Mac OS X Forensics
Never give up, the answer is right in front of you...
-
Our Sponsors
-
Custom Search
Snow Leopard
(Mac OS X 10.6)
Snow Leopard, Mac OS X 10.6, arrived August 28, 2009. With it, many of the technologies that the operating system comes with have been updated. An excellent article reviewing the new release in great depth is available from Ars Technica, "Mac OS X 10.6 Snow Leopard: the Ars Technica review". On this web page, we will look at the changes that affect you as a digital analyst. Snow Leopard has not radically changed from Leopard in the way you will interpret data. It has changed the amount of data you will interpret. Apple has added new data to the venerable HFS+ file system for instance. They have also added new functionality to applications that didn't exist in Leopard. Let's take out first look into Snow Leopard new technologies.
FIle System Changes
1 gigabyte is different! Snow Leopard now defines 1 gigabyte as power of 10, specifically 10^9 bytes. Leopard and previous defined 1 gigabyte as 2^30 bytes. Keep this in mind when you are viewing media.
File compression - Snow Leopard is compressing files now! If you read the Ars Technica article, you will have read about it already. Let's continue with their example of Apple's bundled application, Mail.app. Look at the actual executable attributes using Amit Singh's "HFSDebug" in this screen capture:
Snow Leopard Compression, Mail.app attributes
When viewed from a Leopard or previous OS, the application executable will have a size of zero bytes!
Application Changes
Quicktime X - we have a great addition here, screen and audio recording! You can now use the Quicktime Player to capture your screen to make a movie of your actions.
Minimize Windows to Dock - take a look at this screen capture:
Dock - Minimize windows into application icon is new
This feature, "Minimize windows into application icon" is new to Snow Leopard and quite interesting to us as first responders. When you see a Dock icon with the 'Dot' indicating an application is running, it may now also indicate one or more windows are also open for this icon. The feature allows a user to click on the orange minimize button in the application and the window now will fade to the icon in the dock with no obvious sign to us that the window is available.
Technologies
Core Location - Snow Leopard is able to set the Time Zone of the Macintosh based upon location that it automatically determines if the user turns this feature on.
Date & Time - Ability to use Core Location technology
Microsoft Exchange Support - Apple has added Microsoft Exchange integration into Snow Leopard throughout the operating system and applications. Examples can best be seen in Mail.app and Address Book where a person will have native listing from an Exchange Server now. If you are investigation this environment (MS Exchange environment), do not forget that a Mac is now a 100% full client.
Active Directory integration - as with Exchange, Apple has added in Microsoft's Active Directory technology support much more than previous versions. If you are investigating an environment that involves a Microsoft Active Directory, Mac clients are going to follow along with many of the rules and you are going to find evidence on the Mac as well as the server in these cases. Apple has excellent documentation available on their AD support if you find yourself in this situation.
Snow Leopard, Mac OS X 10.6, arrived August 28, 2009. With it, many of the technologies that the operating system comes with have been updated. An excellent article reviewing the new release in great depth is available from Ars Technica, "Mac OS X 10.6 Snow Leopard: the Ars Technica review". On this web page, we will look at the changes that affect you as a digital analyst. Snow Leopard has not radically changed from Leopard in the way you will interpret data. It has changed the amount of data you will interpret. Apple has added new data to the venerable HFS+ file system for instance. They have also added new functionality to applications that didn't exist in Leopard. Let's take out first look into Snow Leopard new technologies.
FIle System Changes
1 gigabyte is different! Snow Leopard now defines 1 gigabyte as power of 10, specifically 10^9 bytes. Leopard and previous defined 1 gigabyte as 2^30 bytes. Keep this in mind when you are viewing media.
File compression - Snow Leopard is compressing files now! If you read the Ars Technica article, you will have read about it already. Let's continue with their example of Apple's bundled application, Mail.app. Look at the actual executable attributes using Amit Singh's "HFSDebug" in this screen capture:
Snow Leopard Compression, Mail.app attributes
When viewed from a Leopard or previous OS, the application executable will have a size of zero bytes!
Application Changes
Quicktime X - we have a great addition here, screen and audio recording! You can now use the Quicktime Player to capture your screen to make a movie of your actions.
Minimize Windows to Dock - take a look at this screen capture:
Dock - Minimize windows into application icon is new
This feature, "Minimize windows into application icon" is new to Snow Leopard and quite interesting to us as first responders. When you see a Dock icon with the 'Dot' indicating an application is running, it may now also indicate one or more windows are also open for this icon. The feature allows a user to click on the orange minimize button in the application and the window now will fade to the icon in the dock with no obvious sign to us that the window is available.
Technologies
Core Location - Snow Leopard is able to set the Time Zone of the Macintosh based upon location that it automatically determines if the user turns this feature on.
Date & Time - Ability to use Core Location technology
Microsoft Exchange Support - Apple has added Microsoft Exchange integration into Snow Leopard throughout the operating system and applications. Examples can best be seen in Mail.app and Address Book where a person will have native listing from an Exchange Server now. If you are investigation this environment (MS Exchange environment), do not forget that a Mac is now a 100% full client.
Active Directory integration - as with Exchange, Apple has added in Microsoft's Active Directory technology support much more than previous versions. If you are investigating an environment that involves a Microsoft Active Directory, Mac clients are going to follow along with many of the rules and you are going to find evidence on the Mac as well as the server in these cases. Apple has excellent documentation available on their AD support if you find yourself in this situation.