This section will cover the organization and layout of the MacForensicsLab database.
When whichever database (local file, RealSQL server, MySQL server) is enabled via the ‘Preferences’ window, detailed logs are kept of every action and all points of interest to support the examiner in the understanding and final presentation of their evidence. In the ‘Database’ window, the examiner has full access to comprehensive details of what has been logged in the forensic examination to date.
Opening the Database
The MacForensicsLab database can be opened from the Main window by selecting "Window -> Database" or by using the keyboard shortcut "Shift + Command + D".
The Database Window Layout
The ‘Database’ window can essentially be split into 2 parts:
- The tab bar - consisting of the various database sections:
- The viewing pane(s) - consisting of:
  - Device information
Each database tab has its own layout: within the ‘Database’ window the screens vary from a single pane with a columnar list to a triple-paned layout with bookmarks and a note/native viewer.
Viewing the Database Sections
As each tab is clicked in turn the database will be read, either locally or centrally, and the contents loaded into the new window layout; needless to say, the larger the dataset the longer the process of fetching and loading the data will take to complete.
Accessible through the individual buttons of the tab bar in the ‘Database’ window are:
The Acquisition Log - lists the date and time of an acquisition process, a description of it and the exact block details (offset, length, hash sum, etc.).
The Analyze Log - keeps track of the details of searches performed, as well as the results associated with them. Details logged include: date and time, file location, results and the associated match and offset.
The Audit Log - lists the date and time of an acquisition process, a description of it and the specific OS artifact information generated, to include folder creation date/times, network preferences, system settings, user preferences, bookmarks, web caches, and much more.
The Chronology Log - lists all the events from the moment the case reference is set up to the latest action performed in MacForensicsLab. It lists the date and time of the actions, the name of the examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the actions.
The Hash Database - provides a means by which the examiner can import, manage and store hash values for use within the various functions provided by MacForensicsLab.
The Notes Log - contains all the notes regarding the investigation as entered by the various examiners. Notes are listed with examiner name, date and the initial characters of the note, with the ability to view an entire note, as well as manage and edit notes.
The Salvage Log - keeps track of the date and time of the salvage process, the name of the examiner, the actions performed, and the location and specific details of the files salvaged.
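As an added illustration (not MacForensicsLab's own code or database schema), the following Python sketch shows why the block details an acquisition log records (offset, length, hash sum) matter: they let an examiner re-verify an image against the log later and spot a block that no longer matches. The record layout, the sample image and the tampered copy are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AcquisitionRecord:
    """One constructed acquisition-log row: when a block was read, its
    description, where it sits in the image, and its hash sum.
    The column set is an assumption for illustration only."""
    timestamp: str
    description: str
    offset: int
    length: int
    hash_sum: str  # hex SHA-256 of image[offset:offset + length]


def log_block(image: bytes, offset: int, length: int, description: str) -> AcquisitionRecord:
    """Hash one block of the image and return the log row that would be stored."""
    block = image[offset:offset + length]
    if len(block) != length:
        raise ValueError("block runs past the end of the image")
    return AcquisitionRecord(
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        description=description,
        offset=offset,
        length=length,
        hash_sum=hashlib.sha256(block).hexdigest(),
    )


def verify_log(image: bytes, records: list[AcquisitionRecord]) -> list[tuple[int, bool]]:
    """Recompute every logged block's hash from the image; False marks a mismatch."""
    results = []
    for rec in records:
        block = image[rec.offset:rec.offset + rec.length]
        ok = len(block) == rec.length and hashlib.sha256(block).hexdigest() == rec.hash_sum
        results.append((rec.offset, ok))
    return results


# Constructed sample image: 4 KiB of deterministic bytes, logged as four 1 KiB blocks.
SAMPLE_IMAGE = bytes((i * 31 + 7) % 256 for i in range(4096))
SAMPLE_LOG = [log_block(SAMPLE_IMAGE, off, 1024, f"block {off // 1024}") for off in range(0, 4096, 1024)]


def demo() -> tuple[list[tuple[int, bool]], list[tuple[int, bool]]]:
    """Verify the pristine image, then a copy with one byte flipped inside block 2."""
    clean = verify_log(SAMPLE_IMAGE, SAMPLE_LOG)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[2048 + 5] ^= 0xFF
    return clean, verify_log(bytes(tampered), SAMPLE_LOG)
```

Running `demo()` reports every block as matching for the original image and flags only the block at offset 2048 for the altered copy.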
Sorting The Data
The examiner can sort by any available column by clicking its column header. Once the column is highlighted and sorted in ascending order, clicking the header again sorts it in reverse order.
Certain panes containing log data also have management buttons, namely buttons to:
Where available, the examiner should use these buttons as in other function windows: to reload data into the respective pane, to remove or clear records (both of which generate a warning prompt requesting confirmation before records are deleted), and to add items or make amendments.