This section will discuss the search functionality of MacForensicsLab.
The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to scan a directory, gather evidence and bookmark that same data for later reference. This helps the examiner to quickly and easily zero in on suspect material. In performing the function, MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file information and hash values as it scans.
The Search Window Layout
The ‘Search’ window can be split into 5 core portions:
- Search Filter
- Search Terms
- Browse Results
- Bookmarks
- Hash
Search Filter Panel
The ‘Search Filter’ panel is the part of the ‘Search’ window within which the examiner may establish criteria by which to filter the results of the search scan. Filters are based on standard file information, such as, but not limited to: filename; size; date of creation.
Search Terms Panel
The ‘Search Terms’ panel is the portion of the ‘Search’ window within which the examiner can manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the files being scanned. The examiner may also quickly and easily select either of two check boxes to search for standard credit card and social security number formats respectively as well as being able to import large databases of terms.
Browse Results Panel
The results of a search can be opened directly in a browse window, making it easier to review them manually and to bookmark individual items by hand so that potential evidence is identified for future reference. The results of the search can also be analyzed further by applying MacForensicsLab’s built-in Skin Tone analyzer directly to them.
Bookmarks Panel
When performing a search scan the examiner can use the options in the ‘Bookmarks’ panel to auto-generate bookmarks of matched items, making them available for easy reference later in the investigation. The text area below the folder drop-down is for comments or a description of the chosen bookmarks folder.
Hash Panel
The ‘Hash’ panel allows the examiner to define the auto-hashing options for a search scan. Options include adding the hash values of scanned files to the internal database (MacForensicsLab uses the industry-standard NSRL format) and exporting them to an external log file.
Using Custom Search Terms and Filters
To zero in on areas of particular interest, positive and negative filters can be applied using custom checksum databases or those provided by the National Software Reference Library (NSRL). A negative filter discards files whose hash is in a known-file database such as the NSRL, which removes operating system and application files from the result set; a positive filter keeps only files whose hash is in a database of known suspect files.
Available ‘Search Filters’ include all of the Log File Format fields:
- Creation Date
- Modification Date
- Data Size
- Resource Size
- Mac Creator
- Mac Type
- Absolute Path
Each of these filter types can be combined with the following operators. The comparison operators take a literal value to test the field against; the two database operators compare a file’s hash against the selected checksum database (see the positive and negative filters above):
- Is Equal To
- Is Not Equal To
- Does Not Contain
- Is Less Than
- Is Greater Than
- Is in database
- Is not in database
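To make the filter fields, the operators and the checksum-database matching concrete, the following is an added example written for this page; it is not MacForensicsLab code and does not reproduce the product’s internal logic. It hashes a directory tree, applies filters named after the operators listed above (AND-ed together), treats the NSRL-style database as a plain set of SHA-1 values, and writes a hash log in a constructed tab-separated layout. The use of SHA-1, the log layout, the use of `st_birthtime` as the creation date and the `ctime` fallback are all assumptions made for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-in for a known-file checksum database (NSRL RDS or a custom set).
# A real set holds hashes of millions of known OS and application files; this one holds
# the SHA-1 of the single "known" file that demo() writes below.
KNOWN_SHA1 = {hashlib.sha1(b"known operating system file\n").hexdigest()}


@dataclass
class FileRecord:
    # Field names follow the page's Log File Format fields (Mac Creator/Type omitted).
    absolute_path: str
    data_size: int
    creation_date: datetime
    modification_date: datetime
    sha1: str


def hash_file(path, chunk=1 << 20):
    """SHA-1 of a file's data fork, read in chunks so large files never load whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root):
    """Walk a directory tree and build one FileRecord per file, hashing as we go."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_birthtime (true creation date) exists on macOS/BSD; elsewhere fall back
            # to ctime, which is an assumption and not a real creation timestamp.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append(FileRecord(
                absolute_path=path,
                data_size=st.st_size,
                creation_date=datetime.fromtimestamp(created),
                modification_date=datetime.fromtimestamp(st.st_mtime),
                sha1=hash_file(path),
            ))
    return records


# Operators named as in the page's list. Comparison operators take a literal target;
# the two database operators take a set of hashes.
OPERATORS = {
    "Is Equal To": lambda value, target: value == target,
    "Is Not Equal To": lambda value, target: value != target,
    "Does Not Contain": lambda value, target: target not in value,
    "Is Less Than": lambda value, target: value < target,
    "Is Greater Than": lambda value, target: value > target,
    "Is in database": lambda value, db: value in db,
    "Is not in database": lambda value, db: value not in db,
}


def apply_filters(records, filters):
    """Keep records for which every (field, operator, target) filter holds (logical AND)."""
    return [r for r in records
            if all(OPERATORS[op](getattr(r, field), target) for field, op, target in filters)]


def export_hash_log(records, path):
    """Write a constructed tab-separated hash log: sha1, data size, absolute path."""
    with open(path, "w") as f:
        for r in records:
            f.write(f"{r.sha1}\t{r.data_size}\t{r.absolute_path}\n")


def _names(records):
    return sorted(os.path.basename(r.absolute_path) for r in records)


def demo():
    """Constructed directory: one known file, one unknown document, one unknown binary."""
    root = tempfile.mkdtemp()
    for name, content in [("system.dylib", b"known operating system file\n"),
                          ("notes.txt", b"user created document, unknown hash\n"),
                          ("image.bin", b"\x00" * 4096)]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    records = collect(root)
    # Negative filter: discard anything whose hash is in the known-file database.
    unknown = apply_filters(records, [("sha1", "Is not in database", KNOWN_SHA1)])
    # Narrow further with file-information filters.
    small_docs = apply_filters(unknown, [
        ("data_size", "Is Less Than", 1024),
        ("absolute_path", "Does Not Contain", ".bin"),
        ("modification_date", "Is Greater Than", datetime(2000, 1, 1)),
    ])
    export_hash_log(records, os.path.join(root, "hashes.txt"))
    return _names(unknown), _names(small_docs)


if __name__ == "__main__":
    print(demo())
```

The order of the two passes matters in practice: hashing and discarding known files first shrinks the set that every later filter has to touch, and the exported log records every hash computed, including the ones that were filtered out, so the exclusion can be audited afterwards.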
Quick Tip: Foreign Languages
MacForensicsLab can filter on foreign multi-byte character sets such as Russian, Arabic and Chinese, not just English.
Adding & Removing Search Filters & Items
Clicking the (+) button underneath the desired pane creates a new filter/item at the bottom of the current list, after which the examiner can edit the filter/item details manually. To remove an individual filter, select the respective item and press the (-) button. Clearing an entire list is equally simple: click the (clear) button under the desired panel. This removes all items from that list without warning, so check which panel is selected before clicking it.
Importing A Custom ‘Search Item’ Database
To import a custom checksum database, simply click the Import button at the bottom of the ‘Search Items’ panel. This will bring up an open file dialog box from which the examiner can locate and select the required file. Upon import the information in the database file will populate the ‘Items’ pane.
Searching for Credit Card and Social Security Numbers
To have files containing credit card or social security numbers found and, optionally, bookmarked, the examiner must select either or both of the respective checkboxes in the ‘Search Items’ panel. These checkboxes match on number formats, so a hit is a candidate rather than a confirmed number and should be reviewed before being treated as evidence.
When scanning directories, the search function can also auto-generate bookmarks for reference later in the investigation.
To add matched items as bookmarks to a particular group, select the “Bookmark” checkbox in the ‘Bookmarks’ panel and then choose a bookmark group from the drop-down menu. If a new group is required, create it through the Bookmarks menu (please refer to the chapter on Bookmarks for more detail).
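The ‘Search Terms’ panel and the credit card/social security checkboxes both come down to pattern matching over file bytes. The following is an added example written for this page, not MacForensicsLab code: it applies ASCII and HEX search terms to a constructed buffer, matches candidate credit card numbers (13 to 19 digits with optional space or dash separators, confirmed with a Luhn check) and SSN-format numbers (rejecting the 000, 666 and 900-999 area numbers, 00 group and 0000 serial). The exact regular expressions, the Luhn confirmation, the case-insensitive ASCII matching and the sample data are all assumptions made for the example; the product’s own matching rules may differ.

```python
import re

# Search terms as an examiner might enter them (hypothetical values).
ASCII_TERMS = ["confidential"]
HEX_TERMS = ["89504E47"]  # PNG file signature, as a hex term

# Candidate credit card: 13-19 digits, optional single space or dash between digits,
# not adjacent to other digits. Any match is still checked with Luhn below.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# SSN format AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def hex_term_to_bytes(term):
    """'89 50 4E 47' or '89504E47' -> b'\\x89PNG'."""
    return bytes.fromhex(term.replace(" ", ""))


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(data, ascii_terms=ASCII_TERMS, hex_terms=HEX_TERMS, cc=True, ssn=True):
    """Return (kind, matched value, offset) for every hit in a byte buffer."""
    hits = []
    for term in ascii_terms:
        # Case-insensitive ASCII matching is an assumption for this example.
        for m in re.finditer(re.escape(term.encode()), data, re.IGNORECASE):
            hits.append(("ascii", term, m.start()))
    for term in hex_terms:
        for m in re.finditer(re.escape(hex_term_to_bytes(term)), data):
            hits.append(("hex", term, m.start()))
    if cc:
        for m in CC_RE.finditer(data):
            digits = re.sub(rb"[ -]", b"", m.group()).decode()
            if luhn_ok(digits):  # format matched, checksum confirms the candidate
                hits.append(("cc", digits, m.start()))
    if ssn:
        for m in SSN_RE.finditer(data):
            hits.append(("ssn", m.group().decode(), m.start()))
    return hits


def scan_file(path, **kwargs):
    """Scan a file as raw bytes, the way a disk-level search sees it."""
    with open(path, "rb") as f:
        return scan(f.read(), **kwargs)


# Constructed sample buffer. 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# 1234567812345678 has the right shape but fails Luhn; 000-12-3456 has an invalid area.
SAMPLE = (
    b"Report marked CONFIDENTIAL for review.\n"
    b"Card on file: 4111 1111 1111 1111 exp 12/29\n"
    b"Invoice number 1234567812345678\n"
    b"Employee SSN 078-05-1120\n"
    b"Bad SSN 000-12-3456 has area 000\n"
    b"\x89PNG\r\n\x1a\n"
)

if __name__ == "__main__":
    for kind, value, offset in scan(SAMPLE):
        print(f"{kind:5} at {offset:4}: {value}")
```

Even with the Luhn check, a 16-digit invoice or serial number can pass by chance (one in ten random digit runs will), so treat the credit card and SSN hits as a triage list to open in the browse window, not as a finding in themselves.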
Performing The Search Operation
The examiner should by now have selected the partition or directory structure to search, clicked the Search button in the ‘Main’ window to bring the ‘Search’ window to the fore, and set up the desired ‘Search Items’, ‘Search Filters’, bookmarking and hashing options. To initiate the process, click the highlighted Search button at the bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the examiner will be prompted to choose a file name and save location for the exported hash text file before the scan proceeds.
Once the scan has completed and the items found have been searched, the examiner is shown a screen advising them of this; closing it returns to the ‘Main’ window.