Mac OS X Forensics: Software

Macintosh Forensic Software

Suites

Sponsored Advertisement

First Responder

Imaging

Disk Arbitrator - from Aaron Burghardt, “Disk Arbitrator continuously monitors for disks to appear and disappear and tracks the disks in the main window. When a new disk is attached, the system notifies Disk Arbitrator and gives it a chance to reject mounting of a disk volume”.
MacOSXForensics Imager Release Candidate 2.1! Image physical devices in the Encase or FTK format. MD5 and SHA1 hash support. See the Read Me file for complete documentation.
Forward Discovery Raptor, an Ubuntu based LiveCD with Intel and PPC compilations available free
BlackBag Technologies MacQuisition
BlackBag Technologies SoftBlock
DCFLDD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
DC3DD - combines hashing and imaging into one utility. Based on 'dd' with much more functionality and provides feedback.
FTK Imager - Windows only but recognizes HFS+ file format and is free

Virtual Machine

VMware Fusion, virtualize multiple operating systems including Mac OS X 10.5 Server
Nova Development Parallels, virtualize multiple operating systems including Mac OS X 10.5 Server
Sun VirtualBox, virtualize multiple operating systems for free, will not run Mac OS X 10.5 Server
VMWare vCenter Converter, a new free product from VMWare that allows you to convert physical Windows and Linux machines as well as images to other formats into virtual machines.

Network

Wireshark - packet sniffing
F-Response TACTICAL - remote acquisition and analysis of Macs (and other platforms)

iPhone

MobileSyncBrowser 3.1 - utility to view iPhone data in its native format on a Mac or Windows PC
iPhone/iPod Touch Backup Extractor - utility to convert the iPhone and iPod Touch backup files that are created by iTunes into readily usable Mac OS X files.

Decryption

crowbarKC, a free utility to dictionary attack a Keychain file by George Starcher.
crowbarDMG, a free utility to dictionary attack DMG, sparseimage, and sparsebundle file types

Image Analysis

MacForensicsLab Field Agent, free for law enforcement, application to locate images using flesh tone analysis, available on Mac, Windows, and Linux
File Juicer, extract images and many other file types from a given source with this great utility by Echo One
Exiftool, a free utility to extract EXIF data from a huge list of file types by Phil Harvey.
Exif Data Dump, an Automator Action based on Exiftool by George Starcher that will turn Exif data gathering into a one step action

Image Capture

Hex Editors

Search

Reporting

ThumbsUp - DEVON Technologies free utility to generate thumbnails of images
MacOSXForensics MetaData Extractor - utility to extract metadata from any file(s) and also plot the lat/long on a Google map if available

Email

Compatibility

MacFuse and NTFS 3-g (NTFS read/write for OS X)
ASR Data Smart Mount (mounts images of Mac systems on Windows operating systems)

Always check out our Files section for the latest in FREE tools from this site.

Sources

Our Store with Amazon discounts
Apple Government and Education
Mac Professionals offers setup of small to large scale roll-outs and Data Recovery
CDWg offers Government discounts as well as professional services.

Mac OS X Forensics