Home |  Log In  
Forensics and eDiscovery technologies for Mac OS X, Microsoft Windows, and Linux

02: Running MacForensicsLab Field Agent

Running MacForensicsLab Field Agent

Step 1: Devices

Selecting a device to search with MacForensicsLab Field Agent

After the initial startup splash screen, the Step 1: Devices screen appears. Here the examiner will click on the device they wish to run their search on. Once you select have selected the device to search, click the button labeled Step 2: Shortcuts in the bottom right corner of the window.

Step 2: Shortcuts

Shortcuts available in MacForensicsLab Field Agent

The shortcuts window displays a listing of common suggestions to areas that evidence may be found. These include pictures folders and user folders. The examiner may select one of the short cuts or to search the entire device, leave the device selected at the top of the shortcuts listing. Once the desired option has been selected, click the button labeled Step 3: Explore in the bottom right corner. To go back to choose a different device, simply click the Step 1: Devices button in the bottom left corner.

Step 3: Explore

Explore within MacForensicsLab Field Agent

The Explore step allows the user to transverse the directory structure of the selected device or shortcut to select items to search more specifically. This allows the search to be broad, searching the entire device, or very specific, searching only a specified folder or file. Click the triangle next to a folder to display the contents of that folder. Click on the folder or file you wish to search. To search the entire device, select the device at the top of the listing, then click the Step 4: Browse button in the bottom right corner.

Step 4: Browse

Browsing within MacForensicsLab Field Agent

Clicking the Step 4: Browse button will bring up the Browse window. Here the user can set the perimeters for their search. The browse options contain the following:

  • Check for file size - When this box is checked, the search will only include images between the Minimum and Maximum size in kilobytes (KB) entered. This allows the examiner to leave out small images such as buttons and thumbnails along with overly large images.
  • Images only - Checking this box will limit the search to include only images, leaving out other files.
  • Check for picture size - Checking this box will limit the search to only pictures meeting the size requirements set forth by the user. These requirements include minimum and maximum size (in pixels) for the horizontal and vertical size of the image.

Once the options have been set, click the Browse button and a search status window will appear, showing the progress of the search. Once the search has completed, the Browse window will appear.

Examining the search results

Examining the results of a search in MacForensicsLab Field Agent

When the search has completed, the Browse window will appear. All images that meet the requirements set forth in the search perimeters will be displayed in the results window. Clicking on any of these images will display information about the image in the information area on the right. This information includes; filename, location, creation and modification dates, dimensions, and much more. Much of the information displayed in the ‘File Information‘ area is dependent on the metadata contained within the image file itself.

The Skin Tone slider below the thumbnails can be used to show or hide images based on percentage of skin tones within the image. By default this slider is set to 15% as that has been found to be the optimal range to eliminate many non-human pictures without hiding too many false positives. Increasing this slider will increase the percentage of skin tone that must be present in the image to be displayed in the thumbnail area. Decreasing the slider to 0% will display all images in the thumbnail area.
Saving images
Users may select one or more images to be saved to the location of their choice. To do this, click on the image (or Command-Click on a Mac and Option-Click on a PC to select multiple images) the user wishes to save. Then select Save from the File menu. The user will be prompted to select a location to save these images. Select the location and click the Save button. The images will be saved in the desired location in a folder labeled with the name of the folder that contains the image(s).

Writing a report

To write a report, first select the images to include in the report. Once the images are selected, click the Step 5: Write Report button at the bottom right. The user will be prompted to select a location to save the report. This is the location the report will be written to in a folder labeled with the website address along with a folder containing thumbnails and the actual images. Once the location has been selected, click the Choose button. A progress window will be displayed briefly while the report is written.

Report generated by MacForensicsLab Field Agent

Once the report has been written, it will automatically be opened in the default web browser. The report will show the selected images along with where the image was found with information about each image plus hash numbers in three different standards (MD-5, SHA-1, and SHA-256).

The report formatting can be change by editing the HTML file titled index.html containing in the MacForensicsLab Field Agent Template folder within the Shared Resources folder in the same directory as the MacForensicsLab Field Agent application.


Product 2/2

Previous
Return to the Product List
Next
 | Home | 

Copyright © 2006 - 2010 MacForensicsLab Inc.
Phone +1 (510) 870-7883 - Fax +1 (510) 868 3407
Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.

Forensics Technologies - designed to perform investigations, for law enforcement and eDiscovery professionals.

MacForensicsLab - The only effective cross-platform weapon in the war on Cyber Crime and Digital Terrorism,
with unique tools designed to combat identity theft and child pornography.

Your IP Address is: 54.226.5.29