MacLockPick II (2.1) – Extract all incriminating info
on any computer (Linux, Mac, Windows) or iPhone
Reviewed by Robert L Pritchett
SubRosaSoft.com Inc.
Phone +1 (510) 870-7883
Fax +1 (510) 868 3407
sales@MacForensicsLab.com
http://www.subrosasoft.com/
http://www.macforensicslab.com/
Originally Released: April 27, 2007
Only sold through the website for $500 USD.
To use this app, you really should be in Law Enforcement.
This is a critical companion for the MacForensicsLab. It has also been made
available for E-Discovery and IT Managers, for doing "forensic
triage".
Requirements: Mac OS X 10.4 or later; 32MB RAM; CD/DVD-ROM Drive; USB port.
QuickTime 6.5 or later. Use with MacForensicsLab (comes preconfigured).
Comes with Tutorial CD and 2 GB USB flash drive "dongle" in a can, formatted
in FAT32.
Strengths: Cross-platform access (it can retrieve passwords from Linux, Mac,
and Windows devices and even iPhones). Authentication is required for
registration. Comes with the ability to access "everything" including
keychains.
Weaknesses: Requires the dongle to operate. Wait, the tool is the dongle! So
"none found".
Introduction
MacLockPick™ (MLP) is a valuable
tool for law enforcement professionals to perform live forensics on Mac OS X
systems. The solution is based on a USB Flash drive that can be inserted into a
suspect's Mac OS X computer that is running (or sleeping). Once the software is
run it will extract data from the Apple Keychain and system settings in order
to provide the examiner fast access to the suspect's critical information with
as little interaction or trace as possible.
MacLockPick takes advantage of the
fact that the default state of the Apple Keychain is open, even if the system
has been put to sleep. It also makes use of the openly readable settings files
used to keep track of your suspect's contacts, activities and history. These
data sources even include items that your suspect may have previously deleted
or has migrated from previous Mac OS X computers.

What I Learned
Mark Hurlow loves Computer Forensics and apparently his tool
of choice is Mac OS X. The MacForensics Lab is a "single solution for law
enforcement professionals".
We have reviewed other SubRosaSoft apps before, but all were
done back in 2007, covering:
MacForensicsLab 2.0 (now up to version 2.5.2)
FileSalvage Data Recovery 5.1 (now up to 6.1.5)
CopyCatX 4.0
Mark and his team have been quite busy with various other
computer forensics tools as well and they do have a few Freeware items that
might be of interest.
The MLP CD does have a tutorial video that discusses the
device. It does come with a keychain so it is less likely to get
lost. Perhaps that is symbolic of the Keychain on Macs that gets captured
when this device is installed into a USB port.
Plug in the stick, double-click on the program and it
collects the passwords from the computer. You can export captured files as
well. If a data capture app is not listed, you may add your own, so the device
is extensible.
Being able to essentially look into any PC or Mac using
captured passwords makes this device either a very dangerous tool in the wrong
hands or an excellent tool for access for someone who cannot ever remember the
password used to access a program. My guess is the latter one is not the person
who would use this device.
Perhaps you can appreciate the power of this little device
and now understand why it is called the MacLockPick. Knowing that it can
also "pick" PCs makes this device extremely valuable.
If you are familiar with Windows registries, MacLockPick
goes to the relevant registers and grabs the pertinent information,
including the retrieved databases.
To read files, the MLP will be needed. If you are capturing
large files, an external hard drive can be used to capture the data instead of
the MLP device, but the MLP will be needed to read the files, once back at the
Forensics lab. If the external drive gets lost, nobody will be able to recover
and understand the info located there. The dongle is key, literally, in the
success of analysis.
The tools include an archiver, an authenticator, a reader
and Setup. There are folders for output, plug-ins and report templates.
Each dongle is secured and cannot be reproduced.
There really isn't anything that can be hidden from this
device – on any computer, but you do need to know how to
"eject" the USB drive.
The MLP really is a companion to the MacForensicsLab. Use it
wisely.
Conclusion
If you are in the business of analyzing data in a law
enforcement role, this tool is one you will want in your arsenal. Macs are so
much easier to deal with. Why not get the tools that make the job even easier?
If all you have to do is collect the passwords to access the programs on any
machine and do it in a matter of seconds, why futz around, right? Get in, get
the job done and get out. Quick and easy.