Abstract
This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. FireWire target disk mode is used to create a forensic duplicate of a Mac hard drive and to preview its contents. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from the Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
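As an added illustration of the acquisition step the abstract describes (this is not code from the paper), the shell workflow below makes a bit-for-bit duplicate with dd, verifies the duplicate against the source by hash before anything is examined, and previews the image for printable remnants in what would be unallocated space. On a real examination the source is the block device the Mac exposes in target disk mode; that device path (e.g. /dev/disk1 on a Mac host) is an assumption, and the small "evidence drive" built here is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: target-disk-mode style acquisition and verification.
# In real use SRC is the block device presented by the Mac in target disk
# mode (assumed: /dev/disk1 on a Mac host, /dev/sdb on Linux); here a
# constructed file stands in for it.
set -eu

# Portable SHA-256 of a file (falls back through the tools usually present).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Constructed sample "drive": 1 MiB of zeros with a fragment of a deleted
# note planted at byte 524288, i.e. content no file system entry points to.
make_sample_device() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'DELETED-NOTE: meet at 2200' |
        dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Forensic duplicate: conv=noerror keeps reading past bad sectors and sync
# zero-pads the failed block so image offsets stay aligned with the source.
# Caveat: sync also pads a trailing partial block, so choose bs to divide the
# device size (a 1 MiB source is a multiple of 4096 here) or hashes will differ.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    hash_file "$src" > "$img.src.sha256"
    hash_file "$img" > "$img.sha256"
}

# Verification: the image hash must equal the source hash taken at
# acquisition time; exit status is the result.
verify_image() {
    [ "$(cat "$1.src.sha256")" = "$(cat "$1.sha256")" ]
}

# Preview: grep -a treats the raw image as text and -b -o reports the byte
# offset of each match, which locates the remnant for later carving.
# (-a/-b/-o are GNU and BSD grep options, not POSIX.)
search_image() {
    grep -a -b -o "$2" "$1"
}

# Stand-alone run of the whole workflow in a scratch directory.
work=$(mktemp -d)
make_sample_device "$work/evidence.dev"
acquire_image "$work/evidence.dev" "$work/evidence.dd"
if verify_image "$work/evidence.dd"; then
    echo "image verified sha256=$(cat "$work/evidence.dd.sha256")"
else
    echo "HASH MISMATCH: do not proceed with this image" >&2
    exit 1
fi
search_image "$work/evidence.dd" 'DELETED-NOTE'
rm -rf "$work"
```

Hashing the source device and the image separately, rather than trusting dd's exit status, is the check that matters: a hash mismatch means the image is not the drive, whatever dd reported. The same three functions apply unchanged when SRC is the real target-disk-mode device, provided the examiner's host does not auto-mount it writable first.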
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Craiger, P., Burke, P. (2006). Mac OS X Forensics. In: Olivier, M.S., Shenoi, S. (eds) Advances in Digital Forensics II. DigitalForensics 2006. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA. https://doi.org/10.1007/0-387-36891-4_13
DOI: https://doi.org/10.1007/0-387-36891-4_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-36890-0
Online ISBN: 978-0-387-36891-7
eBook Packages: Computer Science (R0)