Difference between pages "Nickfile (NK2)" and "Mac Marshal"

From Forensics Wiki

= Mac Marshal =

Latest revision as of 10:57, 28 November 2011

{{Infobox_Software |
  name = Mac Marshal|
  maintainer = [[ATC-NY]] |
  os = {{Mac OS X}} |
  genre = {{Macintosh forensics}} |
  license = Commercial (free to law enforcement) |
  website = [http://www.macmarshal.com/ macmarshal.com] |
}}

Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.

Mac Marshal Forensic Edition runs on an investigator's workstation to analyze a Mac disk image.

Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM.

Mac Marshal follows forensic best practices, maintains a detailed log file of all activities it performs, and produces reports in RTF, PDF, and HTML formats.

Version 1.0 was released in January 2009, available at no cost to US law enforcement, with a commercial version available to non-law enforcement. Version 2.0 was released in November 2010, adding live analysis in the Field Edition and the ability to take a snapshot of the target machine's physical RAM. Version 3.0 was released in November 2011 and can run on both Mac OS X and Windows XP and later.

=Authors=

Mac Marshal was developed by ATC-NY, supported in part by the US National Institute of Justice (NIJ). The project was originally named MEGA.

= External Links =

* [http://www.dfrws.org/2008/proceedings/p83-joyce.pdf DFRWS'08 Mac Marshal paper (pdf)]
* [http://www.macmarshal.com/ www.macmarshal.com]
* [http://www.atc-nycorp.com/ ATC-NY]

[[Category:Macintosh forensics tools]]

= Nickfile (NK2) =

[[Microsoft]] [[Outlook]] uses the '''Nickfile (NK2)''' to store e-mail address aliases.

The file type is also known as the Outlook AutoComplete File or the Nickname file.

== MIME types ==

The actual MIME type of the NK2 format is unspecified.

== File signature ==

The NK2 has the following file signature:

hexadecimal: 0D F0 AD BA

Note that other sources claim that the file signature is

hexadecimal: 0D F0 AD BA 0A 00 00 00

== Contents ==

The NK2 basically contains a list of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].

== See also ==

* A great deal of information about the format has been documented by the [http://libnk2.sourceforge.net libnk2 project], including some of the [http://downloads.sourceforge.net/libnk2/Nickfile_format.pdf Nickfile format specifications] and [http://downloads.sourceforge.net/libpff/MAPI_definitions.pdf MAPI definitions].

[[Category:File Formats]]
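As an added example (not part of either wiki page), a small Python triage helper that checks a file header against both NK2 signatures quoted above: the 4-byte magic and the longer 8-byte form that other sources claim. The two claims agree on the first four bytes, so the helper reports which of them matched rather than picking one; the sample headers are constructed, not taken from real NK2 files.

```python
import struct

# Signatures quoted on the page: a 4-byte magic, and the longer 8-byte form
# that other sources claim. The 8-byte form begins with the same 4 bytes, so
# the two claims differ only in how many bytes are checked.
NK2_MAGIC_4 = bytes.fromhex("0DF0ADBA")
NK2_MAGIC_8 = bytes.fromhex("0DF0ADBA0A000000")


def classify_nk2_header(header: bytes) -> str:
    """Classify the leading bytes of a file against the NK2 signatures.

    Returns 'nk2-8' (long form matched, which implies the short one),
    'nk2-4' (only the 4-byte magic matched, so treat with more caution
    before handing the file to an NK2 parser), 'not-nk2' or 'too-short'.
    """
    if len(header) < len(NK2_MAGIC_4):
        return "too-short"
    if not header.startswith(NK2_MAGIC_4):
        return "not-nk2"
    if header.startswith(NK2_MAGIC_8):
        return "nk2-8"
    return "nk2-4"


def magic_as_uint32_le(header: bytes) -> int:
    """Return the 4-byte magic as a little-endian uint32, the form in which
    some carving and triage tools report signatures (here 0xBAADF00D)."""
    return struct.unpack("<I", header[:4])[0]


def classify_nk2_file(path: str) -> str:
    """Read only the first 8 bytes of a file on disk and classify them."""
    with open(path, "rb") as fh:
        return classify_nk2_header(fh.read(8))


# Constructed sample headers (not real NK2 files) covering each outcome.
SAMPLES = {
    "eight": NK2_MAGIC_8 + b"\x00" * 8,
    "four": NK2_MAGIC_4 + b"\xff\xff\xff\xff",
    "other": b"%PDF-1.4\n",
    "short": b"\x0d\xf0",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:>5}: {classify_nk2_header(hdr)}")
    print(hex(magic_as_uint32_le(SAMPLES["four"])))  # 0xbaadf00d
```

A file that only matches the 4-byte magic is still plausibly NK2, but the mismatch on bytes 5 to 8 is worth recording in the case notes before trusting a parser's output.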
