Suites
- BlackBag Technologies BlackLight
- BlackBag Technologies Macintosh Forensic Suite and MacQuisition
- Subrosasoft MacForensicLab
- fileXray from iohead
- Mac Marshal from ATC-NY
- Forensic Toolkit from AccessData
First Responder
- Mac Marshal Field Edition from ATC-NY (USB Stick)
- Paladin from Sumuri
- Subrosasoft MacLockPick
- ASR Data SMART
- e-fense Helix3 Pro
- AD Triage from AccessData
iOS Apps
Imaging and Disk Arbitration Control
- BlackBag Technologies MacQuisition - imaging of Intel and PPC Macs in one solution
- BlackBag Technologies SoftBlock - Disk Arbitration control at the kernel level allowing for internal and external media control
- Disk Arbitrator - from Aaron Burghardt, “Disk Arbitrator continuously monitors for disks to appear and disappear and tracks the disks in the main window. When a new disk is attached, the system notifies Disk Arbitrator and gives it a chance to reject mounting of a disk volume”.
- FTK Imager for Mac GUI - this is the FTK Imager by AccessData with a Graphical User Interface added to it. It is in beta now. Please read the included notes before using.
- MacOSXForensics Imager Release Candidate 2.1! Image physical devices in the Encase or FTK format. MD5 and SHA1 hash support. See the Read Me file for complete documentation.
- Paladin, an Ubuntu based LiveCD for Mac and PC with imaging and analytical tools included
- DCFLDD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
- DC3DD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
- FTK Imager - Windows only but recognizes HFS+ file format and is free
- FTK Imager CLI for Macintosh - command line version of Access Data’s Imager software available for OS X
- MacForensicsLab Write Controller - disk arbitration control
Virtual Machine
- VMware Fusion, virtualize multiple operating systems including Mac OS X 10.5 Server
- Nova Development Parallels, virtualize multiple operating systems including Mac OS X 10.5 Server
- Sun VirtualBox, virtualize multiple operating systems for free, will not run Mac OS X 10.5 Server
- VMWare vCenter Converter, a new free product from VMWare that allows you to convert physical Windows and Linux machines as well as images to other formats into virtual machines.
Network
- Wireshark - packet sniffing
- F-Response TACTICAL - remote acquisition and analysis of Macs (and other platforms)
- Dropbox Reader - free utility to analyze Dropbox evidence on the local machine
iOS Devices
see our page iOS Device Analysis Tools page for the most up to date information
Decryption
- Passware Kit v11 - login password and Keychain stored passwords among other features
- John the Ripper, free software to attach several different hashes including the OS X salted SHA-1(scroll down to the specific Mac build so you don’t have to compile)
- crowbarKC, a free utility to dictionary attack a Keychain file
- crowbarDMG, a free utility to dictionary attack DMG, sparseimage, and sparsebundle file types
- Mike’s Forensic Tools - Mike Harrison has a website with some great tools, namely a password cracker and SpotLight query tool.
Memory/RAM Analysis
- Mac Memory Reader - ATC-NY has released the singular function from Mac Marshal of gather RAM of a live Mac to the community for free
- “volafox” a.k.a “Memory Analyzer for Mac OS X” - volafox is a python 2.5 application that will analyze images of Macintosh RAM. This utility is free.
Image Analysis
- MacForensicsLab Field Agent, free for law enforcement, application to locate images using flesh tone analysis, available on Mac, Windows, and Linux
- File Juicer, extract images and many other file types from a given source with this great utility by Echo One
- Exiftool, a free utility to extract EXIF data from a huge list of file types by Phil Harvey.
- Exif Data Dump, an Automator Action based on Exiftool by George Starcher that will turn Exif data gathering into a one step action
Image Capture
- SnagIt! for Mac - a utility to capture the screen
Hex Editors
- iBored, a free hex editor for disk sectors written by Thomas Tempelmann
- 0xED is a native, Cocoa based Hex Editor by SuaveTech
Search
- EasyFind - DEVON Technologies free search utility
- Find Any File - free utility from Thomas Tempelmann to search entire volumes
- MacForensicsLab Social - Social Agent™ is designed to get evidence from chats, private messages, and blog activity on Facebook (and other) social networking websites
Reporting
- ThumbsUp - DEVON Technologies free utility to generate thumbnails of images
- MacOSXForensics MetaData Extractor - utility to extract metadata from any file(s) and also plot the lat/long on a Google map if available
Email & Internet
- Emailchemy - Weird Kid Software Products
- TNEF, a free utility to decode WINMAIL.DAT email attachments by Josh Jacob
- SafariCacheView, a Windows based utility to read and extract data from the Safari cache.db
Hardware
- MacTracker - a complete and up-to-date database of all Apple hardware produced since the day they became a company. Excellent reference.
Compatibility
- MacFuse and NTFS 3-g (NTFS read/write for OS X)
- ASR Data Smart Mount (mounts images of Mac systems on Windows operating systems)
Always check out our Files section for the latest in FREE tools from this site.
Sources
- Our Store with Amazon discounts
- Apple Government and Education
- Mac Professionals offers setup of small to large scale roll-outs and Data Recovery
- PowerMax offers our readers excellent prices. Make certain you mention our website in your checkout!
- CDWg offers Government discounts as well as professional services.