The ability to obtain a valid forensic image is critical to the successful completion of a forensic examination. Therefore, as with all forensic tools, it is incumbent upon the examiner to validate their current tools against well-documented and validated tools; this should be done every time there... |
 |
The drug community has a vast array of slang words for illegal substances. Performing a forensics search on these terms takes knowledge and awareness of them (as it does in any other investigation). To this end MacForensicsLab feels it is important for examiners to have access to lists like this.... |
 |
When processing an investigation of a suspect's Mac OS X hard drive using MacForensicsLab there are several places that you may want to start your search. These folders are present on all versions of Mac OS X and contain a great deal of information that will help the investigator to show intent and... |
 |
This lesson demonstrates how to add a case using MacForensicsLab 2.9. Open Preferences Window: Select MacForensicsLab from the Main Window and select Preferences (or from the Main Window use the keyboard shortcut of Command + ,). Select Cases: Select the Cases Tab from the Preferences Window. ... |
 |
This lesson demonstrates how to add a disk image to a case. Attach a Disk Image: From the Main Window, select "File" (1) and from the drop-down list "Attach Disk Image" (2). Navigate to Disk Image: From the Navigation Window that appears, navigate to and select the desired... |
 |
This lesson demonstrates how to add exported files back into the case so they can be bookmarked and added into the report. Navigate to exported folder containing the exported files: Open a navigation window (Finder) and navigate to the location of the exported files folder. In this example, I have... |
 |
Making a forensic acquisition using a forensic work station and a hardware write blocker is the preferred method of acquiring a suspect drive. Although this setup is ideal, it may not always be an option for investigators. At times this may mean that the hard drive acquisition may need to be done... |
 |
Bootable acquisition drives are very handy for onsite acquisitions of suspect material. Creating a bootable acquisition drive for MacForensicsLab will allow the investigator to simply boot the suspect Mac from their bootable acquisition drive and acquire an image of the machine right to the... |
 |
Open Bookmarks Window: From the MacForensicsLab Main Window select "Bookmarks" (1) and from the drop-down list "Show All Bookmarks" (2). Add a Custom Bookmark Folder: To add a custom bookmark folder select the "+" button at the bottom of the screen. Name the Custom... |
 |
Identity theft is a growing issue. With phishing scams and corporate theft, it's an issue that can affect everyone, even those not online. MacForensicsLab has a built-in credit card and social security number (SSN) scanner. This powerful feature allows investigators to zero in on identity theft... |
 |
This lesson will demonstrate how to customize the Report by altering default files and adding files that the examiner wants to be added to every case thereafter. The MacForensicsLab Templates Folder: The first time a report is generated using MacForensicsLab, a folder called "MacForensicsLab... |
 |
Securely erasing a drive will overwrite the contents of the device to ensure that no data can be recovered. This process involves overwriting every block of data on the drive one or more times to ensure that no trace of the previous information on the device remains. Simply deleting the data on a... |
 |
The distribution of child pornography is one of the most disturbing cyber crimes. With the growth of the internet and the ease of file-sharing these days, child pornography has grown to become a worldwide issue. Dealing with the exploitation of children in a sexual manner has become a big issue... |
 |
The Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, the popularity looks to continue to increase. The Kindle can store a wealth of information, not only limited to ebooks but also notes, music,... |
 |
When creating an image of a suspect drive, the investigator needs to ensure that the evidence is not altered and that it remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all... |
 |
Sometimes an investigator may not have access to a hardware write blocker or may not be able to remove the suspect drive from their Mac (we do not recommend investigators attempt to image a drive without a hardware write blocker but at times situations may necessitate it). In this case the... |
 |
Since the release of Mac OS X, Mail.app has been the default email application. Mail stored emails in .mbox files up until the release of Mac OS X Tiger 10.4, at which point Apple changed the default file type to .emlx. The instructions below outline the process used to recover and investigate the... |
 |
When creating a forensically sound image of a suspect drive, care must be taken to ensure that the suspect evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but... |
 |
Does your acquired disk image refuse to mount on the desktop? If you have selected the option to turn off Disk Arbitration when MacForensicsLab launches or disabled Disk Arbitration by selecting the option from the Window menu, Disk Utility will not be able to mount any images until Disk... |