BootCamp
Windows is now on a Mac, natively! Windows XP Service Pack 2
and Vista (all of those crazy flavors) can be installed with
the ease of a Mac installer. For us, this means a second
world of investigation exists every time we look at an
Intel-based Macintosh. BootCamp allows the user to natively boot
the Macintosh into the Windows operating system without the
use of emulators or virtual machine technologies.
When forensically examining a Mac with BootCamp installed,
you will now find two partitions of interest. One will, of
course, be the Leopard install and all of its evidence. The
second will be a true NTFS partition on a Mac with all
Windows XP or Vista evidence.
Although it is not an option under the Apple installation in
BootCamp, you should be aware that users have found easy ways
to add other operating systems to their Macs as well. Any
operating system that could be found on an x86 system can be
found on a Mac!
Out of the box, NTFS on a Mac (and in the Linux/UNIX world) is
read-only. For the Mac, a read-write environment has been
created through a program called MacFUSE and the add-on called
NTFS-3g. Installing these allows your Mac to read and write to
an NTFS-formatted volume. I CAUTION you on this. Two bad things
can happen from this install! First, read the warnings on the
install. The environment comes with bugs, especially the one
about ejecting the NTFS drives prior to shutdown. Second, you
might have become used to the fact that your Mac will not read
and write to NTFS, and this could lead to carelessness if one
day you have the MacFUSE/NTFS-3g environment installed and are
not thinking about it!
Be careful and know what software you are using when
examining the Mac and Windows!
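
One way to check an examination Mac for the second risk above, as an added example that is not part of the original text: the function reads `mount` output and reports every NTFS or FUSE-backed volume that does not carry the read-only flag. The sample lines are constructed, and the "fusefs" type name for a MacFUSE/NTFS-3g volume is an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list NTFS or FUSE-backed volumes that are mounted writable.

# Constructed sample of `mount` output (not captured from a real system).
# Assumption: an NTFS-3g volume is reported with a FUSE type such as "fusefs".
sample_mounts() {
    cat <<'EOF'
/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk0s3 on /Volumes/BOOTCAMP (ntfs, local, read-only, noowners)
/dev/disk2s1 on /Volumes/Evidence NTFS (fusefs, local, synchronous)
EOF
}

# Reads `mount` output on stdin; prints device, mount point and type
# (tab separated) for each NTFS/FUSE volume lacking the read-only flag.
writable_ntfs_mounts() {
    awk '
    # The option list is the last parenthesised group on the line.
    match($0, /\([^()]*\)$/) {
        opts = substr($0, RSTART + 1, RLENGTH - 2)
        head = substr($0, 1, RSTART - 2)      # "device on mount point"
        sep = index(head, " on ")
        if (sep == 0) next
        dev = substr(head, 1, sep - 1)
        mp = substr(head, sep + 4)            # may contain spaces
        n = split(opts, o, /, */)
        fstype = o[1]
        ro = 0
        for (i = 2; i <= n; i++) if (o[i] == "read-only") ro = 1
        if (tolower(fstype) ~ /ntfs|fuse/ && !ro)
            printf "%s\t%s\t%s\n", dev, mp, fstype
    }'
}

# Demo on the constructed sample; on a live Mac: mount | writable_ntfs_mounts
sample_mounts | writable_ntfs_mounts
```

Any line printed is a volume the Mac can currently write to. Matching on a FUSE type is a heuristic, so a flagged volume may turn out not to be NTFS.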