Care needs to be taken when examining suspect USB thumb drives and CDs. These types of media may contain autorun viruses and malware that could potentially infect the investigator's workstation. Steps should be taken to disable autorun on Windows computers and decrease the chance of damage by...

BitLocker is a new drive encryption technology introduced with the Vista operating system. With BitLocker enabled, all files on a personal computer's hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk...

Mac OS X makes connecting to remote servers very easy. Retrieving information about servers a suspect has connected to will help an investigator find other resources they should be investigating or help prove intent. Mac OS X logs these connections along with other information that may be of interest...

Disk Images (.dmg) are very common on Mac OS X. Disk Images allow both compression and password protection, so they are very common for the distribution of software over the internet. When opened, Disk Images mount as a drive in the Finder. You can use the MacForensicsLab's Analyze function to...

iChat is an AIM (AOL Instant Messenger) client and comes built in to Mac OS X. It is popular with many Mac OS X users as it has an easy-to-use interface, it works with AIM, and it's well integrated into the operating system. Finding the usernames of a suspect may be of use to the investigator. You...
 |
The Apple Address Book is the central address book in Mac OS X. In addition to containing user-entered names and addresses, it also contains an entry for the computer's owner that is created when the user registers the machine the first time after installation. Even if entries are deleted from the...

Google is the most popular search engine on the planet. Safari, the default web browser in Mac OS X, has a built-in Google search bar in the upper right corner of its window. This makes it very easy to conduct a search and also means it's very likely that search information can be found if a...

The default image browsing application in Mac OS X is Preview. It is a popular program for viewing images as it supports a large number of file formats and provides a simple user interface. Finding recently browsed images can help direct an investigator to files of interest or help prove intent...

Apple Remote Desktop (sometimes abbreviated ARD) allows users to control or monitor another computer over a network or internet connection. You can use the MacForensicsLab's Analyze function to explore the following file: ~/Library/Preferences/com.apple.RemoteDesktop.plist This file shows all the...

iPod sales have almost topped 10 million worldwide. They are also becoming a popular device for suspects to store information other than just MP3s on, thanks to their ability to be used as a mass storage device. Every time an iPod is attached to a Mac, the serial number of the iPod is recorded by...
 |
When Mac OS X is run for the first time after installation, the user is prompted to enter their registration information such as name, address, email, and phone number. This information is then sent to Apple (if an internet connection is present) and also used to populate the administrator's...

Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows an investigator to correlate computer events to actual time frames and may help secure a conviction. Macs sold after March of 2001 will most likely have Mac OS X loaded on them and all...

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Current estimates as of June 2007 put Firefox at 14.55% of the world's web browsers. Being free, cross-platform, and updated regularly are just some of the many reasons many users have made the switch...

USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They're small, portable, and often contain evidence that can be helpful to an investigation. When examining the Windows registry, one of the interesting things to look at is the...

Gaining SYSTEM user access in Microsoft Vista is a simple procedure and allows a forensic investigator higher-level access than the administrator. This method of gaining access to a Microsoft Vista system doesn't require the investigator to know any of the usernames or passwords for the system. ...
 |
There may be times when it can be beneficial to an investigation for the investigator to be able to log in to a suspect machine as the root user to explore. Such access may allow an investigator access to items that may be locked without root access to the machine. Boot Linux into single-user mode ...

iPhones and iPod Touches with firmware version 2.0 or later will call home periodically to see if any applications have been blacklisted by Apple. This allows Apple to disable malicious applications on iPhone and iPod Touch users' devices. The iPhone and iPod Touch will check the following URL for any...

As Apple guys and forensics experts we are constantly aware of the legendary iPhone. We have them ourselves (and love them) and we are aware of the challenge they pose to the law enforcement community. The technology on both sides of the "argument" is constantly changing and we try to tread the...

The Mac mini is a small, low-cost Mac that offers a lot of features in a small package. It's a nice entry-level machine for new and old Mac users. The low price along with its rich feature set makes it an ideal machine for general users. Although a forensic examiner can connect the Mac mini to...

Open Firmware is hardware-independent firmware (computer software that loads the operating system). Open Firmware is present on PPC (PowerPC) Macs. Open Firmware does allow the user to set a password to keep other users from changing the boot drive or partition. This can be an issue if the...
 |
Apple's new MacBook Air is a small, lightweight laptop for users on the go. It packs lots of features into a small package. In fact it's just 0.76 inches at its thickest point. The small and compact size means that all the components are tightly squeezed into the MacBook Air. Taking it apart can be...

The iPod has become the most popular MP3 player on the market. Because iPods can also be used as a mass storage device (with the exception of the iPod shuffle), digital evidence may be stored on these devices. The iPod is a computer in its own right and because of this, it will mount and write to...

Showing applications, documents, and servers a user most recently accessed can help direct an investigator to files of interest or help show intent. By default, Mac OS X keeps track of the last 10 applications, documents, and servers used. The user can increase or decrease this number but most leave...

QuickTime is the default movie player in Mac OS X. Because of its ability to play a wide range of video and audio media, QuickTime Player is a convenient tool for most users. Being able to show the last file played using QuickTime Player can help an investigator show intent. You can use the...

The following was taken from the United States Secret Service's Best Practices For Seizing Electronic Evidence. We highly recommend you read the entire article located here as it contains lots of good information regarding electronic evidence. Recognizing Potential Evidence: Computers and digital...
 |
With the smaller and more compact design of computers these days, it's becoming increasingly difficult to take them apart to get access to the hard drive for forensic acquisition and examination. Should you choose to take the Mac apart to access the hard drive for forensic investigation, Apple has...

The easiest way to bypass the administrator password is to remove the drive and attach it to another machine or a forensic station, then use MacForensicsLab to image the drive. That being said, if for some reason you need to keep the drive inside the machine, you can reset the system administrator...

The sleepimage is a file that Mac OS X uses to store the contents of the active RAM when a machine is put to sleep. This information is stored to allow the OS to restore the pre-sleep state of the computer should the battery or power be interrupted while the computer is sleeping. For an investigator,...

On occasion FireWire buses can hang and stop responding. Should you run into this issue, here are the suggested steps to resolve it. If you have a hard drive freeze your FireWire bus and hang your machine, you can cause the system to reset the bus by plugging in a second device in the chain. The...

FileDefense changes the way your OS operates by adding a layer of security at the layer that we feel is the most important: the file access layer. The way we see it, the amount of damage any application can do to you is based on whether it can access your personal files. The more you can limit...
 |
Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent. You can use...

The Windows Registry stores a wealth of information that can be helpful to a forensic investigator during an examination. Knowing which documents were recently accessed on a suspect's Windows machine can point an investigator to files of interest along with helping to show proof of intent. The...

iChat, the default AIM client on Mac OS X, allows Apple .Mac users to encrypt chat if both users are using .Mac accounts. The encryption certificate for the encrypted chat is created on the user's machine. When attempting to use certificates that have been stored inside a Keychain, the...

Although Microsoft has officially dropped support for Windows Media Player for Mac (Microsoft redirects Mac users to the Flip4Mac website, as Flip4Mac actively develops a free plugin that allows QuickTime to play Windows Media documents), there are still many users that have Windows Media Player for Mac...