This section will discuss how to prepare for a case using MacForensicsLab.
During the course of using MacForensicsLab the examiner will come across a range of different suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access settings. It is therefore important to ensure that the examiner understands how each of these varies and how the computer interacts with them.
Before connecting any device to the workstation it makes sense to assume that the device, image or media may be written to and therefore should be handled with the utmost caution.
In Mac OS X there are a couple of ways to handle the issue of possibly tainting or overwriting data on the suspect drive or device. The first is ‘Disk Arbitration’ and the second is ‘Write Blocking’. It is also a MUST for the examiner to have a secondary “Work Drive”, wiped beforehand, onto which case data can be saved. This avoids the chance of overwriting possible evidence and thus losing and/or tainting it.
Disabling Disk Arbitration
Whether at start-up or when connecting a suspect device via any data bus (FireWire, USB, ATA) on your Macintosh Workstation, OS X is notified and will immediately look for mountable partitions on the device.
If any are detected, OS X initiates the mount and the disk’s internal arbitration tables are updated with the information needed to work with the system. Once mounted, the Finder is updated and the volume(s) appear on the desktop. Any other applications that have subscribed to disk arbitration notifications are also updated, in a cascade effect.
Finding and updating the arbitration tables on devices that are found and mounted runs the risk of writing to those devices and therefore tainting the evidence. MacForensicsLab, however, has a built-in option, accessible via the Window drop-down menu or the keyboard shortcut [Command] + [B], that allows the examiner to turn this process off.
In addition, to help avoid these issues, when MacForensicsLab reaches the ‘Main’ window it always prompts the examiner to confirm whether Disk Arbitration should be enabled or disabled, according to his or her desired behavior.
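As an added check that is not part of MacForensicsLab or this manual, the following POSIX shell snippet parses the output of the macOS mount command to report whether a suspect device’s partitions have ended up mounted read-only or read-write after connection. The mount listing and the disk names (disk2, disk3) are a constructed sample, not captured from a real workstation.

```shell
#!/bin/sh
# Constructed sample of macOS `mount` output (assumption: not a live listing).
# On a real workstation, pass "$(mount)" instead of this variable.
SAMPLE_MOUNTS='/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk2s1 on /Volumes/Suspect (hfs, local, nodev, nosuid, read-only, noowners)
/dev/disk3s2 on /Volumes/Evidence (hfs, local, nodev, nosuid, journaled, noowners)'

# mount_state DEVICE MOUNT_OUTPUT
# Prints one of: not-mounted, read-only, read-write for a single device node.
mount_state() {
    dev="$1"
    # The trailing " on " keeps /dev/disk2s1 from matching /dev/disk2s10.
    line=$(printf '%s\n' "$2" | grep "^$dev on ") || { echo not-mounted; return 0; }
    case "$line" in
        *"read-only"*) echo read-only ;;
        *)             echo read-write ;;
    esac
}

# writable_volumes DISK MOUNT_OUTPUT
# Lists every partition of DISK (e.g. /dev/disk3) that is mounted without the
# read-only flag, one "device mountpoint" pair per line; prints nothing when
# every mounted partition of that disk is read-only.
writable_volumes() {
    printf '%s\n' "$2" | grep "^$1s[0-9]* on " | grep -v 'read-only' | awk '{print $1, $3}'
}

# Example run against the constructed sample: the suspect disk is safe,
# the evidence disk has a writable partition.
echo "disk2s1: $(mount_state /dev/disk2s1 "$SAMPLE_MOUNTS")"
echo "disk3s2: $(mount_state /dev/disk3s2 "$SAMPLE_MOUNTS")"
writable_volumes /dev/disk3 "$SAMPLE_MOUNTS"
```

Run it after connecting a device, before opening a case, and treat any line from writable_volumes on the suspect disk as a reason to unmount and reconnect behind a write blocker.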
Enabling Disk Arbitration
When the examiner quits MacForensicsLab, he or she is asked in a similar message whether Disk Arbitration should be enabled again.
TIPS -- If you have Disk Arbitration turned off and you have quit MacForensicsLab, you will need to relaunch MacForensicsLab and enable Disk Arbitration, or your machine will not boot correctly.
Hardware Write Blockers
MacForensicsLab works effectively with all available write blocking hardware on the market, and we recommend that examiners use these devices, as their organization may dictate, when performing forensics on suspect drives. SubRosaSoft.com Inc. also carries an optional hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site http://www.MacForensicsLab.com for more information, or contact us via email: firstname.lastname@example.org; or telephone: +1 (510) 870 7883.
Clearing the Work Drive
It is essential that, before the examiner uses any drive for storing the results of an investigation, the drive has been cleared properly. This means that the work drive has been formatted with at least a single pass of zeroing data.
To clear the work drive, select a partition of the designated drive in the ‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear work drive” from the File menu. A confirmation window will come to the fore, which the examiner should accept, after which the ‘Shred’ window will come forward.
The window contains a slider with which the examiner can set the number of passes required to clear the drive. In order to speed up the process, the examiner also has the option to shred only “Free Space”, so that only the available space on the partition is cleared. Having set this, simply click Start and the clearing procedure will begin. If the examiner picks the wrong partition and/or decides to stop, simply clicking Close dismisses the ‘Shred’ window and returns him or her to the ‘Main’ window.
MacForensicsLab provides the examiner with quick access to a terminal window via the Window drop-down menu or the keyboard shortcut [Command] + [T], so that he or she does not have to leave MacForensicsLab in order to run commands through another Terminal application.