MacOSXForensics.com's review of MacLockPick II can be found at http://www.macosxforensics.com/Resources/maclockpickii/maclockpickii.html
MacLockPick II - SubRosaSoft.com Inc.
MacLockPick II is the evolution of the original MacLockPick that was a Mac OS only tool. What exactly is MacLockPick II? From my perspective, it is a First Responder tool that can quickly gather critical information from 3 different operating systems, without any configuration!
Let’s elaborate on such a bold statement. No configuration? That statement is definitely true. Out of the box, here is what MacLockPick II looks like:
MacLockPick II - USB Key Contents
From here, on a Mac or Windows computer, the USB Key can be custom configured for your organizations needs. Let’s look further into how the tool is a “zero configuration” tool and how that can be so important in our field.
Take a look at this screen capture of the Macintosh tool in action:
MacLockPick II in Action
That screen says it all! No user interaction necessary while MacLockPick is running. The application simply does exactly what it is configured to accomplish. That screen covers the entire display signaling the First Responder that MacLockPick II is working.
Before I even read the directions, I opened the package, inserted the USB key and ran “MacLockPick (OS X).app”. The application is pre-configured to gather critical data from Macintosh, Linux and Windows operating systems upon launch. The gathered data is saved on the USB key. The MacLockPick application will automatically quit and the user simply needs to safely eject the key itself from the machine it is running on.
Just that much of MacLockPick II is superb from a well trained examiner/first responder standpoint. Imagine a highly trained examiner needing to go to every Macintosh, Linux or Windows computer during a large scale operation. This literally would shut down some laboratories. Now imagine equipping First Responders with this device to gather critical information and bring it back to the highly trained examiners at the laboratory. No laboratory shut down and in many cases, a highly successful field operation. To successfully run this application, a First Responder needs to know:
- How to properly recognize a USB port
- How to launch an application on a Macintosh, Linux or
Windows based computer
- How to eject a USB flash device safely
That little bit of training could potentially save an organization huge training costs for field personnel.
MacLockPick II is more than just the pre-configured modules from MacForensicsLab. Look at this screen capture of some of the various modules that come pre-configured:
MacLockPick II Setup
This is the “MacLockPick Setup.app” where modules can be enabled/disabled and more importantly created! Notice in the above screen capture the custom “ARP - Mac OS X Forensics Module” that has been created. How did I do this? By clicking on the “+” sign, you create your own modules to execute each time MacLockPick runs. Here is what my custom module does:
This module will gather the ARP tables from Mac OS X and Linux based computers in the example. Notice this is a “Terminal” type module. It is possible to also make a “Copy files or folders” or “External CLI” module. The USB key is 2GB so be careful what you gather! If you decide you are going to make a “Copy files or folders” modules to get the users Home folder, you are going to need to utilize another feature of MacLockPick, redirecting output to an external drive!
MacLockPick II is not just a collection of various modules running to gather information for First Responders! In fact, that is not where its power begins to shine. Encryption techniques today is where MacLockPick II shows its true power. With Filevault on the Mac and BitLocker on Windows Vista, the shut down of a computer is disastrous to an initial contact and future examination. MacLockPick II runs to gather passwords prior to shut down! MacLockPick II will gather everything stored in the Keychain and SAM and make it a part of your report. You can utilize your own password cracking tools in the laboratory later. It does have the power to attempt a brute force password attack against the login password on the Macintosh system! The downside of this
feature is its for law enforcement only.
Modules are also available for MacLockPick thru the MacForensicsLab website and can be shared amongst each other thru the “Export” feature.
Overall, this tool was extremely simple to understand, yet very powerful in the information it gathers out of the box. MacLockPick II is very extensible is the way you can add you own modules thru command line and external applications to run. With the ability to connect external storage, the possibilities are nearly endless in the data that can be gathered by a First Responder with very little training necessary.