MacLockPick II (2.1) – Extract all incriminating info
on any computer (Linux, Mac, Windows) or iPhone
Reviewed by Robert L Pritchett
Phone +1 (510) 870-7883
Fax +1 (510) 868 3407
Originally Released: April 27, 2007
Only sold through the website for $500 USD.
To use this app, you really should be in Law Enforcement.
This is a critical companion for the MacForensicsLab. It has been also made
available for E-Discovery and IT Managers. For doing "forensic
OS X 10.4 or later; 32MB RAM; CD/DVD-ROM Drive; USB port. QuickTime 6.5 or
later. Use with MacForensicsLab (comes preconfigured).
Comes with Tutorial CD and 2 GB USB flashdrive
"dongle" in a can, formatted in FAT32.
Strengths: Cross-platform access (it works on accessing passwords from Linux, Mac,
Windows devices and even iPhones). Authentication is required for
registration. Comes with ability to access "everything" including
Weaknesses: Requires the dongle to operate. Wait, the tool is the dongle! So " none
MacLockPick™ (MLP) is a valuable
tool for law enforcement professionals to perform live forensics on Mac OS X
systems. The solution is based on a USB Flash drive that can be inserted into a
suspect's Mac OS X computer that is running (or sleeping). Once the software is
run it will extract data from the Apple Keychain and system settings in order
to provide the examiner fast access to the suspect's critical information with
as little interaction or trace as possible.
MacLockPick takes advantage of the
fact that the default state of the Apple Keychain is open, even if the system
has been put to sleep. It also makes use of the openly readable settings files
used to keep track of your suspect's contacts, activities and history. These
data sources even include items that your suspect may have previously deleted
or has migrated from previous Mac OS X computers.
What I Learned
Mark Hurlow loves Computer Forensics and apparently his tool
of choice is Mac OS X. The MacForensics Lab is a "single solution for law
We have reviewed other SubRosaSoft apps before, but all were
done back in 2007 covering;
MacForensicsLab 2.0 (now up to version 2.5.2)
FileSalvage Data Recovery 5.1 (now up to 6.1.5)
Mark and his team have been quite busy with various other
computer forensics tools as well and they do have a few Freeware items that
might be of interest.
The MLP CD does have a tutorial video that discusses the
device. It does come with a keychain so it will have less of a problem getting
lost. Perhaps that is symbolic for the KeyChain on Macs that become captured
when this device is installed into a USB port.
Plug in the stick, double-click on the program and it
collects the passwords from the computer. You can export captured files as
well. If a data capture app is not listed, you may add your own, so the device
Being able to essentially look into any PC or Mac using
captured passwords makes this device either a very dangerous tool in the wrong
hands or an excellent tool for access for someone who cannot ever remember the
password used to access a program. My guess is the latter one is not the person
who would use this device.
Perhaps you can appreciate the power of this little device
and now understand why it is called the MacLockPick. Knowing that it can also
can "pick" PCs, makes this device extremely valuable.
If you are familiar with Windows registries, MacPickLock
goes to the relevant registers and grabs the pertinent information –
including the retrieved databases.
To read files, the MLP will be needed. If you are capturing
large files, an external hard drive can be used to capture the data instead of
the MLP device, but the MLP will be needed to read the files, once back at the
Forensics lab. If the external drive gets lost, nobody will be able to recover
and understand the info located there. The dongle is key, literally, in the
success of analysis.
The tools include an archiver, an authenticator, a reader
and Setup. There are folders for output, plug-ins and report templates.
Each dongle is secured and cannot be reproduced.
There really isn't anything that can be hidden from this
device – on any computer, but you do need to know how to
"eject" the USB drive.
The MLP really is a companion to the MacForensicsLab. Use it
If you are in the business of analyzing data in a law
enforcement role, this tool is one you will want in your arsenal. Macs are so
much easier to deal with. Why not get the tools that make the job even easier?
FI all you have to do is collect the passwords to access the programs on any
machine and do it in a matter of seconds, why futz around, right? Get in, get
the job done and get out. Quick and easy.