MacForensicsLab

From Forensics Wiki
Revision as of 11:10, 2 January 2007 by SubRosaSoft (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
MacForensicsLab
Maintainer: SubRosaSoft Inc.
OS: Mac OS X
Genre: Disk imaging,Commercial,Analysis,Live CD, Template:Data Recovery, Template:Forensic Suite
License: Commercial
Website: MacForensicsLab.com

MacForensicsLab™ is a complete suite of forensics and analysis tools in one cohesive software package from SubRosaSoft Inc.

Contents

Summary

MacForensicsLab™ combines the power of many individual functions into one application in order to provide a single solution for law enforcement professionals and digital forensic investigators.

Detailed documentation is automatically created while you are performing your forensic examination. Logs are kept of every action performed, every item found, and freeform notes taken during the case, to tie them all together with your thoughts on the process. These can then be exported in a standardized, customizable, easy-to-share, template-driven, HTML report either at the end of, or during the investigation. Click here for a sample output report.

Evidentiary integrity is maintained and protected with the utmost care. Duplicates are made at top speed (perfect for time sensitive acquisition tasks) with careful consideration for protecting the original media. Backups are made with integrated segmenting, granular hashing, and intelligent media fault management. Inline processing allows the creation of dual output images and associated hash files.

Keyword analysis and cataloging is performed in multiple languages and includes MD5, SHA1 and SHA256 checksum calculations. This allows the investigator to seek out items of interest across entire devices, within folders of files, directly inside specific files.

Data recovery allows forensics professionals to find and recover deleted files and those also embedded - then preview those files within MacForensicsLab™. Even swap space and unallocated space can be explored for evidence.

Product Overview

  • Safety first - MacForensicsLab™ takes the utmost care to ensure the integrity of your evidence. Disk Arbitration can be disabled at the click of a button to ensure Mac OS X does not try to mount (and thus alter) the suspects hard drive. Bootable CDs are available for both Intel and PowerPC Macintosh Computers. 

  • Detailed Logs - Every action taken whilst using the software is recorded in highly detailed logs to provide the investigator with as much information as possible when reporting. Freeform notes can be created at any stage and in any context to tie actions to impressions during the process.

  • HTML Case Reports - A combination of data from the case manager and log files (chronology, salvage, analyze, acquisition, catalog, bookmarks, notes) can be exported in standardized, easy-to-share HTML reports for viewing in any web browser.

  • Flexible Hashing - Data Acquisition processes include MD5, SHA1 and SHA256 hashes. Hashes can be created for files and folders at the click of a button. 

  • Recovers evidence after a disk or device has been formatted - Got an initialized disk or other device that had files you want back? MacForensicsLab™ will recover your files, search for keywords, and allow analysis from the newly initialized drive. 

  • Recovers evidence from corrupt media - Corruption does not detain MacForensicsLab™. It will process any intact data on the disk and recover keywords and whole or partial files wherever they are found. 

  • Works with media from other operating systems - MacForensicsLab™ is able to perform data acquisition and analysis on drives from MS Windows, Linux, and other operating systems. 

  • Provides very quick and easy ways to bookmark evidence - with "Browse", MacForensicsLab™ allows the digital forensics investigator to sample files in native view whilst traversing an entire directory structure.

  • Dual bootable DVD - MacForensicsLab™ can now be purchased as a dual bootable DVD that is ready for both the older PowerPC and the newer Intel based Apple Macs.

Features

MacForensicsLab™ combines the power of many individual functions into one application in order to provide a single solution for law enforcement professionals and digital forensic investigators.

Main Window

The main window provides the investigator with a detailed view of the file system and any devices that are attached to the computer. It is from the ‘Main Window’ that the digital forensic investigator can explore the suspect device, drive or media and gain quick access to the core functions of MacForensicsLab™:

  • Case Manager Window
For handling the details of each specific case.
  • Logs Window
For access to the individuals steps, processes, actions, notes and bookmarks of the case.
  • Acquire Window
For creating open standard disk images of suspect devices, drives or media and securing evidential integrity.
  • Catalog Window
For creating catalog lists and bookmarking suspect files and data.
  • Analyze Window
For analyzing data on a block-by-block basis in HEX or ASCII mode, as well as for reviewing data in native mode and search through block data using custom multilingual pattern matching.
  • Salvage Window
For rescuing, recovering, undeleting, and even salvaging files that exist in the directory catalog or have in fact been deleted or erased. After an initial scan files can also be previewed, prior to recovery.
  • Browse Window
For previewing and bookmarking evidence within a directory structure.
  • Notepad & Case Notes
For making notes pertaining to the case on a per need basis.
  • Attaching and Detaching Disk Images
MacForensicsLab™ can handle both physical media and image files of a wide range.

