(contact us to submit your suggestions for any of these sections)
See our Mac Forensic Hardware and Software Setup Pages as well.
Reading
- BlackBag Technologies Blog
- Tenable Guide to Hardening OS X
- GPSForensics has a unique article on acquiring the data from an iPhone with the help of a great utility from Erica Sadun called MDHelper.
- Mounting HFS+ in Linux by Andrew Hoog of viaForensics
- “Mac OS X Malware Analysis” - SANS Reading Room white paper by Joel Yonts
- “Digital Smoke, The Art of Incident Response” Part 1 and Part 2 - a white paper on OS X and Macintosh incident response by Al Lewis
- "Using the HFS+ journal for deleted file recovery" - an article by Aaron Burghardt and Adam J. Feldman
- "BlackBag MacQuisition CF" - outlines the use of the tool, including how to image a Mac without removing the hard drive. This technique includes the MacBook Air.
- “Comparing the Mac OS X Property List to the Windows Registry” - great article posted on Forensic Focus by Dennis Browing, Champlain College
- “State of Mac Data Forensics” - Ars Technica article regarding Macs and digital forensics
- “Mac for Computer Forensics & e-discovery” - Not exactly reading, this is a video seminar from Apple offering procedures, best practices, and tips/tricks for undertaking a forensics examination. The panel includes Detective Mark Honken, Marko Kostyrko, and Derrick Donnelly.
- “Mac OS X 10.5 Security Checklist” - SANS Whitepaper
- “Covering the Tracks on Mac OS X Leopard” - SANS Institute InfoSec Reading Room
- “Mac Forensics” written by Forensic 4Cast author ‘lee’
- “Macbook Air Acquisition” written by Forensic 4Cast author ‘lee’, our friend Lee Whitfield
- Book Review - Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit gets reviewed by Gary Kessler, Associate Professor and Program Director at Champlain College in Burlington, VT.
- “The Future of Cyber Forensics”, a white paper by Dr. Marc Rogers about the Macintosh and its importance in digital forensics
- “Examining the seedy world of Mac OS X Forensics” - Macenstein article interviewing the authors of this site
- “How To: Forensically Sound Mac Acquisition in Target Mode” - by Paul Henry, discussing TDM vs. removing the hard drive for imaging, with great detail on techniques and tools
- Shadow File and FileVault Crack - Sarah Edwards has written a very nice article on her blog about using John the Ripper to attack the Shadow hash file and using the resulting password to open a user’s FileVault encrypted Home Folder
- “Mounting split disk images under OSX” - a blog posting by Klein&Co that describes in detail how to install open source software to mount E01 to the Mac Desktop for analysis.
- Locating FileVault Sparse Bundles in Digital Forensics - Sean Cavanaugh & John Jackson have written an excellent article on locating multi-linked files in Time Machine Backups using a Windows based environment.
- iPhoto Trash Analysis - an article by Sean Cavanaugh showing how iPhoto “Trash” is separate from the operating system “Trash”
- Sarah Edwards “iamevltwin” Internet Resources: Blog and Presentations
- Safari Cache Revisited - Sean Cavanaugh has written an article exploring the latest in Safari caching and OS X 10.7 Lion.
- iPhone Forensics by Satish Bommisetty - an article about recovering iOS 5 artifacts on a live iPhone using open-source tools released by Sogeti Labs.
- Demystifying iPhone Forensics on iOS 5 - Satish Bommisetty has written an excellent article about the analysis of the iOS backup files and direct analysis of the iOS devices
- “An Evaluation of Windows-Based Computer Forensics Application Software Running on Macintosh” by Dr. Gregory H Carlton - a white paper initially distributed by the Journal of Digital Forensics, Security and Law discussing the value of the Apple Macintosh running the Windows operating system.
- FileVault 2 white paper - Omar Choudary, Felix Grobert and Joachim Metz have written an excellent white paper regarding FileVault 2.
- HFS/HFS+ and Linux - John Lehr has written an excellent article regarding Linux and Mac image files. His article discusses the usage of specific tools to mount and read the HFS and HFS+ file systems on early and new Linux kernel systems.
Video Training
- Apple Seminars Online - Apple offers video seminars about their desktop and server environments.
- “Forensics on Mac OS X - Learning how to recover and analyze data” - a free Podcast from Subrosasoft
- BlackBag TV - BlackBag Technologies has launched new videos on Mac forensics available at their website. They describe the videos as “preview segments of our incredible Mac forensic training, our software products, as well as tidbits on Mac forensics.”
- F-Response training videos - F-Response has created a series of training videos to educate analysts on the use of their products and the integration with many other forensic products in use.
- iOS Scripts from Jonathan Zdziarski demonstrated in this 21 minute training video (broken link)
Take-Apart Guides
- Other World Computing - Step-by-step Macintosh and iPod take-apart guides
- iFixit - Do It Yourself Guides for Repair of Macintosh, iPhones and iPod
- BlackBag Technologies - BlackBag Suite
- SubRosaSoft, Inc. - MacForensicLab software, MacLockPick II
- AccessData - Ultimate Toolkit (Windows based but recognizes HFS)
- File Juicer - Extract multiple file formats from almost any file!
- Emailchemy - Weird Kid Software Products
Reviews
- MobileSyncBrowser v3
- FTK 3.0 - Mac Features
- MacLockPick II by SubrosaSoft
- Nessus by Tenable Network Security
- Mac Marshal
- Apple Technical Docs





