MacLockPick™ is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB Flash drive that can be inserted into a suspect's Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect's critical information with as little interaction or trace as possible.
A database of the suspect's information is compiled on the Flash Drive to allow for easy transportation away from the suspect's system. This database can be read by the included log readers on Microsoft Windows, Linux, or Apple Mac OS X computers back at base.
Free e-Mail Technical Support
Items recovered from the suspect's computer.
The following is a list of file items that can be extracted using SubRosaSoft.com's MacLockPick:
Apple Keychain Passwords
- System - The user password of the logged in user. Often this is shared for root access and FileVault encryption.
- General - Includes (but is not limited to) passwords for encrypted disk images, Wi-Fi base stations, iTunes Music Store, iChat login, and Apple Remote Desktop.
- Internet - Includes (but is not limited to) login and password details for web sites, email accounts, some peer-to-peer networks, online services and stores, auction sites, and .Mac accounts.
- AppleShare - A list of login and password details for AppleShare servers this Mac has connected to.
Files and Folder details
- Folder Dates - A list of all the key user folders along with their creation date, date of last modification, date of first access, and date of the most recent access.
- Disk Images - Paths to the most recent disk images that have been mounted on this Mac.
- Preview - Full paths to recent files that have been viewed in the Preview program.
- QuickTime - File names for recently viewed movies from the QuickTime player applications.
- Recent Applications, Documents, and Servers - Program names for the most recently used items on this Macintosh computer.
- Default Login - for iChat instant messenger system.
- Complete buddy list - including buddies who have since been deleted.
- Account Details - login names and server addresses used.
- Address Book - Address details for entries in the address book including contacts that have been deleted. This address book is used by most communication programs on the Mac and is used to synchronize with the iPod and other portable devices.
- Opened Attachments - Paths to files that have been received as an attachment then saved or opened including the date and time of opening.
Web History and Preferences
- Search Strings - The most recent items that the user has searched for using the Google toolbar in Safari.
- Cached Bookmarks - Sites that have been bookmarked in Safari including items that have been deleted.
- Current Bookmarks - Sites that are currently bookmarked in Safari.
- Cookies - A full list of cookies, including the server address, the cookie value, and the date and time of assignment.
- History - Complete details of browsing history including the number of times visited and the date and time of the most recent visit.
- iPod - Serial numbers of any iPod that have been connected to this Mac along with the date and time it was first used.
- Bluetooth Devices - Hardware address of any Bluetooth devices that have been paired with this Mac along with the most recent time these devices have been paired.
- Wifi Connections - Listings for Wi-Fi base stations that have been used on this computer including the base address and the date and time of the first connection.
- Network Interfaces - MAC address for each integrated network interface on the suspect's machine.
Quick Tip: Law Enforcement Only
MacLockPick is not for sale to the general public. Purchasers will be required to provide proof that they are a licensed law enforcement professional. Users are required to ensure that the use of this technology is legal at the federal, state, and local levels.
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect's contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.
Quick Tip: Advanced Forensics
For the advanced Mac Forensics investigator, SubRosaSoft.com Inc. has released a new, industrial-grade application aimed specifically at high-end users. The software is entitled MacForensicsLab and more information can be found at: http://www.macforensicslab.com/
Written specifically for Mac OS X, MacLockPick also includes log reader tools that can be used to access your suspect's data even if you do not have a Mac.
Safety first - MacLockPick will never write to the disk or device being investigated. This makes the software “risk-free”. Instead MacLockPick simply extracts the data and saves it to its own flash drive.
Recovers files from sleeping computers - Once awakened, a Mac will return its keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.
Contacting SubRosaSoft.com Inc.
Comments & Questions
If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: sales@MacForensicsLab.com. For information regarding technical help, please refer to “Finding Help…” at the end of Chapter 2.