Difference between revisions of "Mac Marshal"

From Forensics Wiki
m
Line 9: Line 9:
  
 
Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.
 
Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.
 +
 +
Mac Marshal Forensic Edition runs on an investigator's Mac workstation to analyze a disk image.
 +
 +
Mac Marshal Field Edition runs on a Mac target machine from a USB drive.  It extracts volatile system state data, including a snapshot of physical
 +
RAM.
  
 
Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.
 
Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.
  
Version 1.0 was released in January 2009, available at no cost to US law enforcement, with a commercial version available to non-law enforcement.
+
Version 1.0 was released in January 2009, available at no cost to US law enforcement, with a commercial version available to non-law enforcement. Version 2.0 was released in November 2010, adding live analysis in the Field Edition and the ability to take a snapshot of the target machine's physical RAM.
 +
 
  
 
=Authors=
 
=Authors=
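
Review bot: the unchanged sentence "It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines" no longer matches the added Field Edition paragraph, which says that edition runs on a Mac target machine from a USB drive. Suggest scoping the "analysis machines" clause to the Forensic Edition. The physical RAM snapshot is also stated twice in the added text, once in the Field Edition paragraph and again in the Version 2.0 sentence; the release sentence could simply say that 2.0 introduced the Field Edition's live analysis.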

Revision as of 10:29, 5 November 2010

Mac Marshal
Maintainer: ATC-NY
OS: Mac OS X
Genre: Macintosh forensics
License: Commercial (free to law enforcement)
Website: macmarshal.com

Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.

Mac Marshal Forensic Edition runs on an investigator's Mac workstation to analyze a disk image.

Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM.

Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.

Version 1.0 was released in January 2009, available at no cost to US law enforcement, with a commercial version available to non-law enforcement. Version 2.0 was released in November 2010, adding live analysis in the Field Edition and the ability to take a snapshot of the target machine's physical RAM.


Authors

Mac Marshal was developed by ATC-NY, supported by a contract with the US National Institute of Justice (NIJ). The project was originally named MEGA.

External Links