
06: Main Window

This section will describe the layout and functionality of MacForensicsLab's Main Window.

Overview

The ‘Main’ window is the starting point after accessing a case and provides the examiner with a detailed view of the system, any devices or disk images attached to it and their directory and file structure. It is from the ‘Main’ window that the examiner will gain full access to the wide array of functions and features that MacForensicsLab provides, each of which will be covered in subsequent chapters of this manual.

When working with the ‘Main’ window, the examiner should maximize the view of the window either by clicking the green maximize button at the top left of the window, or by using the resize handle at the bottom right. Maximizing the window will lessen the need to scroll up and down the various panels.

The Main Window Layout

MacForensicsLab main window.

There are 3 key sections to the layout of the ‘Main’ window:

  1. The ‘Access’ panels (Devices and Files)
  2. The ‘Explorer’ panel
  3. The ‘Buttons’ panel

The Access Panel - Devices Tab

The device tab.

In the Main Window, there are two buttons: "Devices" (1) and "Files" (2). As depicted above, the Devices button lists all devices (with their respective partitions and volumes) attached to the machine in the leftmost pane (3). When a device is selected, the corresponding device details appear in the Explorer portion of the window (4).

The following information is specified:

  • Display Name – The volume title
  • Mounted – Status (true or false)
  • Leaf
  • Writable – Write Status (yes or no)
  • Partition ID
  • Preferred Block Size
  • BSD Major & Minor
  • BSD Name – Mount point
  • Size – in bytes
  • Content & Content Hint – Format type and hint
  • Removable & Ejectable – Status (yes or no)
  • BSD Unit
  • Whole
  • Drive Title – manufacturer’s model number
  • Serial – manufacturer’s serial number
  • Used - The amount of drive space used
  • Available - The amount of drive space currently available
  • Percentage - The percentage of drive space used

The Access Panel - Files Tab

The Files tab.

When the Files Tab (1) is selected, the leftmost portion of the window lists shortcuts (2) to volumes and user folders, with the Explorer portion of the window (3) allowing for viewing of the directory structure and individual files, along with their corresponding information (such as date/times, permissions, etc.).

The following information is specified:

  • File Name - full filename with extension.
  • File Size - in bytes; folders instead display, within brackets, the total number of items inside them (hidden files are included).
  • Mac Creator Code - the OS creator application code.
  • Mac Type - the OS file type.
  • Header - the first 32 characters of the file.
  • CRC - the Cyclic Redundancy Check checksum value of the ‘Header’.
  • File Reference - Unique file number.
  • User ID - OS user id for file owner permission.
  • Group ID - OS group id for file access permission.
  • Finder Flags - OS finder settings.
  • Permissions - OS permissions for read, write and execution of file.
  • Creation Date - Date when file/folder was created.
  • Modification Date - Date when file/folder was modified.

Each column can be sorted in both directions by clicking the column header.
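
To spot-check the Files tab columns against an independent source, the following added example (not MacForensicsLab code) recomputes them in Python from `os.lstat` and the file's first 32 bytes. The function names, the constructed sample files and the choice of CRC-32 are assumptions, since the manual does not name the CRC variant; Mac Creator Code, Mac Type and Finder Flags are left out.

```python
import os
import stat
import tempfile
import zlib
from datetime import datetime, timezone

HEADER_LEN = 32  # the manual's 'Header' column: first 32 characters of the file


def utc_iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def file_row(path):
    """Recompute the Files tab columns for one path, for cross-checking."""
    st = os.lstat(path)  # lstat describes a symlink itself instead of following it
    birth = getattr(st, "st_birthtime", None)  # present on macOS/BSD only
    row = {
        "File Name": os.path.basename(path),
        "File Reference": st.st_ino,
        "User ID": st.st_uid,
        "Group ID": st.st_gid,
        "Permissions": stat.filemode(st.st_mode),
        "Creation Date": utc_iso(birth) if birth is not None else None,
        "Modification Date": utc_iso(st.st_mtime),
    }
    if stat.S_ISDIR(st.st_mode):
        row["File Size"] = "(%d)" % len(os.listdir(path))  # count includes hidden files
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)  # may be shorter than 32 bytes
        row["File Size"] = st.st_size
        row["Header"] = header
        row["CRC"] = "%08X" % zlib.crc32(header)  # assumption: CRC-32 (zlib)
    return row


def demo():  # constructed sample: a folder with one 9-byte file and one hidden file
    with tempfile.TemporaryDirectory() as d:
        note = os.path.join(d, "note.txt")
        with open(note, "wb") as fh:
            fh.write(b"123456789")
        os.chmod(note, 0o640)
        open(os.path.join(d, ".hidden"), "wb").close()
        return file_row(d), file_row(note)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Reading the header opens the file, which can update its access time on a writable volume, so run this against a working copy or a read-only mount of the image rather than the original evidence.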

The Buttons Panel

The Buttons panel.

The ‘Buttons’ panel provides the examiner with access to selected core functions of MacForensicsLab. Each button will be either highlighted and accessible, or grayed out and disabled, depending on the item selected by the examiner in either of the ‘Access’ panels. The current system information is displayed along the bottom of the Buttons panel.


Copyright © 2006 - 2010 MacForensicsLab Inc.