
MacForensicsLab 2.9 Manual
1 Overview

1.1 Overview of MacForensicsLab 6

2 System Requirements

2.1 System Requirements 11

3 Installing MacForensicsLab

3.1 Installing MacForensicsLab 15

4 Running MacForensicsLab for the First Time

4.1 Running MacForensicsLab for the First Time 20

5 Case Preparation

5.1 Case Preparation 34

6 Core Functions

6.1 Core Functions 39

7 The Preferences Window

7.1 The Preferences Window 41

8 The Main Window

8.1 The Main Window 59

9 The Acquire Function

9.1 The Acquire Function 64

10 The Search Function

10.1 The Search Function 69


11 The Analyze Function

11.1 The Analyze Function 74

12 The Salvage Function

12.1 The Salvage Function 80

13 The Browse Function

13.1 The Browse Function 88

14 The Audit Function

14.1 The Audit Function 92

15 The Hash Function

15.1 The Hash Function 98

16 Bookmarks

16.1 Bookmarks 101

17 Examiner Notes

17.1 Notes in MacForensicsLab 107

18 The MacForensicsLab Database

18.1 The MacForensicsLab Database 112

19 Reporting

19.1 Generating a Report 117

20 Keyboard Shortcuts

20.1 Keyboard Shortcuts 120


21 Getting Help and Technical Support

21.1 Getting Help and Technical Support 122

22 Uninstalling MacForensicsLab

22.1 Uninstalling MacForensicsLab 125

23 Glossary

23.1 Glossary 127

24 End User's License Agreement (EULA)

24.1 End Users License Agreement 130

25 Copyright Notice

25.1 Copyright Notice 134

26 Trademarks

26.1 Trademarks 136


Overview

MacForensicsLab 2.9 Manual - 5


Overview of MacForensicsLab

This lesson provides an overview of MacForensicsLab, its features, functionality and design.

About MacForensicsLab Incorporated

Welcome to MacForensicsLab Incorporated. If this is your first time using MacForensicsLab software,
be assured you made the right decision. MacForensicsLab Inc. is the world-wide leader in
Macintosh-based forensics, with many federal, state and local law enforcement organizations around
the globe using our software. In addition, MacForensicsLab software is used by our military, intelligence
community, and many privately owned and operated organizations seeking a powerful and innovative
forensic solution.

As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only
meet and exceed your expectations but that change the way modern computer forensics are
performed. Traditional computer forensic software development has mirrored the needs of traditional
law enforcement by developing a solution only as a problem presented itself. In doing so, law
enforcement is left without a timely answer to their technological dilemma. When the momentum of an
investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims
are left needing resolution or, worse, new victims are created. MacForensicsLab Inc. seeks to change
that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs
and anticipate problems through the use of intelligent proactive development.

MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too
often, forensic examiners are understaffed and overworked, making the environment ripe for case
backlogs and an increasing potential for errors. In an effort to minimize these conditions,
MacForensicsLab Inc. leverages technology and technological advancements to allow for fewer
mistakes while maximizing the efficiency and effectiveness of its users, thereby getting more done with
fewer mistakes.

MacForensicsLab Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective
forensic solutions that help you achieve your organization's forensic needs. To this end, we offer
products that account for the entire spectrum of computer forensics, not just the static lab-based
solution. Modern technologies demand integration throughout the forensic process, and MacForensicsLab
Inc. accounts for this evolution with solutions for incident response, triage, static examinations and
reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatibility with other
tools so the examiner is not limited to one tool or one answer to a problem. In summary,
MacForensicsLab Inc. views mission accomplishment as a corporate social responsibility, one we take
very seriously, and as such we strive to become not only a software development company but a
partner to all our customers.



MacForensicsLab Overview

MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a
Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design
and a feature-rich environment. It is capable of performing all aspects of the forensic process on any
filesystem the system bus can recognize; these filesystems include NTFS, UFS, HFS, HFSPlus, ext2,
ReiserFS and many more.

In addition to being the premier Macintosh-based forensic application, previous versions of
MacForensicsLab (up to 2.5.5) are cross-platform, allowing users to run MacForensicsLab natively on
Windows XP, Windows Vista and Linux (RedHat, Ubuntu and SuSe).

MacForensicsLab Design Features

MacForensicsLab has been designed, from the ground up, to be a powerful, easy-to-use forensic
solution. A vital component in achieving this is the software's GUI (Graphical User Interface). The
interfaces of many modern forensic solutions contain 15 or more buttons, making them difficult to use
and, due to the crowded space, somewhat overwhelming for the user. By contrast, MacForensicsLab
has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid
out in an order that, if followed from one to the next, will guide the examiner through the completion of
an entire forensic examination.

The second aspect concerning the design of MacForensicsLab is automation. The automation of tasks
has changed the world. First, the Industrial Revolution was marked by automation of the blue collar
workforce, changing the way manufacturing was done. In the Information Age, this automation is seen
through computers performing complex repetitive tasks. In computer forensics, this automation refers to
leveraging the computer to collect and collate data so the examiner can analyze the data.
MacForensicsLab is unique in that it excels at this, allowing the examiner to perform the vital task of
analysis, thus providing context to the computer findings. This concept is readily apparent in the
Browse and Audit functions, described below.

Another aspect of MacForensicsLab design is fault tolerance. Uniquely within the industry,
MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations, as
well as instant writes to the system: because it is a database-driven application, there is no need for
interval saves, which inevitably result in data loss.

Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern
computer forensics is one of increasing complexity. As such, no one solution provides all the answers
to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use the results of
MacForensicsLab with other tools. The use of OpenISO imaging and HTML reporting are just two
examples of how MacForensicsLab strives to work well with other tools to assist in accomplishing the
mission of the forensic examiner.



Speed and accuracy are the other tenets of MacForensicsLab design features. The rapid increase in
data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to
increase speed making it much faster than other tools such as dd.

Accuracy is a foundational element of computer forensics. Unfortunately, many software vendors
sacrifice accuracy for speed. An example of this would be performing data recovery operations based
solely on the directory structure. Relying on the directory structure alone provides fast results, but it does
not account for a corrupted structure. When the directory structure is corrupted and that is the only
means of data recovery, then all is lost without attempting to fix the directory structure.
MacForensicsLab takes a different approach: instead of the faster method, it takes the best method for
recovering all files. In doing so, MacForensicsLab demonstrates its understanding that without all the
data there is no case, and in this instance it is better to sacrifice speed for accuracy.

Now that we understand the basic design features of MacForensicsLab, let's take a minute to
familiarize ourselves with the core functionalities of MacForensicsLab.

The Acquire Feature

The ‘Acquire’ function uses an intelligent algorithm to recover mechanically sound and faulty drives.
Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the
best chance at recovering evidence to a forensically sound disk and an open-format, industry-standard
disk image for further data salvage and analysis.

The Search Feature

The ‘Search’ process examines logical directory structures and files to bookmark files of interest,
helping to zero in on any suspect material. Comparisons can be made against a database of hash
values for known good, or known suspect content. MacForensicsLab creates a list of catalog
information, MD5, SHA1, and SHA256 checksums, as well as other basic file information, using
pre-specified search terms and filters.

The Analyze Feature

The ‘Analyze’ function enables an investigator to examine the contents of files in Hex and Native
modes. ‘Analyze’ allows the investigator to search unallocated space for specific terms and items
including keywords, hex strings, credit card numbers and social security numbers; scanning file sectors
at blazing speeds that no other package can approach.

The Salvage Feature

MacForensicsLab’s ‘Salvage’ functionality is fault tolerant and thorough by design, making it the most
powerful data recovery engine on the market. The 'Salvage' function recognizes over 100 file types
and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital
camera memory cards, iPods, and much more. In addition, 'Salvage' possesses the ability to learn
on-the-fly, enabling the examiner to add unknown file types into the 'Salvage' database for recovery.
These features, combined with filters allowing targeted data recovery, make this a foundational feature
for all subsequent forensic processes.
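As an added illustration of the header/footer carving a 'Salvage'-style function performs (example code written for this manual page, not MacForensicsLab's engine), the block below scans a constructed block of unallocated-space bytes for file signatures, skips a dangling header whose footer never arrives, and then extends the signature table at run time for a constructed 'MFLX' type the built-in table does not know, mirroring the learn-on-the-fly behaviour described above:

```python
# Added example, not MacForensicsLab code: header/footer file carving with an
# extensible signature table, of the kind a "Salvage"-style function performs.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes]          # None: carve a fixed-length block instead
    max_len: int = 10 * 1024 * 1024  # upper bound on a single carved file


@dataclass
class CarvedFile:
    kind: str
    offset: int     # byte offset of the header within the scanned region
    data: bytes


# Built-in signature table (a constructed subset of well-known magic numbers).
SIGNATURES: List[Signature] = [
    Signature("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def add_signature(table: List[Signature], name: str, header: bytes,
                  footer: Optional[bytes] = None, max_len: int = 1024 * 1024) -> None:
    """Teach the carver a new file type at run time ("learn on-the-fly")."""
    table.append(Signature(name, header, footer, max_len))


def carve(data: bytes, table: List[Signature]) -> List[CarvedFile]:
    """Scan raw bytes (e.g. unallocated space) for every signature in the table.

    Headers are consumed in offset order. A header whose footer does not appear
    within max_len is treated as a truncated or overwritten file and skipped, so
    one bad header does not stop the rest of the scan.
    """
    found: List[CarvedFile] = []
    pos = 0
    while pos < len(data):
        # Earliest header of any type at or after pos.
        best = None
        for sig in table:
            idx = data.find(sig.header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, sig)
        if best is None:
            break
        start, sig = best
        limit = min(len(data), start + sig.max_len)
        if sig.footer is None:
            end = limit
        else:
            footer_at = data.find(sig.footer, start + len(sig.header), limit)
            if footer_at == -1:
                pos = start + 1          # no footer in range: skip this header
                continue
            end = footer_at + len(sig.footer)
        found.append(CarvedFile(sig.name, start, data[start:end]))
        pos = end                        # resume after the carved file
    return found


def demo():
    """Constructed unallocated-space sample: a PNG, a JPEG, an unknown 'MFLX'
    file and a dangling JPEG header with no footer."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    custom = b"MFLX" + b"constructed payload" + b"XLFM"
    unalloc = (b"\x00" * 16 + png + b"junk junk" + jpg + b"\xff" * 8 + custom
               + b"\x00" * 5 + b"\xff\xd8\xff\x00\x00")
    before = carve(unalloc, SIGNATURES)             # built-in table: PNG and JPEG only
    table = list(SIGNATURES)
    add_signature(table, "mflx", b"MFLX", b"XLFM")  # learn the unknown type
    after = carve(unalloc, table)                   # now the MFLX file is carved too
    return before, after


if __name__ == "__main__":
    for label, files in zip(("built-in", "extended"), demo()):
        print(label, [(f.kind, f.offset, len(f.data)) for f in files])
```

Real carvers also have to cope with a footer byte sequence appearing inside a file (a JPEG's embedded thumbnail, for instance), which this fixed-footer search does not attempt to handle.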

The Browse Feature

The ‘Browse’ function allows the investigator to quickly and easily thumbnail and preview graphic
images and their metadata. MacForensicsLab was the first forensic software application to contain a
built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of
thousands of image files to locate files of investigative interest, which are easily bookmarked and/or
exported for further action.

The Audit Feature

The ‘Audit’ function quickly and efficiently collects and collates operating system artifacts and user
preferences, including cached internet history and bookmarks, Instant Messaging buddy lists, WiFi
Access Points, Address Book information, iPhone information and much more. In doing so, the 'Audit'
feature enables the examiner to keep the investigative momentum while allowing for further in-depth
analysis.

The Hash Feature

The 'Hash' function allows the examiner to compute MD5, SHA1 and SHA256 hashes of any given file
located on the volume while exporting the results with the full path to a text file for easy reference.
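The 'Search' and 'Hash' features above compute MD5, SHA1 and SHA256 for files, compare them against known-good and known-suspect hash sets, and export the results with the full path. As an added example (written for this page, not MacForensicsLab's own code), the block below does the same over a constructed directory tree, reading each file once for all three digests; the hash sets, file names and contents are constructed for the demonstration:

```python
# Added example, not MacForensicsLab code: hash a directory tree (MD5, SHA1 and
# SHA256 in one read pass), compare against known-good / known-suspect hash sets,
# and export the results with the full path to a text file.
import hashlib
import os
import tempfile
from typing import Dict, List, Set

CHUNK = 1024 * 1024  # read large files in 1 MiB pieces rather than all at once


def hash_file(path: str) -> Dict[str, str]:
    """Return lowercase hex MD5, SHA1 and SHA256 of a file from a single pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(hashes: Dict[str, str], known_good: Set[str], known_suspect: Set[str]) -> str:
    """Match any of the three digests; a suspect hit outranks a known-good hit."""
    values = set(hashes.values())
    if values & known_suspect:
        return "suspect"
    if values & known_good:
        return "known-good"
    return "unknown"


def scan_volume(root: str, known_good: Set[str], known_suspect: Set[str]) -> List[dict]:
    """Walk root and build one catalog record per regular file."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order in the report
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: following them could leave the volume under examination.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            hashes = hash_file(full)
            records.append({
                "name": name,
                "path": full,
                "size": os.path.getsize(full),
                **hashes,
                "status": classify(hashes, known_good, known_suspect),
            })
    return records


def write_report(records: List[dict], out_path: str) -> List[str]:
    """Tab-separated export with the full path last (paths may contain spaces)."""
    columns = ("status", "size", "md5", "sha1", "sha256", "path")
    lines = ["\t".join(columns)]
    for r in records:
        lines.append("\t".join(str(r[k]) for k in columns))
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(lines) + "\n")
    return lines


def demo():
    """Constructed tree and constructed hash sets: the content "abc" is treated as
    known-suspect (by its MD5) and the empty file as known-good (by its SHA256)."""
    known_suspect = {"900150983cd24fb0d6963f7d28e17f72"}                              # md5("abc")
    known_good = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}  # sha256("")
    base = tempfile.mkdtemp(prefix="mfl_demo_")
    os.makedirs(os.path.join(base, "Users", "alice"))
    samples = {
        "readme.txt": b"hello world\n",
        os.path.join("Users", "alice", "notes.txt"): b"abc",
        os.path.join("Users", "alice", "empty.dat"): b"",
    }
    for rel, content in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(content)
    records = scan_volume(base, known_good, known_suspect)
    report = write_report(records, os.path.join(base, "hash_report.txt"))
    return records, report


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```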



System Requirements



System Requirements

This lesson covers the basic and recommended system requirements for successfully running
MacForensicsLab. Modern forensic processes require not only powerful systems to process the
massive amount of data, but a scalable solution designed to harness the system resources for greater
speed and increased functionality. A database solution provides such potential. Since
MacForensicsLab is database driven, the performance of the software is greatly influenced by the
performance of the computer that is being used to perform the investigations.

Mac OS X Base Requirements

-Apple Macintosh G4 800 MHz or faster
-Mac OS X (version 10.3.9 or newer)
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Windows Base Requirements (for use up to and including MacForensicsLab 2.5.5)

-Processor 800 MHz or faster
-Windows 2000/XP/Vista
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Linux Base Requirements (for use up to and including MacForensicsLab 2.5.5)

-Processor 800 MHz or faster
-x86-based Linux distribution with GTK+ 2.0 (or higher), glibc-2.3 (or higher) and CUPS (Common
UNIX Printing System)

We officially support the following:

-SUSE Linux Enterprise Desktop
-Red Hat Enterprise Linux Desktop

-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)



Recommended Desktop Forensic Workstation

-Apple MacPro (2.66 GHz Quad Core Intel Xeon "Nehalem" processor or better)
-Mac OS X (version 10.5 or newer)
-8GB of RAM
-1TB or more of available hard drive space
-DVD-Rom drive for Boot CD/DVD and Installation from DVD
-Firewire 800 <-> ATA/SATA hardware write blocker
-1 x USB 2.0 Port + HASP license dongle (supplied with MacForensicsLab)

Recommended Forensic Laptop

-Apple MacBook Pro Intel Core 2 Duo 2.4 GHz or faster
-Mac OS X (version 10.5 or newer)
-4GB of RAM
-Firmtek SeriTek Serial ATA ExpressCard Adapter
-1TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + HASP license dongle (supplied with MacForensicsLab)

Additional Considerations

Providing the system with more resources and faster equipment, such as a faster processor, more RAM
and a faster, larger hard disk drive, will improve the performance of MacForensicsLab wherever data
reading, calculation and verification functions are occurring.

The database/logging functionality is best performed with the fastest possible network interface when
working with a centralized network database server.



The MacForensicsLab Dongle

MacForensicsLab requires a dongle to function. To this end, previous versions of MacForensicsLab
required a HASP dongle; however, starting with MacForensicsLab 2.9, this dongle will be replaced with
a USB key customized for MacForensicsLab. This customized dongle will allow users who have
purchased both MacForensicsLab and MacLockPick to use the same dongle for both applications,
providing a seamless integration throughout the forensic process.



Installing MacForensicsLab



Installing MacForensicsLab

This lesson demonstrates how to install MacForensicsLab for the upgrade from 2.5.5 to 2.9.

Obtaining the latest version of MacForensicsLab

To install the latest version of MacForensicsLab, open a web browser and navigate to the
MacForensicsLab web site: http://www.MacForensicsLab.com. Once on the main webpage, select the
"Upgrades" link.



Locate the version of MacForensicsLab

The Upgrades page allows a user to select the version of MacForensicsLab they wish to download.
Once the correct version is located, select the link (highlighted in blue).



Download

The download page will present the above image. To begin the download, click on the image.

Downloaded Archive

The file that downloads is a .zip file that will be uncompressed automatically by the operating system
and will appear in the Downloads folder as a folder titled: MacForensicsLab.

Locate the MacForensicsLab Folder

Open the folder where MacForensicsLab was downloaded (by default this is the Downloads folder).



Installing MacForensicsLab

To install MacForensicsLab, simply drag the MacForensicsLab folder into the Applications folder. The
application is now ready to be run for the first time.



Running MacForensicsLab for
the First Time



Running MacForensicsLab for the First Time

This lesson demonstrates how to run MacForensicsLab for the first time.

Opening MacForensicsLab

Navigate to the Applications folder and open the MacForensicsLab folder by double clicking on it.

Launch MacForensicsLab

To launch the MacForensicsLab application, double click on the MacForensicsLab.app icon.

Allow MacForensicsLab to Run

The first time MacForensicsLab is launched, a warning banner will appear informing the user that the
application was downloaded from the Internet. Select "Open."



Configure MacForensicsLab Preferences

Once the MacForensicsLab application is launched, the Preferences Pane will open. In order to
successfully run MacForensicsLab, the Preferences Pane must be filled out.



Configure a Local Database File

In this example we will configure a Local File database (this means the database file will be resident on
the local machine and not connected remotely to a database). Select the "Database" tab in the upper
left of the window (1), then select "Local File" (2), and then select "Create" (3).

Save the Local Database

Once the "Create" button is selected in the previous step, a navigation window appears. The navigation
window allows the user to select the location of the database file. By default the file is named
"MacForeniscsLab Database.rsd" (1) and is located in the Documents folder (2). Then select "Save."



Configure the Examiners Tab

The next tab to configure in the Preferences Pane is the "Examiners" tab. Select the "Examiners" tab
(1). To add an examiner, select the "+" radio button on the left (2). Once the radio button is selected an
Examiner window will open.



Configure Examiner Window

Fill out the fields to complete the Examiner window, then select "Save."



Confirm Examiner Information

The Preference Pane appears and the new examiner information can be noted.



Configure the Cases Tab

To add a new case to the database, select the "Cases" tab (1) along the top of the window. Add a case
by selecting the "+" radio button in the lower left (2). Once the radio button is selected a case Details
pop-up window will appear.



The Case Details Window

The Case Details window allows the user to enter case details.



Complete Case Details

In the Case Details window enter the case number or Case ID (1) and a description of the case (2).
Once completed, select "Save" (3).



Selecting the Case

Once the "Save" button is selected in the previous step, the user is returned to the Preferences Pane.
Be sure to highlight the new case, as seen above.



The E-Mail Pane

The purpose of the E-Mail pane is to enable the user to be notified upon completion of tasks being
conducted by MacForensicsLab.



Complete the E-Mail Pane

Complete all requisite information and select "Test" (1) to ensure the connection is properly configured.
Once the test is successful, select the "Continue" button (2).

Authenticate MacForensicsLab

MacForensicsLab requires the user to authenticate by entering the admin password.



Complete Authentication

Enter the admin password (1) and then select "OK" (2).

Disk Arbitration

To complete the configuration of MacForensicsLab in preparation for running it for the first time, the user
needs to decide whether to ignore disk arbitration (leaving it enabled) or to disable it. The user should
only disable disk arbitration if he/she intends to create a forensic image from the suspect's media. Once
either the "Ignore" or the "Disable" button is selected, the main window of MacForensicsLab opens.



Case Preparation



Case Preparation

This lesson will discuss how to prepare for a case using MacForensicsLab.

Overview

During the course of using MacForensicsLab the examiner will come across a range of different
suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access
settings. It is therefore important to ensure that the investigator understands how each of these varies
and how the computer interacts with them.

Before connecting any device to the workstation it makes sense to assume that the device, image or
media may be written to and therefore should be handled with the utmost caution.

In Mac OS X there are a couple of ways in which to handle the issues of possibly tainting and
overwriting data on the suspect drive or device. The first is ‘Disk Arbitration’ and the second is ‘Write
Blocking’. It is also a MUST for the investigator to have a secondary “Work Drive” onto which case data
can be saved, and which will of course have been pre-cleared. This avoids the chance of overwriting
possible evidence and thus losing and/or tainting it.

Disabling Disk Arbitration

Whether at start-up or when connecting a suspect device via any data bus (FireWire, USB, ATA) on
your Macintosh Workstation, OS X is notified and will immediately look for mountable partitions on the
device.

If detected, it initiates the mount and the disk’s internal arbitration tables are updated with the
necessary information to work with the system. Having mounted, the Finder is updated with the
information and the volume(s) appear on the desktop. Any other applications that may have subscribed
to disk arbitration notifications are also updated in a cascade effect.



In the process of finding and updating the arbitration tables on devices found and mounted, there is a
risk of writing to those devices and therefore tainting the evidence. MacForensicsLab, however,
has a built-in option, accessible via the Window drop menu or the keyboard shortcut [Apple Key] + [B],
that allows the investigator to turn off the process.

In addition, to help avoid these issues, as MacForensicsLab reaches the ‘Main’ window it always
automatically prompts the investigator to ensure that Disk Arbitration is enabled or disabled, per his or
her desired behavior.

Enabling Disk Arbitration

As the investigator quits MacForensicsLab, he or she will be asked a similar question: whether to
enable disk arbitration again.

Hardware Write Blockers

As the investigator will hear over and over, when working with a suspect drive he or she will want to
avoid every single chance of tainting the data on it. MacForensicsLab works effectively with all
available write blocking hardware on the market, and we recommend that investigators use such
devices when performing forensics on suspect drives. SubRosaSoft, Inc. also carries an optional
hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site
http://www.subrosasoft.com for more information, or contact us via email: sales@subrosasoft.com; or
telephone: +1 (510) 675 0681.



Clearing the Work Drive

It is essential that, before the investigator uses any drive for storing the results of an investigation,
the drive has been cleared properly. This means that the work drive has been formatted with at least
a single pass of zeroing data.

To clear the work drive, select a partition of the designated drive in the 'Devices’ pane of the 'Main’
window. Having done this, select “Clear work drive” from the File menu. A confirmation window will
come to the fore, which the investigator should accept, after which the ‘Shred’ window will come forward.

The window contains a slider with which the investigator can set the number of passes required to
clear the drive. In order to speed up the process, the investigator also has the option to shred only
“Free Space”, so that only the available space on the partition will be cleared. Having set this, simply
click Start and the clearing procedure will begin. If the investigator picks the wrong partition and/or
decides to stop, simply clicking Close will dismiss the ‘Shred’ window and he or she will be
returned to the ‘Main’ window.



Terminal Access

MacForensicsLab provides the investigator with quick access via the Window drop menu, or keyboard
shortcut [Apple Key] + [t], to a terminal window, so that he or she does not have to leave
MacForensicsLab in order to run commands through another Terminal application.



Core Functions



Core Functions

This section will outline the core functions of MacForensicsLab for further, detailed discussion.

The Core Functional Areas of MacForensicsLab

-Preferences Window
-Main Window
-Acquire Window
-Search Window
-Analyze Window
-Salvage Window
-Browse Window
-Audit Window
-Hash Window
-Bookmarks & Notes
-Database Window



The Preferences Window



The Preferences Window

This lesson will cover the Preferences Window settings and configuration.

Overview

The ‘Preferences’ window allows the examiner to set up and manage both individual cases and
examiners within MacForensicsLab. In addition, it enables the examiner to configure MacForensicsLab
database settings and even configure an e-mail based notification feature.

Finding the Preferences Window

The ‘Preferences’ window will, by default, appear at start-up once the MacForensicsLab splash screen
has disappeared. To return to the ‘Preferences’ window after progressing to the ‘Main’ window, the
examiner must select “Preferences” from the MacForensicsLab application drop menu, or use the
keyboard shortcut [apple key] + [comma]. In order to disable the ‘Preferences’ window from appearing
at start-up the investigator should deselect the “Show this window at start-up” check box in the bottom
left hand corner of the window.



The Preference Window Layout

The Preference Window has four sections, each containing its own preference information. The four
sections are: Database (1), Examiners (2), Cases (3) and eMail (4).



The Database Preference Pane

By default the Database will be disabled (1).



Configuring a Local Database File

MacForensicsLab allows the examiner to harness the power of a database solution without having to
associate with a remote database. The creation of a local database file enables examiners to take
advantage of a database while not requiring the infrastructure incurred with larger solutions.

To create a local database file, select Local File (1), and then "Create." (2)



Selecting a Location for the Local Database File

Once you select "Create" in the previous step, a navigation box will appear allowing the examiner to
select the location of the local database file (by default it will place the file in the Documents folder,
named MacForeniscsLab Database.rsd).



Checking the Local File Database Path

Once the examiner has chosen a location for the Local Database file to be stored, they are returned to
the Database Window, where the path chosen is displayed (1).



REAL SQL Setup

If the examiner has access to a REAL SQL database, then MacForensicsLab allows for seamless
integration. Select the REAL SQL tab (1). Then, by filling out the form fields (2) and selecting the
"Connect" button (3), the examiner will be able to take advantage of the power of the REAL SQL
database.



MySQL Setup

If the examiner has access to a MySQL database, then MacForensicsLab allows for seamless integration.
Select the MySQL tab (1). Then, by filling out the form fields (2) and selecting the "Connect" button (3),
the examiner will be able to take advantage of the power of the MySQL database.



The Examiners Tab

Select the Examiners Tab (1). The Examiners Tab is where an examiner enters their identifiable
information. By default, there is a "Default" examiner (2). To add an examiner, select the "+" radio
button (3) and a pop-up window will appear.



Configuring Examiner Specific Data

The pop-up window allows the examiner to enter specific information by filling out the form fields (1). It
should be noted that these fields can be changed at any time by selecting the "edit" button from within
the Examiner's tab. Likewise, it is important to note that none of these fields are required.



Save the Form

Once the examiner specific form fields are filled out, select the "Save" button, thus returning the
examiner to the Preferences Window.



Confirm the Correct User

The user information entered will be reflected under the Examiners Tab (1), which is where you will be
automatically returned to upon selecting "Save" in the previous step.



The Cases Tab

To add a case, select the "Cases" Tab (1) from the Preferences window and select the "+" button (2).
Once selected, a pop-up window will appear.



Fill Out Case Details

The Case Details window has two sections, the Case ID (1) and the Description (2). The Case ID
represents a field where the examiner would enter the case number. The Case Description field is a
simple text field enabling the examiner to input additional case information.



Complete Case Details Pop-up

Complete the Case Details pop-up window and select "Save."



Verify Case Information

Upon completing the previous step, the examiner is returned to the Preferences Pane, wherein he/she
can verify the correct case is selected (1).



eMail Tab Setup

By selecting the eMail tab (1), filling out the form fields (2) and testing the connection (3), the
examiner is now able to receive password notification when MacForensicsLab has completed its current
process. Once configured, press "Continue" (4).



The Main Window



The Main Window

This lesson will describe the layout and functionality of MacForensicsLab's Main Window.

Overview

The ‘Main’ window is the starting point after accessing a case and provides the investigator with a
detailed view of the system, any devices or disk images attached to it and their directory and file
structure. It is from the ‘Main’ window that the investigator will gain full access to the wide array of
functions and features that MacForensicsLab provides, each of which will be covered in subsequent
chapters of this manual.

When working with the ‘Main’ window, the investigator should maximize the view of the window either
by clicking the green maximize button at the top left of the window, or by using the resize handle at the
bottom right. Such a move will lessen the need to scroll up and down the various panels.

The Main Window Layout

There are 3 key sections to the layout of the ‘Main’ window:

-The ‘Access’ panels (Devices and Files),
-The ‘Explorer’ panel,
-The ‘Buttons’ panel.

The Access Panel - Devices Tab

In the Main Window, there are two buttons: "Devices" (1) and "Files" (2). As depicted above the Device
button lists all devices (with their respective partitions and volumes) attached to the machine in the
leftmost pane (3). When a device is selected the corresponding device details appear in the Explorer
portion of the window (4).

The following information is specified:

Display Name – The volume title
Mounted – Status (true or false)
Leaf
Writable – Write Status (yes or no)
Partition ID
Preferred Block Size
BSD Major & Minor
BSD Name – Mount point
Size – in bytes
Content & Content Hint – Format type and hint
Removable & Ejectable – Status (yes or no)
BSD Unit
Whole
Drive Title – manufacturer’s model number
Serial – manufacturer’s serial number
Used - The amount of drive space used
Available - The amount of drive space currently available
Percentage - The percentage of drive space used

The Access Panel - Files Tab

When the Files Tab (1) is selected the leftmost portion of the window lists shortcuts (2) to volumes and
user folders, with the Explorer portion of the window (3) allowing for viewing of the directory structure
and individual files, along with their corresponding information (such as date/times, permissions, etc.).

The following information is specified:

File Name - full filename with extension.
File Size - in bytes, whilst folders display the total items inside them within brackets - hidden files are
included.
Mac Creator Code - the OS creator application code.
Mac Type - the OS file type.
Header - the first 32 characters of the file.
CRC - the Cyclic Redundancy Check checksum value of the ‘Header’.
File Reference - starting block number for the file.
User ID - OS user id for file owner permission.
Group ID - OS group id for file access permission.
Finder Flags - OS finder settings.
Permissions - OS permissions for read, write and execution of file.
Creation Date - Date when file/folder was created.
Modification Date - Date when file/folder was modified.

Each column can be sorted in both directions by clicking the column header.

The Buttons Panel

The ‘Buttons’ panel provides the examiner with access to selected core functions of MacForensicsLab.
Each button in turn will be highlighted and accessible, or greyed out and disabled, dependent on the
item selected by the examiner in either of the ‘Access’ panels.

The Acquire Function

The Acquire Function

This lesson will discuss the acquire capabilities of MacForensicsLab.

Overview

MacForensicsLab can work with original devices and media, as well as disk image copies of these
same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect
drive is protected, by allowing the investigator to create a disk image for analysis and investigation,
rather than having to work with the suspect drive.

In performing the acquisition scan, ‘Acquire’ benefits from a number of features. These include
checksum hashing for validation, the ability to create a separate golden master, the ability to create a
smeared image in an environment where a volume cannot be unmounted, segmentation for ease of
backup to alternative media, and proprietary fault tolerant bad block recovery to work around faults,
thus allowing the examiner to create disk images from damaged media or resume a previous acquire
attempt that failed due to faulty media and/or electrical shortages.

Creating a Disk Image

When creating a disk image, the investigator can do so directly from either a partition or device, though it
is recommended that copies be made of an entire device rather than of individual partitions.

Having selected the respective device or partition from the ‘Device’ panel the examiner must press the
Acquire button, bringing the function window to the fore.

In performing an acquisition the examiner can set a number of options:

Segment Size - This refers to the amount of data on each acquired image, thus allowing the
investigator to separate his or her acquisition into multiple images. Each segment can then be limited to
a specific data size, thus allowing for easier backup, for example, if the investigator plans to burn the
image to a set of DVDs. To do so the investigator need only select the “4.36 GB (DVD-R/DVD+R)”
option from the popup list.

Packet Size – Refers to data intervals at which MacForensicsLab will perform a checksum validation
on the data being written to the acquisition image. A lower setting means many more checksum
verifications are performed, thus improving overall data integrity but reducing the overall speed of the
acquisition.

Smeared Image – Allows the investigator to generate an image from a drive that cannot be unmounted,
or that he or she does not wish to unmount. This would apply, for example, when the investigator
wishes to acquire the main volume on an operational file server that cannot be taken offline, so as to
avoid alerting users to the actions of the investigator.

Golden Master - In addition to the working copy, this option allows the investigator to save an extra
disk image copy for other purposes.

Resume a Previous Recover – Provides the examiner with the option to continue on from a previous
acquisition, if, for whatever reason, the prior acquisition process was interrupted. This means that the
‘Open’ dialog window rather than the ‘Save’ dialog window will appear when the acquisition is initiated.

Having made the desired changes to the presets, click the Start button to begin the acquisition process.
This will bring up a ‘save file’ dialog box, if creating the image rather than resuming, and the
investigator will be prompted to enter a filename for the disk image. By default the file name appears as
“Disk Image”; select and edit this to a preferred name and then choose a location into which to save the
disk image. Then click Save and the process will begin.

Note: always be sure to save the disk image to a location other than the device being imaged. Also,
make sure that the device to which the new disk image is being saved has enough storage space. The
acquisition of a 60GB hard drive will require the destination disk to have a minimum of 60GB of free
capacity.

Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to
unmount the selected volume or volumes of the selected device. A status bar then marks the progress
of the acquisition, along with a variety of other information. This information includes: checksum
mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity;
approximate current data transfer rate; and total time remaining till acquisition completed.

During the process of acquisition a DAT file is created in the same location as the image file, and
contains checksum data for the disk image. It is a small file and takes up less than 25 KB of space and
is deleted after the acquisition process is complete.

Once the acquisition has completed, a dialog window will notify the investigator and provide an error
count. The investigator should simply take note of this and then close the dialog box by clicking Close,
returning to the ‘Main’ window. The disk image can then be found in the previously specified location.
By default the disk image file/segments will be locked, thus preventing further modification or deletion.
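The segment, packet-checksum and DAT-file mechanics described above can be modelled in a few lines. The following Python is an added example written for this page, not MacForensicsLab code: the per-packet SHA-256 sidecar, the constructed device buffer and the segment/packet sizes are assumptions of the example, not the product's actual DAT format.

```python
import hashlib
import io
from typing import Dict, List

# Constructed sample "device": 10,000 bytes of deterministic pseudo-data.
SAMPLE_DEVICE = bytes((i * 31 + 7) & 0xFF for i in range(10_000))


def acquire(device: bytes, segment_size: int, packet_size: int) -> Dict:
    """Image `device` into segments of at most segment_size bytes.

    Every packet (the checksum interval) gets its own SHA-256 in a DAT-like
    sidecar record, and MD5/SHA1/SHA256 are computed over the whole image so
    that segmentation does not change the evidential hash.
    """
    if segment_size <= 0 or packet_size <= 0:
        raise ValueError("segment and packet sizes must be positive")
    stream = io.BytesIO(device)
    segments: List[bytes] = []
    packets: List[str] = []
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    while True:
        seg = stream.read(segment_size)
        if not seg:
            break
        segments.append(seg)
        # Smaller packet_size -> more checksums -> stronger integrity, slower run.
        for off in range(0, len(seg), packet_size):
            packets.append(hashlib.sha256(seg[off:off + packet_size]).hexdigest())
        for h in (md5, sha1, sha256):
            h.update(seg)
    dat = {
        "segment_size": segment_size,
        "packet_size": packet_size,
        "total_bytes": len(device),
        "packets": packets,          # constructed sidecar layout (assumption)
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }
    return {"segments": segments, "dat": dat}


def verify(segments: List[bytes], dat: Dict) -> Dict:
    """Re-check every packet and the whole image against the DAT record.

    Returns counters in the spirit of the acquisition status display:
    checksum mismatches, packets checked, bytes copied, and whether the
    reassembled image still matches the recorded SHA-256 and size.
    """
    mismatches = 0
    idx = 0
    total = 0
    sha256 = hashlib.sha256()
    for seg in segments:
        for off in range(0, len(seg), dat["packet_size"]):
            digest = hashlib.sha256(seg[off:off + dat["packet_size"]]).hexdigest()
            if idx >= len(dat["packets"]) or digest != dat["packets"][idx]:
                mismatches += 1
            idx += 1
        sha256.update(seg)
        total += len(seg)
    return {
        "checksum_mismatches": mismatches,
        "packets_checked": idx,
        "bytes_copied": total,
        "image_hash_ok": total == dat["total_bytes"] and sha256.hexdigest() == dat["sha256"],
    }


if __name__ == "__main__":
    result = acquire(SAMPLE_DEVICE, segment_size=4096, packet_size=512)
    print([len(s) for s in result["segments"]], verify(result["segments"], result["dat"]))
```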

Attaching Disk Images

Once an image file or segment thereof has been created, the investigator will want to prepare it for
analysis. In order to do this the investigator must attach the disk image and mount it in the Finder.

To access the disk image, whilst in the ‘Main’ window, select “Attach Disk Image” from the File menu,
or use the keyboard shortcut [Apple Key] + [t]; then navigate to the disk image in the open dialog
window that appears as a result, select the image file and then click "Open." Using this method avoids
the need to unlock and lock the image file from the Finder. After mounting disk images, the investigator
may need to force MacForensicsLab to rescan for new devices or images; this can be done either by
selecting “Rescan Bus” from the file menu, or with the keyboard shortcut [apple key] + [r].

To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window,
followed by “Detach” from the File menu. Alternatively, select the disk image in the main window and
use the keyboard shortcut [apple key] + [d].

The Search Function

The Search Function

This lesson will discuss the search functionality of MacForensicsLab.

Overview

The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to
scan a directory, gather evidence and bookmark that same data for later reference. This helps the
examiner to quickly and easily zero in on suspect material. In performing the function,
MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file
information and hash values as it scans.

The Search Window Layout

The ‘Search’ window can be split into 5 core portions:

(1) -Search Filter
(2) -Search Terms
(3) -Browse Results
(4) -Bookmarks
(5) -Hash Keys

Search Filter Panel

The ‘Search Filter’ panel is the part of the ‘Search’ window within which the investigator may establish
criteria by which to filter the results of the search scan. Filters are based on standard file information,
such as, but not limited to: filename; size; date of creation.

Search Terms Panel

The ‘Search Terms’ panel is the portion of the ‘Search’ window within which the investigator can
manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the
files being scanned. The investigator may also quickly and easily select either of two check boxes to
search for standard credit card and social security number formats respectively as well as being able to
import large databases of terms.

Browse Results

It is now possible to open the results of a searching procedure directly into a browse window making it
easier to manually review the results and to perform some manual bookmarking procedures to better
identify potential evidence for future reference.

Bookmarks Panel

When performing a search scan the investigator can use the options contained within the ‘Bookmarks’
panel to auto-generate bookmarks of matched items, and so make them available for easy reference at
a later date. The text area below the folder drop down is designed for comments or a description
pertaining to your customized bookmarks folder.

Hash Panel

The ‘Hash’ panel allows the investigator to define the auto-hashing options for a search scan. Options
include adding the hashed file values to the internal database, as well as the ability to export these to
an external log file.

Using Custom Search Terms and Filters

In order to zero in on areas of particular interest Positive and Negative filters can be applied using
custom checksum databases or those provided by the National Software Reference Library.

Available ‘Search Filters’ include all those in the Log File Format Fields:

-Name
-Creation Date
-Modification Date
-Header
-CRC
-MD5
-SHA1
-SHA256
-Data Size
-Resource Size
-Owner
-Mac Creator
-Mac Type
-Absolute Path
-UID
-GUID
-Permissions

Each of these filter types can be applied against the following operators:

-Is Equal To
-Is Not Equal To
-Contains
-Does Not Contain
-Is Less Than
-Is Greater Than
-Is in database
-Is not in database

Quick Tip: Foreign Languages

MacForensicsLab has the ability to handle filtering based on foreign multi-byte character sets such as
Russian, Arabic and Chinese, not just English.
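The filter fields and operators listed above, including the positive/negative checksum-database filters and the multi-byte filename tip, can be exercised against a handful of file records. This Python is an added example for this page, not MacForensicsLab's own filter engine: the file records and the "known file" MD5 set are constructed stand-ins for a scanned volume and an NSRL or custom checksum database, and combining several filters with AND, plus case-insensitive "Contains", are assumptions of the example.

```python
import hashlib
from typing import Any, Callable, Dict, List, Set, Tuple

# Constructed "known file" MD5 set, standing in for an NSRL or custom checksum DB.
KNOWN_MD5: Set[str] = {
    hashlib.md5(b"constructed stock system library").hexdigest(),
    hashlib.md5(b"constructed stock application binary").hexdigest(),
}


def record(name: str, content: bytes, path: str, size: int = None,
           mac_type: str = "", owner: str = "alice") -> Dict[str, Any]:
    """Build one file record using the manual's Log File Format field names."""
    return {
        "Name": name,
        "MD5": hashlib.md5(content).hexdigest(),
        "Data Size": len(content) if size is None else size,
        "Absolute Path": path,
        "Mac Type": mac_type,
        "Owner": owner,
    }


# Constructed records for a pretend scan of one volume.
FILES: List[Dict[str, Any]] = [
    record("libSystem.B.dylib", b"constructed stock system library",
           "/usr/lib/libSystem.B.dylib", size=2_400_000, owner="root"),
    record("Safari", b"constructed stock application binary",
           "/Applications/Safari.app/Contents/MacOS/Safari", size=38_000_000, owner="root"),
    record("report.doc", b"quarterly report draft " * 400,
           "/Users/alice/Documents/report.doc", mac_type="W8BN"),
    record("notes.txt", b"meeting notes", "/Users/alice/Desktop/notes.txt", mac_type="TEXT"),
    # Multi-byte (Cyrillic) filename, as the foreign-language tip describes.
    record("отчёт.doc", b"draft", "/Users/alice/Documents/отчёт.doc", mac_type="W8BN"),
]

Filter = Tuple[str, str, Any]  # (field, operator, value), one row of the Search Filter panel

# The eight operators from the manual; "Contains" is case-insensitive here (assumption).
OPERATORS: Dict[str, Callable[[Any, Any, Set[str]], bool]] = {
    "Is Equal To":        lambda v, t, db: v == t,
    "Is Not Equal To":    lambda v, t, db: v != t,
    "Contains":           lambda v, t, db: str(t).lower() in str(v).lower(),
    "Does Not Contain":   lambda v, t, db: str(t).lower() not in str(v).lower(),
    "Is Less Than":       lambda v, t, db: v < t,
    "Is Greater Than":    lambda v, t, db: v > t,
    "Is in database":     lambda v, t, db: v in db,      # positive filter
    "Is not in database": lambda v, t, db: v not in db,  # negative filter
}


def apply_filters(files: List[Dict[str, Any]], filters: List[Filter],
                  db: Set[str] = KNOWN_MD5) -> List[Dict[str, Any]]:
    """Return the records that satisfy every filter (AND semantics, an assumption
    of this example; the manual does not state how multiple filters combine)."""
    matched = []
    for rec in files:
        keep = True
        for field, op, value in filters:
            if op not in OPERATORS:
                raise ValueError(f"unknown operator: {op}")
            if field not in rec or not OPERATORS[op](rec[field], value, db):
                keep = False
                break
        if keep:
            matched.append(rec)
    return matched


def names(records: List[Dict[str, Any]]) -> List[str]:
    return [r["Name"] for r in records]


if __name__ == "__main__":
    # Negative filter: drop everything the known-file database already accounts for.
    print(names(apply_filters(FILES, [("MD5", "Is not in database", None)])))
```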

Adding & Removing Search Filters & Items

Clicking the (+) button underneath the desired pane will create a new filter/item at the bottom of the
current list, after which the investigator can manually edit the filter/item details. To remove an individual
filter, select the respective item and then press the (-) button. Clearing an entire list is equally simple;
just click the (clear) button under the desired panel. This will, without warning, remove all the items
from the list.

Importing A Custom ‘Search Item’ Database

To import a custom checksum database, simply click the Import button at the bottom of the ‘Search
Items’ panel. This will bring up an open file dialog box from which the investigator can locate and select
the required file. Upon import the information in the database file will populate the ‘Items’ pane.

Searching for Credit Card and Social Security Numbers


In order to ensure that all files containing either credit card or social security numbers are searched and
possibly bookmarked the investigator must tick either or both of the respective checkboxes in the
‘Search Items’ panel.

Auto-Bookmarking Files

When scanning directories, the search function can be used to auto-generate bookmarks for reference
at a later time in the investigation.

To add the items as bookmarks to a respective group, the investigator must tick the “Bookmark”
checkbox in the ‘Bookmarks’ panel and then select a bookmark group from the drop down menu. If a
new group is required, the investigator should create it through the Bookmarks menu (please refer to
the chapter on Bookmarks for more detail).

Performing The Search Operation

Having selected the partition or directory structure for searching, clicked the Search button in the ‘Main’
window, bringing the ‘Search’ window to the fore, and having set up the window with the desired
‘Search Items’, ‘Search Filters’, bookmarking and hashing options, the investigator should be ready to
perform the search operation. To initiate the process, he or she should click the highlighted Search
button on the bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the
investigator will be prompted to define a file name and save location for the exported hash text file
before the scan proceeds.

Once the process of scanning and searching the items found has completed, the investigator will be
prompted with a screen advising them as such, which once closed will take him or her back to the
‘Main’ window.

The Analyze Function

The Analyze Function

This lesson will discuss the Analyze Function within MacForensicsLab.

Overview

There will come a point in the case when an investigator may wish to analyze the file data
block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and
evidence located, the investigator can then export and/or hash the requisite section of the drive to file
for safekeeping and later use or further analysis.

The Analyze Window Layout

The analysis window can be split into 4 core sections:

(1) -‘Block View’ pane
(2) -‘Search Fields’ pane
(3) -‘Search Results’ pane
(4) -The ‘Hash Fields’

The Block View (Hex or Native)

The ‘Block View’ pane is the right-hand side of the ‘Analyze’ window and is where the investigator
can read block data either piece by piece in ‘Hex’ mode or in its entirety with ‘Native’ view. The
investigator can easily flip between the two separate views by using the tabs directly above the pane.
Native view allows files such as images and movies to be viewed as is, with controllers where
necessary for audio and video.

Search Fields Pane

The ‘Search Fields’ pane contains a number of elements that are of use to the examiner:

Search Fields Pane – The first is the ‘Search Fields’ pane, which contains the working list of search
terms (or filters) with which to analyze the data blocks. This is split into 2 columns: format and term.
Format refers to whether the string in term should be pattern matched against the HEX content or the
ASCII content of the blocks. Term refers to the content of the string that is going to be pattern matched
against the blocks in that format, usually a word.

As previously mentioned, MacForensicsLab has the ability to handle foreign language multi-byte
character sets such as those used in Russian, Arabic and Oriental languages when searching.

Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the
search fields in that pane.

-Clear to clear all of the search fields in the window above
-Import to bring up a dialog box and import a search terms database file
-Plus to manually add individual search fields
-Minus to individually delete each selected search field

Quick Tip: Saving Search Fields

The ‘Search Fields’ in the ‘Analyze’ window are retained from one investigative session to the next.

Hash Fields

The ‘Hash Fields’ are located to the left-hand side of the window, directly below the ‘Search Results’
pane. The investigator can use the Hash button to generate the respective hash records (MD5, SHA1,
SHA256) and then copy and paste into his or her database.

Search Results Pane

The ‘Search Results’ pane permits the investigator to access very quickly and easily any of the hits that
are generated as a result of the terms used in the search. To view a specific block entry in the ‘Block
View’ pane, click on the individual result item and the block data will load into the HEX/ASCII viewer in
the central panel.

Search File Data

When investigating files with the ‘Analyze’ window it is possible for the examiner to search for strings
within the blocks of data that make up the file.

Individual Search Terms

To do so, the investigator must click the (+) button below the ‘search fields’ pane; this will add a new
field. After this, the investigator should define the search term type (text or hex) by clicking the up/down
arrows in the centre of the search term row, followed by typing in a unique search term string in the text
entry field to the right hand side of the arrows.

This can be repeated multiple times, building up as complex a filter mechanism as required. If items are
added in error, the investigator can easily remove them by selecting each one in turn and then clicking
the (-) button located under the ‘Search Terms’ pane. When ready, and having defined the maximum
size of the result set in the “Limit” text entry field, the investigator can proceed by clicking Search.
Whilst processing the data, the investigator will see a progress bar, and upon completion of the search
the results will appear in the ‘Search Results’ pane.

Importing Custom Search Lists

Though an investigator might find it useful to create search terms in an ad hoc manner, as discoveries
in the case investigation necessitate, at some point he or she will want a more in-depth search, based
on hundreds, if not thousands, of search terms. The best way to achieve this is to import custom
search lists.

Custom search lists are essentially just ‘CSV Text’ files with each individual search term on a new line.
Custom search lists are also a great way to keep a database of useful terms and means that running a
productive analysis or cataloguing on a suspect device is a process that is no more than just a few
clicks away from getting started.

To import a list, click on the Import button to the middle of the ‘Search Terms’ drawer. This will bring up
a ‘Find File’ dialog box. Once the investigator has found the file, click ‘Open’.

Each individual line item will then appear as an individual term in the ‘Search Terms’ pane. The
investigator then has to define whether each term is in ASCII or HEX format, though they are all
imported as ASCII Text format content by default.

Credit Card and Social Security Number Search

By selecting the respective checkboxes below the ‘Search Fields’ pane it is possible for the investigator
to have MacForensicsLab look for and find credit card and social security numbers during the search
process.
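The block-by-block term search (ASCII and HEX terms, the custom one-term-per-line search list, the "Limit" on the result set) and the credit card / social security number checkboxes described in this chapter and in the Search chapter can be shown together on constructed data. The Python below is an added example for this page, not MacForensicsLab code: the 512-byte block size, the "hex:" line prefix for HEX terms in the imported list, the card-number and SSN patterns, and the sample blocks are all assumptions of the example (the card number used is the well-known 4111 test number, and the SSN is the standard sample value).

```python
import re
from typing import Dict, List

BLOCK_SIZE = 512  # assumed block size for this example


def parse_search_list(text: str) -> List[Dict]:
    """Parse a custom search list: one term per line, ASCII by default (as the
    manual describes). An assumed "hex:" prefix marks a HEX term in this example."""
    terms = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("hex:"):
            terms.append({"format": "HEX", "term": bytes.fromhex(line[4:])})
        else:
            terms.append({"format": "ASCII", "term": line.encode("utf-8")})
    return terms


def luhn_ok(digits: str) -> bool:
    """Luhn check: drops digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-16 digits with optional single space/dash separators, not adjoining other digits.
CC_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def search_blocks(data: bytes, terms: List[Dict], block_size: int = BLOCK_SIZE,
                  find_cc: bool = False, find_ssn: bool = False, limit: int = 100) -> List[Dict]:
    """Scan `data` block by block for each term and, optionally, card/SSN patterns.

    Each hit records the block number, offset within the block, kind
    (ASCII/HEX/CC/SSN) and the matched text. A value that straddles a block
    boundary is not found by a per-block scan; that is a real limitation to
    remember when reading block-level results.
    """
    hits: List[Dict] = []
    n_blocks = (len(data) + block_size - 1) // block_size
    for blk in range(n_blocks):
        block = data[blk * block_size:(blk + 1) * block_size]
        for t in terms:
            off = block.find(t["term"])
            while off != -1:
                shown = t["term"].hex() if t["format"] == "HEX" else t["term"].decode("utf-8")
                hits.append({"block": blk, "offset": off, "kind": t["format"], "match": shown})
                off = block.find(t["term"], off + 1)
        if find_cc:
            for m in CC_RE.finditer(block):
                digits = re.sub(rb"[ -]", b"", m.group()).decode()
                if luhn_ok(digits):  # skip runs that merely look like a card number
                    hits.append({"block": blk, "offset": m.start(), "kind": "CC", "match": digits})
        if find_ssn:
            for m in SSN_RE.finditer(block):
                hits.append({"block": blk, "offset": m.start(), "kind": "SSN",
                             "match": m.group().decode()})
        if len(hits) >= limit:  # honour the result-set "Limit"
            return hits[:limit]
    return hits


# Constructed sample data: three 512-byte blocks standing in for a file's blocks.
SAMPLE_DATA = (
    b"Invoice 2024: customer card 4111 1111 1111 1111 exp 12/29, project secret-alpha"
    .ljust(BLOCK_SIZE, b"\x00")
    + b"scratch area 5555 5555 5555 5555 fails Luhn so it is not reported as a card"
    .ljust(BLOCK_SIZE, b"\x00")
    + b"HR: employee SSN 123-45-6789 on file; secret memo attached"
    .ljust(BLOCK_SIZE, b"\x00")
)

if __name__ == "__main__":
    terms = parse_search_list("secret\nhex:53534e\n")  # ASCII "secret", HEX bytes for "SSN"
    for hit in search_blocks(SAMPLE_DATA, terms, find_cc=True, find_ssn=True):
        print(hit)
```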

Performing the Search

Once the search terms have been defined in the ‘Search Fields’ pane, either individually or by import,
and when the other settings have been defined, the investigator need only click the now enabled
Search button to perform the search. Once the scan is complete the results will appear in the ‘Search
Results’ pane.

Hashing Data

Clicking the Hash button in the buttons bar of the ‘Analyze’ window invokes a hashing process that
returns the results for an MD5, SHA1 and SHA256 in the ‘Hash’ fields for the entire file or device the
investigator is reviewing.

Needless to say the smaller the data source that requires hashing, the quicker the process will be; the
hashing process can of course be tracked through the progress bar which appears whilst in operation,
the hash results of which will remain in place until the investigator closes the ‘Analyze’ window.

Exporting Data

When the investigator is ready to export the block-set being analyzed, he or she can do so very easily
by clicking the "Export" button. Doing so will then invoke the ‘Export’ window, bringing it to the fore.

The available options on the ‘Export’ window allow the investigator the choice of exporting the
selected blocks either in part or in whole. This is done by moving the respective start (1) and length (2)
sliders to the desired position on the axis, or by manually entering the start or end points in the text
entry fields.

Once ready, the examiner need only click "Export" (3), bringing a ‘Save’ dialog to the fore. Having given
the file a name and a location into which to be saved, clicking the Save button will complete the export
process.

It is advisable to rename the default export filename and to apply a suffix to the name so that Mac OS
or any other operating system can more easily recognize the expected file type and open it with the
appropriate application.

Upon completion a message will pop to the fore and the user can simply close this and continue on with
the investigation ana

The Salvage Function

The Salvage Function

This lesson discusses the Salvage function contained within MacForensicsLab.

Overview

MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable
files held within it, whether erased or not, and then recover the pre-selected files to a selected
destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find
as many recoverable files as possible, as well as scanning through a single directory structure.

The Salvage Window

The Salvage window is divided into upper (1) and lower sections (2). The upper section is responsible
for the settings Salvage will invoke upon starting. These settings include "Supported File Formats," (3)
"Import a Prior Scan," (4) and "Start a New Scan." (5) In addition, these settings can be further defined
to search against a device, folder, free space only (6) or to search for embedded files (7).

The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a
File Previewer application will open and attempt to show the file in its native format. Once the files to
be salvaged are determined, the "Salvage Selected Files" button (8) is invoked.

Save the Scan

Once you have scanned for files that Salvage can recover, a window appears asking if you'd like to
save the results of the scan. If you are not going to Salvage all files possible, it is a good idea to save
the results of the scan. This process will save time later if the examiner needs to go back and Salvage
additional files from the case.

Choose Destination

Once the examiner has opted to save the scan results, a pop-up window appears asking for a
destination for the scan results to be saved; once input, select "Save."

Examine Files by Type

As illustrated above, all possible files are divided by type and number.

File Previewer

Once a particular file is selected for review, the File Previewer application is launched allowing the
examiner to preview the file in question.

Select Files for Salvage

Highlight the files to be Salvaged (1) and select the "Salvage selected files" button (2).

Save Salvaged Files

Once the files for Salvage have been selected, a navigation box appears allowing the examiner to
select the location to which the Salvaged files will be exported.

Filename Rebuilder

Once the files have been Salvaged, MacForensicsLab provides an optional process to attempt to
rename the files based on the metadata contained within the files. If the examiner does not wish to do
this, simply select "Cancel" (1); conversely, by selecting "OK" (2) MacForensicsLab will attempt to
rebuild all file names.

Reviewing Salvaged Files

The Salvaged files are exported, by default, into a folder titled "Salvage (day of the week) and
(month/day/year)". Contained within that folder are subfolders broken down by file type for easy review
and categorization.

The Browse Function

The Browse Function

This lesson will describe the core functionality of the Browse function of MacForensicsLab.

Overview

The ‘Browse’ window provides the examiner with an exceedingly quick and easy way to search for files
(primarily images and multimedia) in directories, view the results found based on the preset search
criteria, bookmark, make notes and even perform closer analysis.

The Browse Window

The Browse window allows the examiner a range of variable options to include in his/her search. These
options include:

File Checks (1):
-File size (min-max range in kilobytes)

Image Checks:
-Image-only results (yes or no) (2)
-Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)
-Skintone (min-max range in percent - 15% is the default) (5)

To invoke the Browse function, select the "Browse" (6) button at the bottom of the window.

After clicking Browse, as MacForensicsLab scans the selected location for matching files, a progress
dialog will be displayed providing the examiner with a status report. If the examiner needs to end the
scan prematurely, clicking the Cancel button under the progress bar will end the scan and return to the
‘Main’ window. When the scan is complete a finish prompt will appear and a chime will sound; upon
clicking OK the prompt will close and the ‘Browse’ window will come to the fore.

Reviewing the Results

Upon completion, the Browse window will display a thumbnail view of all files meeting the
aforementioned criteria set forth by the examiner. When an image is selected, it is highlighted in red (as
seen above) and the metadata for that file appears on the right (1).

Bookmarking the Findings

Once the appropriate images are highlighted, the examiner can bookmark the results by choosing
"Bookmarks" from the Main window or using the keyboard shortcut of command + d. In the above
example, a bookmark labeled "images" (1) was created, with a note "suspicious imges" (2) to save the
previously selected file.

Viewing Bookmark

The examiner can review the bookmark by navigating to the Bookmark window by selecting "Bookmark
-> Show All Bookmarks" from the Main window.

The Audit Function

The Audit Function

This lesson describes the Audit function of MacForensicsLab.

Overview

The Audit function enables the examiner to quickly and easily locate relevant OS artifacts as they
pertain to the system, the network and the user.

Getting Started

To invoke the Audit function, the examiner must select "Files" (1) and then, from the ‘Device’ pane of
the ‘Main’ window, the volume/partition (2) containing a valid user folder. Furthermore, the examiner
must select the "Users" folder (3) for the ‘Audit’ button to become enabled.

Invoking the Audit

Once the Audit button is enabled, the examiner can select a specific user (1), or if the system has
multiple users, he/she can check "Audit all users" (2), then select the "Audit" button (3).

Locate Audit Results

The results of the Audit are stored in the MacForensicsLab database. To access the database from the
MacForensicsLab Main window select "Window -> Database" or use the keyboard shortcut of
"shift+command+d."

Review Audit Findings

To review the findings of the Audit, select a user, then scroll up or down to view the results. The
examiner can highlight findings of interest and export them out to a file by selecting the "Export" button.

Generate a Report

Once the "Export" button is invoked, a dialogue box appears allowing the examiner to choose between
an HTML or Plain Text report. Once decided, select "OK."

Save Report

Select a location to save the Audit report.

View the Report

Since an HTML report was selected in the example, a browser launches showing the report. All items
highlighted and exported are hyperlinked under the "Table of Contents" located to the right.

Reviewing the Hyperlinks

The examiner can select any hyperlink and be taken directly to that portion of the report.

The Hash Function

The Hash Function

This lesson will describe the hash function contained within MacForensicsLab.

Using the Hash Function

The Hash functionality is a new feature added in MacForensicsLab 2.9. This button allows the examiner
to quickly and easily create a hash of any device or file by highlighting it (1) and invoking the "Hash"
button (2).

Reviewing the Hash

Once completed, the Hash window appears, displaying the path of the file, md5, SHA1 and SHA256
hashes respectively.

Saving the Results

The results of the hash can be either saved out as a text file or added directly to the hash database. To
export, simply select "Save" and navigate to where the file is to be saved.

Bookmarks

Bookmarks

This lesson will cover Bookmarks within MacForensicsLab.

Overview

MacForensicsLab uses bookmarks to assist the examiner in collecting files of investigative interest. It is
possible to bookmark files and directories for reference and examination at a later time in the case.
Likewise, the examiner can bookmark any file or folder, or groups of files. You cannot bookmark
devices or specific blocks within a device.

Locating the Bookmarks

The bookmarks can be viewed and managed from the ‘Bookmarks’ window and are accessible at any
time by selecting “Show All Bookmarks …” from the Bookmarks menu, or by using the keyboard
shortcut "command + option + b."

The Bookmark Window Layout

The ‘Bookmarks’ window is divided into 4 clear portions:

-The folders/groups pane (1)
-The folder note pane (2)
-The bookmark detail pane (3)
-The bookmark note pane (4)

The Folders Pane & Folder Note Pane


Bookmarks can be grouped together using folders. These are listed in the Folders Pane (1). When
individually selected, the notes for the respective folder, in editable form, can be seen in the ‘Folder
Notes’ pane, directly below (2), while the grouped bookmarks can be seen in the ‘Bookmarks’ pane to
the right (3).

The Bookmarks Pane & Bookmark Note Pane


Having selected an individual bookmark folder, the contents of the folder will be displayed in the
‘Bookmarks’ pane (3). Each bookmark is listed with: bookmark name, file path, file size and creation
date. Columns can of course be resized and sorted by the examiner simply by clicking on the
respective header or by dragging the column separators to the desired size. Having selected a
bookmark, the notes for the bookmark item will be displayed, in editable form, in the ‘Bookmark Note’
pane (4).

Resizing Panes
In order to maximize viewing space the examiner can resize the partitions between all four panes of the
‘Bookmarks’ window. To do so, the examiner should click & drag the resize handle of the respective
separator, thus being able to minimize and maximize the required viewing space for each pane.



Managing Bookmark Folders

Adding Bookmark Folders


Bookmark folders can be added in one of two ways. The first is to use the ‘Add Bookmark Folder…’
window and the second is to do so from the ‘Bookmarks’ window itself.

Via the ‘Add Bookmark Folder…’ Window


When working with the other functions in MacForensicsLab, it is quickest and easiest to invoke the ‘Add
Bookmark Folder…’ window from Bookmarks menu or use the keyboard shortcut: "command + shift +
n."

If adding a new folder while creating a new bookmark, then simply click the (+) button below the folder
title option list in the ‘Add Bookmark’ window.

Once the ‘Add Bookmark Folder…’ window comes to the fore, the investigator need only enter the
name of the new folder into the “Name” text input field (1) and click Save (3). If desired, a note or
summary can be entered into the “Summary” text field (2) at the same time, or added later from the
‘Bookmarks’ window.



Via the ‘Bookmarks’ Window
The second way to add bookmark folders is to bring the ‘Bookmarks’ window to the fore, after which the
investigator must click the (+) button under the ‘Bookmark Folders’ pane. This will generate a new
folder with an empty title in the pane above ready with the text cursor in the entry field. Once the name
is complete, the investigator can either press Enter/Return or simply click out of the name entry field.
To add a summary, having created a new folder in this way, the investigator need only select the new
folder in the ‘Bookmark Folders’ pane and then enter his or her summary for the selected folder into the
‘Folder Note’ pane below.

Amending Bookmark Folder Names


Should the investigator wish to amend the name of the bookmark folder, he or she can do so from the
‘Bookmarks’ window by simply double-clicking on the respective bookmark folder’s name in the
‘Bookmark Folders’ pane and make the edits accordingly, before clicking out of the text entry field.

Removing Bookmark Folders


Removing bookmark folders, either collectively or individually, can be done from the ‘Bookmarks’
window.

Clearing ALL Folders


To clear ALL folders, and lose the bookmarks contained within them, the investigator must click the
(clear) button under the ‘Bookmark Folders’ pane, at which point MacForensicsLab will prompt him or
her to confirm the deletion - as it cannot be undone. Having clicked OK, the investigator will be returned
to the ‘Bookmarks’ window with a cleared ‘Bookmark Folders’ pane.

Clearing Individual Folders


To remove folders individually, the investigator must select each item in turn and click the (-) button
beneath the ‘Bookmark Folders’ pane. As before, there will be a prompt confirming the deletion and the
investigator need only click OK to follow through with the action.



Clearing Actions

Removing Bookmarks
Removing bookmarks, either collectively or individually, can be done from the ‘Bookmarks’ window.

Clearing ALL Bookmarks


To clear ALL bookmarks from within a bookmark folder, the investigator should select the desired
bookmark folder in the ‘Bookmark Folders’ pane and then click the (clear) button under the ‘Bookmarks’
pane (1), at which point MacForensicsLab will prompt him or her to confirm the request to delete ALL
bookmarks. Having clicked OK, the investigator will be returned to the ‘Bookmarks’ window with a
cleared ‘Bookmarks’ pane.

Clearing Individual Bookmarks


To remove bookmarks individually, the investigator must first select the relevant bookmark folder and
then, once the bookmarks load, select each item in turn and click the (-) button underneath the
‘Bookmarks’ pane (2). As before, there will be a prompt confirming the action and the investigator need
only click OK to follow through with the action.



Examiner Notes



Notes in MacForensicsLab

This lesson will describe the Note functionality contained within MacForensicsLab.

Overview

Case Notes allow the examiner to add comments and observations to the case file at any point during
the examination. Whether browsing the ‘Main’ window or in the middle of a lengthy acquisition, the
investigator can open the ‘Notes’ tab of the ‘Database’ window, using either the keyboard shortcut
("Command + n") or the ‘Window’ drop-down menu, make the desired entry, and return to the prior
screen when finished.

Opening Notes

To access the Notes window at any time during the investigation, select "Window -> Make Note" from the
Main window.



Notes Window Layout

The Notes Window is divided into three sections:

-The Database Tab (1)
-The Note Data Pane (2)
-The Note Information Section (3)



Adding and Removing Case Notes

To add a new note, the examiner need only click the (+) button at the bottom right hand side of the
upper ‘Notes Data’ pane (1) . This will generate a blank new entry, which the examiner needs to then
select and enter his or her notes into, using the lower ‘Note Entry’ pane (2). Having completed the
note, the examiner can then just close the ‘Database’ window and return to the previous screen.

Editing Case Notes


When necessary to edit a case note, select the individual note in the ‘Notes’ pane at the top of the
window. Once the note itself has loaded in the window below, the investigator is free to edit it at will.
Having finished any amendments, click out of the editor pane and the new version of the note will be
saved and changes logged.



Removing Case Notes
The examiner can remove individual notes, or clear the entire ‘Notes’ pane in one go. To remove an
individual note detail the examiner should select the note earmarked for removal and then click the (-)
button on the right-hand side below the ‘Notes’ pane (4). To remove all the details in one go, the
investigator should click the (Clear) button (3) on the right-hand side below the ‘Notes’ pane. In both
instances, the deletion will generate a warning prompt dialog, to which the investigator must confirm his
or her actions.

Refreshing the Notes Pane


When working in a centralized database environment, it is possible that the ‘Notes’ pane may become
out of sync with the listing in the database. To bring it up-to-date the investigator needs to click the
Refresh button (5) on the left-hand side below the ‘Notes’ pane.



The MacForensicsLab Database



The MacForensicsLab Database

This lesson will cover the organization and layout of the MacForensicsLab database.

Overview

Whichever database back end is enabled via the ‘Preferences’ window (local file, RealSQL server or
MySQL server), detailed logs are kept of every action and every point of interest, to support the
examiner in understanding and finally presenting their evidence. In the ‘Database’ window, the examiner
has full access to comprehensive details of what has been logged in the forensic examination to date.

Opening the Database

The MacForensicsLab database can be located, from the Main window by selecting "Window ->
Database" or using the keyboard shortcut of "shift+command+d."



The Database Window Layout

The ‘Database’ window can essentially be split into 2 parts:

The tab bar - consisting of the various database sections:

-Acquisition
-Analyze
-Audit
-Chronology
-Hash
-Notes
-Salvage

The viewing pane(s) - consisting of:

-Device information
-Date/time/description
-Data



Navigating through each individual database tab produces its own unique layout. Each screen’s layout
within the ‘Database’ window varies between a single pane with a columnar list and a triple paned
layout with bookmarks and note/native viewer.

Viewing the Database Sections

The Views
As each tab is clicked in turn the database will be read, either locally or centrally, and the contents
loaded into the new window layout; needless to say, the larger the dataset the longer the process of
fetching and loading the data will take to complete.

Accessible through the individual buttons of the tab bar in the ‘Database’ window are:

The Acquisition Log - lists the date and time of an acquisition process, a description of it and the
exact block details (offset, length, hash sum etc).

The Analyze Log - keeps track of the details of searches performed, as well as the results associated
with them. Details logged include: date and time, file location, results and the associated match and
offset.

The Audit Log - lists the date and time of an audit run, a description of it and the specific OS artifact
information gathered, including folder creation dates/times, network preferences, system settings, user
preferences, bookmarks, web caches, and much more.

The Chronology Log - lists all the events from the moment the case reference is set up to the latest
action performed in MacForensicsLab. It lists the date and time of the actions, the name of the
examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the
actions.

The Hash Database – provides a means by which the examiner can import, manage and store hash
values for use within the various functions provided by MacForensicsLab.

The Notes Log - contains all the notes regarding the investigation as entered by the various examiners.
Notes are listed with examiner name, date and the initial characters of the note, with the ability to view
an entire note, as well as manage and edit notes.

The Salvage Log - keeps track of the date and time of the salvage process, the name of the examiner,
the actions performed, and the location and specific details of the files salvaged.
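The Acquisition Log's per-block records (offset, length, hash sum) are what make an image verifiable after the fact. The Python below, an added example and not MacForensicsLab's own code, simulates a block-wise acquisition of a constructed byte buffer standing in for a device, writes one log record per block with the fields the manual names, and then re-hashes an image against that log so that a flipped byte or a truncated image is reported by block offset. The 512-byte block size, the SHA-256 choice and the record field names are assumptions for the example.

```python
import hashlib
from datetime import datetime, timezone

# Block size used by this example; the manual does not state the block size
# MacForensicsLab logs, so 512-byte sectors are assumed here.
BLOCK_SIZE = 512


def acquire(source, block_size=BLOCK_SIZE):
    """Copy `source` (bytes standing in for a suspect device) block by block.

    Returns (image, log). Each log record carries the fields the manual says the
    Acquisition Log stores: date/time, a description, and the block's offset,
    length and hash sum (SHA-256 here; the field names are assumptions)."""
    image = bytearray()
    log = []
    for offset in range(0, len(source), block_size):
        block = source[offset:offset + block_size]
        image += block
        log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "description": f"block {offset // block_size} read",
            "offset": offset,
            "length": len(block),  # the final block may be short
            "sha256": hashlib.sha256(block).hexdigest(),
        })
    return bytes(image), log


def verify(image, log):
    """Re-hash every logged block of `image` and compare with the log.

    Returns the offsets of blocks that are missing, short or whose hash differs;
    an empty list means the image still matches what was acquired."""
    bad = []
    for rec in log:
        block = image[rec["offset"]:rec["offset"] + rec["length"]]
        if len(block) != rec["length"] or hashlib.sha256(block).hexdigest() != rec["sha256"]:
            bad.append(rec["offset"])
    return bad


def demo():
    """Acquire a constructed 1792-byte 'device' (three full blocks plus a short
    tail), then verify an intact copy, a copy with one flipped byte, and a
    truncated copy."""
    source = bytes(range(256)) * 7  # constructed sample data, not case data
    image, log = acquire(source)
    if image != source:
        raise RuntimeError("acquired image differs from source")
    tampered = bytearray(image)
    tampered[600] ^= 0xFF  # lands inside the block at offset 512
    truncated = image[:1000]
    return len(log), verify(image, log), verify(bytes(tampered), log), verify(truncated, log)


if __name__ == "__main__":
    records, intact, tampered, truncated = demo()
    print(f"{records} block records; intact={intact}, tampered={tampered}, truncated={truncated}")
```

Per-block hashes localize damage to an offset, which a single whole-image hash cannot do; in practice both are recorded, the whole-image value to attest the acquisition and the block list to diagnose where an image later diverged from it.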

Sorting The Data


The examiner can sort by any of the available columns by clicking on the respective column header.
Once a column is highlighted and sorted in ascending order, clicking its header again sorts it in reverse
order.

Managing Records
Certain panes containing log data benefit from the availability of management buttons. That is to say
that an assortment of buttons exist to:

-Refresh
-Clear
-Delete
-Add
-Edit

Where available, the examiner uses these buttons as in the other function windows: to reload data into
the respective pane, to remove or clear records (both of which generate a warning prompt requesting
confirmation before records are deleted), and to add items or make amendments.



Reporting



Generating a Report

This lesson covers how to write a report using MacForensicsLab.

Opening Report Window

To open the Report window, from the MacForensicsLab Main window, select "File -> Write Report," or
use the keyboard shortcut "command+p."

Select Report Contents

The Report window consists of a series of checkboxes that are toggled on or off depending on the
information the examiner wants to include in the report. Once the appropriate checkboxes are
selected, select "Start."



Report Location

Once the report settings have been determined, a navigation box opens. This box enables the
examiner to dictate where the report will be generated and saved.

Viewing the Report

Once the report is saved, a browser will open automatically showing the report. The report is divided
into two sections, the navigation section on the left and the reported information on the right.



Keyboard Shortcuts



Keyboard Shortcuts

This lesson will list the keyboard shortcuts supported by MacForensicsLab.

Shortcuts

The following shortcuts are specific to the MacForensicsLab Application.

Command + Comma (,) - Open ‘Preference’ Window

Command + p - Write HTML report

Command + t - Attach Disk Image

Command + d - Detach Disk Image

Command + m - Mount Device

Command + r - Rescan available hardware buses

Command + u - Unmount Device

Option + Command + b - Show all bookmarks

Command + d - Add bookmark

Shift + Command + n - Make note

Shift + Command + d - Open ‘Database’ window

Command + b - Open ‘Disk Arbitration’ window

Command + t - Open terminal

Command + s - Saves/Exports a file



Getting Help and Technical Support



Getting Help and Technical Support

This lesson covers the various ways to obtain help and technical support when using MacForensicsLab.

Finding Help within MacForensicsLab

Help is available both from the small, context-sensitive tool tips that appear when the investigator
hovers the mouse over a window element, and from the standard Help menu at the top of the screen.
Tool tips are provided for buttons and other parts of MacForensicsLab that require some form of user
interaction.

On the Web

We provide over 100 links to forensic resources, manuals, a complete knowledge base and a plethora
of additional information on our website. For updates, resources and additional information please visit:
http://www.MacForensicsLab.com.

Technical Support

We provide free technical support both via email or phone during the hours 10am to 6pm Pacific
Standard Time (GMT -8) Monday to Friday. By email, we can be reached at the following address:
support@subrosasoft.com. By phone, we can be reached at: +1 (510) 870 7883, or by fax on +1 (510)
868 3407.

In addition to any support question(s), the investigator must include ALL of the following pieces of
information:

-Valid registration number or purchase information.
-System configuration(s) – hard drive make, model etc.
-System OS version.

System related information can be found by using the “System Profiler” application in the
/Applications/Utilities folder.

Comments and Questions

If you have comments, problems, or questions about this product, or if you are interested in a site
license, please contact us via email: info@subrosasoft.com.

Company Address

SubRosaSoft.com Incorporated
37600 Central Ct, Suite 212
Newark, California 94560



http://www.SubRosaSoft.com
http://www.MacForensicsLab.com



Uninstalling MacForensicsLab



Uninstalling MacForensicsLab

This lesson covers how a user can uninstall MacForensicsLab.

Using the Main Window

MacForensicsLab is a completely self-contained application and requires no special functionality to
uninstall it. The procedure to uninstall MacForensicsLab is to navigate to the directory in which
MacForensicsLab is currently installed, highlight the MacForensicsLab folder and either drag and drop
it into the Trash or delete it using the delete key.



Glossary



Glossary

This lesson is a Glossary of terms relevant to MacForensicsLab.

Glossary

Acquisition
The process through which an investigator can make duplicate working copies of a suspect drive,
media or other data storage hardware.

Checksum & Checksum Verification

A checksum is a short value computed from a block of data and stored or transmitted together with it,
so that whoever receives the data can recompute the value and compare it with the original. If the
values match, the data is assumed to have arrived intact; checksum verification is that act of
recomputing and comparing. Simple checksums detect accidental corruption only. To detect deliberate
alteration of evidence, a cryptographic hash such as SHA-256 is used in place of a plain checksum
(see “Hash or Hashing”).

Device
Can refer to any form of data storage technology, or to the equipment required to read data stored on
media such as CDs or DVDs.

Disclosure triangle
The small rightward-pointing arrow next to folders in the explorer window which, when clicked, turns
downwards and allows the investigator to view the contents of that folder.

Disk Image
A disk image is a computer file containing the complete contents and structure of a data storage device.
The term has been generalized to cover any such file, whether taken from an actual physical storage
device or not.

Disk Arbitration
The process by which a workstation discovers and attempts to mount a device connected to it. OS X is
notified of the event by the kernel and immediately looks for mountable partitions on the drive. If any
are found, the OS initiates the mount, the internal disk arbitration tables are updated with the proper
information, and any programs subscribed to notifications are informed. Because a default mount is
read-write, the suspect’s drive can be modified during this process (for example by replaying the file
system journal or updating mount-time metadata), which is why disk arbitration must be controlled
from the ‘Disk Arbitration’ window, or a hardware write blocker used, before a suspect drive is
connected.
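A quick after-the-fact sanity check, as an added example (not part of the manual or of MacForensicsLab): parse the output of the `mount` command and list any volume of the suspect disk that is mounted without the read-only flag. The sample output below is constructed in the layout macOS prints (device, mount point, then file system type and flags in parentheses); which disks are suspect drives is an assumption. It is a check, not a control: the write blocker or disabled arbitration has to be in place before the drive is plugged in.

```python
import re

# Constructed sample of `mount` output, in the layout macOS prints
# ("<device> on <mount point> (<fstype>, <flag>, <flag>, ...)"); assumption:
# disk2 and disk3 are the suspect drives, disk4 the work drive.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk2s2 on /Volumes/SUSPECT (hfs, local, read-only, noowners, journaled)
/dev/disk3s1 on /Volumes/SUSPECT_2 (hfs, local, noowners, journaled)
/dev/disk3s3 on /Volumes/Spare Data (msdos, local, noowners)
/dev/disk4s1 on /Volumes/WORK (hfs, local, journaled)
"""

MOUNT_LINE = re.compile(r"^(?P<device>\S+) on (?P<mountpoint>.+?) \((?P<flags>[^)]*)\)$")


def parse_mount(output):
    """Parse `mount` output into dicts of device, mount point, fs type and flags.
    Lines that do not fit the layout are skipped rather than guessed at."""
    mounts = []
    for line in output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        fields = [f.strip() for f in m.group("flags").split(",")]
        mounts.append({
            "device": m.group("device"),
            "mountpoint": m.group("mountpoint"),
            "fstype": fields[0],
            "flags": set(fields[1:]),
        })
    return mounts


def writable_volumes(mounts, suspect_disk):
    """Return the mount points belonging to `suspect_disk` (e.g. 'disk3', covering
    the whole device and its slices disk3s1, disk3s2, ...) that are mounted
    without the read-only flag, i.e. volumes the OS is free to write to."""
    whole = f"/dev/{suspect_disk}"
    slice_prefix = whole + "s"
    return [m["mountpoint"] for m in mounts
            if (m["device"] == whole or m["device"].startswith(slice_prefix))
            and "read-only" not in m["flags"]]


if __name__ == "__main__":
    mounts = parse_mount(SAMPLE_MOUNT_OUTPUT)
    for disk in ("disk2", "disk3"):
        bad = writable_volumes(mounts, disk)
        print(f"{disk}: {'OK, read-only' if not bad else 'WRITABLE: ' + ', '.join(bad)}")
```

On a live examination machine the same parser is fed real output, for instance `subprocess.run(["mount"], capture_output=True, text=True).stdout`; any mount point it reports for a suspect disk should be unmounted and the drive re-attached behind a write blocker before anything else is done.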

Evidence Item
Refers to an individual file that may be of use to an investigation or case.

Finder
Also referred to as the Desktop by workstation users. This is the Graphical User Interface portion; or
rather Front-End that allows the human User to visually interact with the computer.



Hash or Hashing
Producing hash values for identifying data or for security and verification. A hash value (or simply
hash), also called a message digest, is a fixed-size number computed from data of any length, whether a
file, a whole device or a string of text. The hash is substantially smaller than the input and is generated
by an algorithm designed so that it is extremely unlikely that some other input will produce the same
hash value. Algorithms used to create hash values, in ascending order of strength, include MD5, SHA-1
and SHA-256 (a member of the SHA-2 family). Collision attacks are known against MD5 and SHA-1, so
SHA-256 should be treated as the authoritative value when verifying evidence; MD5 and SHA-1 remain
useful for matching against older hash sets.

Pane
The part of an application window where data may be previewed in columnar or free form style.
Headers may be used to sort columns, whilst free form text can be edited.

Partition (also known as a Volume, when used to store data)

A partition is an individual section of a hard disk or other media. A drive must contain at least one partial
or complete partition in order to be of use, and can contain multiple partitions to separate the data held
on it. Partitions can be set up write-protected and even configured not to auto-mount.

Suspect Drive
The drive that is the focus of the investigation and which the investigator should avoid tainting if
evidence collected is required for later use in a legal environment.

Unallocated Space (also known as Free Space)

Refers to sectors on the hard drive that are not referenced in the file system catalog and therefore may
be written to by the computer, as they are not reserved. The contents of deleted files frequently remain
in unallocated space until overwritten.

Work Drive
Refers to the drive on which an investigator will store files relating to a case. Salvaged files and other
data will be written to the work drive rather than to contaminate or lose data by writing them to the
“Suspect Drive”.

Volume (please refer to “Partition”)
A volume is a partition that can be used to store data.



End User's License Agreement (EULA)



End Users License Agreement

MacForensicsLab Incorporated's End Users License Agreement

EULA

DO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ THIS AGREEMENT AND
AGREE TO THE TERMS OF THIS LICENSE. BY USING THE ENCLOSED SOFTWARE, YOU ARE
AGREEING TO THE TERMS OF THIS LICENSE.

The software license agreement for this program is included in this manual so you can read it before
installing the program. INSTALLING THE PROGRAM OR USE OF THE MATERIALS ENCLOSED
WILL CONSTITUTE YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS
SOFTWARE LICENSE AGREEMENT. If you do not agree to the terms of this software license
agreement, do not install the software and promptly return the package to the place of purchase for a
full refund of all money that you paid for the product.

In return for purchasing a license to use the computer program known as "MacForensicsLab™" and for
purchasing documentation included in this package, you agree to the following terms and conditions:

1. License. The Software enclosed is licensed, not sold, to you by MacForensicsLab Inc for use under
the terms of this software license. This non-exclusive license allows you to:

i. Use MacForensicsLab™ software only on a SINGLE computer at any one time. You may only use the
MacForensicsLab ™ software and only on drives physically connected to that single CPU.

ii. Only use the Software to monitor systems on a SINGLE computer that is used by you.

iii. Make one copy of Software in machine-readable form, provided that such copy is used only for
backup purposes and the copyright notice is reproduced on the backup copy.

iv. Transfer Software and all rights under this license to another party together with a copy of this
license and all documentation accompanying the Software, provided the other party agrees to accept
the terms and conditions of this license.

As a licensee, you own the media on which the Software is originally recorded. The Software is
copyrighted by MacForensicsLab Inc and proprietary to MacForensicsLab Inc, and MacForensicsLab
Inc retains title and ownership of the Software and all copies of the Software. This license is not a sale
of Software or any copy. You agree to hold Software in confidence and to take all reasonable steps to
prevent disclosure.



2. Restrictions. You may NOT distribute copies of this Software to others or electronically transfer
Software from one computer to another over a network or via modem. The Software contains trade
secrets that are wholly owned by SubRosaSoft.com Inc. You may NOT decompile, reverse engineer,
translate, disassemble or otherwise reduce the Software to a human understandable format. YOU MAY
NOT MODIFY, ADAPT, TRANSLATE, RENT, LEASE, RESELL FOR PROFIT, DISTRIBUTE,
NETWORK, OR CREATE DERIVATIVE WORKS BASED UPON THIS SOFTWARE OR ANY PART
THEREOF.

3. Termination. This license is effective until terminated. This license will terminate immediately without
any notice from MacForensicsLab Inc if you fail to comply with any of its provisions. Upon termination
you must destroy the Software and all copies thereof. You may terminate this license at any time by
destroying the Software and all copies thereof.

4. Export Law Assurances. You agree and certify that neither the Software nor the documentation will
be transferred or re-exported, directly or indirectly, into any country where such transfer or export is
prohibited by the relevant governmental parties and regulations there under or will be used for any
purpose prohibited by relevant government parties.

5. Warranty Disclaimer, Limitation of Damages and Remedies.


MacForensicsLab Inc makes no warranty or representation, either expressed or implied, regarding the
merchantability, quality, functionality, performance, or fitness of the compact disc, diskettes, manual or
the information provided.

This Software and manual are licensed “AS IS.” It is solely the responsibility of the consumer to
determine the Software’s suitability for a particular purpose or use. MacForensicsLab Inc and anyone
else who has been involved in the creation, production, delivery or support of the Software, will in no
event be liable for direct, indirect, special, consequential or incidental damages resulting from any
defect, error or omission in the compact disc, diskettes, manual or Software or from any other events
including, but not limited to, any interruption of service, loss of business, loss of profits or good will,
legal action or any other consequential damages. The user assumes all responsibility arising from the
use of this Software. MacForensicsLab Inc's liability for damages to you or others will in no event
exceed the total amount paid by you for this Software. In particular, MacForensicsLab Inc shall have no
liability for any data or programs stored by or used with MacForensicsLab Inc’s Software, including the
costs of recovering such data or programs. MacForensicsLab Inc will be neither responsible nor liable
for any illegal use of its Software. MacForensicsLab Inc reserves the right to make corrections or
improvements to the information provided and to the related Software at any time, without notice.

MacForensicsLab Inc will replace or repair defective distribution media or documentation at no charge,
provided you return the item to be replaced with proof of purchase to MacForensicsLab Inc during the
30-day period after purchase. ALL IMPLIED WARRANTIES ON THE MEDIA AND DOCUMENTATION,
INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, ARE LIMITED IN DURATION TO THIRTY (30) DAYS FROM THE DATE OF THE
ORIGINAL RETAIL PURCHASE OF THIS PRODUCT. The warranty and remedies set forth above are
exclusive and in lieu of all others, oral or written, expressed or implied. No MacForensicsLab Inc dealer,
representative, agent, or employee is authorized to make any modification, extension, or addition to this
warranty. Some States do not allow limitations on how long an implied warranty lasts, or the exclusion
or limitation of implied warranties or liability for incidental or consequential damages, so the above
limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may
also have other rights that vary from State to State.

6. Government End-Users. If you are a Government end-user, this license of the Software conveys only
“RESTRICTED RIGHTS”. This Software was developed at private expense, and no part of it was
developed with government funds. The Software is a trade secret of SubRosaSoft.com Inc for all
purposes of the Freedom of Information Act, and is “commercial computer software” subject to limited
utilization as provided in the contract between the vendor and the governmental entity, and in all
respects is proprietary data belonging solely to MacForensicsLab Inc. Government personnel using the
Software, are hereby on notice that the use of this Software is subject to restrictions that are the same
as, or similar to, those specified above.

7. General. This license will be construed under the laws of the state of California, except for that body
of law dealing with conflicts of laws, if obtained in the United States, or the laws of jurisdiction where
obtained if obtained outside the United States. If any provision of this license is held by a court of
competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent
permissible, and the remaining provisions of this license will remain in full force and effect.

Complete Agreement. This license constitutes the entire agreement between the parties with respect to
the use of the Software and related documentation and supersedes all prior or contemporaneous
understandings or agreements, written or oral, regarding such subject matter.



Copyright Notice



Copyright Notice

MacForensicsLab Copyright Notice.

MacForensicsLab Copyright Notice

MacForensicsLab Incorporated copyrights this software, the product design, and design concepts with
all rights reserved. Your rights with regard to the software and manual are subject to the restrictions
and limitations imposed by the copyright laws of the United States of America.

Under the copyright laws, neither the programs nor the manual may be copied, reproduced, translated,
transmitted or reduced to any printed or electronic medium or to any machine-readable form, in whole
or in part, without the written consent of MacForensicsLab Inc.

© Copyright 2009 MacForensicsLab Inc. All Rights Reserved



Trademarks



Trademarks

MacForensicsLab Incorporated's trademarks.

Trademarks

"MacForensicsLab” is a trademark of MacForensicsLab Inc.

All other brand and product names are trademarks or registered trademarks of their respective holders.

