Mac OS X Forensics is dedicated to making the examination of Apple Macintosh computers easier!
Macintosh Forensics Book
- I would like to officially announce that the first ever book for Macintosh Forensics is finally finished and will be available in December! It is now available for pre-order through Amazon and other bookstores under the ISBN 9781597492973. The title of the book is Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit. Jesse Varsalone is the Technical Editor and deserves the credit for pulling together all of the authors in this project! I truly believe you will find this book to be one of the best purchases you have ever made. It includes many step-by-step exercises to take you through exactly what has been discussed in each chapter. It also includes a DVD full of software and test data. Lastly, you will all know how to bombard one of the authors right here on this website! Thank you everyone for your support!
Forums
- The Forums are now open! We now have a community forum to post questions and answers for everything related to Macintosh Forensics.
Acquisition
- The Analysis section has been updated to include methodology for acquiring Macs in three forensically sound ways.
Raptor
- Available for free download from Forward Discovery is Raptor. Raptor is a Live CD based on the Ubuntu Linux distribution. Raptor is available for both Intel and PowerPC based Macintoshes, and it also runs on any PC. Raptor is notable for its strong support for the HFS and HFS+ file systems, which makes it simple to acquire forensically sound images of Macs.
Passwords
- Added a section on Passwords and their shadow hash files. This section should help answer some of the questions about password cracking, empty passwords, and Windows file sharing passwords.
Access Data
- Today, I received Access Data's Forensic Toolkit version 2. This was sent by AD to help answer all of your questions regarding the use of FTK v2 and Macintosh analysis!
- I can speak directly about Access Data's commitment to the Macintosh community. AD is aggressively developing FTK v2 to handle the special file and folder types found on a Mac. They are also customizing training classes for specific Macintosh forensic analysis.
- With the addition of this software, I will now begin to place answers to your questions on the web site, complete with screen shots, on FTK and Macintosh Forensics! Thank you Access Data!
Subrosasoft
- Subrosasoft has provided a copy of MacForensicsLab v2.5.4. This was sent by Subrosasoft to help answer all of your questions regarding the use of MacForensicsLab and Macintosh analysis!
- As with AD, I can speak about Subrosasoft's dedication to the Macintosh community. Offering the only all-in-one forensic suite on the Macintosh platform, Subrosasoft has shown itself to be a true competitor with features not found in other products. They offer training and certification in their products, and continue to work hand-in-hand with the forensic community with MacLockPick II. Thank you Subrosasoft!
- I have added a procedure to gather the Date and Time as reflected by the Macintosh to the Analysis section!
Incident Response
- So we have talked about many aspects of the Mac and how it works. Now it's time to talk about how to actually take that first step and begin the response. This first page is going to be about intrusions, hacks, and incident response. Check out the all-new Analysis section to see more.
MobileMe
- .Mac is now MobileMe. This adds a new complexity to our examination of a Macintosh, iPhone, iPod Touch, and now a PC as well. Take a look at the MobileMe page.
iPhone 3G, 2.0 Firmware and the App Store
- The iPhone 3G has arrived! So has the 2.x firmware for the EDGE iPhones and iPod Touch. The App Store is now open too. Check out the iPhone and iPod page for more.
HFS+
- Today, I added extra in-depth information on HFS+, including resources and a walk-through on interpreting hex values in the volume header! Even better, my HFSDebug page has a breakdown of the great program from Amit Singh that displays useful information from the HFS+ volume header.
iPhone Backup Parser
- Added to the Files section is the iPhone Backup file parser. It will parse the sync information on a Mac and place the results into a folder on your Desktop along with a text file of the results. Give it a try! Thanks, Adam, for supplying the Python script!
Time Machine and FileVault Explored
- Time Machine and FileVault have some interesting interactions. Read about each technology separately, and then read about the interesting discoveries on how they interact together.
Disk Arbitration
- The Files section has two new Applescripts to turn Disk Arbitration on and off for you.
Cracking Filevault?
- Ever wanted to try and crack a FileVault image file? Have a bunch of time on your hands or, better yet, have a great dictionary file you want to try out? Check out the Files section to see if Spartan and your dictionary have the right password to open the FileVault!
Starting Points
- Leopard 300 - Apple's list of the new features to be aware of
- Technologies - My take on the changes to be aware of
Recommendations
- You asked for it, I have it! Check out the Setup section for the latest on what to buy for your Macintosh examination setup.
Resources
- Check out the Resources area to stay up to date on the latest offerings on MacOS X training and websites that will help you in digital forensics.