This section will discuss the Analyze Function within MacForensicsLab.
There will come a point in the case when an examiner may wish to analyze the file data block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and evidence located, the examiner can then export and/or hash the requisite section of the drive to file for safekeeping and later use or further analysis.
The Analyze Window Layout
The analysis window can be split into 4 core sections:
- ‘Hex Content’ pane
- ‘Search Items’ pane
- ‘Found’ pane
- ‘Carve’ pane
The Hex Content Pane
The ‘Hex Content’ pane is the right-hand side of the ‘Analyze’ window and is where the examiner can read block data piece by piece in ‘Hex’ mode. In MacForensicsLab 3.0, this area has been expanded to display a block at a time with the default view being ASCII.
Search Items Pane
The ‘Search Items’ pane contains a number of elements that are of use to the examiner:
Search Fields Pane – This is the first element in the Search Items Pane, and it contains the working list of search terms (or filters) with which to analyze the data blocks. It is split into 2 columns: type and value. Type specifies whether the string is to be pattern-matched against the HEX content or the text (ASCII) content of the blocks. Value is the string itself, usually a word, that will be matched against the blocks in that format.
As previously mentioned, MacForensicsLab can handle foreign-language multi-byte character sets, such as those used in Russian, Arabic and Oriental languages, when searching. A search term can be up to 128 characters long, and up to 128 search keywords can be defined.
Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the search fields in that pane.
- Clear: to clear all of the search fields in the window above
- Import: to bring up a dialog box and import a search terms database file
- Plus (+): to manually add individual search fields
- Minus (-): to individually delete each selected search field
Quick Tip: Saving Search Fields
The ‘Search Fields’ in the ‘Analyze’ window are retained from one investigative session to the next.
The Found Pane
The ‘Found’ pane permits the examiner to access very quickly and easily any of the hits that are generated as a result of the terms used in the search. To view a specific block entry in the ‘Hex Content’ pane, click on the individual result item and the block data will load into the Hex viewer in the main panel.
Search File Data
When investigating files with the ‘Analyze’ window it is possible for the examiner to search for strings within the blocks of data that make up the file.
Individual Search Terms
To do so, the examiner must click the (+) button below the ‘Search Items’ pane; this will add a new field. After this, the examiner should define the search term type (text or hex) by clicking the up/down arrows in the centre of the search term row, then type a unique search term string into the text entry field to the right-hand side of the arrows.
This can be repeated multiple times, building up as complex a filter as required. If items are added in error, the examiner can easily remove them by selecting each one in turn and then clicking the (-) button located under the ‘Search Items’ pane. When ready, the examiner can proceed by clicking Search. While the data is being processed, a progress bar is shown, and upon completion of the search the results appear in the ‘Found’ pane.
Importing Custom Search Lists
Though an examiner might find it useful to create search terms in an ad hoc manner, as discoveries in the investigation necessitate, at some point he or she will want a more in-depth search based on hundreds, if not thousands, of search terms. The best way to achieve this is to import custom search lists.
Custom search lists are essentially ‘CSV Text’ files with each individual search term on a new line. Custom search lists are also a great way to keep a database of useful terms, meaning that a productive analysis or cataloguing run on a suspect device is never more than a few clicks away.
To import a list, click on the Import button in the middle of the ‘Search Items’ drawer. This will bring up a ‘Find File’ dialog box. Once the examiner has found the file, click ‘Open’.
Each individual line item will then appear as an individual term in the ‘Search Items’ pane. All imported terms are predefined as ASCII Text content by default, so the examiner must then set the format (Text or HEX) of any term that should be matched differently.
Credit Card and Social Security Number Search
By selecting the respective checkboxes below the ‘Search Items’ pane it is possible for the examiner to get MacForensicsLab to look for and find credit card and social security numbers during the search process.
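As an added illustration (not MacForensicsLab's own detection logic, which the page does not describe), this is one way a block can be screened for card and social security number candidates: digit runs are validated with the Luhn check that all payment card numbers satisfy, and SSN-shaped strings are rejected when they use area, group or serial values that are never issued. The regular expressions, the sample block and the 13-19 digit range are this example's assumptions.

```python
import re

# Candidate patterns (assumed for this example): 13-19 digits with optional
# space/dash separators for cards, and the ddd-dd-dddd shape for SSNs
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(block: bytes):
    """Digit runs in a block that pass Luhn, returned with separators stripped."""
    found = []
    for m in CARD_RE.finditer(block):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            found.append(digits)
    return found

def find_ssns(block: bytes):
    """SSN-shaped strings, dropping values the SSA never issues
    (area 000, 666 or 900-999; group 00; serial 0000)."""
    found = []
    for area, group, serial in SSN_RE.findall(block):
        if area in (b"000", b"666") or area.startswith(b"9"):
            continue
        if group == b"00" or serial == b"0000":
            continue
        found.append(b"-".join((area, group, serial)).decode("ascii"))
    return found

# Constructed sample block content: one valid test card number, one that fails
# Luhn, one plausible SSN and one with an unissued area number
SAMPLE_BLOCK = (b"card 4111 1111 1111 1111 exp 12/29; typo 4111-1111-1111-1112; "
                b"ssn 123-45-6789; placeholder 000-12-3456")
```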
Performing the Search
Once the search items have been defined in the ‘Search Items’ pane, either individually or by import, and the other settings have been set, the examiner need only click the now enabled Search button to perform the search. Once the scan is complete the results will appear in the ‘Found’ pane. Clicking on any hit displayed in the ‘Found’ pane will display the location of that hit in the ‘Hex Content’ pane and highlight it. The number of the block in which it was found will be displayed at the bottom of the ‘Hex Content’ pane in the Block Number field. The start and length of the hit will also be populated in the Carve section.
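The search procedure described above (define Text/HEX terms, optionally import a one-term-per-line list, search block by block, then read the Block Number and Carve Start/Length of each hit) as an added worked example in Python; this is not MacForensicsLab's code. The block size, the 'hex:' prefix used to mark HEX terms in an imported list, and the sample data are this example's assumptions.

```python
from dataclasses import dataclass

BLOCK_SIZE = 4096  # assumed; the page does not state MacForensicsLab's block size
MAX_TERMS, MAX_TERM_LEN = 128, 128  # limits stated on the page

@dataclass
class Hit:
    term: str
    block: int   # value shown in the Block Number field
    start: int   # absolute byte offset, as populated in the Carve Start field
    length: int  # bytes matched, as populated in the Carve Length field

def load_search_list(text):
    """One term per line, imported as Text by default; a 'hex:' prefix is this
    example's own convention for marking a term that should match HEX content."""
    terms = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        kind, value = ("hex", line[4:].strip()) if line.lower().startswith("hex:") else ("text", line)
        if len(value) > MAX_TERM_LEN:
            raise ValueError(f"term longer than {MAX_TERM_LEN} characters: {value!r}")
        terms.append((kind, value))
    if len(terms) > MAX_TERMS:
        raise ValueError(f"more than {MAX_TERMS} search terms")
    return terms

def search_blocks(data, terms, block_size=BLOCK_SIZE):
    """Search each block for every term. Hits are found per block, so a term that
    straddles a block boundary is missed: a known limit of block-wise searching."""
    # UTF-8 encoding lets multi-byte (e.g. Cyrillic) text terms be matched as bytes
    needles = [(v, bytes.fromhex(v) if k == "hex" else v.encode("utf-8")) for k, v in terms]
    hits = []
    for block_no in range((len(data) + block_size - 1) // block_size):
        block = data[block_no * block_size:(block_no + 1) * block_size]
        for value, needle in needles:
            pos = block.find(needle)
            while pos != -1:
                hits.append(Hit(value, block_no, block_no * block_size + pos, len(needle)))
                pos = block.find(needle, pos + 1)
    return hits

def carve(data, hit):
    """Bytes the Carve Start/Length fields would export for a selected hit."""
    return data[hit.start:hit.start + hit.length]

SAMPLE = (b"Re: invoice 4471 ".ljust(64, b"\x00")  # constructed: three 64-byte blocks
          + b"\xff\xd8\xff\xe0JFIF".ljust(64, b"\x00")
          + "пароль: qwerty".encode("utf-8"))
SEARCH_LIST = "invoice\nhex: ff d8 ff e0\nпароль\n"  # constructed custom search list
```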
Examining Results of a Search
Once the search has completed (1), the resulting hits are displayed in the ‘Found’ section of the Analyze window. The user may examine these hits by clicking on them (2) and the hit location will be displayed in the ‘Hex Content’ section of the window (3). When clicked, the search hit will turn red and a check mark will appear next to it. This allows the examiner to see which results they have reviewed and which ones they have yet to review, saving them time by making sure they don’t re-examine search hits.
When the examiner is ready to export the block-set being analyzed, he or she can do so very easily by clicking the "Carve" button. Doing so will then invoke the ‘Save’ window, bringing it to the fore.
The examiner may use the Start and Length fields to define the starting byte and the number of bytes after it to be carved out. These values can be changed either by entering the desired number in the Start and Length fields or by pressing the up and down arrows to the right of those fields. Clicking the Locked boxes to the right of these fields will lock the field to prevent it from being changed.
It is advisable to rename the default export filename and to apply a suffix to the name so that Mac OS or any other operating system can more easily recognize the expected file type and open it with the appropriate application.
Upon completion a message will appear; the user can simply close it and continue with the investigation.