This section discusses the Salvage function contained within MacForensicsLab.
MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable files held within it, whether erased or not, and then recover the pre-selected files to a selected destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find as many recoverable files as possible; it can also scan through a single directory structure.
The Salvage Window
The Salvage window is divided into upper and lower sections. The upper section holds the settings Salvage will use when it starts. These settings include "Supported File Formats," "Import a Prior Scan," and "Start a New Scan". The Supported File Formats section allows the examiner to select specific file types or groups of file types (e.g., all music files, image files and so on), as well as selecting all file formats (the default). In addition, these settings can be further defined to search Free Space Only (Deleted Files) or the Entire Device (All Files). Options for speed can also be selected by choosing either Fast Scan (Block by Block) or Slow Scan (Byte by Byte).
The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a File Previewer application will open and attempt to show the file in its native format. Once the files to be Salvaged are determined, the "Salvage selected files" button is invoked.
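The effect of the Fast Scan (Block by Block) and Slow Scan (Byte by Byte) options, together with file-type selection, sketched as a generic signature scan in Python. This is an added example, not MacForensicsLab's code: the product's internal scanning method is not described here, and the 512-byte block size, the signature table and the sample image are assumptions constructed for illustration.

```python
from collections import Counter

BLOCK_SIZE = 512  # assumed block size for the constructed image

# Well-known file header signatures (magic bytes).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def scan(image, step, types=None):
    """Return (offset, type) for each header found at offsets that are multiples of step.

    types limits the search to selected formats; None means all formats.
    """
    wanted = {t: SIGNATURES[t] for t in (types or SIGNATURES)}
    hits = []
    for offset in range(0, len(image), step):
        for ftype, magic in wanted.items():
            if image.startswith(magic, offset):
                hits.append((offset, ftype))
    return hits


def fast_scan(image, types=None):
    """Block by block: only checks the first bytes of each block."""
    return scan(image, BLOCK_SIZE, types)


def slow_scan(image, types=None):
    """Byte by byte: checks every offset, so unaligned headers are found too."""
    return scan(image, 1, types)


def build_sample_image():
    """Constructed 4-block image: JPEG at block 1, PDF at block 2,
    and a PNG header at unaligned offset 1700 (inside block 3)."""
    image = bytearray(4 * BLOCK_SIZE)
    image[512:515] = SIGNATURES["jpeg"]
    image[1024:1029] = SIGNATURES["pdf"]
    image[1700:1708] = SIGNATURES["png"]
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for name, fn in (("fast", fast_scan), ("slow", slow_scan)):
        hits = fn(img)
        print(name, hits, dict(Counter(t for _, t in hits)))
```

On the sample image the block-aligned pass misses the PNG header at offset 1700, which is the trade-off behind choosing the slower byte-by-byte pass.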
Save the Scan
Once you have scanned for files that Salvage can recover, a window appears asking if you'd like to save the results of the scan. If you are not going to Salvage all files possible, it is a good idea to save the results of the scan. This process will save time later if the examiner needs to go back and Salvage additional files from the case.
Once the examiner has opted to save the scan results, a pop-up window appears asking for a destination for the scan results to be saved. Once a destination has been entered, select "Save."
Examine Files by Type
As illustrated above, all possible files are divided by type and number.
Once a particular file is selected for review, the File Previewer application is launched, allowing the examiner to preview the file in question.
Select Files for Salvage
Highlight the files to be Salvaged (holding down the Command key to click and select multiple files at a time) and select the "Salvage selected files" button.
Save Salvaged Files
Once the files for Salvage have been selected, a navigation box appears, allowing the examiner to select the location to which the Salvaged files will be exported.
Once the files have been Salvaged, MacForensicsLab provides an optional process to attempt to rename the files based on the metadata contained within the files. If the examiner does not wish to do this, simply select "Cancel" (1); conversely, by selecting "OK" (2), MacForensicsLab will attempt to rebuild all file names.
Only some formats (such as JPEG, MP3, Word, etc.) will get renamed. The rest will be named in number sequence.
Reviewing Salvaged Files
The Salvaged files are exported, by default, into a folder titled "Salvage (day of the week) and (month/day/year)". Contained within that folder are subfolders broken down by file type for easy review and categorization.