Difference between pages "Upcoming events" and "Mac OS X"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
(Burn Folder)
 
Line 1: Line 1:
Here is a BY DATE listing of '''upcoming conferences and training events''' that pertain to [[digital forensics]]. Some of these duplicate the generic [[conferences]], but have specific dates/locations for the upcoming conference/training event.
+
{{Expand}}
  
<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
+
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
<b> Any requests for additions, deletions or corrections to this list should be sent by email to David Baker <i>(bakerd AT mitre.org)</i>. </b>
+
  
== Calls For Papers ==
+
== Burn Folder ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Due Date
+
! Website
+
|-
+
|First Annual European DeepSec In-Depth Security Conference
+
|Jun 10, 2007
+
|http://deepsec.net/cfp/
+
|-
+
|DFRWS 2007 File Carving Challenge
+
|Jul 09, 2007
+
|http://www.dfrws.org/2007/challenge/submission.html
+
|-
+
|}
+
  
== Conferences ==
+
Mac OS X Burn Folder:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
$NAME.fpbf
! Title
+
</pre>
! Date/Location
+
! Website
+
|-
+
|2007 Techno-Security Conference
+
|Jun 03-06, Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2007.html
+
|-
+
|Computer Security Institute NetSec '07
+
|Jun 11-13, Scottsdale, AZ
+
|http://www.gocsi.com/netsec/
+
|-
+
|2007 USENIX Annual Technical Conference
+
|Jun 17-22, Santa Clara, CA
+
|http://www.usenix.org/events/
+
|-
+
|Third Government Forum of Incident Response and Security Teams Conference
+
|Jun 25-29, Orlando, FL
+
|http://www.us-cert.gov/GFIRST/index.html
+
|-
+
|First International Workshop on Cyber-Fraud
+
|Jul 01-06, San Jose, CA
+
|http://www.iaria.org/conferences2007/CYBERFRAUD.html
+
|-
+
|Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2007
+
|Jul 12-13, Lucerne, Switzerland
+
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/dimva/
+
|-
+
|BlackHat Briefings
+
|Jul 28-Aug 02, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|DefCon
+
|Aug 03-05, Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|16th USENIX Security Symposium
+
|Aug 06-10, Boston, MA
+
|http://www.usenix.org/events/
+
|-
+
|GMU 2007 Symposium
+
|Aug 06-10, George Mason University, Fairfax, VA
+
|http://www.rcfg.org
+
|-
+
|[[Digital Forensic Research Workshop|Digital Forensic Research Workshop 2007]]
+
|Aug 13-15, Pittsburgh, PA
+
|http://www.dfrws.org/2007/index.html
+
|-
+
|HTCIA 2007 International Training Conference & Exposition
+
|Aug 27-29, San Diego, CA
+
|http://www.htcia-sd.org/htcia2007.html
+
|-
+
|Recent Advances in Intrusion Detection (RAID) 2007
+
|Sep 05-07, Gold Coast, Queensland, Australia
+
|http://www.isi.qut.edu.au/events/conferences/raid07
+
|-
+
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
+
|Sep 10-14, Modena, Italy
+
|http://www.iciap2007.org
+
|-
+
|3rd International Conference on IT-Incident Management & IT-Forensics
+
|Sep 11-12, Stuttgart, Germany
+
|http://www.imf-conference.org/
+
|-
+
|Black and White Ball
+
|Sep 25-28, London, UK
+
|http://www.theblackandwhiteball.co.uk/
+
|-
+
|BlackHat Japan - Briefings
+
|Oct 23-26, Tokyo, Japan
+
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
+
|-
+
|Techno-Forensics Conference
+
|Oct 29 - 31, Rockville, MD
+
|http://www.techsec.com/html/TechnoForensics2007.html
+
|-
+
|DeepSec IDSC
+
|Nov 22-24, Vienna, Austria
+
|http://deepsec.net/
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18 2008, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|}
+
  
== On-going / Continuous Training ==
+
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
! Title
+
</pre>
! Date/Location or Venue
+
! Website
+
|-
+
|Basic Computer Examiner Course
+
|Computer Forensic Training Online
+
|http://www.cftco.com
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|}
+
  
== Scheduled Training Courses ==
+
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
Also check the following files for references to deleted .fpbf paths:
! Title
+
<pre>
! Date/Location
+
/Users/$USERNAME/Library/Preferences/com.apple.finder.plist
! Website
+
</pre>
! Limitation
+
 
|-
+
Actual burning of optical media is logged in:
|Computer Network Investigations Training Program (CNITP)
+
<pre>
|May 15-25, FLETC, Glynco, GA
+
/var/log/system.log
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
/Users/$USERNAME/Library/Logs/DiscRecording.log
|Limited to Law Enforcement
+
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
|-
+
</pre>
|AccessData Internet Forensics
+
 
|May 22-24 , Solna, Sweden
+
== HFS/HFS+ date and time values ==
|http://www.accessdata.com/training
+
 
|-
+
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days.
|EnCase v5 Advanced Computer Forensics
+
 
|May 22-25, United Kingdom
+
Converting HFS/HFS+ date and time values with Python:
|http://www.guidancesoftware.com/training/schedule.asp
+
<pre>
|-
+
import datetime
|SARC Steganography Examiner Training
+
 
