This section covers how a user can install and uninstall MacForensicsLab as well as providing definitions of commonly used terms.
To install MacForensicsLab on your Mac's hard drive, copy both the 'Applications - OS X' folder and the 'Shared Resources' folder from the MacForensicsLab USB device to your computer's 'Applications' folder. The folder layout from the USB device must be preserved: the 'Shared Resources' folder must remain alongside the folder that contains the MacForensicsLab application, although the name of the folder containing the application can be changed. Some users may choose to create a MacForensicsLab folder and then store both the folder containing the application and the 'Shared Resources' folder within it.
MacForensicsLab is a completely self-contained application and requires no uninstaller. To uninstall it, navigate to the directory in which MacForensicsLab is installed, select the MacForensicsLab folder and either drag it to the Trash or delete it with the Delete key.
This section is a Glossary of terms relevant to MacForensicsLab.
The process through which an examiner can make duplicate working copies of a suspect drive, media or other data storage hardware.
- Checksum & Checksum Verification
A checksum is a value computed from the contents of a block of data and stored or transmitted alongside it. Checksum verification recomputes the value over the received or copied data and compares it with the stored value; if the two match, the copy can be taken as identical to the original, to the limit of what the checksum algorithm can detect. Simple checksums (such as a sum of the bytes) detect accidental transmission errors but can easily be matched by altered data, so forensic verification of a working copy uses cryptographic hashes (see "Hash or Hashing") rather than a simple checksum.
Could refer to any form of data storage technology, or to the equipment required to read data stored on media such as CDs or DVDs.
- Disclosure triangle
The small rightward-pointing arrow next to folders in the explorer window. When clicked it turns downwards and lets the examiner view the contents of that folder.
- Disk Image
A disk image is a computer file containing the complete contents and structure of a data storage device. The term has been generalized to cover any such file, whether taken from an actual physical storage device or not.
- Disk Arbitration
The process by which a workstation discovers and attempts to mount a device connected to it. OS X is notified of the event by the kernel and immediately looks for mountable partitions on the drive. If any are found, the OS initiates the mount, the internal disk arbitration tables are updated with the proper information, and any programs that subscribed to mount notifications are eventually updated. During this process the suspect's drive is also written to, so an examiner must prevent automatic mounting (for example by attaching the drive through a hardware write blocker, or by configuring the workstation not to auto-mount before the drive is connected) if the evidence is to remain untainted.
- Evidence Item
Refers to an individual file that may be of use to an investigation or case.
Also referred to as the Desktop by workstation users. This is the graphical user interface, or front end, through which the human user interacts visually with the computer.
- Hash or Hashing
Producing hash values for identifying data or for security and verification. A hash value (or simply hash), also called a message digest, is a fixed-size number generated from an input of any length, such as a file or a whole disk image. The hash is substantially smaller than the input and is generated by an algorithm designed so that it is extremely unlikely that different data will produce the same hash value. Algorithms used to create hash values, in ascending order of strength, include MD5, SHA-1 and the SHA-2 family, of which SHA-256 is the most commonly used member. MD5 and SHA-1 have known practical collision attacks, so SHA-256 is the value that should carry weight when a working copy is verified; the older digests are still computed where existing case records require them.
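The checksum verification and hashing entries above describe the same operation from two angles: compute a digest of the original, compute the same digest of the working copy, and compare. The following is an added example written for this page (it is not MacForensicsLab code and makes no assumption about how the product computes its hashes). It reads the data in fixed-size blocks, so a multi-gigabyte image never has to fit in memory, computes MD5, SHA-1 and SHA-256 in a single pass, and shows that a single flipped bit in the copy (what an uncontrolled auto-mount can do to a suspect drive) changes every digest. The sample "suspect drive" is constructed in memory; the `digest_file` helper is how the same routine would be pointed at a real image file.

```python
# Added example, not part of the MacForensicsLab manual or product: verifying a
# working copy against the original with MD5, SHA-1 and SHA-256.
import hashlib
import io

CHUNK_SIZE = 1 << 20  # 1 MiB reads: a multi-GB image never has to fit in memory

# Ascending order of strength. MD5 and SHA-1 have practical collision attacks,
# so SHA-256 is the value that should carry weight; the older digests are kept
# only for compatibility with case records that recorded them.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for a binary stream, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for hasher in hashers.values():
            hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (used for the constructed sample)."""
    return digest_stream(io.BytesIO(data), algorithms)


def digest_file(path, algorithms=ALGORITHMS):
    """Hash a file on disk (e.g. a .dmg or raw image) without loading it whole."""
    with open(path, "rb") as handle:
        return digest_stream(handle, algorithms)


def verify_copy(original, copy):
    """Checksum verification: every digest recorded for the original must match
    the digest recomputed over the copy. Returns (ok, names_that_mismatched)."""
    mismatched = [name for name in original if original[name] != copy.get(name)]
    return (not mismatched, mismatched)


def demo():
    """Constructed data: a 3 MiB 'suspect drive', a faithful copy, and a copy in
    which one bit changed. Returns (original digests, good result, bad result)."""
    suspect = bytes(range(256)) * (3 * 1024 * 4)   # 3 MiB of repeating bytes
    tainted = bytearray(suspect)
    tainted[1_500_000] ^= 0x01                      # flip a single bit
    original = digest_bytes(suspect)
    good = verify_copy(original, digest_bytes(suspect))
    bad = verify_copy(original, digest_bytes(bytes(tainted)))
    return original, good, bad


if __name__ == "__main__":
    digests, good, bad = demo()
    for name, value in digests.items():
        print(f"{name:7s} {value}")
    print("faithful copy verified:", good)
    print("tainted copy verified: ", bad)
```

Record the digests of the original before the image is taken and again of the image once it is complete; a verification that only hashes the copy proves nothing about the source. On a macOS workstation the same digests are available from the command line (`md5`, `shasum -a 1` and `shasum -a 256`) for a quick cross-check of any value the tool reports.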
The part of an application window where data may be previewed in columnar or free-form style. Column headers may be used to sort columns, while free-form text can be edited.
- Partition (also known as a Volume, when used to store data)
A partition is an individual section of a hard disk or other media. A drive must contain at least one partial or complete partition in order to be of use, and may contain multiple partitions to separate the data stored on them. Partitions may be set up write-protected and may even be configured not to auto-mount.
- Suspect Drive
The drive that is the focus of the investigation and which the examiner must avoid tainting if the evidence collected is to be relied upon later in a legal setting.
- Unallocated Space (also known as Free Space)
Refers to sectors on the hard drive that are not referenced in the file system's catalog and are therefore not reserved, so the computer may write to them at any time. Data from deleted files commonly remains in unallocated space until it is overwritten, which is why it is a primary target for salvaging files.
- Work Drive
Refers to the drive on which an examiner stores files relating to a case. Salvaged files and other data are written to the work drive rather than to the "Suspect Drive", since writing to the suspect drive would contaminate or destroy evidence.
- Volume (Please refer to “Partition”)
A volume is a partition that can be used to store data.