
MACINTOSH FORENSIC ANALYSIS USING OS X

GSEC Practical Version 1.4b

Peter Hawkins

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
Introduction

Computer forensic analysis is a method of studying and acquiring digital evidence in a manner that ensures the data's integrity. The duty to perform such an analysis often falls upon a police officer in the course of gathering evidence of a crime. Sometimes, however, system administrators and security professionals are required to take part in such work when they suspect that someone has tampered with their system. The ability to do a proper analysis using sound forensic practices that are accepted in a court of law opens the door to the possibility of pursuing criminal or civil action against the perpetrator. The purpose of this paper is to describe sound forensic techniques as they pertain to the Macintosh. In order to accomplish this task, I must first describe basic forensic techniques that apply to all computer systems. Then I will provide a brief history of the various Macintosh models and operating systems, as each one can present some intriguing problems. Finally, I will follow this up with a specific outline of how to perform a proper analysis of a Macintosh computer system using an OS X based system as the analysis machine. The result will be a useful reference for those people who may be required to perform a computer forensic analysis on a Macintosh.
Basic Forensic Techniques

In order for evidence to be admissible in a court of law, it is important that it not be modified in any way. This is a fundamental rule that applies to all types of evidence. If one were to acquire a gun that was used in a crime, it is relatively difficult to modify the physical nature of this form of evidence. Computer evidence, however, is very easily modified. In fact, due to the sheer complexity of computer systems, one often does not even realize that the data on a hard drive has been changed. On Windows systems, for example, when one boots the computer, last access dates and times will be modified, and recycle bins will be added to new devices. Similarly, the Macintosh tries to mount all devices it sees on boot-up, which changes the last access dates and times of certain files. The safest way to prevent any modification of data is to make a mirror image of the hard drive you wish to examine, and then perform your analysis on the copy (1). This way, the original drive is never modified. There are numerous ways to do this, which I will elaborate on later in this report. Once you have your mirror image, you are free to start your analysis without fear of altering the original data (obviously the original is kept intact in a secure place where very few people have access to it, and those that do could testify in court that they did not modify it in any way). It is important to mention that all your actions must be very well documented. It is easy to start off your analysis in a haphazard manner, thinking that you are never going to find anything. If you do find something and you call the police, you may be told that they can no longer use the evidence because it has been tainted, or because control has not been maintained and documented. In order for the police to be able to use evidence, they must be able to track its movements. Everyone who has been in contact with the evidence may be required to testify in court describing his or her actions. If you have not controlled access to the evidence, and have not documented your actions clearly, your discovery of the "smoking gun" may be useless.

When you start your analysis of the suspect computer, it is important that you know where on the hard drive you could find evidence. There are three basic areas on the hard drive where evidence could be discovered: active files, unallocated space, and slack space (there are others, such as the HPA, or Host Protected Area, which require an extremely advanced user to exploit and are thus beyond the scope of this report). Active files are self explanatory, but one should be aware that some are hidden. Unallocated space is basically the usable sectors of a hard drive that are no longer assigned to a file. Slack space is "The data storage space that exists from the end of the file to the end of the last cluster assigned to the file" (New Technologies, Inc. October 4, 2000) (2).

If you decide to boot a computer using your mirror image, you are going to run into problems. First of all, when you boot, various files are modified, so you could lose valuable evidence that is located in slack and unallocated space. Secondly, unless you connect another device to the system, your tools will be limited to whatever was already on the suspect drive. Booting the system with your mirror image can be performed at the very end of your analysis if you wish to see exactly how the system looked in its native environment. If you do this, I would recommend that you place your image into the suspect computer (disconnecting the suspect hard drive, of course) so that when you boot, all the preinstalled drivers will match the hardware.
The recommended method of performing a forensic computer analysis is to use another computer as your analysis machine. Basically you boot your analysis computer (using your trusted operating system) with the mirror image connected. Your analysis machine can be any type of computer running any type of operating system. The only requirement is that your forensic tools (software) be compatible with the mirror image's file system. It is usually preferable to use an analysis machine that uses the same operating system and file system (you can usually use a more recent version of the operating system to analyze an older version, as they tend to be backwards compatible). There are forensic software tools that are designed to operate on one system but can analyze multiple file systems. For example, EnCase forensic software (3) runs on Windows systems, but can recognize "FAT12, FAT16, FAT32, NTFS, Linux, UNIX, Macintosh, CD-ROM and DVD-R" (4) file systems. Ideally, when you connect the mirror image to your analysis machine, it will be connected via some form of hardware write-protect device such as Fastbloc (5) or Fireblock (6) that prevents any modification to an IDE drive (SCSI drives have a built-in jumper which allows you to write-protect them). If such a device is not available to you, and since you are working with an image and not the original, you may choose to connect the image directly to your analysis machine, acknowledging the fact that you may lose some evidence (this depends on the operating system: basic DOS should not alter the image drive under most circumstances, but most other operating systems will). Since you are not booting from the image, however, the risk of losing some evidence is very small, since the changes to the drive will be limited. Do not forget that modification to the image is tolerable since it is only a copy of our evidence drive. Our only concern is the evidence itself: if it is overwritten on the image, it will not be discovered, since we will never actually touch the original drive again. In order to keep the risk of modifying the image to a minimum, you should run some form of software hard drive lock as soon as the system is booted.

Once you have access to the image on your analysis machine, you can start searching. I recommend that you go through all the file folders one by one to familiarize yourself with the suspect system. Deleted files must be recovered manually if you are not using forensic software like ILook (7) or EnCase, which show these files automatically. In my experience, approximately 95% of the evidence will be located in active files. Once this is done, you should perform keyword searches on the entire drive. This will help you discover evidence in slack and unallocated space. You must document every item you find: in the case of active files, by noting the full path and filename; in the case of slack or unallocated space, by recording the information found and the sector on the drive where it was found. Armed with this information, you will dramatically increase the chances of police involvement, and of possible criminal or civil charges.
The Quirky Mac

Many of the basic forensic techniques apply to the Macintosh; however, various models and operating systems present challenging obstacles. Steve Jobs and Steve Wozniak created the first Apple computer in 1976 (8). It wasn't until 1986, however, with the introduction of the Apple IIgs, that Apple included the first hard drive in their machines (9). This is important since, prior to this model, there is little point in analyzing a Mac for evidence. Most early Macintosh hard drives were SCSI, which can complicate matters. The biggest problem with the early Macintosh systems, however, was gaining access to the hard drive, since, in some cases, special tools were required to open the box. In these circumstances, a forensic analysis could be performed by booting the system with a SCSI Zip drive containing your operating system and your analysis and back-up tools. One would plug in the SCSI Zip and press and hold the Command, Option, Shift and Delete keys while powering up. This procedure caused the Macintosh to check the SCSI chain in reverse order (starting at ID 7 and working towards ID 0, instead of the normal 0 to 7) until it found a bootable system folder. Since the Zip drive would be set to SCSI ID 6, this would be the drive from which the system would boot (ID 7 is reserved for the Macintosh itself, as the SCSI host). The suspect drive would still be mounted, so one could apply a software write-lock to minimize alterations. This is not ideal, but one has little choice when one cannot access the hard drive. Fortunately the more modern Macs make it extremely easy to access the internal components. The G3 was first introduced in 1997 and it allows for easy access to the hard drive.

Another issue with the Macintosh is the operating system. The Macintosh operating system is now divided into two types: Classic Mac OS and OS X. OS X is the latest operating system offered by Apple (version 10.2, aka Jaguar) and will only function on G3 systems and later. So if you image a pre-G3 system, you will not be able to boot it (you can still mount it, though) on your G4 analysis machine. But, as was mentioned earlier, the necessity to boot a system from your image is minimal. It is important to note that since not all systems will run all operating systems, and since you may need to boot the computer with a Zip drive containing your trusted operating system and tools, you must know which models of Macintosh will operate on which version of the operating system (10).

The Specifics of Macintosh Forensic Analysis

Macintosh OS X is an amazing operating system for forensic analysis. Once automatic mounting is disabled (as described below), it allows you to boot from your forensic drive and not mount, and therefore not modify, any other drive connected to it. However, it still permits you to image unmounted drives. OS X gives you all the power of Unix commands, such as dd, through the Terminal, since Darwin, the layer beneath OS X, is a BSD-based Unix. OS X is completely different from Classic Mac OS, but it can still run Classic software. For the aforementioned reasons, I think it makes a perfect operating system for an analysis machine catering to the Macintosh (this design could image any hard drive containing any file system, but since the forensic tools currently available only work with Macintosh file systems, it is limited to the analysis of the Mac).
In preparation for the possibility of having to perform a forensic analysis on a Macintosh, one must configure one's analysis machine. I recommend that your analysis machine be a G4 laptop (portability is necessary in order to conveniently bring it to the suspect computer) running OS X Jaguar. In order to ensure that attached drives are not mounted every time you boot the system, you have to disable the autodiskmount feature in OS X. To accomplish this task, you need to modify the file /System/Library/StartupItems/Disks/Disks (MacOSX:System:Library:StartupItems:Disks:Disks in Finder notation) by commenting out the line containing the "/sbin/autodiskmount -va" command (this is done by placing a # in the first position of the line). Here is a printout of what the modified "Disks" file looks like:

    #!/bin/sh

    ##
    # Local filesystems
    ##

    . /etc/rc.common

    StartService ()
    {
        if [ ! -f /var/db/volinfo.database ]; then Uninitialized_VSDB=-YES-; fi

        ConsoleMessage "Checking disks"

        # The line below is commented out so that no volume is mounted
        # automatically at boot; only the boot volume itself is mounted.
        # /sbin/autodiskmount -va

        if [ "${Uninitialized_VSDB:=-NO-}" = "-YES-" ]; then vsdbutil -i; fi
    }

    StopService ()
    {
        return 0;
    }

    RestartService ()
    {
        return 0;
    }

    RunService "$1"

Notice the "#" that was placed in front of "/sbin/autodiskmount -va". In its current state, the Macintosh computer containing this "Disks" file will only mount the drive from which it boots. In order to make this modification, you will have to be logged in as root. It is important to mention that your forensic system disk does not necessarily have to be the internal laptop hard drive. I use a very large (120GB) external hard drive in a FireWire enclosure as my forensic drive. This is convenient because, since no other drive will be mounted due to the removal of the autodiskmount feature, this will be the only drive available to which one can copy the forensic image.
It is also a good idea to change your Open Firmware settings (the Mac's boot firmware, which keeps its variables in NVRAM) so that the computer performs a multi-boot every time you start it (the multi-boot screen can be selected for a single boot by holding the Option key while powering up, but by changing the firmware variable, it is done automatically). The multi-boot is basically a boot manager that scans all connected drives looking for blessed system folders, and gives you the option of which partition and drive to boot from. This does not modify the connected drives in any way. In order to change the setting, you must power on your computer while pressing and holding the Command, Option, "O" and "F" keys, which drops you to the Open Firmware prompt. Then you type "setenv boot-command multi-boot" followed by the Enter key. To exit, you can type "multi-boot" and you will be sent to the boot selection window. From now on, your computer will give you the option of which system folder to boot from (this can easily be reversed by entering Open Firmware again and typing "setenv boot-command mac-boot"). By always using the multi-boot feature, you will be confident that when you attach the suspect drive, it will not be booted from by accident.
You should create a user account called "Analysis" on your system. Give this user normal user rights, and not admin rights. This is important because when you create your image of the suspect's hard drive, you will be logged in as root. Therefore, with the default umask, the image you create will be readable but not writable by all other users (confirm this with ls -l before relying on it). So once your image has been created, you will log in as "Analysis" and therefore will not be able to modify it in any way. It is important that you keep the "desktop" of your Analysis account completely free of any links, files or folders. This is because, when you mount your suspect drive image, everything that was on the suspect's desktop will now appear on your desktop. In order to easily differentiate between the two, it is best to have nothing at all on your desktop, thus eliminating any possible confusion.
The last step in the preparation of your analysis machine is to ensure that you have the necessary forensic software installed. Some of the software comes with OS X, such as the dd command and file search capabilities. However, there is other, third party software that is useful when performing your analysis. Basically you need:

1. A program that allows you to view and peruse all active files, including those that are hidden. I would suggest CanOpener by Abbott Systems Inc. (11), which is now available for OS X.

2. A program that allows you to search the entire physical hard drive for keywords, including slack space and unallocated space. For this, I would recommend Expert Witness by ASR Data (12). It is considered OS X savvy, which means it is OS 9 native but will operate well in OS X. I have tried the latest version, 3.9.4, and it works very well under OS X. Another, less expensive option would be RescueTXT by Abbott Systems Inc. (13).

3. A program that can recover deleted files. I suggest Norton SystemWorks 2.0 for Macintosh (14). This product contains Norton UnErase, which will recover deleted files. It also contains anti-virus software, which is important to protect you from being infected by the suspect's files. One more useful program SystemWorks contains is Norton Disk Editor. This is a very powerful piece of software that allows you to analyze all parts of a hard drive sector by sector.

4. Programs that allow you to view a wide range of file formats. CanOpener can view a great many file types. If this doesn't work, you can try GraphicConverter by Lemke Software (15). It can import 160 graphic file formats and export 45.

I would recommend that you create links to these tools in your Dock for easy access. This will also allow you to keep your desktop free of links.

Step by Step

Now that our analysis machine is prepared, we can focus on a step-by-step procedure explaining how to safely analyze a Macintosh computer system.

1. Document your actions and all the pertinent details of the suspect computer. This includes noting why you need to perform a computer analysis, the type of computer and all its components, the names of the individuals who had access to the computer, and its specific physical location.

2. Create an image of the suspect hard drive. This is done by removing the hard drive from the suspect computer and placing it into a FireWire hard drive enclosure. Plug the FireWire enclosure into your analysis machine and power up. At the multi-boot screen, make sure you choose your forensic boot partition. If you choose the suspect drive by accident, you will modify the data on it, so be careful at this point! Once your forensic system has booted, log on as root. You will only see one drive in the upper right hand corner of your screen; this will be your forensic system. Recall that you modified the autodiskmount line in your "Disks" file so that only the system partition you chose mounted. Since the suspect drive partitions did not mount, they were not modified in any way. At this point you will want to open a terminal window (the Terminal program is located in /Applications/Utilities/Terminal). Now you are at a Unix type command line. Type the command "pdisk", and then "L". This will give you a listing of all the drives currently connected to the system. You need to determine what drive number has been assigned to the suspect drive. It is important that you be familiar with your own system in order to be able to differentiate it from the suspect system (e.g. unique partition names, number of partitions, size of partitions, size of drive, etc.). Let's say that the suspect drive was "rdisk1"; you simply write this number down in your notes, and exit the pdisk program by typing "q". Now you are again at the command line, and we are ready to image the suspect hard drive. The command to use to create the image is the "dd" command (if you type "man dd", you will get a detailed explanation of how to use it). The syntax is as follows: dd if="path of the input file" of="path of the output file". There are many other options that allow you to image only parts of a drive, but we want the whole thing, so they do not concern us. It is important to note that Unix/Linux treats drives as files. So our input file will be the path to our suspect drive's raw device: "/dev/rdisk1". Our output file will be the image file we wish to create (it is a good idea to give it a meaningful name that connects it uniquely to the suspect drive, perhaps the name of the sole user, or the serial number of the hard drive), such as "/Users/Shared/hdr-sn1234567.dmg". So our final command will look like: dd if=/dev/rdisk1 of=/Users/Shared/hdr-sn1234567.dmg

Once the image is done, you should remove the comment from the autodiskmount line of your "Disks" file, so that when you reboot, you will have access to all drives and partitions (this is because you will be removing the suspect drive and will want to mount the image file you just created, which is not possible if you have commented out the autodiskmount line). Turn the computer off, and disconnect the suspect hard drive. Place the hard drive in a safe place where access to it is controlled (e.g. locked in a locker). At a later date, should you so desire, you can use the same dd command in reverse to write your image file back to another hard drive (it can be bigger, but not smaller) so that you can boot the suspect system to see exactly what your suspect was seeing.

It should be noted that there are other ways to image a hard drive. One way is to use a hardware device such as the Image Masster Solo (16), which basically allows you to mirror a hard drive onto another hard drive that is at least as large. This is a fast method to make a mirror copy, but in the Macintosh world, we still cannot mount it without modifying some of the data. The Solo is very good when all you want to do is boot the suspect computer with the mirror image you created. Another method of imaging a hard drive is to use a program called SafeBack (17). SafeBack allows you to create an image of a hard drive onto magnetic tape, or some other medium. The problem with this, of course, is that you have to restore it to be able to analyze the data. And once again, you would have to restore it to another hard drive, and then in turn go through the "dd" procedure in order to study it on the Mac. Each of these tools has its place, but when it comes to the Macintosh, the best method is the one described first. (Another method exists as well, which is EnCase (3). However, the image you create can only be analyzed by EnCase, which does not operate on the Macintosh platform, and thus is beyond the scope of this paper.)
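Here is the imaging step above carried through with the verification a practitioner would add: a hash of the source device and of the image, both written to the case notes, and the image made read-only before the non-admin Analysis account ever touches it. This is an example written for this edition, not code from the original paper. The device name /dev/rdisk1, the image path and the notes file are placeholders for the values you recorded from pdisk; the script takes them as arguments so it can be tried on an ordinary file first. It assumes an MD5 tool is available (md5 on Mac OS X, md5sum on Linux) and a 512-byte sector size.

```sh
#!/bin/sh
# Added example (not from the original paper): image a raw device with dd,
# hash source and image, append both hashes to the case notes, and report
# success only when they match. Arguments are placeholders; on the analysis
# machine SOURCE is the raw device recorded from pdisk, e.g. /dev/rdisk1.

SECTOR=512

# hash_file FILE -> prints the MD5 of FILE, using md5sum (Linux) or md5 (Mac OS X).
hash_file() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# verify_image SOURCE IMAGE -> exit status 0 only when both hashes are identical.
verify_image() {
  [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# image_and_verify SOURCE IMAGE NOTES
# Copies SOURCE to IMAGE one sector at a time. conv=noerror,sync keeps dd going
# past an unreadable sector and pads it with zeros, so a bad block costs one
# sector rather than the rest of the drive; dd's record counts go into NOTES
# as part of the contemporaneous record the paper insists on. The image is then
# made read-only for everyone, so the Analysis account cannot alter it whatever
# the umask was, and both hashes are logged with a UTC timestamp.
image_and_verify() {
  src=$1; img=$2; notes=$3
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s imaging %s -> %s\n' "$stamp" "$src" "$img" >>"$notes"
  dd if="$src" of="$img" bs=$SECTOR conv=noerror,sync 2>>"$notes" || return 1
  chmod 444 "$img"
  src_hash=$(hash_file "$src")
  img_hash=$(hash_file "$img")
  printf '%s md5(source)=%s\n' "$stamp" "$src_hash" >>"$notes"
  printf '%s md5(image)=%s\n' "$stamp" "$img_hash" >>"$notes"
  if [ "$src_hash" = "$img_hash" ]; then
    printf '%s VERIFIED image matches source\n' "$stamp" >>"$notes"
    return 0
  fi
  printf '%s MISMATCH do not proceed with this image\n' "$stamp" >>"$notes"
  return 1
}

# Usage on the analysis machine (as root, with the suspect drive unmounted):
#   sh image.sh /dev/rdisk1 /Users/Shared/hdr-sn1234567.dmg /Users/Shared/hdr-sn1234567.notes
if [ $# -eq 3 ]; then
  image_and_verify "$1" "$2" "$3"
fi
```

Hash the device before the image is mounted for the first time and again at the end of the examination; a matching pair is the cheapest way to show in court that nothing you did altered the copy you worked from.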

3. Boot your analysis machine and log into your Analysis user account (by doing this you ensure that you cannot modify the image file you just created, because you do not have the appropriate rights, since you created it as root). Now you need to navigate to the image you just created and mount it by double clicking on it. You should see on your desktop drives representing all the partitions that were on the suspect's disk drive. You are now free to peruse these drives to look for evidence.

4. The first thing you want to do is to recover any and all deleted files. A good tool for this is Norton UnErase. This program will go through the specified drive and pull out all the files that were deleted. It will tell you what the name of the file or directory was, its size and the odds of recovery. You should recover all the deleted files you can, and save them to your hard drive. Once you have done this, you will be able to examine them with CanOpener.

5. In your Dock, click on your CanOpener icon, as this will be the tool of choice for navigating through the suspect drive. One of the main features of CanOpener is that it shows you all hidden files. When you use CanOpener, you will see all active files. You can then view them quickly and easily, since CanOpener can view most file types. I would recommend that you spend most of your time looking through the user files, as this is the most likely place you will find evidence. By doing this, you also get a feel for the computer you are analyzing, which helps you get the big picture. Don't forget to examine the undeleted files that you stored on your hard drive.

6. Once you feel that you have gotten all that you can from looking at the active files, it is time to do some keyword searches. It is important to discuss what makes a good keyword. You want your keyword to be as unique as possible so that you are not inundated with false positives. For example, if you are looking for the name "bob", you risk having a lot of false positives. One reason for this is that "bob" can easily exist in other words such as "bobsled". Another reason you could get false positives is that it is only three letters long, so it will randomly appear in garbled text more frequently. If you have no other choice but to search for "bob", you might want to try putting a space before and/or after it to minimize the random garbled text results. A good tool for the Macintosh that allows you to search the entire hard drive (including slack and unallocated space) is the program Expert Witness, or RescueTXT. Expert Witness is superior in that it allows you to search for multiple search strings at a time; however, it is only available to law enforcement. RescueTXT is a program that is actually designed to recover lost or deleted text fragments from your hard drive. It is far less expensive (and less powerful) than Expert Witness, but it will do the job.
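The keyword search in step 6 can also be run over the raw dd image with the tools in the Unix layer, which at the same time records the sector of each hit, as the earlier section on documenting slack and unallocated findings requires. The example below was written for this edition and is not from the paper; it assumes a grep that accepts -a, -b, -o and -w (GNU grep 2.5 and later do), a 512-byte sector size, and an image path that is only a placeholder. It also shows the whole-word option, which is the general form of the "space before and after" trick: "bob" inside "bobsled" is dropped, while a "bob" bounded by spaces, zero bytes or punctuation is still reported.

```sh
#!/bin/sh
# Added example (not from the original paper): keyword search over a raw dd
# image, reporting the byte offset and 512-byte sector of every hit. Because
# the raw image is scanned rather than the mounted file system, hits in slack
# and unallocated space are found as well. Assumes grep supports -a -b -o -w.

SECTOR=512

# keyword_search IMAGE KEYWORD [w]
# Prints "offset sector" for each occurrence of KEYWORD (a fixed string, not a
# regular expression). A third argument of "w" restricts hits to whole words.
# LC_ALL=C keeps grep from choking on bytes that are not valid in a UTF-8
# locale, which a disk image is full of.
keyword_search() {
  img=$1; kw=$2; wordflag=${3:+-w}
  LC_ALL=C grep -F -a -b -o $wordflag -- "$kw" "$img" |
    while IFS=: read -r off _; do
      printf '%s %s\n' "$off" "$((off / SECTOR))"
    done
}

# hit_count IMAGE KEYWORD [w] -> number of hits, for comparing candidate
# keywords before committing to a long search of a large image.
hit_count() {
  keyword_search "$@" | wc -l | tr -d ' '
}

# Usage: sh search.sh /Users/Shared/hdr-sn1234567.dmg bob w
if [ $# -ge 2 ]; then
  keyword_search "$@"
fi
```

Run the count first with and without the whole-word flag; a keyword whose bare count is orders of magnitude higher than its whole-word count is the "bob" case, and the sector numbers from the whole-word run are what go into your notes alongside the text you found there.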

7. Sometimes it is important to see what images the suspect kept on his hard drive. All images contained on a hard drive can be viewed easily with a program called GraphicConverter (15). You simply drag the suspect drive onto the GraphicConverter program window, and it will pull out all the image files.

8. One of the benefits of mounting the suspect's image on the Macintosh is that you don't necessarily need to have the original software to view the files. Quite often you can open files using the suspect's own software, with no configuration necessary. Sometimes, however, you will be required to make some minor alterations, such as importing the suspect's e-mail inbox into your e-mail program.

Conclusion

The purpose of this paper was to provide the reader with a general understanding of how to extract data from a Macintosh computer in a manner that is forensically sound. I explained general computer forensic techniques first to give the reader an understanding of the basic principles. I then explained how the Macintosh presents some unique problems that can only be overcome with the appropriate knowledge and tools. Finally, I provided a step-by-step guideline explaining how to prepare one's Macintosh computer for an analysis and how to perform it on a suspect's Macintosh hard drive.

For those of you who are familiar with EnCase (3), and since EnCase can analyze Macintosh formatted hard drives, you may be wondering why one would go to all the trouble to set up a Macintosh analysis machine and follow the procedures outlined in this paper. The main reason is clarity. I have used EnCase to analyze Macintosh hard drives before, and it does not represent the drive's files and folders very well. As I mentioned earlier, approximately 95% of the evidence you seek will be found in active files. It is therefore very important that you be able to navigate all the active files and folders on the suspect's hard drive. EnCase will perform the string searches very well; however, once you find the file containing the string, you will not be able to view it in its original format. From my experience, you will discover far more evidence by viewing the drive in its native environment.

I hope that system administrators and security professionals will be able to use this paper as a guideline to performing computer forensic analyses. I realize that the need for these individuals to perform such duties is somewhat limited, which is why a thorough guideline is so important. For someone who does not perform computer forensic analyses very often, it is very easy to forget (or not even realize) the importance of doing it correctly. By "doing it correctly" we open the door to the possibility of pursuing criminal and civil actions. This is a very positive option when one's system has been hacked, or an employee has stolen important files. One might wonder why the police wouldn't be called in immediately in these cases, and the fact is that sometimes mere suspicions are not enough to obtain police involvement. If you were to go to the police and give them evidence in support of your suspicions, you dramatically increase the chances of them assisting you.

References

1. The International Association of Computer Investigative Specialists. "Forensic Procedures." September 14, 2002. URL: http://www.cops.org/forensic_examination_procedures.htm (October 8, 2002).

2. New Technologies, Inc. "File Slack defined." October 4, 2000. URL: http://www.forensics-intl.com/def6.html (September 19, 2002).

3. Guidance Software, Inc. "Home page." 2002. URL: http://www.encase.com (September 19, 2002).

4. Guidance Software, Inc. "Features 2.pdf." URL: http://www.encase.com/products/software/encaseforensic.shtm (September 19, 2002).

5. Guidance Software, Inc. "Fastbloc." 2002. URL: http://www.encase.com/products/hardware/fastbloc.shtm (September 19, 2002).

6. Digital Intelligence, Inc. "Fireblock, IEEE 1394 to IDE Hardware-based Write Blocker." 2001. URL: http://www.digitalintel.com/fireblock.htm (September 19, 2002).

7. Criminal Investigation, Department of Treasury. "CI's ILook Download Page." September 15, 2002. URL: http://www.ilook-forensics.org/ (September 19, 2002).

8. Apple History. "History 1976-1981." 1996-2002. URL: http://www.apple-History.com/history.html (October 4, 2002).

9. Apple History. "The Apple IIgs." 1996-2002. URL: http://www.apple-history.com/quickgallery.html?where=aIIgs.html (October 4, 2002).

10. Everymac.com. "Mac Systems." 1996-2001. URL: http://www.everymac.com/systems/index.html (October 4, 2002).

11. Abbott Systems Inc. "CanOpener Emergency access to any file!" 1997-1999. URL: http://www.abbottsystems.com/co.html (October 1, 2002).

12. ASR Data. "Expert Witness for Macintosh." URL: http://www.asrdata.com/ExpertWitness/ (October 1, 2002).

13. Abbott Systems Inc. "RescueTXT Recover text that has gone!" 1997-1999. URL: http://www.abbottsystems.com/rtxt.html (October 1, 2002).

14. Symantec. "Norton SystemWorks 2.0 For Macintosh." 1995-2002. URL: http://www.symantec.com/sabu/sysworks/mac/ (October 1, 2002).

15. Lemke Software. "About GraphicConverter." URL: http://www.graphicconverter.net/us_gcabout.html (October 1, 2002).

16. Intelligent Computer Solutions. "Image Masster Solo Forensics Hard Drive Duplicator." URL: http://www.imagemasster.org/imagemasstersolo2for.html (October 4, 2002).

17. New Technologies Inc. "SafeBack Mirror Image Backup Software." July 15, 2002. URL: http://www.forensics-intl.com/safeback.html (October 4, 2002).