This section describes the Audit function of MacForensicsLab.
The Audit function enables the examiner to quickly and easily locate relevant OS artifacts as they pertain to the system, the network and the user.
To invoke the Audit function, the examiner must select the "Files" (1), the volume/partition (2) with a valid user folder contained within it from the ‘Device’ pane of the ‘Main’ window. Furthermore, the examiner must select the "Users" folder (3) for the ‘Audit’ button to become enabled.
Invoking the Audit
Once the Audit button is enabled, the examiner can select a specific user (1), or if the system has multiple users, he/she can check "Audit all users" (2), then select the "Audit" button (3).
Locate Audit Results
The results of the Audit are stored in the MacForensicsLab database. To access the database from the MacForensicsLab Main window, select "Window -> Database" or use the keyboard shortcut of "Shift + Command + D".
Review Audit Findings
To review the findings of the Audit, select a user, then scroll up or down to view the results. The examiner can highlight findings of interest and export them out to a file by selecting the "Export" button.
Generate a Report
Once the "Export" button is invoked, a dialogue box appears allowing the examiner to choose between an HTML or Plain Text report. Once decided, select "OK."
Select a location to save the Audit report.
Since an HTML report was selected in the example, a browser launches showing the report. All items highlighted and exported are hyperlinked under the "Table of Contents" located to the right.
Reviewing the Hyperlinks
The examiner can select any hyperlink and be taken directly to that portion of the report.