|May 23 - 24, Orlando, FL (National Center for Forensic Science)
+
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
|http://www.sarc-wv.com/training.aspx
+
</pre>
|-
+
 
|First Responder to Digital Evidence Program (FRDE)
+
== Quarantine event database ==
|May 30-Jun 01, FLETC, Glynco, GA
+
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
 
|Limited to Law Enforcement
+
Snow Leopard and earlier
|-
+
<pre>
|Computer Forensics First Responder
+
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
|May 31, Indianapolis, IN
+
</pre>
|http://www.ifi-indy.org/ifi%20training/train.html
+
 
|-
+
<pre>
|AccessData BootCamp
+
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
|May 31-Jun 02, Myrtle Beach, SC
+
</pre>
|http://www.accessdata.com/training
+
 
|-
+
Lion and later
|AccessData Windows Forensics
+
<pre>
|May 31-Jun 02, Myrtle Beach, SC
+
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
|http://www.accessdata.com/training
+
</pre>
|-
+
 
|SMART for Linux
+
== Package Files (.PKG) ==
|Jun 04-07, Austin, TX
+
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
|http://asrdata.com/training/training2.html
+
 
|-
+
== Also see ==
|AccessData BootCamp
+
* [[MacOS Process Monitoring]]
|Jun 05-07, Albuquerque, NM
+
* [[Acquiring a MacOS System with Target Disk Mode]]
|http://www.accessdata.com/training
+
* [[Converting Binary Plists]]
|-
+
* [[FileVault Disk Encryption]]
|Advanced Data Forensics Topics
+
* [[File Vault]]
|Jun 11-13, Austin, TX
+
 
|http://asrdata.com/training/training2.html
+
== External Links ==
|-
+
 
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
* [http://www.apple.com/macosx/ Official website]
|Jun 11-22, FLETC, Glynco, GA
+
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
|Limited to Law Enforcement
+
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
|-
+
 
|Helix Live Forensics and Incident Response Course
+
=== Apple Examiner ===
|Jun 12-14, SEARCH - Sacramento, CA
+
* [http://www.appleexaminer.com/ The Apple Examiner]
|https://www.e-fense.com/register.php
+
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
|-
+
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
|AccessData Internet Forensics
+
 
|Jun 12-14 , Boise, ID
+
[[Category:Mac OS X]]
|http://www.accessdata.com/training
+
[[Category:Operating systems]]
|-
+
|AccessData Windows Forensics
+
|Jun 19-21, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|SMART for Linux
+
|Jul 09-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Cyber Counterterrorism Investigations Training Program (CCITP)
+
|Jul 09-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Windows Data Forensics
+
|Jul 16-18, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Jul 16-27, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData BootCamp
+
|Jul 17-19, Boise, ID
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Jul 24-26, Albuquerque, NM
+
|http://www.accessdata.com/training
+
|-
+
|Network Forensics and Investigations Workshop
+
|Jul 25-27, Washington, DC
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Jul 31-Aug 02, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Aug 06-09, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Aug 14-24, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Aug 13-15, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Network Forensics and Investigations Workshop
+
|Aug 13-15, Los Angeles, CA
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|Macintosh Forensic Survival Course
+
|Aug 13-17, Fredricksburg, VA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Internet Forensics
+
|Aug 14-16 , Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|Helix Live Forensics and Incident Response Course
+
|Aug 28-30, Tennessee Bureau of Investigations - Nashville, TN
+
|https://www.e-fense.com/register.php
+
|-
+
|SMART for Linux
+
|Sep 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Sep 11-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData Applied Decryption
+
|Sep 11-13, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|Enterprise Data Forensics
+
|Sep 17-19, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Macintosh Forensic Survival Course
+
|Sep 24-28, Santa Ana, CA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Applied Decryption
+
|Sep 25-27, Chicago, IL
+
|http://www.accessdata.com/training
+
|-
+
|AccessData BootCamp
+
|Sep 25-27, Solna, SE
+
|http://www.accessdata.com/training
+
|-
+
|SMART for Linux
+
|Oct 01-04, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|SMART Windows Data Forensics
+
|Oct 08-10, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|AccessData BootCamp
+
|Nov 06-08, Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Nov 06-08, Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|AccessData Internet Forensics
+
|Dec 04-06 , Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|}
+

Revision as of 07:04, 21 June 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Apple Inc.'s Macintosh OS X (pronounced "OS Ten") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including Apple Mail, a web browser called Safari, and an Apple Address Book, and iCal.

Burn Folder

Mac OS X Burn Folder:

$NAME.fpbf

This folder normally contains alias files (similar to LNK files under Windows). Which should have the following signature.

00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|

These alias files contain additional date and time values.

Also check the following files for references to deleted .fpbf paths:

/Users/$USERNAME/Library/Preferences/com.apple.finder.plist

Actual burning of optical media is logged in:

/var/log/system.log
/Users/$USERNAME/Library/Logs/DiscRecording.log
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log

HFS/HFS+ date and time values

In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days.

Converting HFS/HFS+ date and time values with Python:

import datetime

print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )

Quarantine event database

See [1]

Snow Leopard and earlier

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;

Lion and later

/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Package Files (.PKG)

Package Files (.PKG) are XAR archives [2] that contain a cpio archive and metadata [3].

Also see

External Links

Apple Examiner