Case Logs Window

Detailed logs are kept of every step, action and points of interest during a forensics investigation to support the evidential case, as and when required, whether in understanding or presenting the digital forensic evidence.

The "Logs Window" provides the investigator with access to comprehensive details of the case. Actions are logged in detail and time-stamped, as are case notes submitted during the course of the investigation.

The logs viewer provides the investigator with access to such logs as:

  • Chronology log - detailing every action taken during the investigation (step-by-step)
  • Bookmarks log - providing access to each and every bookmarked file
  • Acquisition log - detailing every acquisition and details thereof
  • Catalog log - for retaining cataloged file items for further reference
  • Analysis log - contains a step-by-step reference forensics analysis during the case
  • Salvage log - provides notes on and access to the salvaged files
  • Notes log - retains all the notes posted during the course of an investigation

During the course of, or at the end of, the investigation, the forensics investigator can choose to export the log data into a standardized HTML report for sharing within a department or externally, via the web or otherwise. The reports can be viewed on any computer in any web browser and make the sharing of case files and details extremely simple, essentially encapsulating the procedure in a 2 step process.

Forensics Acquisition Window

The acquisition process allows the forensics investigator to replicate and secure evidence from suspect devices, drives or media in the form of disk images for further analysis rather than working on the suspect device, drive or media itself; thus ensuring evidential integrity.

Whether the suspect device, drive or media is sound or faulty, the investigator can make the necessary backup and working copies as MacForensicsLab™ uses a proprietary, fault tolerant technology to work around a wide range of errors to create disk images.

Should the device under forensic investigation encounter problems during the acquisition process, such that the disk image cannot be made in a single pass, the investigator can simply quit and then use the acquisition resume feature to start the process again after restarting the device.

MacForensicsLab™ works on faulty drives with bad blocks, corrupted information, or intermittent errors in read/write, so that the forensics investigator can create a good working disk image of the suspect drive, drive or media.

Other features of the "Acquire" window include, but are not limited to:

  • Disk images created using the acquisition process with MacForensicsLab™ are saved in an open ISO standard and can be read and opened by many standard applications.
  • Segmentation of an acquisition for storage of the data across multiple backup sources, such as DVD-R's.
  • The ability to make a separate "Golden Master" image at the same time.
  • Real time data checks using MD5, SHA1, SHA256 checksums and the ability for the investigator to assign at what intervals MacForensicsLab™ must perform a checksum validation.
  • Automatic block matching for damaged media such as scratched data CDs or physically damaged hard drives

Data Cataloging Window

Automatic analysis of all files in a directory structure, the cataloging process searches through the directory structure in order to catalog all files as well as to zero in on suspect material. MacForensicsLab™ can create a list of all files within a directory structure including all catalog information, MD5, SHA1, and SHA256 checksums, and basic file information.

In order to zero in on areas of particular interest Positive and Negative filters can be applied using custom checksum databases or those provided by the National Software Reference Library. The cataloged information can be customized for any particular requirement, the forensics investigator can also auto-bookmark catalogued items for future reference and just as easily predefine the data that is entered into the catalog log during the procedure at the click of a button.

Forensics Analysis Window

The analysis window is for manual analysis of data, block-by-block. The "Analyze" function allows the digital forensic investigator to explore the data of a file or device in both ASCII, HEX and native views, providing access both to the source as well as the actual content of the file overall. Whether looking at the headers of the file in ASCII mode or reviewing the content of an image, sound file or movie in native mode, "Analyze" can handle the task.

"Analyze" also provides a search feature which allows quick searching for keywords and other strings, created either on an ad hoc basis or imported as a custom database, and the analysis window provides the investigator with 2 means by which to do this:

  • Block-by-block and page-by-page, or
  • With HEX and ASCII search terms.

And once the analysis and search procedures are complete, the forensics investigator can then hash and/or export the analysis data to a file, or files, for further reference and safekeeping. The investigator can now, in version 1.5, also easily bookmark analysis data, assigning it to a category as he or she does so.

File Salvage & Data Recovery Window

MacForensicsLab™'s Salvage function will search a device, volume, or folder and list all the recoverable files. The displayed files can then be recovered to a destination folder.

MacForensicsLab™ has an option to skip all used space when scanning a Mac OS Extended (HFS Plus) volume, thus improving the speed of the recovery and addressing only the files that have been deleted.

