Ryan R. Kubasiak
Forensic Analyst & Instructor, BlackBag Technologies
(updated May 16, 2013)
- Cellebrite UFED Physical/Logical Analyzer 3.7 - Cellebrite has just released the latest version of the UFED Physical/Logical Analyzer which includes specific features for iOS devices. Included are enhanced decoding for iOS devices and deleted apps list recovery. See their website for full details.
- File System Comparison - We have posted a quick reference to OS X and its abilities to utilize other file systems. This reference also correlates date stamps from HFS+ to other file systems.
- BlackLight 2013R1.1 released - BlackBag Technologies has released an update to BlackLight, bringing fixes and new features to the OS X, iOS and Windows analysis application. Full details of this update can be found on their website.
- Audit from TwoCanoes - Audit is open source software to control and read the audit logs of an OS X system. The audit logs contain information such as login/logout, authentication, and administrative actions.
- MacQuisition 2013R1.1 released - BlackBag Technologies has released an update to their Mac Incident Response and Imaging tool. This update adds new features and enhances support for all of the latest Macs. See the BlackBag website for complete details.
- Internet Evidence Finder v6 released - IEF v6 has been released today with new support for OS X artifacts. IEF v6 includes support for images and virtual machines with HFS+ and HFSX file systems. Notable features include parsing of many social network artifacts, peer to peer artifacts, unique Mac data with iChat, Adium and Emule, Time Machine, sleepimage file parsing and unencrypted swap file parsing. Details can be found at Magnet Forensics website.
- Lion Disk Maker - This website has a great free Applescript based app to create bootable install media for 10.7 and later. The bootable media is great for system rescue, as well as the included utilities such as ‘passwordreset’.
- Build the Ultimate Mac based imaging and triage workstation - In this article, we offer rationale for using Macs for evidence imaging and triage. Hardware and software is explored as well as a few common situations where this can be used. We build both a field and laboratory, low-cost, solution to image, view, and work with all types of evidence.
- Reflector for OS X - Reflector is an application that allows an iOS device to AirPlay to the Mac screen. Many times, a native picture of data can mean more during a case than just the data itself. This application will show a simulated iOS device (even in white or black) along with the screen of the iOS device you choose to display. Simple screen captures of this can easily be added to a report.
- Safari, Top Sites & Webpage Previews - We have written an article on the current feature in Safari called “Top Sites”. This feature creates PNG files as a part of this function. The pictures can be used as a part of the digital forensic story of a Mac. This article contains the “header” for webpage preview files to assist in your file carving.
Now is a great time to visit our Apple Examiner Store.
- Quick Look, add more functionality to your Mac - OS X Daily has a great blog post on installing the QLStephen Quick Look plug-in. It allows for text files to be viewed, regardless of the extension, or lack thereof.
- AccessData updates - Forensic Toolkit has been updated to include native support for Apple iWork ’09 file types. MPE+ has been updated with additional support for iOS 6.
- USB Entries and Automated Perl Script - Jason Hale has written a Perl Script that automates the process of collecting relevant log file entries for USB device connection to OS X.
- Paladin 4.0 - Sumuri LLC has released their latest version of Paladin this week, and is announcing first thru AppleExaminer.com! The new version is huge upgrade offering re-written code and the following notable features: new XFCE environment, live progress log viewer, support for (Ex01, SMART, AFF, VMDK, EXT4 and ExFAT) file format and systems, new image converter, new disk manager, image mounter, and inclusion of many of the popular open-source forensic tools. The complete set of release notes and details can be found at the Sumuri website.
- Acquisition - Our Mac acquisition page has been updated to discuss Thunderbolt, current Firmware Password methods, and other solutions.
- AccessData PRTK - The latest version of Password Recovery Toolkit from AccessData supports attacking and decrypting OS X 10.7 and later FileVault 2.
- DaveGrohl 2 - DaveGrohl is a tool to assist in password cracking on OS X. The current version allows for distributed attacks and supports a variety of hash types.
- BlackLight 2012.R4 released - BlackBag Technologies has released a significant new version of their Apple data analysis tool, BlackLight. New features include Skype analysis, side-by-side analysis, integrated filters and searches, virtual machine support Time Machine support, secure USB keys and iOS 6/OS X 10.8.2 support.
- OS X Clipboard Managers and digital artifacts - Eli Rosenblatt has written an article detailing artifacts from OS X clipboard managers.
- HFS/HFS+ and Linux - John Lehr has written an excellent article regarding Linux and Mac image files. His article discusses the usage of specific tools to mount and read the HFS and HFS+ file systems on early and new Linux kernel systems.
- AccessData MPE+ 5.0 released - AccessData has released version 5 of MPE+ for cell phone, smart phone and tablet analysis. This release enhances many of the analysis capabilities including visualization for time-lining.
Use our Amazon Store for all of your 2012 shopping this year and support our site at the same time.
New or Updated Macintosh Forensic Tools
- BlackLight 2013R1.1
- MacQuisition 2013.R1.1
- Internet Evidence Finder v6
- Reflector for OS X
- AccessData FTK v 4.2
- AccessData MPE+ v5.2.1
- Paladin v4.0
- AccessData MPE+ 5.0
- Mac Memory Reader 3.0.2
- Mandiant Mac Memoryze
- Elcomsoft iOS Forensic Toolkit v1.15
- Synalyze It!
- Elcomsoft Phone Password Breaker
- MacResponse LE
- Oxygen Forensic Suite 2012
Reader, Vendor and Company Reminder - this website is kept up-to-date by all of us as a community. Please freely send links to great articles, news about Apple digital forensic updates, new versions of programs we all like to use, or simply something we have failed to list in one of the sections. This is our site. Thank you to everyone for your help and contributions! REMINDER: This includes all companies. Please email me with news of your latest versions so I can spread the word!