button lists all devices (with
their respective partitions and volumes) attached to the machine in the
leftmost pane (3). When a device is selected the corresponding device
details appear in the Explorer portion of the window (4).
When the Files Tab (1) is selected, the leftmost portion of the window
lists shortcuts (2) to volumes and user folders, with the Explorer
portion of the window (3) allowing for viewing of the directory
structure and individual files, along with their corresponding
information (such as date/times, permissions, etc.).
The ‘Buttons’ panel provides the examiner with access to selected core
functions of MacForensicsLab.
Each button in turn will be highlighted and accessible, or grayed out
and disabled, dependent on the item selected by the examiner in
either of the ‘Access’ panels. The current system information is
displayed along the bottom of the Buttons panel.
Having made the desired changes to the presets, click the Start button
to begin the acquisition process. If creating an image rather than
resuming one, this will bring up a ‘Save file’ dialog box and the
examiner will be prompted to enter a filename for the disk image. By
default the file name appears as “Disk Image”; select and edit this to
a preferred name and then choose a location into which to save the
disk image. Then click Save and the process will begin.
Note: Always save the disk image to a location other than the device
being imaged. Also, make sure that the device to which the new disk
image is being saved has enough storage space. The acquisition of a
60GB hard drive will require the destination disk to have a minimum of
60GB of free capacity.
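An added example, not part of this manual or the MacForensicsLab software, that scripts the two cautions in the note above: it checks that the destination has at least as much free space as the source is large, copies the source block by block while hashing, and then re-hashes the written image to verify it. It assumes the source is a raw device node or an image file readable by the current user; the demo uses a constructed temporary file as the "device".

```python
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 1024 * 1024  # copy and hash in 1 MiB blocks


def device_size(path):
    """Size in bytes of a regular file or a raw device node (seek to end)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def hash_stream(path, block_size=BLOCK_SIZE):
    """MD5, SHA-1 and SHA-256 of a file or device, read block by block."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire_image(source, image_path, block_size=BLOCK_SIZE):
    """Image `source` into `image_path`; return byte count and verified hashes.

    Applies the manual's two cautions before and after the copy: the
    destination must have at least as much free space as the source is
    large, and the image written to disk is re-read and compared with the
    hashes of the data that was read from the source.
    """
    size = device_size(source)
    dest_dir = os.path.dirname(os.path.abspath(image_path))
    free = shutil.disk_usage(dest_dir).free
    if free < size:
        raise ValueError(f"need {size} bytes free in {dest_dir}, have {free}")

    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            for d in digests.values():
                d.update(block)
            dst.write(block)
            copied += len(block)
    source_hashes = {name: d.hexdigest() for name, d in digests.items()}

    # Verification pass: hash the image as it now sits on the work drive.
    if copied != size or hash_stream(image_path, block_size) != source_hashes:
        raise ValueError("image verification failed")
    return {"bytes": copied, **source_hashes}


def demo():
    """Acquire a constructed 'device' (a temp file of 3 MiB plus a partial
    trailing block) and report whether the result matches an independent
    SHA-256 of the same data."""
    data = bytes(range(256)) * (3 * 4096) + b"trailing-partial-block" * 5 + b"xyz"
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect.raw")
        with open(source, "wb") as fh:
            fh.write(data)
        result = acquire_image(source, os.path.join(tmp, "Disk Image.dmg"))
    expected = hashlib.sha256(data).hexdigest()
    return result["bytes"] == len(data) and result["sha256"] == expected


if __name__ == "__main__":
    print(demo())
```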
To access the disk image, while in the ‘Main’ window, select “Attach
Disk Image” from the File menu, or use the keyboard shortcut
[Command] + [T]; the Attach Disk Image dialog box will appear. Click
the Select button to choose the disk image to mount. There are two
options listed for attaching the image.
Use Shadow File – This option will mount the disk image using a
shadow file which emulates the disk being writable without actually
writing to the disk image itself.
Once you have selected the desired disk image and options, click the
Attach button.
Using this method avoids the need to unlock and lock the image file
from the Finder. After mounting disk images, the examiner may need
to force MacForensicsLab to rescan for new devices or images; this can
be done either by selecting “Rescan Bus” from the file menu, or with
the keyboard shortcut [Command] + [R].
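An added illustration (example code, not MacForensicsLab's own implementation) of what the "Use Shadow File" option does: the base image is opened read-only and every write goes to a separate file, so the view appears writable while the evidence image stays byte-for-byte unchanged. The block size, shadow file layout and in-memory index are assumptions of this example.

```python
import hashlib
import os
import tempfile


class ShadowImage:
    """A writable view of a disk image whose writes never reach the image.

    The base image is opened read-only; every modified block is kept in a
    separate shadow file and an in-memory index maps block numbers to
    their offset in that file.  Reads serve a block from the shadow file
    when one exists there and from the untouched base image otherwise.
    """

    def __init__(self, image_path, shadow_path, block_size=4096):
        self.block_size = block_size
        self.base = open(image_path, "rb")      # read-only: the evidence
        self.base.seek(0, os.SEEK_END)
        self.size = self.base.tell()
        self.shadow = open(shadow_path, "w+b")  # fresh shadow for this session
        self.index = {}                          # block number -> shadow offset

    def _block(self, n):
        if n in self.index:
            self.shadow.seek(self.index[n])
            return self.shadow.read(self.block_size)
        self.base.seek(n * self.block_size)
        return self.base.read(self.block_size)

    def read(self, offset, length):
        out = bytearray()
        pos, end = offset, min(offset + length, self.size)
        while pos < end:
            n, within = divmod(pos, self.block_size)
            take = min(end - pos, self.block_size - within)
            out += self._block(n)[within:within + take]
            pos += take
        return bytes(out)

    def write(self, offset, data):
        if offset + len(data) > self.size:
            raise ValueError("write beyond end of image")
        pos = offset
        while data:
            n, within = divmod(pos, self.block_size)
            block = bytearray(self._block(n))
            take = min(len(data), self.block_size - within)
            block[within:within + take] = data[:take]
            if n not in self.index:                 # first change to this block
                self.shadow.seek(0, os.SEEK_END)
                self.index[n] = self.shadow.tell()
            else:
                self.shadow.seek(self.index[n])
            self.shadow.write(bytes(block))
            data, pos = data[take:], pos + take
        self.shadow.flush()

    def close(self):
        self.base.close()
        self.shadow.close()


def demo():
    """Write into a constructed 3-block image through a shadow file, then
    confirm the view changed while the base image's hash did not."""
    original = b"A" * 4096 + b"B" * 4096 + b"C" * 4096
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dmg")
        with open(image, "wb") as fh:
            fh.write(original)
        view = ShadowImage(image, os.path.join(tmp, "evidence.shadow"))
        view.write(4090, b"--TAMPERED--")          # straddles blocks 0 and 1
        seen = view.read(4088, 16)
        view.close()
        with open(image, "rb") as fh:
            unchanged = hashlib.sha256(fh.read()).digest() == hashlib.sha256(original).digest()
    return {"view": seen, "base_unchanged": unchanged,
            "shadowed_blocks": sorted(view.index)}


if __name__ == "__main__":
    print(demo())
```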
Overview
The ‘Search’ function of MacForensicsLab provides the examiner with
an automatic means by which to scan a directory, gather evidence and
bookmark that same data for later reference. This helps the examiner
to quickly and easily zero in on suspect material. In performing the
function, MacForensicsLab creates bookmarks of the selected directory
structure, collecting all of the file information and hash values as it
scans.
The ‘Search Filter’ panel is the part of the ‘Search’ window within
which the examiner may establish criteria by which to filter the results
of the search scan. Filters are based on standard file information, such
as, but not limited to: filename; size; date of creation.
Browse Results
Bookmarks Panel
When performing a search scan the examiner can use the options
contained within the ‘Bookmarks’ panel to auto-generate bookmarks of
matched items, and make them available for easy reference at a later
date. The text area below the folder drop down is designed for
comments or a description pertaining to your customized bookmarks
folder.
Hash Panel
-Is Equal To
-Is Not Equal To
-Contains
-Does Not Contain
-Is Less Than
-Is Greater Than
-Is in database
-Is not in database
Clicking the (+) button underneath the desired pane will create a new
filter/item at the bottom of the current list, after which the examiner
can manually edit the filter/item details. To remove an individual filter,
select the respective item and then press the (-) button. Clearing an
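An added example (not code from the manual or the product) of the Search Filter panel's comparison operators applied to file records, including the two hash-database operators: a set of known-file hashes is used to drop files whose hash "Is in database". How multiple filter rows combine (all must hold) is an assumption of this example, as is the constructed directory used in the demo.

```python
import datetime
import hashlib
import operator
import os
import tempfile

# The comparison operators offered for a filter, as functions of
# (file value, filter value).  For the two database operators the filter
# value is the set of known hashes.
OPERATORS = {
    "Is Equal To": operator.eq,
    "Is Not Equal To": operator.ne,
    "Contains": lambda have, want: want in have,
    "Does Not Contain": lambda have, want: want not in have,
    "Is Less Than": operator.lt,
    "Is Greater Than": operator.gt,
    "Is in database": lambda digest, db: digest in db,
    "Is not in database": lambda digest, db: digest not in db,
}


def file_record(path):
    """The standard file information a filter can test: name, size,
    creation date (birth time where the OS exposes it) and SHA-256."""
    st = os.stat(path)
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(block)
    created = getattr(st, "st_birthtime", st.st_mtime)
    return {"filename": os.path.basename(path), "size": st.st_size,
            "created": datetime.datetime.fromtimestamp(created),
            "sha256": sha256.hexdigest()}


def matches(record, filters):
    """Every filter row (field, operator, value) must hold.  That rows are
    ANDed is an assumption of this example; the manual does not say."""
    return all(OPERATORS[op](record[field], value) for field, op, value in filters)


def search_scan(root, filters):
    """Walk `root` and return the file records that pass the filters."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rec = file_record(os.path.join(dirpath, name))
            if matches(rec, filters):
                found.append(rec)
    return sorted(found, key=lambda r: r["filename"])


def demo():
    """Constructed directory: a small note, a photo and a vendor library
    whose hash is in the known-file database.  Filter for files over 1000
    bytes whose hash is not known and whose name is not a .txt; only the
    photo should remain."""
    vendor = b"\x7fELF" + b"\x00" * 4092
    files = {"notes.txt": b"n" * 100,
             "photo.jpg": b"\xff\xd8\xff" + b"\x00" * 4997,
             "libvendor.so": vendor}
    known = {hashlib.sha256(vendor).hexdigest()}
    filters = [("size", "Is Greater Than", 1000),
               ("sha256", "Is not in database", known),
               ("filename", "Does Not Contain", ".txt")]
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [r["filename"] for r in search_scan(tmp, filters)]


if __name__ == "__main__":
    print(demo())
```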
Auto-Bookmarking Files
Overview
There will come a point in the case when an examiner may wish to
analyze the file data block-by-block; the ‘Analyze’ function enables
that to be done. Once analysis has been performed and evidence
located, the examiner can then export and/or hash the requisite
section of the drive to file for safekeeping and later use or further
analysis.
The ‘Hex Content’ pane is the right-hand side of the ‘Analyze’ window
and is where the examiner can read block data piece by piece in ‘Hex’
The ‘Search Items’ pane contains a number of elements that are of use
to the examiner:
Search Fields Pane – This is the first element in the Search Items
pane, and contains the working list of search terms (or filters) with
which to analyze the data blocks. It is split into two columns: type
and value. Type specifies whether the string is to be pattern-matched
against the HEX content or the text (ASCII) content of the blocks.
Value is the string that will be pattern-matched against blocks in that
format, usually a word.
Found Pane
The ‘Found’ pane permits the examiner to access very quickly and
easily any of the hits that are generated as a result of the terms used
in the search. To view a specific block entry in the ‘Hex Content’ pane,
click on the individual result item and the block data will load into the
Hex viewer in the main panel.
To do so, the examiner must click the (+) button below the ‘Search
Items’ pane; this will add a new field. After this, the examiner should
define the search term type (text or hex) by clicking the up/down
arrows in the centre of the search term row, followed by typing in a
unique search term string in the text entry field to the right hand side
of the arrows.
Custom search lists are essentially ‘CSV Text’ files with each individual
search term on a new line. Custom search lists are also a great way to
keep a database of useful terms and means that running a productive
analysis or cataloguing on a suspect device is a process that is no
more than just a few clicks away from getting started.
To import a list, click on the Import button to the middle of the ‘Search
Items’ drawer. This will bring up a ‘Find File’ dialog box. Once the
examiner has found the file, click ‘Open’.
Each individual line item will then appear as an individual term in the
‘Search Items’ pane. The examiner then has to define whether each
Once the search items have been defined in the ‘Search Items’ pane,
either individually or by import, and when the other settings have
been defined, the examiner need only click the now enabled Search
button to perform the search. Once the scan is complete the results
will appear in the ‘Found’ pane. Clicking on any hit displayed in the
‘Found’ pane will display the location of that hit in the ‘Hex Content’
pane and highlight it. The block number it is found in will be displayed
at the bottom of the ‘Hex Content’ pane in the Block Number field.
The start and length of the hit will also be populated in the Carve
section.
Once the search has completed (1), the resulting hits are displayed in
the ‘Found’ section of the Analyze window. The user may examine
these hits by clicking on them (2) and the hit location will be displayed
in the ‘Hex Content’ section of the window (3). When clicked, the
search hit will turn red and a check mark will appear next to it. This
allows the examiner to see which results they have reviewed and
which ones they have yet to review, saving them time by making sure
they don’t re-examine search hits.
The examiner may use the Start and Length fields to define the starting
byte and the number of bytes after it to be carved out. These values
can be changed by either entering the desired number in the Start and
Length fields or by pressing the up and down arrows to the right of
those fields. Clicking the Locked boxes to the right of these fields will
lock the field to prevent it from being changed.
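The search term types, the imported search list and the Block Number / Start / Length results described above, as an added example that is not the product's own code. It assumes a fixed 512-byte block size and reads the device in overlapping chunks so that a term straddling a block or read boundary is still found, and found exactly once; the device in the demo is constructed in memory.

```python
import binascii
import io

BLOCK_SIZE = 512  # block size used for the reported Block Number


def load_search_list(text):
    """Parse a custom search list: one term per line, blank lines ignored.
    Every imported term starts out as type 'text'."""
    return [("text", line.strip()) for line in text.splitlines() if line.strip()]


def compile_terms(terms):
    """Turn (type, value) rows into byte patterns: 'hex' values are matched
    against the raw block bytes, 'text' values against their ASCII content."""
    compiled = []
    for kind, value in terms:
        if kind == "hex":
            pattern = binascii.unhexlify(value.replace(" ", ""))
        elif kind == "text":
            pattern = value.encode("ascii")
        else:
            raise ValueError(f"unknown search term type {kind!r}")
        compiled.append((kind, value, pattern))
    return compiled


def search_device(fh, terms, block_size=BLOCK_SIZE, chunk_blocks=2048):
    """Scan a file-like device for every term.  Reads overlap by the
    longest pattern minus one byte so a hit straddling a read boundary is
    still found; each hit is reported once with the block it starts in,
    its absolute start offset and its length (the Carve fields)."""
    compiled = compile_terms(terms)
    overlap = max(len(p) for _, _, p in compiled) - 1
    hits, base, carry = [], 0, b""
    while True:
        chunk = fh.read(block_size * chunk_blocks)
        if not chunk:
            break
        buf, buf_base = carry + chunk, base - len(carry)
        for kind, value, pattern in compiled:
            pos = buf.find(pattern)
            while pos >= 0:
                start = buf_base + pos
                if start + len(pattern) > base:   # not already reported
                    hits.append({"term": value, "type": kind,
                                 "block": start // block_size,
                                 "start": start, "length": len(pattern)})
                pos = buf.find(pattern, pos + 1)
        base += len(chunk)
        carry = buf[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: (h["start"], h["term"]))


def carve(fh, start, length):
    """Return the bytes the Start and Length fields select."""
    fh.seek(start)
    return fh.read(length)


def demo():
    """Run the search over a constructed 4-block device in which one text
    term straddles a block boundary and one hex term is a JPEG header."""
    device = bytearray(b"\x00" * (4 * BLOCK_SIZE))
    device[509:515] = b"passwd"                  # crosses the block 0/1 boundary
    device[1100:1103] = b"\xff\xd8\xff"          # JPEG SOI marker in block 2
    device[1500:1506] = b"passwd"
    terms = load_search_list("passwd\n\n") + [("hex", "FF D8 FF")]
    fh = io.BytesIO(bytes(device))
    hits = search_device(fh, terms, chunk_blocks=1)  # one block per read
    first = carve(fh, hits[0]["start"], hits[0]["length"])
    return hits, first


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
```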
Upon completion a message will pop to the fore and the user can
simply close this and continue on with the investigation.
The Salvage window is divided into upper and lower sections. The
upper section is responsible for the settings Salvage will invoke upon
starting. These settings include "Supported File Formats," "Import a
Prior Scan," and "Start a New Scan". The Supported File Formats
section allows the examiner to select specific file types or groups of file
types (i.e., all music files, images files and so on), as well as selecting
all file formats (the default). In addition, these settings can be further
defined to search Free Space Only (Deleted Files) or the Entire Device
(All Files). Options for speed can also be selected by choosing either
Fast Scan (Block by Block) or Slow Scan (Byte by Byte).
Once you have scanned for files that Salvage can recover, a window
appears asking if you'd like to save the results of the scan. If you are
not going to Salvage all files possible, it is a good idea to save the
results of the scan. This process will save time later if the examiner
needs to go back and Salvage additional files from the case.
Once the examiner has opted to save the scan results, a pop-up
window appears asking for a destination for the scan results to be
saved, once input, select "Save."
As illustrated above, all possible files are divided by type and number.
Once the files for Salvage have been selected, a navigation box
appears allowing the examiner to select the location to which the
Salvaged files will be exported.
Filename Rebuilder
Only some formats (such as JPEG, MP3, Word, etc.) will be
renamed. The rest will be named in numeric sequence.
This section will describe the core functionality of the Browse function
of MacForensicsLab.
Overview
The ‘Browse’ window provides the examiner with an exceedingly quick
and easy way to search for files (primarily images and multimedia) in
directories, view the results found based on the preset search criteria,
bookmark, make notes and even perform closer analysis.
Image Checks:
-Image-only results (yes or no) (2)
-Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)
To invoke the Browse, select the "Browse" (5) button at the bottom
of the window.
Viewing Bookmark
Overview
The Audit function enables the examiner to quickly and easily locate
relevant OS artifacts as they pertain to the system, the network and
the user.
Getting Started
To invoke the Audit function, the examiner must select the "Files" (1),
the volume/partition (2) with a valid user folder contained within it
from the ‘Device’ pane of the ‘Main’ window. Furthermore, the
examiner must select the "Users" folder (3) for the ‘Audit’ button to
become enabled.
Once the Audit button is enabled, the examiner can select a specific
user (1), or if the system has multiple users, he/she can check "Audit
all users" (2), then select the "Audit" button (3).
Save Report
The report should have an MFL logo. The one listed below may be from
a previous beta.
The examiner can select any hyperlink and be taken directly to that
portion of the report.
Once completed, the Hash window appears. The hash values are
displayed in two separate fields. The first shows the hash data
presented in a form for better human readability. The second field
shows the raw hash data. Both contain the same information, just
formatted differently for interoperability and readability.
The results of the hash can be either saved out as a text file by
clicking the Export button or added directly to the hash database. To
export, select the format of the hash you would like to export using
the radio button, click "Export" and navigate to where the file is to
be saved. To add the hash data to the database, select the database
section from the drop-down menu and click the “Add” button.
Overview
MacForensicsLab uses bookmarks to assist the examiner in collecting
files of investigative interest. It is possible to bookmark files and
directories for reference and examination at a later time in the case.
Likewise, the examiner can bookmark any file or folder, or groups of
files. You cannot bookmark devices or specific blocks within a device.
Resizing Panes
Once the ‘Add Bookmark Folder…’ window comes to the fore, the
examiner need only enter the name of the new folder (1) into the
“Name” text input field, and click Save (3). If the examiner so wishes,
he or she can enter a note/summary into the “Summary” text field (2)
for reference then and there, or do so at a later time from the
‘Bookmarks’ window.
Clearing Actions
Removing Bookmarks
Removing bookmarks, either collectively or individually, can be done
from the ‘Bookmarks’ window.
Examiner Notes
Notes in MacForensicsLab
Overview
Case Notes are an extremely useful function of MacForensicsLab that
allow the examiner to add comments and observations to their case
file at any point during the examination process. Whether browsing the
‘Main’ window or in the middle of a lengthy acquisition, the examiner
can open the ‘Notes’ tab of the ‘Database’ window, using either the
keyboard shortcut ("Command + N") or the ‘Window’ drop-down menu,
and make the desired entry, before returning to the prior screen when
finished.
Opening Notes
To add a new note, the examiner need only click the (+) button at the
bottom right hand side of the upper ‘Notes Data’ pane. This will
generate a blank new entry, which the examiner needs to then select
and enter his or her notes into, using the lower ‘Note Entry’ pane.
Having completed the note, the examiner can then click the ‘Save’
button and close the ‘Database’ window and return to the previous
screen.
Overview
Whichever database (local file, RealSQL server, MySQL server) is
enabled via the ‘Preferences’ window, detailed logs are kept of every
action and all points of interest to support the examiner in
understanding and in the final presentation of their evidence. In the
‘Database’ window, the examiner has full access to comprehensive
details of what has been logged in the forensic examination to date.
The Views
As each tab is clicked in turn the database will be read, either locally
or centrally, and the contents loaded into the new window layout;
needless to say, the larger the dataset the longer the process of
fetching and loading the data will take to complete.
The Audit Log - lists the date and time of an acquisition process, a
description of it and the specific OS artifact information generated, to
The Chronology Log - lists all the events from the moment the case
reference is set up to the latest action performed in MacForensicsLab.
It lists the date and time of the actions, the name of the examiner, the
action performed (opening windows, pressing buttons etc) and the
data returned by the actions.
The Notes Log - contains all the notes regarding the investigation as
inputted by various examiners. Notes are listed with examiner name,
date and initial number of characters, with the ability to view an entire
note, as well as manage and edit notes.
The Salvage Log - keeps track of the date and time of the salvage
process, the name of the examiner, the actions performed, and the
location and specific details of the files salvaged.
Managing Records
Certain panes containing log data benefit from the availability of
management buttons. That is to say that an assortment of buttons
exist to:
-Refresh
-Clear
-Delete
-Add
-Edit
Reporting
Generating a Report
Report Location
Keyboard Shortcuts
This section covers the various ways to obtain help and technical
support when using MacForensicsLab.
On the Web
We provide over 100 links to forensic resources, manuals, a complete
knowledge base and a plethora of additional information on our
website. For updates, resources and additional information please
visit:
http://www.MacForensicsLab.com
Technical Support
We provide free technical support both via email or phone during the
hours 10am to 6pm Pacific Standard Time (GMT -8) Monday to
Friday. By email, we can be reached at the following address:
support@macforensicslab.com. By phone, we can be reached at: +1
(510) 870 7883, or by fax on +1 (510) 868 3407.
Company Address
MacForensicsLab Incorporated
37600 Central Ct, Suite 212
Newark, California 94560
Uninstalling MacForensicsLab
Glossary
Acquisition
The process through which an examiner can make duplicate working
copies of a suspect drive, media or other data storage hardware.
Device
Could refer to any form of data storage technology, or equipment
required to read data stored on media such as CDs or DVDs.
Disclosure triangle
Disk Image
A disk image is a computer file containing the complete contents and
structure of a data storage device. The term has been generalized to
cover any such file, whether taken from an actual physical storage
device or not.
Disk Arbitration
The process by which a workstation will discover and attempt to mount
a device connected to it. OS X is notified of the event by the kernel
and will immediately look for mountable partitions on the drive. If
found, the OS initiates the mount, then the internal disk arbitration
tables are updated with the proper information, which eventually
updates any programs that subscribed to notifications. During the
process, the suspect’s drive will also be updated.
Evidence Item
Refers to an individual file that may be of use to an investigation or
case.
Finder
Also referred to as the Desktop by workstation users. This is the
Graphical User Interface portion; or rather Front-End that allows the
human User to visually interact with the computer.
Hash or Hashing
Producing hash values for accessing data or for security and
verification. A hash value (or simply hash), also called a message
digest, is a number generated from a string of text. The hash is
substantially smaller than the text itself, and is generated by a formula
in such a way that it is extremely unlikely that some other text will
produce the same hash value. Formulas used to create hash values, in
ascending order of strength, include MD5, SHA1 and SHA2, otherwise
known as SHA256.
Pane
The part of an application window where data may be previewed in
columnar or free form style. Headers may be used to sort columns,
whilst free form text can be edited.
Suspect Drive
The drive that is the focus of the investigation and which the examiner
should avoid tainting if evidence collected is required for later use in a
legal environment.
Work Drive
Refers to the drive on which an examiner will store files relating to a
case. Salvaged files and other data are written to the work drive
rather than to the “Suspect Drive”, so as not to contaminate or lose
data there.
EULA
DO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ
THIS AGREEMENT AND AGREE TO THE TERMS OF THIS LICENSE. BY
USING THE ENCLOSED SOFTWARE, YOU ARE AGREEING TO THE
TERMS OF THIS LICENSE.
iv. Transfer Software and all rights under this license to another party
together with a copy of this license and all documentation
accompanying the Software, provided the other party agrees to accept
the terms and conditions of this license.
4. Export Law Assurances. You agree and certify that neither the
Software nor the documentation will be transferred or re-exported,
directly or indirectly, into any country where such transfer or export is
prohibited by the relevant governmental parties and regulations there
under or will be used for any purpose prohibited by relevant
government parties.
This Software and manual are licensed “AS IS.” It is solely the
responsibility of the consumer to determine the Software’s suitability
for a particular purpose or use. MacForensicsLab Inc. and anyone else
who has been involved in the creation, production, delivery or support
of the Software, will in no event be liable for direct, indirect, special,
consequential or incidental damages resulting from any defect, error or
omission in the compact disc, diskettes, manual or Software or from
any other events including, but not limited to, any interruption of
service, loss of business, loss of profits or good will, legal action or any
other consequential damages. The user assumes all responsibility
arising from the use of this Software. MacForensicsLab Inc.'s liability
for damages to you or others will in no event exceed the total amount
paid by you for this Software. In particular, MacForensicsLab Inc. shall
have no liability for any data or programs stored by or used with
MacForensicsLab Inc.’s Software, including the costs of recovering
such data or programs. MacForensicsLab Inc. will be neither
responsible nor liable for any illegal use of its Software.
7. General. This license will be construed under the laws of the state of
California, except for that body of law dealing with conflicts of laws, if
obtained in the United States, or the laws of jurisdiction where
obtained if obtained outside the United States. If any provision of this
license is held by a court of competent jurisdiction to be contrary to
law, that provision will be enforced to the maximum extent
permissible, and the remaining provisions of this license will remain in
full force and effect.
Copyright Notice
Under the copyright laws, neither the programs nor the manual may
be copied, reproduced, translated, transmitted or reduced to any
printed or electronic medium or to any machine-readable form, in
whole or in part, without the written consent of MacForensicsLab Inc.
Trademarks
"MacForensicsLab” is a trademark of MacForensicsLab Inc.