When salvaging a device, MacForensicsLab™ scans through the entire media to recover as many files as possible from the drive or media. Recovering in device mode is useful when the drive refuses to mount or if the volume’s directory information is corrupted. MacForensicsLab™ can also locate files within files (such as caches, email attachments, and archives).

MacForensicsLab™ can also work with disk images from various sources. It supports standard ISO disk images, as well as EnCase® (unencrypted images only), UNIX dd, Drive Genius™, and SubRosaSoft CopyCatX™.

Other Features

MacForensicsLab™ contains many other features designed to maintain the evidential integrity of hard drives and devices. These features allow an investigator to manage access to devices as well as ensuring a sterile work environment.

These features include (but are not limited to) the following;

  • Dual Boot DVD
  • Disk Arbitration
  • Clearing The Work Drive
  • Rescanning The Hardware Bus
  • Attaching & Detaching Disk Images
  • Online Version Checking
  • Terminal Access

Dual Boot DVD

MacForensicsLab™ now comes either as a download or as a dual boot DVD that is both Intel and PowerPC Mac ready. So whether the forensics investigator is running a new or older workstation, he or she should be able to boot onto the DVD so long as the workstation possesses a DVD-Rom drive.

Disk Arbitration

When connecting a suspect drive via FireWire or USB to the MacForensicsLab™ system that’s already up and running, OS X is notified of the event by the kernel and will immediately look for mountable partitions on the drive. If found, the OS initiates the mount, then the internal disk arbitration tables are updated with the proper information, which eventually updates any programs that subscribed to notifications. During the process, the suspect’s drive will also be updated.

In order to prevent writing to the suspect device accidentally, SubRosaSoft strongly recommends the use of a write blocking device when performing any operations. Without the use of a write blocking device, make sure Disk Arbitration is turned off before connecting the suspect drive to the system running MacForensicsLab™.

Carelessness on this procedure may render the evidence useless and results in many wasted hours and human effort.

Clearing The Work Drive

When you drag a file or a folder into the Trash and select "Empty Trash", your computer informs the operating system that the space the file previously resided is available for new files. The old file or folder still resides on your disk, you just cannot get to it. Similarly, initializing the drive will not rid the drive of data. Data recovery software such as SubRosaSoft’s FileSalvage will easily recover data that wasn't securely erased.

To ensure the data recovered from the drive does not accidentally contain data from the previous case, SubRosaSoft strongly recommends you starting with a new drive with each new case. If a new drive for a new case is not feasible and it is necessary to recycle a drive for evidence gathering, you should use MacForensicsLab™'s Clear Work Drive feature to make sure the drive doesn't contain any data that doesn't belong to the current case.

The Clear Work Drive command can be used to clear a device or a volume by writing repeated passes of various data patterns. MacForensicsLab™ also allows you to permanently erase the free space on your volume in a secure fashion by first filling up your volume with temporary files, and then writing a secure pattern over the files.

Rescanning The Hardware Bus

If an external drive was not on when you started the computer, and only after you launched MacForensicsLab™ that you switched it on, MacForensicsLab™ may not recognize the device until it rescans the hardware bus. To force a rescan, select Rescan under the File menu or enter <Command-R>

Attaching & Detaching Disk Images

MacForensicsLab™ can also work with physical devices or disk images. To access the disk image, select "Attach Disk Image" from the "File" menu. Navigate to and select the image, and click on "Open".

Online Version Checking

MacForensicsLab™ will check our website each time it is used to check if there is a more recent version of itself available for download. You can disable this check by using the menu command "Disable Web Check" at any time and it will not effect the operation of the software in any way. You can re-enable the check at any time by using the menu command "Enable Web Check".

No identifying information is transmitted by the software, and there are no effects from disabling the check or rendering the software incapable of contacting our website by disconnecting from the internet.

Terminal Access

MacForensicsLab™ provides the investigator with quick access via the "File" menu to a terminal window, so that he or she does not have to leave MacForensicsLab™ in order to run commands through the Command Line Interface.

Support

  • Mac Forensics Bulletin Board

Signup for free and share in the advice and discussions on the MacForensicsLab Bulletin Boards. The MacForensicsLab Bulletin Boards are located here.

The same MacForensicsLab™ manual that is available online is also available for download in PDF format for the current version of the application (1.5). The PDF benefits from the ability to browse offline, as well as the in-built PDF bookmarks for quicker browsing and searchability. The PDF version can be downloaded here.

External Links

MacForensicsLab™ Official Site

SubRosaSoft.com Inc. Official Site

MacForensicsLab™ Bulletin Board