
Mac Marshal - Disk Triage of Mac OS X 10.5.6
From the above window, we can see important initial information about the partition “MacbookPro”. All of this information is read from the HFS+ volume itself and is presented in much the same way that one would expect from an OS X environment. The same information gathered with a Windows- or Linux-based tool can yield lesser results.
Mac Marshal takes full advantage of OS X for an examination using Spotlight.

Mac Marshal - Spotlight searching ability
As seen above, an analyst has the ability to quickly and easily search the given volume for keywords/terms using the built-in OS X technology, Spotlight. Mac Marshal takes advantage of the metadata that resides on the chosen disk and returns results relevant only to your current examination, quickly.

Mac Marshal - Reading the Spotlight metadata from /dev/rdisk3
The above window shows Mac Marshal in the process of reading from the chosen disk.
Lastly, before getting into the examination of the operating system itself, Mac Marshal has a refined Spotlight search available for images. This is extremely useful to any analyst who has a case based upon images, documents containing images, emails containing images, etc. Spotlight does not just look at files that are saved on the disk. Spotlight returns hits based upon metadata! Look at the following search of the supplied drive:

Mac Marshal - Spotlight search for images
This is just the initial power of Mac Marshal. On page 3, we will delve into the real features of examination when the operating system itself is chosen for review.
Architecture Technology Corporation
www.MacMarshal.com



