This section provides an overview of MacForensicsLab, its features, functionality and design.
Welcome to MacForensicsLab. If this is your first time using MacForensicsLab software, be assured you made the right decision. MacForensicsLab Incorporated is the worldwide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, MacForensicsLab is used by the military, the intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution.
As a company, SubRosaSoft.com Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but that change the way modern computer forensics are performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to their technological dilemma. When the momentum of an investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims are left needing resolution or worse, new victims are created. SubRosaSoft.com Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs and anticipate problems through use of intelligent proactive development.
SubRosaSoft.com Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, SubRosaSoft.com Inc. leverages technology and its advancements to reduce the opportunity for mistakes. By doing so, MacForensicsLab aids in maximizing the efficiency and effectiveness of its users, thereby getting more done with fewer mistakes.
SubRosaSoft.com Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization's forensic goals. To this end, we offer products that account for the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process, and SubRosaSoft.com Inc. accounts for this evolution with solutions for incident response, triage, static examinations and reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatibility with other tools, so the examiner is not limited to one tool or one answer to a problem. In summary, SubRosaSoft.com Inc. views mission accomplishment as a corporate social responsibility, one we take very seriously, and as such we strive to become not only a software development company but a partner to all our customers.
MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design and a feature-rich environment. It is capable of performing all aspects of the forensic process on any filesystem the host system can recognize, including NTFS, UFS, HFS, HFS Plus, ext2, ReiserFS and many more.
MacForensicsLab Design Features
MacForensicsLab has been designed, from the ground up, to be a powerful, easy-to-use forensic solution. A vital component in achieving this is the software's GUI (Graphical User Interface). Many modern forensic solutions present an interface with 15 or more buttons, making them difficult to use and, due to the crowded space, somewhat overwhelming for the user. By contrast, MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid out in an order that, if followed from one to the next, will guide the examiner through an entire forensic examination.
The second aspect of the design of MacForensicsLab is automation. The automation of tasks has changed the world. First, the Industrial Revolution was marked by automation of the blue-collar workforce, changing the way manufacturing was done. In the Information Age, this automation is seen through computers performing complex repetitive tasks. In computer forensics, automation means leveraging the computer to collect and collate data so the examiner can concentrate on analyzing it. MacForensicsLab is unique in that it excels at this, freeing the examiner to perform the vital task of analysis and thus provide context to the computer's findings. This concept is readily apparent in the Browse and Audit functions, described below.
Another aspect of MacForensicsLab design is fault tolerance. Unique within the industry, MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations. In addition, because it is a database-driven application, results are written to the system as soon as they are produced; there is no need for saving at timed intervals, a practice that inevitably results in data loss when the application or system fails between saves.
Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern computer forensics is one of increasing complexity. As such, no one solution provides all the answers to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use its results with other tools. The use of OpenISO imaging and HTML reporting are just two examples of this.
Speed and accuracy are the other tenets of MacForensicsLab design. The rapid increase in data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to increase speed, making it much faster than other tools such as dd.
Accuracy is a foundational element of computer forensics. Unfortunately, many software vendors sacrifice accuracy for speed. An example of this would be performing data recovery operations based solely on the directory structure. Relying on the directory structure alone provides fast results, but it does not account for a corrupted structure. When the directory structure is corrupted and it is the only means of data recovery, then all is lost unless the directory structure can be repaired. MacForensicsLab takes a different approach: instead of the fastest method, it takes the best method for recovering all files, examining the content of the media rather than trusting the directory alone. In doing so, MacForensicsLab demonstrates its understanding that without all the data there is no case, and that in this instance it is better to sacrifice speed for accuracy.
Now that we understand the basic design features of MacForensicsLab, let's take a minute to familiarize ourselves with its core functionalities.
The Acquire Feature
The ‘Acquire’ feature uses an intelligent algorithm to image both mechanically sound and faulty drives. Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the best chance of recovering the evidence to a forensically sound disk image. The output of this process is an open-format, industry-standard locked disk image.
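To make the fault-tolerance claim of the Acquire feature (and of the design discussion above) concrete, here is an added example, not MacForensicsLab code, of how a fault-tolerant imager behaves: it reads in large chunks, and when a chunk fails it falls back to sector-sized reads so that only the truly unreadable sectors are zero-filled and logged, while every readable sector around them is preserved and the whole image is hashed as it is written. The `FlakyDevice` class is a constructed stand-in for a drive with bad sectors; the sector size, chunk size and zero-fill policy are assumptions of this example.

```python
"""Fault-tolerant block imaging with bad-sector zero-fill and logging.

Added example, not MacForensicsLab code. A real imager would read from a
block device; here the source is a constructed in-memory "device" whose
bad sectors raise OSError like a drive returning EIO.
"""
import hashlib
import io

SECTOR = 512  # assumed logical sector size


class FlakyDevice:
    """Constructed stand-in for a drive with unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad = set(bad_sectors)  # sector numbers that cannot be read

    def read_at(self, offset: int, length: int) -> bytes:
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        self._buf.seek(offset)
        return self._buf.read(length)


def acquire(dev, chunk=8 * SECTOR):
    """Image `dev`; return (image_bytes, bad_sector_offsets, sha256_hex).

    Large reads are fast on a healthy drive; a failed read is retried one
    sector at a time so only the damaged sectors are replaced with zeros.
    """
    out = bytearray()
    bad = []
    digest = hashlib.sha256()
    off = 0
    while off < dev.size:
        n = min(chunk, dev.size - off)
        try:
            block = dev.read_at(off, n)
        except OSError:
            block = bytearray()
            for s_off in range(off, off + n, SECTOR):
                s_len = min(SECTOR, off + n - s_off)
                try:
                    block += dev.read_at(s_off, s_len)
                except OSError:
                    bad.append(s_off)          # log the unreadable sector
                    block += b"\x00" * s_len   # zero-fill, keep offsets aligned
            block = bytes(block)
        out += block
        digest.update(block)  # hash what was actually written to the image
        off += n
    return bytes(out), bad, digest.hexdigest()


# Constructed sample: 20 sectors of a repeating byte pattern, sectors 3 and 17 bad.
SAMPLE_DATA = bytes(i % 256 for i in range(20 * SECTOR))
SAMPLE_DEVICE = FlakyDevice(SAMPLE_DATA, bad_sectors={3, 17})

if __name__ == "__main__":
    image, bad, sha = acquire(SAMPLE_DEVICE)
    print(f"{len(image)} bytes imaged, {len(bad)} bad sector(s) at {bad}, sha256={sha}")
```

The bad-sector log is as much a part of the evidence as the image itself: it is what lets a reviewer distinguish a genuinely zero-filled region on the original media from one the imager could not read.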
The Search Feature
The ‘Search’ feature examines logical directory structures and files to identify items of interest, helping to zero in on any suspect material. Comparisons can be made against a database of hash values for known-good or known-suspect content. Using pre-specified search terms and filters, MacForensicsLab creates a list of catalog information, MD5, SHA1 and SHA256 checksums, and other basic file information for the matching files.
The Analyze Feature
The ‘Analyze’ feature enables an examiner to analyze the contents of files in ASCII and/or hex mode. ‘Analyze’ also allows the examiner to search the entire disk, including unallocated space, for specific terms and items such as keywords, hex strings, credit card numbers and social security numbers.
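The raw-disk search described for the Analyze feature is pattern matching over bytes, not over files, so it works equally on allocated and unallocated space. The following added example (not MacForensicsLab code) shows the four kinds of search the paragraph lists: case-insensitive keywords, hex strings, credit card candidates validated with the Luhn checksum so that random digit runs are not reported, and SSN-shaped strings filtered by the structural rules (no 000/666/9xx area, no 00 group, no 0000 serial). The sample image bytes are constructed; the specific regular expressions and validation rules are this example's assumptions, not the product's.

```python
"""Keyword, hex-string, credit card and SSN search over a raw image.

Added example, not MacForensicsLab code. Operates on bytes so it works on
unallocated space as well as files. The sample image is constructed.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Candidates are then checked with Luhn.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def search_image(data: bytes, keywords=(), hex_patterns=()):
    """Return sorted (offset, kind, value) hits for every search type."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), data, re.IGNORECASE):
            hits.append((m.start(), "keyword", kw))
    for hx in hex_patterns:
        needle = bytes.fromhex(hx)
        start = 0
        while (i := data.find(needle, start)) != -1:
            hits.append((i, "hex", hx))
            start = i + 1
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):  # drop digit runs that are not valid card numbers
            hits.append((m.start(), "card", digits))
    for m in SSN_RE.finditer(data):
        area, group, serial = (g.decode() for g in m.groups())
        if ssn_plausible(area, group, serial):
            hits.append((m.start(), "ssn", m.group().decode()))
    return sorted(hits)


# Constructed sample "image": slack bytes, a fragment of text, a JPEG header.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Password: hunter2\nVisa 4111 1111 1111 1111 exp 12/29\n"
    + b"not a card: 1234 5678 9012 3456\n"
    + b"SSN 078-05-1120 ok; 000-12-3456 is invalid\n"
    + b"\x00" * 16 + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
)

if __name__ == "__main__":
    for off, kind, value in search_image(SAMPLE_IMAGE, ["password"], ["FFD8FF"]):
        print(f"0x{off:08x}  {kind:8s}  {value}")
```

Searching bytes rather than decoded text means UTF-16 strings (common in NTFS and Windows artifacts) will not match an ASCII keyword; a practical tool also runs each keyword in its UTF-16LE encoding, which with this structure is one more `keywords` entry of `kw.encode("utf-16-le")`.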
The Salvage Feature
MacForensicsLab’s ‘Salvage’ feature is fault tolerant and thorough by design, making it the most powerful data recovery engine on the market. The 'Salvage' function recognizes over 100 file types by their content and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital camera memory cards, iPods and much more, without depending on an intact directory structure. In addition, ‘Salvage’ can learn on the fly, enabling the examiner to add unknown file types to the 'Salvage' database for recovery. These capabilities, combined with filters that allow targeted data recovery, make this a foundational feature for all subsequent forensic processes.
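Both the accuracy discussion above (recovering content when the directory structure is corrupt) and the Salvage feature rest on the same technique: signature-based carving, which scans the raw image for known file headers and footers and extracts what lies between them, ignoring filesystem metadata entirely. This added example (not MacForensicsLab's Salvage engine) carves JPEG and PNG objects from a constructed image, reports headers whose footer never appears (a truncated or overwritten file), and keeps its signature table as plain data so a new type can be added at run time in the way the "learn on the fly" sentence describes. The JPEG and PNG magic values are the real ones; the size limits, the `add_signature` helper and the `MFL1` type used in the usage are assumptions of this example.

```python
"""Signature-based file carving over a raw image, independent of any
directory structure.

Added example, not MacForensicsLab code. The signature table is a plain
dict so new header/footer pairs can be added while running; the image
below is constructed in memory.
"""

# name -> (header, footer, max_size). max_size bounds how far past a header
# the footer is searched for, so a lone header cannot swallow the whole image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 50 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 50 * 1024 * 1024),
}


def add_signature(table: dict, name: str, header: bytes, footer: bytes, max_size: int):
    """'Learn' a new type: subsequent carve() calls recover it with no other change."""
    table[name] = (header, footer, max_size)


def carve(image: bytes, table: dict = SIGNATURES):
    """Return (carved, truncated).

    carved:    list of (offset, type, data) for complete header..footer spans
    truncated: list of (offset, type) for headers with no footer in range
    """
    carved, truncated = [], []
    for name, (header, footer, max_size) in table.items():
        start = 0
        while (h := image.find(header, start)) != -1:
            window_end = min(len(image), h + max_size)
            f = image.find(footer, h + len(header), window_end)
            if f == -1:
                truncated.append((h, name))
                start = h + 1
            else:
                end = f + len(footer)
                carved.append((h, name, image[h:end]))
                start = end  # resume after the object, not inside it
    carved.sort()
    truncated.sort()
    return carved, truncated


# Constructed image: slack, a JPEG, junk, a PNG, then a JPEG header whose
# footer has been overwritten.
JPG_BLOB = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body" + b"IEND\xaeB`\x82"
SAMPLE_IMAGE = (b"\x00" * 512 + JPG_BLOB + b"\x00" * 100 + b"garbage" + PNG_BLOB
                + b"\x00" * 64 + b"\xff\xd8\xff\xe1" + b"no-footer-here")

if __name__ == "__main__":
    carved, truncated = carve(SAMPLE_IMAGE)
    for off, kind, data in carved:
        print(f"0x{off:08x} {kind} {len(data)} bytes")
    for off, kind in truncated:
        print(f"0x{off:08x} {kind} header with no footer in range")
    # Teach the carver a new, constructed type and run again.
    table = dict(SIGNATURES)
    add_signature(table, "mfl", b"MFL1", b"1LFM", 4096)
    print(len(carve(SAMPLE_IMAGE + b"MFL1payload1LFM", table)[0]), "objects with custom type")
```

The footer rule is the weak point of header/footer carving: a JPEG that embeds a thumbnail contains an inner FFD9 and will be cut short, and files with no fixed footer (for example ZIP, whose end-of-central-directory record has a variable-length comment) need length fields parsed from the header instead. Fragmented files cannot be carved this way at all, which is why carving complements rather than replaces directory-based recovery.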
The Browse Feature
The ‘Browse’ feature allows the examiner to quickly and easily thumbnail and preview graphic images and their metadata. MacForensicsLab was the first forensic software application to contain a built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of thousands of image files to locate files of investigative interest, which can then be bookmarked and/or exported for further action.
The Audit Feature
The ‘Audit’ feature quickly and efficiently collects and collates operating system artifacts and user preferences, including cached internet history and bookmarks, instant messaging buddy lists, WiFi access points, Address Book information, iPhone information and much more. In doing so, the 'Audit' feature enables the examiner to keep the investigative momentum while allowing for further in-depth analysis.
The Hash Feature
The 'Hash' function allows the examiner to compute MD5, SHA1 and SHA256 hashes of any given file located on the volume and export the results, with the full path, to a text file for easy reference. Additionally, this feature can produce a complete file listing of a volume with associated permissions, path and hashes.
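The Hash feature and the hash-set comparison mentioned under Search are two uses of the same listing: every regular file on the volume with its permissions, path and MD5/SHA1/SHA256, which can then be matched against known-good (for example OS installer files) and known-bad sets. The following added example (not MacForensicsLab code) produces such a listing in one read pass per file, writes it as tab-separated text, and classifies each file against the two sets. The volume is a constructed temporary directory; the TSV layout, the "bad wins over good" rule and the known-hash sets are this example's assumptions.

```python
"""Hash every regular file under a volume, export a path/permissions/hash
listing, and match SHA-256 values against known-good / known-bad sets.

Added example, not MacForensicsLab code. The sample tree is constructed in
a temporary directory so the script runs offline.
"""
import csv
import hashlib
import io
import os
import stat
import tempfile

ALGOS = ("md5", "sha1", "sha256")


def hexdigests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory blob (used to build the hash sets)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """One pass over the file feeds all three digests; does not follow symlinks."""
    st = os.lstat(path)
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    row = {"path": path, "mode": stat.filemode(st.st_mode), "size": st.st_size}
    row.update({a: h.hexdigest() for a, h in hashers.items()})
    return row


def hash_tree(root: str) -> list:
    """Listing of every regular file below root, in a deterministic order."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in filenames:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):  # skip symlinks, sockets, devices
                rows.append(hash_file(p))
    return rows


def classify(rows, known_good: set, known_bad: set) -> dict:
    """path -> 'bad' | 'good' | 'unknown' by SHA-256; a bad match outranks a good one."""
    verdicts = {}
    for r in rows:
        if r["sha256"] in known_bad:
            verdicts[r["path"]] = "bad"
        elif r["sha256"] in known_good:
            verdicts[r["path"]] = "good"
        else:
            verdicts[r["path"]] = "unknown"
    return verdicts


def to_tsv(rows) -> str:
    """Tab-separated export; path last so embedded tabs/spaces cannot shift columns."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(["mode", "size", *ALGOS, "path"])
    for r in rows:
        w.writerow([r["mode"], r["size"], *(r[a] for a in ALGOS), r["path"]])
    return buf.getvalue()


def demo():
    """Constructed volume: a benign note, an empty file and a 'suspect' binary."""
    root = tempfile.mkdtemp(prefix="mfl_hash_")
    os.makedirs(os.path.join(root, "Users", "alice"))
    suspect = b"\x7fELF\x02\x01\x01constructed-sample"
    files = {
        os.path.join(root, "Users", "alice", "notes.txt"): b"hello\n",
        os.path.join(root, "Users", "alice", "empty.dat"): b"",
        os.path.join(root, "tmp_payload.bin"): suspect,
    }
    for p, content in files.items():
        with open(p, "wb") as fh:
            fh.write(content)
    rows = hash_tree(root)
    known_good = {hexdigests(b"hello\n")["sha256"]}   # constructed known-good set
    known_bad = {hexdigests(suspect)["sha256"]}       # constructed known-bad set
    return root, rows, classify(rows, known_good, known_bad)


if __name__ == "__main__":
    _, rows, verdicts = demo()
    print(to_tsv(rows))
    for path, verdict in verdicts.items():
        print(f"{verdict:8s} {path}")
```

Hashing from a write-blocked or read-only mounted volume is essential here: opening files for reading on a normally mounted HFS+ or ext volume can update access times and change the very evidence being catalogued.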