Philip Craiger, PhD
Assistant Director for Digital Evidence
National Center for Forensic Science &
Department of Engineering Technology
University of Central Florida
philip@craiger.net

Paul K. Burke
Senior Digital Evidence Research Assistant
National Center for Forensic Science
paulkburke@gmail.com

ABSTRACT
There are few resources that describe a forensic analysis of an Apple Mac computer. The purpose of this paper is to describe procedures for conducting a forensic examination of an Apple Mac running the newest operating system, Mac OS X, and its default file system, the Hierarchical File System Plus (HFS+). Our chapter is divided into four sections. In the first we demonstrate the use of Target Disk Mode to create a forensic duplicate of a Mac hard drive and to perform an on-site preview of a suspect's computer. In the second we describe the HFS+ file system and the data structures it uses to represent files, which are important in the recovery of deleted files. In the third section we describe several procedures for recovering evidence at the physical level from unallocated space, slack space, and virtual memory. Finally, we describe methods to recover trace evidence from the Mac OS X default email, web browser, and instant messaging applications, as well as forensic procedures to recover commands issued from a terminal window.
Keywords: Mac OS X, Mac OS X forensics, digital forensics, computer forensics.
Mac Forensics: Mac OS X and the HFS+ File System
The Apple Macintosh (or Mac) was first introduced to the public in 1984. Since then it has enjoyed a small, albeit vocal, user base – typically somewhere between 3 and 8% of the installed operating system base. It is not surprising, then, that very little has been published regarding digital forensics on Macintosh computers.
To partially rectify this lack of information, in this chapter we present an introduction to forensics