
MacForensicsLab 3.0 Manual

Modern Forensics on a Mac


Table of Contents
Overview ..................................................................................7
Overview of MacForensicsLab .........................................................7
About MacForensicsLab ...................................................................7
MacForensicsLab Overview ...............................................................8
MacForensicsLab Design Features .....................................................8
The Acquire Feature ......................................................................10
The Search Feature .......................................................................10
The Analyze Feature ......................................................................10
The Salvage Feature .....................................................................10
The Browse Feature ......................................................................11
The Audit Feature .........................................................................11
The Hash Feature .........................................................................11
System Requirements .............................................................11
System Requirements ...................................................................11
Mac OS X Base Requirements .........................................................12
Windows Base Requirements (for use up to and including MacForensicsLab 3.0) ....12
Linux Base Requirements (for use up to and including MacForensicsLab 3.0) ......12
Recommended Desktop Forensic Workstation ...................................12
Recommended Forensic Laptop .......................................................13
Additional Considerations ...............................................................13
The MacForensicsLab Dongle ..........................................................14
Installing MacForensicsLab .....................................................14
Installing MacForensicsLab ...........................................................14
Obtaining the latest version of MacForensicsLab ................................15
Locate the version of MacForensicsLab .............................................16
Download ....................................................................................17
Downloaded Archive ......................................................................17
Locate the MacForensicsLab Folder ..................................................17
Installing MacForensicsLab .............................................................18
Running MacForensicsLab for the First Time ...........................18
Running MacForensicsLab for the First Time .................................18
Opening MacForensicsLab ..............................................................19
Launch MacForensicsLab ................................................................19
Allow MacForensicsLab to Run ........................................................19
Configure MacForensicsLab Preferences ...........................................20
Configure a Local Database File ......................................................21
Save the Local Database ................................................................21
Configure the Examiners Tab ..........................................................23
Configure Examiner Window ...........................................................23
Confirm Examiner Information ........................................................25
Configure the Cases Tab ................................................................26
The Case Details Window ...............................................................26
Complete Case Details ...................................................................26

© 2010 MacForensicsLab Incorporated, All Rights Reserved 2


Selecting the Case ........................................................................28
The E-Mail Pane ............................................................................29
Complete the E-Mail Pane ..............................................................30
Authenticate MacForensicsLab ........................................................31
Complete Authentication ................................................................31
Disk Arbitration ............................................................................32
Case Preparation ....................................................................32
Case Preparation ..........................................................................32
Overview .....................................................................................32
Disabling Disk Arbitration ...............................................................33
Enabling Disk Arbitration ................................................................34
Hardware Write Blockers ................................................................34
Clearing the Work Drive .................................................................35
Terminal Access ............................................................................36
Core Functions ........................................................................36
Core Functions ..............................................................................36
The Core Functional Areas of MacForensicsLab ..................................36
The Preferences Window ........................................................37
The Preferences Window...............................................................37
Overview .....................................................................................37
Finding the Preferences Window ......................................................37
The Preference Window Layout .......................................................38
The Database Preference Pane .......................................................39
Configuring a Local Database File ....................................................40
Selecting a Location for the Local Database File ................................41
Checking the Local File Database Path .............................................42
REAL SQL Setup ...........................................................................43
MySQL Setup ...............................................................................44
The Examiners Tab .......................................................................45
Configuring Examiner Specific Data .................................................46
Save the Form ..............................................................................47
Confirm the Correct User ...............................................................48
The Cases Tab ..............................................................................49
Fill Out Case Details ......................................................................50
Complete Case Details Pop-up ........................................................51
Verify Case Information .................................................................52
eMail Tab Setup ............................................................................53
The Main Window ...................................................................53
The Main Window..........................................................................53
Overview .....................................................................................53
The Main Window Layout ...............................................................54
The Access Panel - Devices Tab ......................................................55
The Access Panel - Files Tab ...........................................................56
The Buttons Panel .........................................................................57
The Acquire Function ..............................................................57
The Acquire Function ....................................................................57



Overview .....................................................................................58
Creating a Disk Image ...................................................................59
Attaching Disk Images ...................................................................61
The Search Function ...............................................................62
The Search Function .....................................................................62
Overview .....................................................................................62
The Search Window Layout ............................................................63
The Analyze Function ..............................................................67
The Analyze Function ....................................................................67
Overview .....................................................................................67
The Analyze Window Layout ...........................................................68
Search File Data ...........................................................................70
Carving Data ................................................................................73
The Salvage Function ..............................................................73
The Salvage Function ....................................................................73
Overview .....................................................................................74
The Salvage Window .....................................................................74
Save the Scan ..............................................................................75
Choose Destination .......................................................................76
Examine Files by Type ...................................................................76
File Previewer ...............................................................................77
Select Files for Salvage ..................................................................77
Save Salvaged Files ......................................................................78
Filename Rebuilder .......................................................................78
Reviewing Salvaged Files ...............................................................79
The Browse Function ..............................................................79
The Browse Function ....................................................................79
Overview .....................................................................................79
The Browse Window ......................................................................80
Reviewing the Results ...................................................................81
Bookmarking the Findings ..............................................................82
Viewing Bookmark ........................................................................82
The Audit Function ..................................................................83
The Audit Function ........................................................................83
Overview .....................................................................................83
Getting Started .............................................................................83
Invoking the Audit ........................................................................84
Locate Audit Results ......................................................................84
Review Audit Findings ...................................................................85
Generate a Report ........................................................................86
Save Report .................................................................................86
View the Report ............................................................................86
Reviewing the Hyperlinks ...............................................................87
The Hash Function ..................................................................87
The Hash Function ........................................................................87
Using the Hash Function ................................................................88



Reviewing the Hash .......................................................................89
Saving the Results ........................................................................89
Bookmarks..............................................................................90
Bookmarks ....................................................................................90
Overview .....................................................................................90
Locating the Bookmarks ................................................................90
The Bookmark Window Layout ........................................................91
Managing Bookmark Folders ...........................................................92
Clearing Actions ............................................................................94
Examiner Notes.......................................................................95
Notes in MacForensicsLab .............................................................95
Overview .....................................................................................95
Opening Notes .............................................................................95
Notes Window Layout ....................................................................96
Adding and Removing Case Notes ...................................................97
The MacForensicsLab Database...............................................98
The MacForensicsLab Database .....................................................98
Overview .....................................................................................98
Opening the Database ...................................................................99
The Database Window Layout .........................................................99
Viewing the Database Sections .....................................................100
Reporting ..............................................................................102
Generating a Report ....................................................................102
Opening Report Window ...............................................................102
Select Report Contents ................................................................103
Report Location ..........................................................................103
Viewing the Report ......................................................................104
Keyboard Shortcuts ..............................................................104
Keyboard Shortcuts ....................................................................104
Shortcuts ...................................................................................105
Getting Help and Technical Support ......................................105
Getting Help and Technical Support ............................................105
Finding Help within MacForensicsLab ..............................................106
On the Web ................................................................................106
Technical Support .......................................................................106
Comments and Questions .............................................................106
Company Address .......................................................................106
Uninstalling MacForensicsLab ...............................................107
Uninstalling MacForensicsLab .....................................................107
Using the Main Window ................................................................107
Glossary ................................................................................107
Glossary ......................................................................................107
Glossary ....................................................................................107
End User's License Agreement (EULA) ..................................109



End Users License Agreement .....................................................109
EULA .........................................................................................109
Copyright Notice ...................................................................113
Copyright Notice .........................................................................113
MacForensicsLab Copyright Notice .................................................113
Trademarks ...........................................................................113
Trademarks .................................................................................113
Trademarks ................................................................................113



Overview
Overview of MacForensicsLab

This section provides an overview of MacForensicsLab, its features, functionality and design.

About MacForensicsLab
Welcome to MacForensicsLab. If this is your first time using MacForensicsLab software, be assured you made the right decision. MacForensicsLab Incorporated is the worldwide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, MacForensicsLab is used by the military, the intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution.

As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but change the way modern computer forensics is performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to its technological dilemma. When the momentum of an investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims are left needing resolution or, worse, new victims are created. MacForensicsLab Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs and anticipate problems through intelligent, proactive development.

MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, MacForensicsLab Inc. leverages technology and its advancements to allow for fewer mistakes. By doing so, MacForensicsLab aids in maximizing the efficiency and effectiveness of its users, thereby getting more done with fewer mistakes.

MacForensicsLab Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization's forensic goals. To this end, we offer products that account for the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process; MacForensicsLab Inc. accounts for this evolution with solutions for incident response, triage, static examinations and reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatibility with other tools, so the examiner is not limited to one tool or one answer to a problem. In summary, MacForensicsLab Inc. views mission accomplishment as a corporate social responsibility, one we take very seriously, and as such we strive to become not only a software development company but a partner to all our customers.

MacForensicsLab Overview
MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design and a feature-rich environment. It is capable of performing all aspects of the forensic process on any filesystem the system bus can recognize; these filesystems include NTFS, UFS, HFS, HFSPlus, ext2, ReiserFS and many more.

In addition to being the premiere Macintosh-based forensic application, previous versions of MacForensicsLab (up to 3.0) are cross-platform, allowing users to run MacForensicsLab natively on Windows XP, Windows Vista, Windows 7, and Linux (RedHat, Ubuntu and SuSe).

MacForensicsLab Design Features

MacForensicsLab has been designed, from the ground up, to be a powerful, easy-to-use forensic solution. A vital component in achieving this is the software's GUI (Graphical User Interface). Many modern forensic solutions have interfaces with 15 or more buttons, making them difficult to use and, due to the crowded space, somewhat overwhelming for the user. By contrast, MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid out in an order that, if followed from one to the next, will guide the examiner through an entire forensic examination.

The second aspect of the design of MacForensicsLab is automation. The automation of tasks has changed the world. First, the Industrial Revolution was marked by automation of the blue-collar workforce, changing the way manufacturing was done. In the Information Age, this automation is seen through computers performing complex repetitive tasks. In computer forensics, this automation refers to leveraging the computer to collect and collate data so the examiner can analyze the data. MacForensicsLab is unique in that it excels at this, allowing the examiner to perform the vital task of analysis, thus providing context to the computer's findings. This concept is readily apparent in the Browse and Audit functions, described below.

Another aspect of MacForensicsLab's design is fault tolerance. Unique within the industry, MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations. In addition, because it is a database-driven application, it writes results to the database immediately, so there is no need for periodic interval saves, which inevitably result in data loss.

Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern computer forensics is one of increasing complexity. As such, no one solution provides all the answers to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use its results with other tools. The use of OpenISO imaging and HTML reporting are just two examples of this.

Speed and accuracy are the other tenets of MacForensicsLab's design. The rapid increase in data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to increase speed, making it much faster than other tools such as dd.

Accuracy is a foundational element of computer forensics. Unfortunately, many software vendors sacrifice accuracy for speed. An example of this would be performing data recovery operations based solely on the directory structure. The sole use of the directory structure provides fast results; however, it does not account for a corrupted structure. When the directory structure is corrupted and that is the only means of data recovery, then all is lost without attempting to fix the directory structure. MacForensicsLab takes a different approach: instead of the faster method, it takes the best method for recovering all files. In doing so, MacForensicsLab demonstrates its understanding that without all the data there is no case, and in this instance it is better to sacrifice speed for accuracy.



Now that we understand the basic design features of MacForensicsLab,
let's take a minute to familiarize ourselves with its core functionalities.

The Acquire Feature

The ‘Acquire’ feature uses an intelligent algorithm to recover mechanically sound and faulty drives. Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the best chance at recovering evidence to a forensically sound disk. The output of this process is an open-format, industry-standard locked disk image.

The Search Feature

The ‘Search’ feature examines logical directory structures and files to identify items of interest, helping to zero in on any suspect material. Comparisons can be made against a database of hash values for known good or known suspect content. MacForensicsLab creates a list of catalog information, MD5, SHA1 and SHA256 checksums, as well as other basic file information, using pre-specified search terms and filters.

The Analyze Feature

The ‘Analyze’ feature enables an examiner to analyze the contents of files in ASCII and/or Hex mode. ‘Analyze’ allows the examiner to search the entire disk for specific terms and items including keywords, hex strings, credit card numbers and social security numbers.

The Salvage Feature

MacForensicsLab’s ‘Salvage’ feature is fault tolerant and thorough by design, making it the most powerful data recovery engine on the market. The ‘Salvage’ function recognizes over 100 file types and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital camera memory cards, iPods, and much more. In addition, ‘Salvage’ possesses the ability to learn on-the-fly, enabling the examiner to add unknown file types into the ‘Salvage’ database for recovery. These features, combined with filters allowing targeted data recovery, make this a foundational feature for all subsequent forensic processes.



The Browse Feature

The ‘Browse’ feature allows the examiner to quickly and easily thumbnail and preview graphic images and their metadata. MacForensicsLab was the first forensic software application to contain a built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of thousands of image files to locate files of investigative interest, which are easily bookmarked and/or exported for further action.

The Audit Feature

The ‘Audit’ feature quickly and efficiently collects and collates operating system artifacts and user preferences, including cached internet history and bookmarks, Instant Messaging buddy lists, WiFi Access Points, Address Book information, iPhone information and much more. In doing so, the ‘Audit’ feature enables the examiner to keep the investigative momentum while allowing for further in-depth analysis.

The Hash Feature

The ‘Hash’ function allows the examiner to perform an MD5, SHA1 and SHA256 hash on any given file located on the volume while exporting the results with the full path to a text file for easy reference. Additionally, this feature allows for a complete file listing of a volume with associated permissions, path and hashes.
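The listing-with-hashes idea behind the ‘Search’ and ‘Hash’ features above, shown as an added Python example (this is not MacForensicsLab's code): it walks a directory tree, records permissions, path and MD5/SHA1/SHA256 for every regular file, flags files whose SHA256 appears in a known-good or known-suspect set, and writes the listing to a text file. The sample tree and both hash sets are constructed for the demonstration.

```python
"""Added example (not MacForensicsLab code): file listing with permissions,
path and MD5/SHA1/SHA256 per file, plus a known-good / known-suspect lookup.
The directory layout and hash sets built in demo() are constructed."""
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large evidence files


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests from a single pass over the file."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def list_volume(root):
    """Walk root and return one record per regular file, in a stable order."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal so two listings can be diffed
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink out of the volume
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed as content
            md5, sha1, sha256 = hash_file(full)
            records.append({
                "perms": stat.filemode(st.st_mode),
                "size": st.st_size,
                "path": os.path.relpath(full, root),
                "md5": md5,
                "sha1": sha1,
                "sha256": sha256,
            })
    return records


def classify(records, known_good, known_suspect):
    """Tag each record by SHA256; a suspect match takes precedence over a good one."""
    for rec in records:
        if rec["sha256"] in known_suspect:
            rec["status"] = "known_suspect"
        elif rec["sha256"] in known_good:
            rec["status"] = "known_good"
        else:
            rec["status"] = "unknown"
    return records


def write_listing(records, out_path):
    """Write a tab-separated listing; the path is the last column so it cannot shift others."""
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("perms\tsize\tmd5\tsha1\tsha256\tstatus\tpath\n")
        for r in records:
            out.write("\t".join([r["perms"], str(r["size"]), r["md5"], r["sha1"],
                                 r["sha256"], r["status"], r["path"]]) + "\n")
    return out_path


def demo():
    """Build a constructed sample tree, list and classify it, and write the listing."""
    root = tempfile.mkdtemp(prefix="mfl_example_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    open(os.path.join(root, "empty.bin"), "wb").close()
    with open(os.path.join(root, "sub", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # constructed JPEG-like header
    try:
        os.symlink("notes.txt", os.path.join(root, "link_to_notes"))  # must be skipped
    except OSError:
        pass  # platforms without symlink support simply have no link to skip
    # Constructed hash sets: SHA256("hello") as a suspect item, the empty file as known good.
    known_suspect = {"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}
    known_good = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
    records = classify(list_volume(root), known_good, known_suspect)
    write_listing(records, os.path.join(root, "listing.txt"))
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec["perms"], rec["status"], rec["sha256"], rec["path"])
```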

System Requirements
System Requirements

This section covers the basic and recommended system requirements for successfully running MacForensicsLab. Modern forensic processes require not only powerful systems to process the massive amount of data, but a scalable solution designed to harness the system resources for greater speed and increased functionality. A database solution provides such potential. Since MacForensicsLab is database driven, the performance of the software is greatly influenced by the performance of the computer that is being used to perform the investigations. Nevertheless, MacForensicsLab has been specifically optimized for efficiency and speed through the use of appropriate memory allocation and a multi-threaded design.



Mac OS X Base Requirements
-Apple Macintosh G4 800 MHz or faster
-Mac OS X (version 10.4 or newer)
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Windows Base Requirements (for use up to and including MacForensicsLab 3.0)
-Processor 800 MHz or faster
-Windows 2000/XP/Vista
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Linux Base Requirements (for use up to and including MacForensicsLab 3.0)
-Processor 800 MHz or faster
-x86-based Linux distribution with GTK+ 2.0 (or higher), glibc-2.3 (or higher) and CUPS (Common UNIX Printing System). We officially support the following:
  -SUSE Linux Enterprise Desktop
  -Red Hat Enterprise Linux Desktop
-512 MB of RAM
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 2.0 Port + USB license dongle (supplied with MacForensicsLab)

Recommended Desktop Forensic Workstation
-Apple MacPro (2.66 GHz Quad Core Intel Xeon "Nehalem" processor or better)
-Mac OS X (version 10.5 or newer)
-8 GB of RAM
-1 TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-Firewire 800 <-> ATA/SATA hardware write blocker
-1 x USB 2.0 Port + USB license dongle (supplied with MacForensicsLab)

Recommended Forensic Laptop
-Apple MacBook Pro Intel Core 2 Duo 2.4 GHz or faster
-Mac OS X (version 10.5 or newer)
-4 GB of RAM
-Firmtek SeriTek Serial ATA ExpressCard Adapter
-1 TB or more of available hard drive space
-DVD-ROM drive for Boot CD/DVD and Installation from DVD
-1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Additional Considerations
Providing the system with more resources and faster equipment, such as a faster processor, more RAM and a faster, larger hard disk drive, will improve the performance of MacForensicsLab where data reading, calculation and verification functions are occurring.

The database/logging functionality is best performed with the fastest possible network interface when working with a centralized network database server.



The MacForensicsLab Dongle

MacForensicsLab requires a dongle to function. To this end, previous versions of MacForensicsLab required a HASP dongle (pictured above); however, starting with MacForensicsLab 3.0, this dongle will be replaced with a USB key customized for MacForensicsLab. This customized dongle will allow users who have purchased both MacForensicsLab and MacLockPick to use the same dongle for both applications, providing a seamless integration throughout the forensic process.

Installing MacForensicsLab
Installing MacForensicsLab

This section demonstrates how to install MacForensicsLab for the upgrade from 2.5.5 to 3.0.



Obtaining the latest version of MacForensicsLab

To install the latest version of MacForensicsLab, open a web browser and navigate to the MacForensicsLab web site: http://www.MacForensicsLab.com. Once on the main webpage, select the "Upgrades" link.



Locate the version of MacForensicsLab

The Upgrades page allows a user to select the version of MacForensicsLab they wish to download. Once the correct version is located, select the link (highlighted in blue).

Download

The download page will present the above image. To begin the
download, click on the image.

Downloaded Archive

The file that downloads is a .zip file that will be uncompressed
automatically by the operating system and will appear in the
Downloads folder as a folder titled MacForensicsLab.

Locate the MacForensicsLab Folder

Open the folder where MacForensicsLab was downloaded (by default
this is the Downloads folder).

Installing MacForensicsLab

To install MacForensicsLab on your Mac's hard drive, copy both the
'Applications - OS X folder' and the 'Shared Resources' folder from the
MacForensicsLab USB device to your computer's 'Applications' folder.
Note that the folder structure, with the 'Shared Resources' folder
located one directory down from the MacForensicsLab application, must
be maintained, although the name of the folder containing the
application can be changed. Some users may choose to create a
MacForensicsLab folder and then store the folder containing the
application and the 'Shared Resources' folder within that.

Running MacForensicsLab for the First Time

This section demonstrates how to run MacForensicsLab for the first
time.

Opening MacForensicsLab

Navigate to the Applications folder and open the MacForensicsLab
folder by double clicking on it.

Launch MacForensicsLab

To launch the MacForensicsLab application, double click on the
MacForensicsLab.app icon.

Allow MacForensicsLab to Run

The first time MacForensicsLab is launched, a warning banner will
appear informing the user that the application was downloaded from
the Internet. Select "Open."

Configure MacForensicsLab Preferences

Once the MacForensicsLab application is launched, the Preferences
Pane will open. In order to successfully run MacForensicsLab, the
Preferences Pane must be filled out.

Configure a Local Database File

In this example we will configure a Local File database (this means the
database file will be resident on the local machine and not connected
remotely to a database). The "Database" tab in the upper left of the
window is selected (1), then select the "Local File" (2), next select
"Create" (3).

Save the Local Database

Once the "Create" button is selected in the previous step, a navigation
window appears. The navigation window allows the user to select the
location of the database file. By default the file is named
"MacForensicsLab Database.rsd" (1) and is located in the Documents
folder (2). Then select "Save."

Configure the Examiners Tab

The next tab to configure in the Preferences Pane is the "Examiners"
tab. Select the "Examiners" tab (1). To add an examiner, select the
"+" radio button on the left (2). Once the radio button is selected an
Examiner window will open.

Configure Examiner Window

Fill out the fields to complete the Examiner window, then select
"Save."

Confirm Examiner Information

The Preference Pane appears and the new examiner information can
be noted.

Configure the Cases Tab

To add a new case to the database, select the "Cases" tab (1) along
the top of the window. Add a case by selecting the "+" radio button in
the lower left (2). Once the radio button is selected a Case Details
pop-up window will appear.

The Case Details Window

The Case Details window allows the user to enter case details.

Complete Case Details

In the Case Details window enter the case number or Case ID and a
description of the case. Once completed, select "Save".

Selecting the Case

Once the "Save" button is selected in the previous step, the user is
returned to the Preferences Pane. Be sure to highlight the new case,
as seen above.

The E-Mail Pane

The purpose of the E-Mail pane is to enable the user to be notified
upon completion of tasks being conducted by MacForensicsLab.

Complete the E-Mail Pane

Complete all requisite information and select "Test:" (1) to ensure the
connection is properly configured. Once the test is successful, select
the "Continue" button (2).

Authenticate MacForensicsLab

MacForensicsLab requires the user to authenticate by entering the
admin password.

Complete Authentication

Enter the admin password (1) and then select "OK" (2).

Disk Arbitration

To complete the configuration of MacForensicsLab in preparation for
running it for the first time, the user needs to decide whether to ignore
disk arbitration (leaving it enabled) or to disable it. The user should
only disable disk arbitration if he/she intends to create a forensic
image from the suspect's media. Once either the "Ignore" or the
"Disable" button is selected, the main window of MacForensicsLab
opens.

Case Preparation

This section will discuss how to prepare for a case using
MacForensicsLab.

Overview
During the course of using MacForensicsLab the examiner will come
across a range of different suspect devices, media and disk images.
These will all work with a variety of ‘Read’ and ‘Write’ access settings.
It is therefore important to ensure that the examiner understands how
each of these varies and how the computer interacts with them.

Before connecting any device to the workstation it makes sense to
assume that the device, image or media may be written to and
therefore should be handled with the utmost caution.

In Mac OS X there are a couple of ways in which to handle the issues
of possibly tainting and overwriting data on the suspect drive or
device. The first is ‘Disk Arbitration’ and the second is ‘Write Blocking’.
It is also a MUST for the examiner to have a secondary “Work Drive”
onto which case data can be saved, and which will have been wiped.
This avoids the chance of overwriting possible evidence and thus losing
and/or tainting it.

Disabling Disk Arbitration

Whether at start-up or when connecting a suspect device via any data
bus (FireWire, USB, ATA) on your Macintosh Workstation, OS X is
notified and will immediately look for mountable partitions on the
device.

If detected, it initiates the mount and the disk’s internal arbitration
tables are updated with the necessary information to work with the
system. Having mounted, the Finder is updated with the information
and the volume(s) appear on the desktop. Any other applications that
may have subscribed to disk arbitration notifications are also updated
in a cascade effect.

In the process of finding and updating the arbitration tables on devices
found and mounted, there is a risk of writing to the devices and
therefore tainting the evidence. MacForensicsLab, however, has a
built-in option, accessible via the Window drop menu or the keyboard
shortcut [Command] + [B], that allows the examiner to turn off the
process.

In addition, to help avoid these issues, as MacForensicsLab reaches
the ‘Main’ window it always automatically prompts the examiner to
ensure that Disk Arbitration is enabled or disabled, per his or her
desired behavior.

Enabling Disk Arbitration

As the examiner quits MacForensicsLab he or she will be asked, in a
similar message, whether they wish to enable disk arbitration again.

TIPS -- If you have Disk Arbitration turned off and you have quit
MacForensicsLab, you will need to relaunch MacForensicsLab, and
enable Disk Arbitration or your machine will not boot correctly.

Hardware Write Blockers


MacForensicsLab works effectively with all available write blocking
hardware on the market, and we recommend that examiners use these
devices, as their organization may dictate, when performing forensics
on suspect drives. MacForensicsLab Inc. also carries an optional
hardware blocker that works hand-in-hand with MacForensicsLab.
Please visit our web site http://www.MacForensicsLab.com for more
information, or contact us via email: sales@macforensicslab.com; or
telephone: +1 (510) 870 7883.

Clearing the Work Drive

It is essential that before the examiner uses any drive for storing the
results of an investigation, that the drive has been cleared properly.
This should mean that the work drive has been formatted at least with
a single pass with zeroing data.

To clear the work drive, select a partition of the designated drive in the
‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear
work drive” from the File menu. A confirmation window will come to
the fore, which the examiner should accept, after which the ‘Shred’
window will come forward.

The window contains a slider with which the examiner can set the
numbers of passes required to clear the drive. Also, in order to speed
up the process the examiner also has the option to shred only “Free
Space”, so that only the available space on the partition will be
cleared. Having set this, simply click Start and the clearing procedure
will begin. If the examiner picks the wrong partition, and/or decides
to stop, by simply clicking Close, the ‘Shred’ window will disappear and
he or she will be returned to the ‘Main’ window.

Terminal Access

MacForensicsLab provides the examiner with quick access, via the
Window drop menu or the keyboard shortcut [Command] + [T], to a
terminal window, so that he or she does not have to leave
MacForensicsLab in order to run commands through another Terminal
application.

Core Functions

This section will outline the core functions of MacForensicsLab for
further, detailed discussion.

The Core Functional Areas of MacForensicsLab


-Preferences Window
-Main Window
-Acquire Window
-Search Window
-Analyze Window
-Salvage Window
-Browse Window
-Audit Window
-Hash Window
-Bookmarks & Notes
-Database Window

The Preferences Window

This section will cover the Preferences Window settings and
configuration.

Overview
The ‘Preferences’ window allows the examiner to setup and manage
both individual cases and examiners within MacForensicsLab. In
addition, it enables the examiner to configure MacForensicsLab
database settings and even configure an e-mail based notification
feature.

Finding the Preferences Window

The ‘Preferences’ window will, by default, appear at start-up once the
MacForensicsLab splash screen has disappeared. To return to the
‘Preferences’ window after progressing to the ‘Main’ window, the
examiner must select “Preferences” from the MacForensicsLab
application drop menu, or use the keyboard shortcut [Command] + ,
[Comma]. In order to disable the ‘Preferences’ window from
appearing at start-up the examiner should deselect the “Show this
window at start-up” check box in the bottom left hand corner of the
window.

The Preference Window Layout

The Preference Window has four sections, each containing their own
preference information. The four sections are: Database (1),
Examiners (2), Cases (3) and eMail (4).

The Database Preference Pane

By default the Database will be disabled (1).

Configuring a Local Database File

MacForensicsLab allows the examiner to harness the power of a
database solution without having to associate with a remote database.
The creation of a local database file enables examiners to take
advantage of a database while not requiring the infrastructure incurred
with larger solutions.

To create a local database file, select Local File (1), and then
"Create." (2)

Selecting a Location for the Local Database File

Once you select "Create" in the previous step, a navigation box will
appear allowing the examiner to select the location of the local
database file (by default it will place the file in the Documents folder
and name it MacForensicsLab Database.rsd).

Checking the Local File Database Path

Once the examiner has chosen a location for the Local Database file to
be stored, they are returned to the Database Window, where the path
chosen is displayed (1).

REAL SQL Setup

If the examiner has access to a REAL SQL database, then
MacForensicsLab allows for seamless integration. Select the REAL SQL
tab (1). Then, by filling out the form fields (2) and selecting the
"Connect" button (3), the examiner will be able to take advantage of
the power of the REAL SQL database.

MySQL Setup

If the examiner has access to a MySQL database, then MacForensicsLab
allows for seamless integration. Select the MySQL tab (1). Then, by
filling out the form fields (2) and selecting the "Connect" button (3),
the examiner will be able to take advantage of the power of the
MySQL database.

The Examiners Tab

Select the Examiners Tab (1). The Examiners Tab is where an
examiner enters their identifiable information. By default, there is a
"Default" examiner (2). To add an examiner, select the "+" radio
button (3) and a pop-up window will appear.

Configuring Examiner Specific Data

The pop-up window allows the examiner to enter specific information
by filling out the form fields (1). It should be noted that these fields
can be changed at any time by selecting the "Edit" button from within
the Examiners tab. Likewise, it is important to note that none of these
fields are required.

Save the Form

Once the examiner specific form fields are filled out, select the "Save"
button, thus returning the examiner to the Preferences Window.

Confirm the Correct User

The user information entered will be reflected under the Examiners
Tab (1), which is where you will be automatically returned to upon
selecting "Save" in the previous step.

The Cases Tab

To add a case, select the "Cases" Tab (1) from the Preferences window
and select the "+" button (2). Once selected, a pop-up window will
appear.

Fill Out Case Details

The Case Details window has two sections, the Case ID (1) and the
Description (2). The Case ID represents a field where the examiner
would enter the case number. The Case Description field is a simple
text field enabling the examiner to input additional case information.

Complete Case Details Pop-up

Complete the Case Details pop-up window and select "Save."

Verify Case Information

Upon completing the previous step, the examiner is returned to the
Preferences Pane, wherein he/she can verify the correct case is
selected (1).

eMail Tab Setup

By selecting the eMail tab (1), filling out the form fields (2) and
testing the connection (3), the examiner is able to receive password
notification when MacForensicsLab has completed its current
process. Once configured, press "Continue" (4).

The Main Window

This section will describe the layout and functionality of
MacForensicsLab's Main Window.

Overview
The ‘Main’ window is the starting point after accessing a case and
provides the examiner with a detailed view of the system, any devices
or disk images attached to it and their directory and file structure. It is
from the ‘Main’ window that the examiner will gain full access to the
wide array of functions and features that MacForensicsLab provides,
each of which will be covered in subsequent chapters of this manual.

When working with the ‘Main’ window, the examiner should maximize
the view of the window either by clicking the green maximize button at
the top left of the window, or by using the resize handle at the bottom
right. Maximizing the window will lessen the need to scroll up and
down the various panels.

The Main Window Layout

There are 3 key sections to the layout of the ‘Main’ window:

-The ‘Access’ panels (Devices and Files),
-The ‘Explorer’ panel,
-The ‘Buttons’ panel.

The Access Panel - Devices Tab

In the Main Window, there are two buttons: "Devices" (1) and
"Files" (2). As depicted above, the Device button lists all devices (with
their respective partitions and volumes) attached to the machine in the
leftmost pane (3). When a device is selected the corresponding device
details appear in the Explorer portion of the window (4).

The following information is specified:

Display Name – The volume title
Mounted – Status (true or false)
Leaf
Writable – Write Status (yes or no)
Partition ID
Preferred Block Size
BSD Major & Minor
BSD Name – Mount point
Size – in bytes
Content & Content Hint – Format type and hint
Removable & Ejectable – Status (yes or no)
BSD Unit
Whole
Drive Title – manufacturer’s model number
Serial – manufacturer’s serial number
Used - The amount of drive space used
Available - The amount of drive space currently available
Percentage - The percentage of drive space used

The Access Panel - Files Tab

When the Files Tab (1) is selected, the leftmost portion of the window
lists shortcuts (2) to volumes and user folders, with the Explorer
portion of the window (3) allowing for viewing of the directory
structure and individual files, along with their corresponding
information (such as date/times, permissions, etc.).

The following information is specified:

File Name - full filename with extension.
File Size - in bytes, whilst folders display the total items inside them
within brackets - hidden files are included.
Mac Creator Code - the OS creator application code.
Mac Type - the OS file type.
Header - the first 32 characters of the file.
CRC - the Cyclic Redundancy Check checksum value of the ‘Header’.
File Reference - starting block number for the file.
User ID - OS user id for file owner permission.
Group ID - OS group id for file access permission.
Finder Flags - OS finder settings.
Permissions - OS permissions for read, write and execution of file.
Creation Date - Date when file/folder was created.
Modification Date - Date when file/folder was modified.

Each column can be sorted in both directions by clicking the column
header.

The Buttons Panel

The ‘Buttons’ panel provides the examiner with access to selected core
functions of MacForensicsLab.
Each button in turn will be highlighted and accessible, or grayed out
and disabled, dependent on the item selected by the examiner in
either of the ‘Access’ panels. The current system information is
displayed along the bottom of the Buttons panel.

The Acquire Function

This section will discuss the acquisition capabilities of MacForensicsLab.

Overview

MacForensicsLab can work with original devices and media, as well as
disk image copies of these same data sources. Using the ‘Acquire’
function ensures that the evidential integrity of the suspect drive is
protected, by allowing the examiner to create a disk image for analysis
and investigation, rather than having to work with the suspect drive.

In performing the acquisition scan, ‘Acquire’ benefits from a number of
features. These include checksum hashing for validation, the ability to
create a separate golden master, the ability to create a smeared image
in an environment where a volume cannot be unmounted,
segmentation for ease of backup to alternative media, and proprietary
fault-tolerant bad block recovery to work around faults, thus allowing
the examiner to create disk images from damaged media or to resume
a previous acquire attempt that failed due to faulty media and/or
electrical shortages.

Creating a Disk Image


When creating a disk image, the examiner can do so directly from
either a partition or device, although it is recommended that copies be
made of an entire device rather than of individual partitions.

Having selected the respective device or partition from the ‘Device’
panel, the examiner must press the Acquire button, bringing the
function window to the fore.

In performing an acquisition the examiner can set a number of
options:

Segment Size - This refers to the amount of data on each acquired
image, thus allowing the examiner to separate his or her acquisition
into multiple images. Each segment can then be limited to a specific
data size, thus allowing for easier backup, for example, if the examiner
plans to burn the image to a set of DVDs. To do so the examiner need
only select the “4.36 GB (DVD-R/DVD+R)” option from the popup list.

Packet Size – Refers to data intervals at which MacForensicsLab will
perform a checksum validation on the data being written to the
acquisition image. A lower setting means many more checksum
verifications are performed, thus improving overall data integrity but
reducing the overall speed of the acquisition.

Smeared Image – Allows the examiner to generate an image from a
drive that cannot, or that he or she may not wish to, be unmounted.
This would apply, for example, when the examiner wishes to acquire
the main volume on an operational file server that cannot be taken
offline, to avoid alerting users to the actions of the examiner.

Golden Master - In addition to the working copy, this option allows
the examiner to save an extra disk image copy for other purposes.
When the Golden Master option is selected, the user will be prompted
to choose a save location twice before the acquisition is made: once
to select a location for the disk image, and a second time to choose
the location for the golden master. This allows the user to save the
golden master to a different location than that of the working image.

Resume – Provides the examiner with the option to continue on from
a previous acquisition, if, for whatever reason, the prior acquisition
process was interrupted. This means that the ‘Open’ dialog window
rather than the ‘Save’ dialog window will appear when the acquisition
is initiated.

Having made the desired changes to the presets, click the Start button
to begin the acquisition process. This will bring up a ‘Save file’ dialog
box, if creating the image rather than resuming, and the examiner will
be prompted to enter a filename for the disk image. By default the file
name appears as “Disk Image”; select and edit this to a preferred
name and then choose a location into which to save the disk image.
Then click Save and the process will begin.

Note: Always be sure to save the disk image to a location other than
that which one is creating an image of. Also, make sure that the
device one is saving the new disk image to has enough storage space.
The acquisition of a 60GB hard drive will require the destination disk to
have a minimum of 60GB of free capacity.

Unless the “Create a Smeared Image” option has been selected,
MacForensicsLab will first attempt to unmount the selected volume or
volumes of the selected device. A status bar then marks the progress
of the acquisition, along with a variety of other information. This
information includes: checksum mismatch total; total bad blocks; total
data remaining to be copied; total data copied; total capacity;
approximate current data transfer rate; and total time remaining till
acquisition completed.

During the process of acquisition a DAT file is created in the same
location as the image file, and contains checksum data for the disk
image. It is a small file and takes up less than 25 KB of space and is
deleted after the acquisition process is complete.

Once completed, a dialog window will notify the examiner of such and
will provide them with an error count. The examiner should simply
take note of this and then close the said dialog box by clicking Close,
returning to the ‘Main’ window. The disk image can then be found in
the previously specified location. By default the disk image file/
segments will be locked, thus avoiding the opportunity to further
modify or to delete it/them.
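The segmenting, per-packet checksum validation and resume behaviour described above, as an added illustration that is not MacForensicsLab code: it does not reproduce the application's image or DAT file formats, the sidecar layout (one SHA-256 digest per packet, one per line) and the `stop_after` interruption switch are this example's own assumptions, and the "suspect device" is a constructed in-memory byte string so it runs offline.

```python
"""Segmented acquisition with per-packet checksums and resume support."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

SIDECAR = "checksums.dat"  # assumed name; stands in for the DAT file


def segment_path(dest_dir: str, seg_no: int) -> str:
    """Segments are numbered so they can be reassembled in order."""
    return os.path.join(dest_dir, f"image.{seg_no:03d}.dd")


def verified_digests(dest_dir: str, packet_size: int, per_seg: int) -> List[str]:
    """Leading sidecar digests whose on-disk packets still re-hash correctly.

    A resumed run restarts at the first missing or mismatching packet, so
    nothing written before an interruption is trusted without re-hashing.
    """
    sidecar = os.path.join(dest_dir, SIDECAR)
    if not os.path.exists(sidecar):
        return []
    with open(sidecar) as f:
        digests = [ln.strip() for ln in f if ln.strip()]
    good: List[str] = []
    for idx, expected in enumerate(digests):
        seg_no, slot = divmod(idx, per_seg)
        seg = segment_path(dest_dir, seg_no)
        if not os.path.exists(seg):
            break
        with open(seg, "rb") as f:
            f.seek(slot * packet_size)
            chunk = f.read(packet_size)
        if not chunk or hashlib.sha256(chunk).hexdigest() != expected:
            break
        good.append(expected)
    return good


def acquire(source: bytes, dest_dir: str, segment_size: int, packet_size: int,
            resume: bool = False, stop_after: Optional[int] = None) -> Dict[str, object]:
    """Copy source into segment files, hashing and read-back checking each packet.

    stop_after exists only so the example can simulate an interrupted run.
    """
    if segment_size % packet_size:
        raise ValueError("segment size must be a multiple of packet size")
    per_seg = segment_size // packet_size
    total = (len(source) + packet_size - 1) // packet_size
    kept = verified_digests(dest_dir, packet_size, per_seg) if resume else []
    start, written, mismatches = len(kept), 0, 0
    with open(os.path.join(dest_dir, SIDECAR), "w") as side:
        side.write("".join(d + "\n" for d in kept))
        for idx in range(start, total):
            if stop_after is not None and idx >= stop_after:
                break  # simulated power loss
            chunk = source[idx * packet_size:(idx + 1) * packet_size]
            seg_no, slot = divmod(idx, per_seg)
            seg = segment_path(dest_dir, seg_no)
            with open(seg, "r+b" if os.path.exists(seg) else "w+b") as f:
                f.seek(slot * packet_size)
                f.write(chunk)
                f.flush()
                f.seek(slot * packet_size)
                readback = f.read(len(chunk))
            digest = hashlib.sha256(chunk).hexdigest()
            if hashlib.sha256(readback).hexdigest() != digest:
                mismatches += 1  # counted, like the status window's mismatch total
            side.write(digest + "\n")
            side.flush()
            written += 1
    complete = start + written == total
    return {"resumed_from": start, "packets_written": written,
            "mismatches": mismatches, "complete": complete,
            "image_sha256": image_sha256(dest_dir) if complete else None}


def image_sha256(dest_dir: str) -> str:
    """Hash the segments in order, i.e. the reassembled whole image."""
    h = hashlib.sha256()
    for name in sorted(n for n in os.listdir(dest_dir) if n.endswith(".dd")):
        with open(os.path.join(dest_dir, name), "rb") as f:
            h.update(f.read())
    return h.hexdigest()


def demo() -> Dict[str, object]:
    """Interrupt an acquisition after 5 packets, then resume and verify it."""
    source = bytes(range(256)) * 40  # constructed 10 KiB "device"
    dest = tempfile.mkdtemp()
    first = acquire(source, dest, segment_size=4096, packet_size=512, stop_after=5)
    second = acquire(source, dest, segment_size=4096, packet_size=512, resume=True)
    return {"first": first, "second": second,
            "source_sha256": hashlib.sha256(source).hexdigest(),
            "segments": len([n for n in os.listdir(dest) if n.endswith(".dd")])}


if __name__ == "__main__":
    print(demo())
```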

Attaching Disk Images


Once an image file or segment has been created, the examiner will
want to prepare it for analysis. In order to do this the examiner must
attach the disk image and mount it in the Finder.

To access the disk image, while in the ‘Main’ window, select “Attach
Disk Image” from the File menu, or use the keyboard shortcut
[Command] + [T]; the Attach Disk Image dialog box will appear. Click
the Select button to choose the disk image to mount. There are two
options listed for attaching the image.

Use Shadow File – This option will mount the disk image using a
shadow file which emulates the disk being writable without actually
writing to the disk image itself.

Ignore Permissions – This option turns on the feature in the Finder
that maintains all disk permissions but ignores them, giving you access
to any user files on all parts of the image.

Once you have selected the desired disk image and options, click the
Attach button.

Using this method avoids the need to unlock and lock the image file
from the Finder. After mounting disk images, the examiner may need
to force MacForensicsLab to rescan for new devices or images; this can
be done either by selecting “Rescan Bus” from the file menu, or with
the keyboard shortcut [Command] + [R].

It should be noted that if the examiner is using anti-virus software, it
may be configured to scan all newly attached disks; this includes disk
images as they are brought into MacForensicsLab. This process will
slow the mounting of the image.

To detach a disk image after analysis, select the item from the ‘Device’
panel in the ‘Main’ window, followed by “Detach” from the File menu.
Alternatively, select the disk image in the main window and use the
keyboard shortcut [Command] + [D].

The Search Function

This section will discuss the search functionality of MacForensicsLab.

Overview
The ‘Search’ function of MacForensicsLab provides the examiner with
an automatic means by which to scan a directory, gather evidence and
bookmark that same data for later reference. This helps the examiner
to quickly and easily zero in on suspect material. In performing the
function, MacForensicsLab creates bookmarks of the selected directory
structure, collecting all of the file information and hash values as it
scans.

The Search Window Layout

The ‘Search’ window can be split into 5 core portions:

(1) -Search Filter
(2) -Search Terms
(3) -Browse Results
(4) -Bookmarks
(5) -Hash Keys

Search Filter Panel

The ‘Search Filter’ panel is the part of the ‘Search’ window within
which the examiner may establish criteria by which to filter the results
of the search scan. Filters are based on standard file information, such
as, but not limited to: filename; size; date of creation.

Search Terms Panel

The ‘Search Terms’ panel is the portion of the ‘Search’ window within
which the examiner can manage specific lookup terms. These can be
either HEX or ASCII terms for pattern matching within the files being
scanned. The examiner may also quickly and easily select either of
two check boxes to search for standard credit card and social security
number formats respectively as well as being able to import large
databases of terms.

Browse Results

It is now possible to open the results of a searching procedure directly
into a browse window, making it easier to manually review the results
and to perform some manual bookmarking procedures to better
identify potential evidence for future reference. Additionally, the
results of the Search can be further analyzed by applying
MacForensicsLab’s built-in Skin Tone analyzer directly to them.

Bookmarks Panel

When performing a search scan the examiner can use the options
contained within the ‘Bookmarks’ panel to auto-generate bookmarks of
matched items, and make them available for easy reference at a later
date. The text area below the folder drop down is designed for
comments or a description pertaining to your customized bookmarks
folder.

Hash Panel

The ‘Hash’ panel allows the examiner to define the auto-hashing
options for a search scan. Options include adding the hashed file
values to the internal database (MacForensicsLab uses the industry
standard NSRL format), as well as the ability to export these to an
external log file.

Using Custom Search Terms and Filters

In order to zero in on areas of particular interest, Positive and Negative
filters can be applied using custom checksum databases or those
provided by the National Software Reference Library.

Available ‘Search Filters’ include all those in the Log File
Format Fields:

-Name
-Creation Date
-Modification Date
-Header
-CRC
-MD5
-SHA1
-SHA256
-Data Size
-Resource Size
-Owner
-Mac Creator
-Mac Type
-Absolute Path
-UID
-GUID
-Permissions

Each of these filter types can be applied against the following
operators:

-Is Equal To
-Is Not Equal To
-Contains
-Does Not Contain
-Is Less Than
-Is Greater Than
-Is in database
-Is not in database

Quick Tip: Foreign Languages

MacForensicsLab has the ability to handle filtering based on foreign
multi-byte character sets such as Russian, Arabic and Chinese, not just
English.
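How the filter fields and operators listed above combine, including the database-backed "Is in database" / "Is not in database" operators used for positive and negative hash filtering, as an added example that is not MacForensicsLab code: the evaluator, the file records, the two small hash sets (a real NSRL set is far larger) and the Cyrillic file name used to exercise the multi-byte matching from the Quick Tip are all constructed for this example.

```python
"""Evaluating stacked Search Filters against file records."""
import hashlib
from datetime import datetime
from typing import Any, Callable, Dict, List, Set, Tuple

Record = Dict[str, Any]
Filter = Tuple[str, str, Any]  # (field, operator, value or hash set)

# Operator names follow the manual's list; semantics are this example's.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Is Equal To": lambda v, x: v == x,
    "Is Not Equal To": lambda v, x: v != x,
    "Contains": lambda v, x: str(x).casefold() in str(v).casefold(),
    "Does Not Contain": lambda v, x: str(x).casefold() not in str(v).casefold(),
    "Is Less Than": lambda v, x: v < x,
    "Is Greater Than": lambda v, x: v > x,
    "Is in database": lambda v, db: str(v).lower() in db,
    "Is not in database": lambda v, db: str(v).lower() not in db,
}


def matches(record: Record, filters: List[Filter]) -> bool:
    """Every filter row must hold (rows are ANDed)."""
    return all(OPERATORS[op](record[field], value) for field, op, value in filters)


def apply_filters(records: List[Record], filters: List[Filter]) -> List[str]:
    """Names of the records that pass every filter, in scan order."""
    return [r["Name"] for r in records if matches(r, filters)]


def md5_of(text: str) -> str:
    """Constructed content stands in for real file bodies."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed records using the Log File Format field names from the manual.
RECORDS: List[Record] = [
    {"Name": "kernel", "Absolute Path": "/mach_kernel", "Data Size": 4_000_000,
     "MD5": md5_of("os-file-1"), "Modification Date": datetime(2009, 8, 1)},
    {"Name": "Отчёт.doc", "Absolute Path": "/Users/x/Documents/Отчёт.doc",
     "Data Size": 120_000, "MD5": md5_of("doc-1"),
     "Modification Date": datetime(2010, 3, 5)},
    {"Name": "tool.app", "Absolute Path": "/Users/x/Downloads/tool.app",
     "Data Size": 500_000, "MD5": md5_of("bad-1"),
     "Modification Date": datetime(2010, 4, 2)},
    {"Name": "notes.txt", "Absolute Path": "/Users/x/notes.txt",
     "Data Size": 2_000, "MD5": md5_of("note"),
     "Modification Date": datetime(2008, 1, 9)},
]

# Negative-filter source: known-good hashes (stand-in for an NSRL set).
KNOWN_GOOD: Set[str] = {md5_of("os-file-1")}
# Positive-filter source: a custom checksum database of files of interest.
KNOWN_BAD: Set[str] = {md5_of("bad-1")}


def unknown_files(records: List[Record]) -> List[str]:
    """Negative filter: drop everything the known-good set accounts for."""
    return apply_filters(records, [("MD5", "Is not in database", KNOWN_GOOD)])


def flagged_files(records: List[Record]) -> List[str]:
    """Positive filter: keep only hashes present in the custom database."""
    return apply_filters(records, [("MD5", "Is in database", KNOWN_BAD)])


def large_unknown_recent(records: List[Record]) -> List[str]:
    """Stacked rows: unknown hash, over 100 KB, modified after 2010-01-01."""
    return apply_filters(records, [
        ("MD5", "Is not in database", KNOWN_GOOD),
        ("Data Size", "Is Greater Than", 100_000),
        ("Modification Date", "Is Greater Than", datetime(2010, 1, 1)),
    ])


def cyrillic_name_matches(records: List[Record]) -> List[str]:
    """Multi-byte 'Contains' match, case-insensitive via casefold()."""
    return apply_filters(records, [("Name", "Contains", "отчёт")])


if __name__ == "__main__":
    print(unknown_files(RECORDS))
    print(flagged_files(RECORDS))
    print(large_unknown_recent(RECORDS))
    print(cyrillic_name_matches(RECORDS))
```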

Adding & Removing Search Filters & Items

Clicking the (+) button underneath the desired pane will create a new
filter/item at the bottom of the current list, after which the examiner
can manually edit the filter/item details. To remove an individual filter,
select the respective item and then press the (-) button. Clearing an
entire list is equally simple; just click the (clear) button under the
desired panel. This will, without warning, remove all the items from
the list.

Importing A Custom ‘Search Item’ Database

To import a custom checksum database, simply click the Import button
at the bottom of the ‘Search Items’ panel. This will bring up an open
file dialog box from which the examiner can locate and select the
required file. Upon import the information in the database file will
populate the ‘Items’ pane.

Searching for Credit Card and Social Security Numbers


In order to ensure that all files containing either credit card or social
security numbers are searched and possibly bookmarked, the examiner
must select either or both of the respective checkboxes in the ‘Search
Items’ panel.

Auto-Bookmarking Files

When scanning directories, the search function can be used to
auto-generate bookmarks for reference at a later time in the
investigation.

To add the items as bookmarks to a respective group, the examiner
must select the “Bookmark” checkbox in the ‘Bookmarks’ panel and
then select a bookmark group from the drop down menu. If a new
group is required, the examiner should create it through the Bookmarks
menu (please refer to the chapter on Bookmarks for more detail).

Performing The Search Operation

Having selected the partition or directory structure for searching,
clicked the Search button in the ‘Main’ window, bringing the ‘Search’
window to the fore, and having set up the window with the desired
‘Search Items’, ‘Search Filters’, bookmarking and hashing options, the
examiner should be ready to perform the search operation. To initiate
the process, he or she should click the highlighted Search button on
the bottom right of the ‘Search’ window. If the hash export checkbox
has been selected, the examiner will be prompted to define a file name
and save location for the exported hash text file before the scan
proceeds.

Once the process of scanning and searching the items found has
completed, the examiner will be prompted with a screen advising
them as such, which once closed will take him or her back to the ‘Main’
window.

The Analyze Function

This section will discuss the Analyze Function within MacForensicsLab.

Overview
There will come a point in the case when an examiner may wish to
analyze the file data block-by-block; the ‘Analyze’ function enables
that to be done. Once analysis has been performed and evidence
located, the examiner can then export and/or hash the requisite
section of the drive to file for safekeeping and later use or further
analysis.

The Analyze Window Layout

The analysis window can be split into 4 core sections:

(1) - ‘Hex Content’ pane
(2) - ‘Search Items’ pane
(3) - ‘Found’ pane
(4) - ‘Carve’ pane

The Hex Content Pane

The ‘Hex Content’ pane is the right-hand side of the ‘Analyze’ window
and is where the examiner can read block data piece by piece in ‘Hex’
mode. In MacForensicsLab 3.0, this area has been expanded to display
a block at a time with the default view being ASCII.

Search Items Pane

The ‘Search Items’ pane contains a number of elements that are of use
to the examiner:

Search Fields Pane – This is the first element in the Search Items
Pane, which contains the working list of search terms (or filters) with
which to analyze the data blocks. This is split into 2 columns: type
and value. Type refers to whether the string should be pattern
matched against the HEX content or the text (ASCII) content of the
blocks. Value refers to the content of the string that is going to be
pattern matched against blocks in that format, usually a word.

As previously mentioned, MacForensicsLab has the ability to handle
foreign language multi-byte character sets such as those used in
Russian, Arabic and East Asian languages when searching. The number
of characters in a search term can be up to 128. The number of search
keywords is 128 as well.

Search Fields Management Buttons – Below the ‘Search Fields’ pane
are buttons to manage the search fields in that pane.

-Clear: to clear all of the search fields in the window above
-Import: to bring up a dialog box and import a search terms database
file
-Plus (+): to manually add individual search fields
-Minus (-): to individually delete each selected search field

Quick Tip: Saving Search Fields

The ‘Search Fields’ in the ‘Analyze’ window are retained from one
investigative session to the next.

Found Pane

The ‘Found’ pane permits the examiner to access very quickly and
easily any of the hits that are generated as a result of the terms used
in the search. To view a specific block entry in the ‘Hex Content’ pane,
click on the individual result item and the block data will load into the
Hex viewer in the main panel.

Search File Data
When investigating files with the ‘Analyze’ window it is possible for the
examiner to search for strings within the blocks of data that make up
the file.

Individual Search Terms

To do so, the examiner must click the (+) button below the ‘Search
Items’ pane; this will add a new field. After this, the examiner should
define the search term type (text or hex) by clicking the up/down
arrows in the centre of the search term row, followed by typing in a
unique search term string in the text entry field to the right hand side
of the arrows.

This can be repeated multiple times, building up as complex a filter
mechanism as required. If items are added in error, the examiner can
easily remove them by selecting each one in turn and then clicking the
(-) button located under the ‘Search Items’ pane. When ready, the
examiner can proceed by clicking Search. While processing the data,
the examiner will see a progress bar, and upon completion of the
search the results will appear in the ‘Found’ pane.

Importing Custom Search Lists

Though an examiner might find it useful to create search terms in an
ad hoc manner, as discoveries in the investigation necessitate, at
some point he or she will want a more in-depth search, based on
hundreds, if not thousands, of search terms. The best way to achieve
this is to import custom search lists.

Custom search lists are essentially ‘CSV Text’ files with each individual
search term on a new line. Custom search lists are also a great way to
keep a database of useful terms, and mean that running a productive
analysis or cataloguing pass on a suspect device is no more than a few
clicks away from getting started.

To import a list, click on the Import button to the middle of the ‘Search
Items’ drawer. This will bring up a ‘Find File’ dialog box. Once the
examiner has found the file, click ‘Open’.

Each individual line item will then appear as an individual term in the
‘Search Items’ pane. The examiner then has to define whether each
term is in Text or HEX format, though they are all imported as ASCII
Text format content by default.

Credit Card and Social Security Number Search

By selecting the respective checkboxes below the ‘Search Items’ pane
it is possible for the examiner to get MacForensicsLab to look for and
find credit card and social security numbers during the search process.

Performing the Search

Once the search items have been defined in the ‘Search Items’ pane,
either individually or by import, and when the other settings have
been defined, the examiner need only click the now enabled Search
button to perform the search. Once the scan is complete the results
will appear in the ‘Found’ pane. Clicking on any hit displayed in the
‘Found’ pane will display the location of that hit in the ‘Hex Content’
pane and highlight it. The block number it is found in will be displayed
at the bottom of the ‘Hex Content’ pane in the Block Number field.
The start and length of the hit will also be populated in the Carve
section.

Examining Results of a Search

Once the search has completed (1), the resulting hits are displayed in
the ‘Found’ section of the Analyze window. The user may examine
these hits by clicking on them (2) and the hit location will be displayed
in the ‘Hex Content’ section of the window (3). When clicked, the
search hit will turn red and a check mark will appear next to it. This
allows the examiner to see which results they have reviewed and
which ones they have yet to review, saving them time by making sure
they don’t re-examine search hits.

Carving Data

When the examiner is ready to export the block-set being analyzed, he
or she can do so very easily by clicking the "Carve" button. Doing so
will then invoke the ‘Save’ window, bringing it to the fore.

The examiner may use the Start and Length fields to define the starting
byte and the number of bytes after it to be carved out. These values
can be changed by either entering the desired number in the Start and
Length fields or by pressing the up and down arrows to the right of
those fields. Clicking the Locked boxes to the right of these fields will
lock the field to prevent it from being changed.

It is advisable to rename the default export filename and to apply a
suffix to the name so that Mac OS or any other operating system can
more easily recognize the expected file type and open it with the
appropriate application.

Upon completion a message will pop to the fore and the user can
simply close this and continue on with the investigation.
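To show concretely what the Analyze search and the Carve fields do (text and hex terms, a one-term-per-line custom search list, the credit card and social security number checks, and a start/length carve), here is an added Python example that is not MacForensicsLab code. The 512-byte block size, the three-block sample image, the Luhn test and the SSN pattern are assumptions of the example, not documented behaviour of the tool.

```python
import re
from dataclasses import dataclass

BLOCK_SIZE = 512   # assumed; hits are reported by block number and absolute offset


@dataclass
class Hit:
    term: str       # the search term (or "credit-card" / "ssn")
    block: int      # block number the hit starts in
    start: int      # absolute byte offset, as shown in the Carve 'Start' field
    length: int     # bytes matched, as shown in the Carve 'Length' field


def parse_search_list(csv_text: str):
    """A custom search list: one term per line, every term imported as text type."""
    return [("text", line.strip()) for line in csv_text.splitlines() if line.strip()]


def term_bytes(kind: str, value: str) -> bytes:
    """Hex terms are byte patterns ('FF D8 FF'); text terms are UTF-8, so
    multi-byte scripts such as Cyrillic or Arabic are matched byte-exactly."""
    return bytes.fromhex(value) if kind == "hex" else value.encode("utf-8")


def search_blocks(data: bytes, terms, block_size: int = BLOCK_SIZE):
    """Find every occurrence of every term; the whole buffer is searched so a
    term straddling a block boundary is still found."""
    hits = []
    for kind, value in terms:
        needle = term_bytes(kind, value)
        pos = data.find(needle)
        while pos != -1:
            hits.append(Hit(value, pos // block_size, pos, len(needle)))
            pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.start)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def find_pii(data: bytes, block_size: int = BLOCK_SIZE):
    """What the credit card / social security number checkboxes add to a search."""
    hits = []
    for m in CC_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append(Hit("credit-card", m.start() // block_size, m.start(), len(m.group())))
    for m in SSN_RE.finditer(data):
        hits.append(Hit("ssn", m.start() // block_size, m.start(), len(m.group())))
    return sorted(hits, key=lambda h: h.start)


def carve(data: bytes, start: int, length: int) -> bytes:
    """Export 'length' bytes from 'start', as the Carve button does with its two fields."""
    if start < 0 or length <= 0 or start + length > len(data):
        raise ValueError("carve range lies outside the data")
    return data[start:start + length]


# --- constructed three-block file image ------------------------------------------
_b0 = b"account notes: card 4111 1111 1111 1111, not 1234 5678 9012 3456\n"
_b1 = "\u043f\u0430\u0440\u043e\u043b\u044c: hunter2\n".encode("utf-8")   # Russian 'password'
_b2 = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"SSN 123-45-6789\n"
SAMPLE_IMAGE = b"".join(b.ljust(BLOCK_SIZE, b"\x00") for b in (_b0, _b1, _b2))


if __name__ == "__main__":
    for h in search_blocks(SAMPLE_IMAGE, [("text", "\u043f\u0430\u0440\u043e\u043b\u044c"),
                                          ("hex", "FF D8 FF")]) + find_pii(SAMPLE_IMAGE):
        print(h)
    print(carve(SAMPLE_IMAGE, 1048, 11))
```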

The Salvage Function

This section discusses the Salvage function contained within
MacForensicsLab.

Overview
MacForensicsLab’s ‘Salvage’ function will search a device, volume, or
folder and list all the recoverable files held within it, whether erased or
not, and then recover the pre-selected files to a selected destination
folder. When salvaging a device, MacForensicsLab scans through the
entire media to find as many recoverable files as possible; it can
likewise scan through a single directory structure.

The Salvage Window

The Salvage window is divided into upper and lower sections. The
upper section is responsible for the settings Salvage will invoke upon
starting. These settings include "Supported File Formats," "Import a
Prior Scan," and "Start a New Scan". The Supported File Formats
section allows the examiner to select specific file types or groups of file
types (i.e., all music files, image files and so on), as well as selecting
all file formats (the default). In addition, these settings can be further
defined to search Free Space Only (Deleted Files) or the Entire Device
(All Files). Options for speed can also be selected by choosing either
Fast Scan (Block by Block) or Slow Scan (Byte by Byte).
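An added example, not MacForensicsLab code, of the two Salvage choices just described: scanning the entire device or only free space, and checking for file headers block by block (fast) or at every byte (slow). The disk image, the allocation map and the signature table are constructed; the tool's own signature list and block size are not documented here.

```python
from dataclasses import dataclass

BLOCK_SIZE = 512   # assumed block size for the constructed image

# (header, footer) signatures for a few file types; constructed, not the tool's list.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class Recovered:
    kind: str
    start: int      # byte offset of the header in the image
    length: int     # bytes carved (header .. footer, or max_size if no footer)
    data: bytes


def candidate_offsets(image: bytes, head: bytes, fast: bool, block_size: int):
    """Fast scan looks for the header only at block boundaries; slow scan at every byte."""
    if fast:
        return [o for o in range(0, len(image), block_size) if image.startswith(head, o)]
    offsets, pos = [], image.find(head)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(head, pos + 1)
    return offsets


def salvage(image: bytes, fast: bool = True, free_space_only: bool = False,
            allocated_blocks=frozenset(), block_size: int = BLOCK_SIZE,
            max_size: int = 64 * 1024):
    """Return every recoverable file found by signature, sorted by offset.
    free_space_only skips blocks the (constructed) allocation map marks as in use,
    which is what restricts a scan to deleted files."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for off in candidate_offsets(image, head, fast, block_size):
            if free_space_only and off // block_size in allocated_blocks:
                continue                                  # live file, not 'deleted'
            end = image.find(tail, off + len(head), off + max_size)
            length = min(max_size, len(image) - off) if end == -1 else end + len(tail) - off
            found.append(Recovered(kind, off, length, image[off:off + length]))
    return sorted(found, key=lambda r: r.start)


# --- constructed disk image: three 512-byte blocks ---------------------------------
def _jpeg(payload: bytes) -> bytes:
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"


def _png(payload: bytes) -> bytes:
    return b"\x89PNG\r\n\x1a\n" + payload + b"IEND\xaeB`\x82"


SAMPLE_IMAGE = b"".join([
    _jpeg(b"live photo").ljust(BLOCK_SIZE, b"\x00"),                  # block 0: allocated
    _jpeg(b"deleted photo").ljust(BLOCK_SIZE, b"\x00"),               # block 1: free space
    (b"\x00" * 100 + _png(b"unaligned")).ljust(BLOCK_SIZE, b"\x00"),  # block 2: header mid-block
])
ALLOCATED_BLOCKS = frozenset({0})   # constructed allocation map: only block 0 is in use


if __name__ == "__main__":
    for r in salvage(SAMPLE_IMAGE, fast=True):
        print("fast, entire device:", r.kind, r.start, r.length)
    for r in salvage(SAMPLE_IMAGE, fast=False, free_space_only=True,
                     allocated_blocks=ALLOCATED_BLOCKS):
        print("slow, free space only:", r.kind, r.start, r.length)
```

The fast scan misses the PNG whose header does not sit on a block boundary; the slow scan finds it, at the cost of testing every byte.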

The lower section will display a list of files, by type, that Salvage can
recover. Once a file is selected, a File Previewer application will open
and attempt to show the file in its native format. Once the files to be
Salvaged are determined, the "Salvage selected files" button is invoked.

Save the Scan

Once you have scanned for files that Salvage can recover, a window
appears asking if you'd like to save the results of the scan. If you are
not going to Salvage all files possible, it is a good idea to save the
results of the scan. This process will save time later if the examiner
needs to go back and Salvage additional files from the case.

Choose Destination

Once the examiner has opted to save the scan results, a pop-up
window appears asking for a destination for the scan results to be
saved; once entered, select "Save."

Examine Files by Type

As illustrated above, all possible files are divided by type and number.

File Previewer

Once a particular file is selected for review, the File Previewer
application is launched allowing the examiner to preview the file in
question.

Select Files for Salvage

Highlight the files to be Salvaged (holding down the Command key to
click and select multiple files at a time) and select the "Salvage
selected files" button.

Save Salvaged Files

Once the files for Salvage have been selected, a navigation box
appears allowing the examiner to select the location to which the
Salvaged files will be exported.

Filename Rebuilder

Once the files have been Salvaged, MacForensicsLab provides an
optional process to attempt to rename the files based on the metadata
contained within the files. If the examiner does not wish to do this,
simply select "Cancel" (1); conversely, by selecting "OK" (2),
MacForensicsLab will attempt to rebuild all file names.

Only some formats (such as JPEG, MP3, Word, etc.) will be renamed;
the rest will be named in number sequence.

Reviewing Salvaged Files

The Salvaged files are exported, by default, into a folder titled
"Salvage (day of the week) and (month/day/year)". Contained within
that folder are subfolders broken down by file type for easy review and
categorization.

The Browse Function

This section will describe the core functionality of the Browse function
of MacForensicsLab.

Overview
The ‘Browse’ window provides the examiner with an exceedingly quick
and easy way to search for files (primarily images and multimedia) in
directories, view the results found based on the preset search criteria,
bookmark, make notes and even perform closer analysis.

The Browse Window

The Browse window allows the examiner a range of variable options to
include in his/her search. These options include:

File Checks (1):
-File size (min-max range in kilobytes)

Image Checks:
-Image-only results (yes or no) (2)
-Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)

To invoke the Browse function, select the "Browse" (5) button at the
bottom of the window.
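An added example, not MacForensicsLab code, applying the Browse checks listed above to constructed candidate files: the kilobyte size range, the image-only switch, and the pixel ranges read from a PNG IHDR chunk or a JPEG SOF frame header. Both sample images are minimal constructed headers padded to a chosen size.

```python
import struct
from dataclasses import dataclass


@dataclass
class Candidate:
    name: str
    data: bytes


def image_dimensions(data: bytes):
    """(width, height) from a PNG IHDR chunk or the first JPEG SOF marker; None otherwise."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
                pos += 2                                   # standalone marker, no length field
                continue
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if pos + 9 > len(data):
                    break                                  # truncated frame header
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])   # SOFn layout
                return width, height
            pos += 2 + seg_len
    return None


def browse(candidates, size_kb=(0, float("inf")), images_only=False,
           width_px=(0, float("inf")), height_px=(0, float("inf"))):
    """Apply the Browse window's checks; returns (name, dimensions) for each kept file."""
    kept = []
    for c in candidates:
        kb = len(c.data) / 1024
        if not size_kb[0] <= kb <= size_kb[1]:
            continue
        dims = image_dimensions(c.data)
        if images_only:
            if dims is None:
                continue
            w, h = dims
            if not (width_px[0] <= w <= width_px[1] and height_px[0] <= h <= height_px[1]):
                continue
        kept.append((c.name, dims))
    return kept


# --- constructed candidate files ---------------------------------------------------
def _png(w: int, h: int, size: int) -> bytes:
    """Minimal PNG (signature + IHDR) padded to 'size' bytes."""
    ihdr = struct.pack(">II", w, h) + b"\x08\x02\x00\x00\x00"
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr).ljust(size, b"\x00")


def _jpeg(w: int, h: int, size: int) -> bytes:
    """Minimal JPEG (SOI, APP0/JFIF, SOF0 frame header) padded to 'size' bytes."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sof0 = (b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, h, w, 3)
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return (b"\xff\xd8" + app0 + sof0).ljust(size, b"\x00")


SAMPLE_FILES = [
    Candidate("scan.png", _png(640, 480, 3 * 1024)),
    Candidate("thumb.jpg", _jpeg(320, 240, 2 * 1024)),
    Candidate("icon.png", _png(32, 32, 600)),
    Candidate("readme.txt", b"plain text, not an image\n" * 100),
]


if __name__ == "__main__":
    print(browse(SAMPLE_FILES, size_kb=(1, 10), images_only=True,
                 width_px=(100, 2000), height_px=(100, 2000)))
```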

After clicking Browse, as MacForensicsLab scans the selected location
for matching files, a progress dialog will be displayed providing the
examiner with a status report. If the examiner needs to end the scan
prematurely, clicking the Cancel button under the progress bar will end
the scan and return to the ‘Main’ window. When the scan is complete,
a finish prompt will appear and a chime can be heard; upon clicking OK
the prompt will close and the ‘Browse’ window will come to the fore.

Reviewing the Results

Upon completion, the Browse window will display a thumbnail view of
all files meeting the aforementioned criteria set forth by the examiner.
When an image is selected, it is highlighted in red (as seen above) and
the metadata for that file appears on the right (1).

Bookmarking the Findings

Once the appropriate images are highlighted, the examiner can
bookmark the results by choosing "Bookmarks" from the Main window
or using the keyboard shortcut of Command + D. In the above
example, a bookmark labeled "images" (1) was created, with a note
"suspicious images" (2) to save the previously selected file.

Viewing Bookmark

The examiner can review the bookmark by navigating to the Bookmark
window by selecting "Bookmark -> Show All Bookmarks" from the
Main window.

The Audit Function

This section describes the Audit function of MacForensicsLab.

Overview
The Audit function enables the examiner to quickly and easily locate
relevant OS artifacts as they pertain to the system, the network and
the user.

Getting Started

To invoke the Audit function, the examiner must select "Files" (1) and
then the volume/partition (2) with a valid user folder contained within
it from the ‘Device’ pane of the ‘Main’ window. Furthermore, the
examiner must select the "Users" folder (3) for the ‘Audit’ button to
become enabled.

Invoking the Audit

Once the Audit button is enabled, the examiner can select a specific
user (1), or if the system has multiple users, he/she can check "Audit
all users" (2), then select the "Audit" button (3).

Locate Audit Results

The results of the Audit are stored in the MacForensicsLab database.
To access the database from the MacForensicsLab Main window, select
"Window -> Database" or use the keyboard shortcut of "Shift +
Command + D".

Review Audit Findings

To review the findings of the Audit, select a user, then scroll up or
down to view the results. The examiner can highlight findings of
interest and export them out to a file by selecting the "Export" button.

Generate a Report

Once the "Export" button is invoked, a dialog box appears allowing
the examiner to choose between an HTML or Plain Text report. Once
decided, select "OK."

Save Report

Select a location to save the Audit report.

View the Report

The report should have an MFL logo. The one shown below may be from
a previous beta.

Since an HTML report was selected in the example, a browser launches
showing the report. All items highlighted and exported are hyperlinked
under the "Table of Contents" located to the right.

Reviewing the Hyperlinks

The examiner can select any hyperlink and be taken directly to that
portion of the report.

The Hash Function

This section will describe the hash function contained within
MacForensicsLab.

Using the Hash Function

The Hash functionality is a new feature added in MacForensicsLab 3.0.
This button allows the examiner to quickly and easily create a hash of
any device or file by highlighting it (1) and invoking the "Hash" button
(2).

Reviewing the Hash

Once completed, the Hash window appears. The hash values are
displayed in two separate fields. The first shows the hash data
presented in a form for better human readability. The second field
shows the raw hash data. Both contain the same information, just
formatted differently for interoperability and readability.

Saving the Results

The results of the hash can be either saved out as a text file by
clicking the Export button or added directly to the hash database. To
export, simply select the formatting of the hash you would like to
export using the radio button, click "Export" and navigate to where the
file is to be saved. To add the hash data to the database, select the
database section from the drop down menu and click the “Add” button.

Bookmarks

This section will cover Bookmarks within MacForensicsLab.

Overview
MacForensicsLab uses bookmarks to assist the examiner in collecting
files of investigative interest. It is possible to bookmark files and
directories for reference and examination at a later time in the case.
Likewise, the examiner can bookmark any file or folder, or groups of
files. You cannot bookmark devices or specific blocks within a device.

Locating the Bookmarks

The bookmarks can be viewed and managed from the ‘Bookmarks’
window and are accessible at any time by selecting “Show All
Bookmarks …” from the Bookmarks menu, or by using the keyboard
shortcut "Command + Option + B”.

The Bookmark Window Layout

The ‘Bookmarks’ window is divided into 4 clear portions:

-The folders/groups pane (1)
-The folder note pane (2)
-The bookmark detail pane (3)
-The bookmark note pane (4)

The Folders Pane & Folder Note Pane

Bookmarks can be grouped together using folders. These are listed in
the Folders Pane (1). When individually selected, the notes for the
respective folder, in editable form, can be seen in the ‘Folder Notes’
pane, directly below (2), while the grouped bookmarks can be seen in
the ‘Bookmarks’ pane to the right (3).

The Bookmarks Pane & Bookmark Note Pane

Having selected an individual bookmark folder, the contents of the
folder will be displayed in the ‘Bookmarks’ pane (3). Each bookmark is
listed with: bookmark name, file path, file size and creation date.
Columns can of course be resized and sorted by the examiner simply
by clicking on the respective header or by dragging the column
separators to the desired size. Having selected a bookmark, the notes
for the bookmark item will be displayed, in editable form, in the
‘Bookmark Note’ pane (4).

Resizing Panes

In order to maximize viewing space the examiner can resize the
partitions between all four panes of the ‘Bookmarks’ window. To do
so, the examiner should click & drag the resize handle of the
respective separator, thus being able to minimize and maximize the
required viewing space for each pane.

Managing Bookmark Folders

Adding Bookmark Folders

Bookmark folders can be added in one of two ways. The first is to use
the ‘Add Bookmark Folder…’ window and the second is to do so from
the ‘Bookmarks’ window itself.

Via the ‘Add Bookmark Folder…’ Window

When working with the other functions in MacForensicsLab, it is
quickest and easiest to invoke the ‘Add Bookmark Folder…’ window
from the Bookmarks menu or use the keyboard shortcut "Command +
Shift + N".

If adding a new folder while creating a new bookmark, then simply
click the (+) button below the folder title option list in the ‘Add
Bookmark’ window.

Once the ‘Add Bookmark Folder…’ window comes to the fore, the
examiner need only enter the name of the new folder (1) into the
“Name” text input field, and click Save (3). If the examiner so wishes,
he or she can enter a note/summary into the “Summary” text field (2)
there and then, or do so at a later time from the ‘Bookmarks’ window.

Via the ‘Bookmarks’ Window

The second way to add bookmark folders is to bring the ‘Bookmarks’
window to the fore, after which the examiner must click the (+) button
under the ‘Bookmark Folders’ pane. This will generate a new folder
with an empty title in the pane above ready with the text cursor in the
entry field. Once the name is complete, the examiner can either press
Enter/Return or simply click out of the name entry field. To add a
summary, having created a new folder in this way, the examiner need
only select the new folder in the ‘Bookmark Folders’ pane and then
enter his or her summary for the selected folder into the ‘Folder Note’
pane below.

Amending Bookmark Folder Names

Should the examiner wish to amend the name of the bookmark folder,
he or she can do so from the ‘Bookmarks’ window by simply
double-clicking on the respective bookmark folder’s name in the
‘Bookmark Folders’ pane and making the edits accordingly, before
clicking out of the text entry field.

Removing Bookmark Folders

Removing bookmark folders, either collectively or individually, can be
done from the ‘Bookmarks’ window.

Clearing ALL Folders

To clear ALL folders, and lose the bookmarks contained within them,
the examiner must click the (clear) button under the ‘Bookmark
Folders’ pane, at which point MacForensicsLab will prompt him or her
to confirm the deletion - as it cannot be undone. Having clicked OK,
the examiner will be returned to the ‘Bookmarks’ window with a
cleared ‘Bookmark Folders’ pane.

Clearing Individual Folders

To remove folders individually, the examiner must select each item in
turn and click the (-) button beneath the ‘Bookmark Folders’ pane. As
before, there will be a prompt confirming the deletion and the
examiner need only click OK to follow through with the action.

Clearing Actions

Removing Bookmarks
Removing bookmarks, either collectively or individually, can be done
from the ‘Bookmarks’ window.

Clearing ALL Bookmarks

To clear ALL bookmarks from within a bookmark folder, the examiner
should select the desired bookmark folder in the ‘Bookmark Folders’
pane and then click the (clear) button under the ‘Bookmarks’ pane (1),
at which point MacForensicsLab will prompt him or her to confirm the
request to delete ALL bookmarks. Having clicked OK, the examiner will
be returned to the ‘Bookmarks’ window with a cleared ‘Bookmarks’
pane.

Clearing Individual Bookmarks

To remove bookmarks individually, the examiner must first select the
requisite bookmark folder and then, once the bookmarks load, select
each item in turn and click the (-) button underneath the ‘Bookmark’
pane (2). As before, there will be a prompt confirming the action and
the examiner need only click OK to follow through with the action.

Examiner Notes
Notes in MacForensicsLab

This section will describe the Note functionality contained within
MacForensicsLab.

Overview
Case Notes are an extremely useful function of MacForensicsLab that
allow the examiner to add comments and observations to their case
file at any point during the examination process. Whether browsing the
‘Main’ window or in the middle of a lengthy acquisition, the examiner
can open the ‘Notes’ tab of the ‘Database’ window, using either the
keyboard shortcut ("Command + N") or the ‘Window’ drop-down menu, and
make the desired entry, before returning to the prior screen when
finished.

Opening Notes

To access the Notes window at any time during the investigation, select
"Window -> Make Note" from the Main window.

Notes Window Layout

The Notes Window is divided into three sections:

-The Database Tab
-The Note Data Pane
-The Note Information Section

Adding and Removing Case Notes

To add a new note, the examiner need only click the (+) button at the
bottom right hand side of the upper ‘Notes Data’ pane. This will
generate a blank new entry, which the examiner needs to then select
and enter his or her notes into, using the lower ‘Note Entry’ pane.
Having completed the note, the examiner can then click the ‘Save’
button and close the ‘Database’ window and return to the previous
screen.

Editing Case Notes

When it is necessary to edit a case note, select the individual note in
the ‘Notes’ pane at the top of the window. Once the note itself has
loaded in the window below, the examiner is free to edit it at will.
Having finished any amendments, click out of the editor pane and the
new version of the note will be saved and changes logged.

Removing Case Notes

The examiner can remove individual notes, or clear the entire ‘Notes’
pane in one go. To remove an individual note detail the examiner
should select the note earmarked for removal and then click the (-)
button on the right-hand side below the ‘Notes’ pane. To remove all
the details in one go, the examiner should click the (Clear) button on
the right-hand side below the ‘Notes’ pane. In both instances, the
deletion will generate a warning prompt dialog, to which the examiner
must confirm his or her actions.

Refreshing the Notes Pane

When working in a centralized database environment, it is possible
that the ‘Notes’ pane may become out of sync with the listing in the
database. To bring it up to date the examiner needs to click the
Refresh button on the left-hand side below the ‘Notes’ pane. The time
stamp is in Greenwich Mean Time.

The MacForensicsLab Database

This section will cover the organization and layout of the
MacForensicsLab database.

Overview
Whichever database (local file, RealSQL server or MySQL server) is
enabled via the ‘Preferences’ window, detailed logs are kept of every
action and all points of interest to support the examiner in the
understanding and final presentation of their evidence. In the
‘Database’ window, the examiner has full access to comprehensive
details of what has been logged in the forensic examination to date.

Opening the Database

The MacForensicsLab database can be located, from the Main window,
by selecting "Window -> Database" or using the keyboard shortcut of
"Shift + Command + D".

The Database Window Layout

The ‘Database’ window can essentially be split into 2 parts:

The tab bar - consisting of the various database sections:

-Acquisition
-Analyze
-Audit
-Chronology
-Hash
-Notes
-Salvage

The viewing pane(s) - consisting of:

-Device information
-Date/time/description
-Data

Navigating through each individual database tab produces its own
unique layout. Each screen’s layout within the ‘Database’ window
varies between a single pane with a columnar list and a triple paned
layout with bookmarks and note/native viewer.

Viewing the Database Sections

The Views
As each tab is clicked in turn the database will be read, either locally
or centrally, and the contents loaded into the new window layout;
needless to say, the larger the dataset the longer the process of
fetching and loading the data will take to complete.

Accessible through the individual buttons of the tab bar in the
‘Database’ window are:

The Acquisition Log - lists the date and time of an acquisition
process, a description of it and the exact block details (offset, length,
hash sum etc).

The Analyze Log - keeps track of the details of searches performed,
as well as the results associated with them. Details logged include:
date and time, file location, results and the associated match and
offset.

The Audit Log - lists the date and time of an acquisition process, a
description of it and the specific OS artifact information generated, to
include folder creation date/times, network preferences, system
settings, user preferences, bookmarks, web caches, and much more.

The Chronology Log - lists all the events from the moment the case
reference is set up to the latest action performed in MacForensicsLab.
It lists the date and time of the actions, the name of the examiner, the
action performed (opening windows, pressing buttons etc) and the
data returned by the actions.

The Hash Database – provides a means by which the examiner can
import, manage and store hash values for use within the various
functions provided by MacForensicsLab.

The Notes Log - contains all the notes regarding the investigation as
inputted by various examiners. Notes are listed with examiner name,
date and initial number of characters, with the ability to view an entire
note, as well as manage and edit notes.

The Salvage Log - keeps track of the date and time of the salvage
process, the name of the examiner, the actions performed, and the
location and specific details of the files salvaged.

Sorting The Data

The examiner can sort by the available columns by clicking on the
respective column headers; once a column is highlighted and sorted
ascending, clicking its header again will sort it in reverse order.

Managing Records
Certain panes containing log data benefit from the availability of
management buttons. That is to say that an assortment of buttons
exist to:

-Refresh
-Clear
-Delete
-Add
-Edit

Where available, the examiner should use these buttons as in other function windows: to reload data into the respective pane, to remove or clear records (both of which generate a warning prompt requesting confirmation before records are deleted), and to add items or make amendments.

Reporting
Generating a Report

This section covers how to write a report using MacForensicsLab.

Opening Report Window

To open the Report window, from the MacForensicsLab Main window, select "File -> Write Report," or use the keyboard shortcut "Command+P."



Select Report Contents

The Report window consists of a series of checkboxes that are to be toggled on or off depending on the information the examiner wants to include in the report. Once the appropriate checkboxes are selected, select "Start."

Report Location

Once the report settings have been determined, a navigation box opens. This box enables the examiner to dictate where the report will be generated and saved.



Viewing the Report

Once the report is saved, a browser will open automatically showing the report. The report is divided into two sections, the navigation section on the left and the reported information on the right.

Keyboard Shortcuts
Keyboard Shortcuts

This section will list the keyboard shortcuts supported by MacForensicsLab.



Shortcuts
The following shortcuts are specific to the MacForensicsLab Application.

Command + Comma (,) - Open ‘Preference’ Window

Command + P - Write HTML report

Command + T - Attach Disk Image

Command + D - Detach Disk Image

Command + M - Mount Device

Command + R - Rescan available hardware buses

Command + U - Unmount Device

Option + Command + B - Show all bookmarks

Command + D - Add bookmark

Shift + Command + N - Make note

Shift + Command + D - Open ‘Database’ window

Command + B - Open ‘Disk Arbitration’ window

Command + T - Open terminal

Command + S - Save/Export a file

Getting Help and Technical Support
Getting Help and Technical Support

This section covers the various ways to obtain help and technical
support when using MacForensicsLab.



Finding Help within MacForensicsLab
Help can be found both via the small, context-sensitive information tips that appear when the examiner rolls the mouse over a window element, and via the standard Help menu at the top of the screen. Contextual tool tips cover buttons and other parts of MacForensicsLab that require some form of user interaction.

On the Web
We provide over 100 links to forensic resources, manuals, a complete
knowledge base and a plethora of additional information on our
website. For updates, resources and additional information please
visit:
http://www.MacForensicsLab.com

Technical Support
We provide free technical support via email or phone during the hours 10am to 6pm Pacific Standard Time (GMT -8), Monday to Friday. By email, we can be reached at the following address: support@macforensicslab.com. By phone, we can be reached at +1 (510) 870 7883, or by fax on +1 (510) 868 3407.

In addition to any support question(s), the examiner must include ALL of the following pieces of information:

-Valid registration number or purchase information.
-System configuration(s) - hard drive make, model etc.
-System OS version.

System related information can be found by using the "System Profiler" application in the /Applications/Utilities folder.

Comments and Questions

If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: info@macforensicslab.com

Company Address
MacForensicsLab Incorporated
37600 Central Ct, Suite 212
Newark, California 94560
http://www.MacForensicsLab.com

Uninstalling MacForensicsLab
Uninstalling MacForensicsLab

This section covers how a user can uninstall MacForensicsLab.

Using the Main Window

MacForensicsLab is a completely self-contained application and requires no special uninstaller. To uninstall MacForensicsLab, navigate to the directory in which it is currently installed, highlight the MacForensicsLab folder and either drag and drop it into the Trash or delete it using the Delete key.

Glossary
Glossary

This section is a Glossary of terms relevant to MacForensicsLab.

Glossary
Acquisition
The process through which an examiner can make duplicate working
copies of a suspect drive, media or other data storage hardware.

Checksum & Checksum Verification

A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, then one can assume that the complete transmission was received.

Device
Could refer to any form of data storage technology, or equipment required to read data stored on media such as CDs or DVDs.

Disclosure triangle
The small rightward-pointing arrow next to folders in the explorer window that, when clicked, turns downwards and allows the examiner to view the contents of that folder.

Disk Image
A disk image is a computer file containing the complete contents and
structure of a data storage device. The term has been generalized to
cover any such file, whether taken from an actual physical storage
device or not.

Disk Arbitration
The process by which a workstation will discover and attempt to mount
a device connected to it. OS X is notified of the event by the kernel
and will immediately look for mountable partitions on the drive. If
found, the OS initiates the mount, then the internal disk arbitration
tables are updated with the proper information, which eventually
updates any programs that subscribed to notifications. During the
process, the suspect’s drive will also be updated.

Evidence Item
Refers to an individual file that may be of use to an investigation or
case.

Finder
Also referred to as the Desktop by workstation users. This is the graphical user interface, or front end, that allows the human user to visually interact with the computer.

Hash or Hashing
Producing hash values for accessing data or for security and verification. A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Formulas used to create hash values, in order of strength ascending, include: MD5, SHA1 and SHA2 (otherwise known as SHA256).
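The Acquisition Log above records each acquired block's offset, length and hash sum, and the hash algorithms just named are what such a log would carry. As an added example (not code from the manual or the MacForensicsLab product), the following Python models such a log as a list of (offset, length, algorithm, digest) records and re-hashes every block of an image to report any block that no longer matches; the record layout, the function names and the sample image are assumptions for illustration.

```python
"""Re-verify per-block hash sums from an acquisition log against an image.

Added example, not part of the MacForensicsLab manual: the log record
layout (offset, length, algorithm, digest) is an assumed format chosen
for illustration, not the product's own log format.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BlockRecord:
    offset: int     # byte offset of the block within the image
    length: int     # block length in bytes
    algorithm: str  # hashlib name: "md5", "sha1" or "sha256"
    digest: str     # hex digest recorded when the block was acquired


def hash_block(image: bytes, offset: int, length: int, algorithm: str) -> str:
    """Hash one block of the image; reject blocks outside the image
    (e.g. a truncated copy) instead of silently hashing a short slice."""
    if offset < 0 or length < 0 or offset + length > len(image):
        raise ValueError(f"block {offset}+{length} lies outside the image")
    h = hashlib.new(algorithm)
    h.update(image[offset:offset + length])
    return h.hexdigest()


def build_log(image: bytes, block_size: int,
              algorithm: str = "sha256") -> List[BlockRecord]:
    """Produce one record per block; the final block may be shorter."""
    records = []
    for off in range(0, len(image), block_size):
        length = min(block_size, len(image) - off)
        records.append(BlockRecord(off, length, algorithm,
                                   hash_block(image, off, length, algorithm)))
    return records


def verify_log(image: bytes, log: List[BlockRecord]) -> List[int]:
    """Return offsets of blocks whose recomputed hash differs from the log.
    An empty list means every recorded block still matches the image."""
    return [r.offset for r in log
            if hash_block(image, r.offset, r.length, r.algorithm) != r.digest]


# Constructed sample: a 10 KiB "image" logged in 4 KiB blocks.
SAMPLE_IMAGE = bytes(range(256)) * 40
SAMPLE_LOG = build_log(SAMPLE_IMAGE, 4096)

# Constructed tampered copy: a single byte flipped inside the second block.
_buf = bytearray(SAMPLE_IMAGE)
_buf[5000] ^= 0xFF
TAMPERED_IMAGE = bytes(_buf)

if __name__ == "__main__":
    print("clean image mismatches:   ", verify_log(SAMPLE_IMAGE, SAMPLE_LOG))
    print("tampered image mismatches:", verify_log(TAMPERED_IMAGE, SAMPLE_LOG))
```

Because each block is hashed independently, a mismatch pinpoints the affected offset rather than only reporting that the whole image differs.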

Pane
The part of an application window where data may be previewed in
columnar or free form style. Headers may be used to sort columns,
whilst free form text can be edited.



Partition (also known as a Volume, when used to store data)
A partition is an individual section of a hard disc or media. Drives must contain at least one partial or complete partition in order to be of use, but can contain multiple partitions to separate the data contained within them. Partitions may be set up write-protected and even designed not to auto-mount.

Suspect Drive
The drive that is the focus of the investigation and which the examiner
should avoid tainting if evidence collected is required for later use in a
legal environment.

Unallocated Space (also known as Free Space)

Refers to sectors on the hard drive that are not referenced in the hard drive catalog and therefore may be written to by the computer, as they are not reserved.

Work Drive
Refers to the drive on which an examiner will store files relating to a case. Salvaged files and other data are written to the work drive rather than to the "Suspect Drive", so as not to contaminate or lose data on the latter.

Volume (Please refer to "Partition")

A volume is a partition that can be used to store data.

End User's License Agreement (EULA)
End Users License Agreement

MacForensicsLab Incorporated's End Users License Agreement

EULA
DO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ
THIS AGREEMENT AND AGREE TO THE TERMS OF THIS LICENSE. BY
USING THE ENCLOSED SOFTWARE, YOU ARE AGREEING TO THE
TERMS OF THIS LICENSE.

The software license agreement for this program is included in this manual so you can read it before installing the program. INSTALLING THE PROGRAM OR USE OF THE MATERIALS ENCLOSED WILL CONSTITUTE YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AGREEMENT. If you do not agree to the terms of this software license agreement, do not install the software and promptly return the package to the place of purchase for a full refund of all money that you paid for the product.

In return for purchasing a license to use the computer program known as "MacForensicsLab™" and for purchasing documentation included in this package, you agree to the following terms and conditions:

1. License. The Software enclosed is licensed, not sold, to you by MacForensicsLab Inc. for use under the terms of this software license. This non-exclusive license allows you to:

i. Use MacForensicsLab™ software only on a SINGLE computer at any one time. You may only use the MacForensicsLab™ software and only on drives physically connected to that single CPU.

ii. Only use the Software to monitor systems on a SINGLE computer that is used by you.

iii. Make one copy of Software in machine-readable form, provided that such copy is used only for backup purposes and the copyright notice is reproduced on the backup copy.

iv. Transfer Software and all rights under this license to another party
together with a copy of this license and all documentation
accompanying the Software, provided the other party agrees to accept
the terms and conditions of this license.

As a licensee, you own the media on which the Software is originally recorded. The Software is copyrighted by MacForensicsLab Inc. and proprietary to MacForensicsLab Inc., and MacForensicsLab Inc. retains title and ownership of the Software and all copies of the Software. This license is not a sale of Software or any copy. You agree to hold Software in confidence and to take all reasonable steps to prevent disclosure.

2. Restrictions. You may NOT distribute copies of this Software to others or electronically transfer Software from one computer to another over a network or via modem. The Software contains trade secrets that are wholly owned by SubRosaSoft.com Inc. You may NOT decompile, reverse engineer, translate, disassemble or otherwise reduce the Software to a human understandable format. YOU MAY NOT MODIFY, ADAPT, TRANSLATE, RENT, LEASE, RESELL FOR PROFIT, DISTRIBUTE, NETWORK, OR CREATE DERIVATIVE WORKS BASED UPON THIS SOFTWARE OR ANY PART THEREOF.

3. Termination. This license is effective until terminated. This license will terminate immediately without any notice from MacForensicsLab Inc. if you fail to comply with any of its provisions. Upon termination you must destroy the Software and all copies thereof. You may terminate this license at any time by destroying the Software and all copies thereof.

4. Export Law Assurances. You agree and certify that neither the
Software nor the documentation will be transferred or re-exported,
directly or indirectly, into any country where such transfer or export is
prohibited by the relevant governmental parties and regulations there
under or will be used for any purpose prohibited by relevant
government parties.

5. Warranty Disclaimer, Limitation of Damages and Remedies.

MacForensicsLab Inc. makes no warranty or representation, either expressed or implied, regarding the merchantability, quality, functionality, performance, or fitness of the compact disc, diskettes, manual or the information provided.

This Software and manual are licensed “AS IS.” It is solely the
responsibility of the consumer to determine the Software’s suitability
for a particular purpose or use. MacForensicsLab Inc. and anyone else
who has been involved in the creation, production, delivery or support
of the Software, will in no event be liable for direct, indirect, special,
consequential or incidental damages resulting from any defect, error or
omission in the compact disc, diskettes, manual or Software or from
any other events including, but not limited to, any interruption of
service, loss of business, loss of profits or good will, legal action or any
other consequential damages. The user assumes all responsibility
arising from the use of this Software. MacForensicsLab Inc.'s liability
for damages to you or others will in no event exceed the total amount
paid by you for this Software. In particular, MacForensicsLab Inc. shall
have no liability for any data or programs stored by or used with
MacForensicsLab Inc.’s Software, including the costs of recovering
such data or programs. MacForensicsLab Inc. will be neither
responsible nor liable for any illegal use of its Software.



MacForensicsLab Inc reserves the right to make corrections or
improvements to the information provided and to the related Software
at any time, without notice.

MacForensicsLab Inc. will replace or repair defective distribution media or documentation at no charge, provided you return the item to be replaced with proof of purchase to MacForensicsLab Inc. during the 30-day period after purchase. ALL IMPLIED WARRANTIES ON THE MEDIA AND DOCUMENTATION, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE LIMITED IN DURATION TO THIRTY (30) DAYS FROM THE DATE OF THE ORIGINAL RETAIL PURCHASE OF THIS PRODUCT. The warranty and remedies set forth above are exclusive and in lieu of all others, oral or written, expressed or implied. No MacForensicsLab Inc. dealer, representative, agent, or employee is authorized to make any modification, extension, or addition to this warranty. Some States do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may also have other rights that vary from State to State.

6. Government End-Users. If you are a Government end-user, this license of the Software conveys only "RESTRICTED RIGHTS". This Software was developed at private expense, and no part of it was developed with government funds. The Software is a trade secret of SubRosaSoft.com Inc. for all purposes of the Freedom of Information Act, and is "commercial computer software" subject to limited utilization as provided in the contract between the vendor and the governmental entity, and in all respects is proprietary data belonging solely to MacForensicsLab Inc. Government personnel using the Software are hereby on notice that the use of this Software is subject to restrictions that are the same as, or similar to, those specified above.

7. General. This license will be construed under the laws of the state of
California, except for that body of law dealing with conflicts of laws, if
obtained in the United States, or the laws of jurisdiction where
obtained if obtained outside the United States. If any provision of this
license is held by a court of competent jurisdiction to be contrary to
law, that provision will be enforced to the maximum extent
permissible, and the remaining provisions of this license will remain in
full force and effect.



Complete Agreement. This license constitutes the entire agreement
between the parties with respect to the use of the Software and
related documentation and supersedes all prior or contemporaneous
understandings or agreements, written or oral, regarding such subject
matter.

Copyright Notice
Copyright Notice

MacForensicsLab Copyright Notice.

MacForensicsLab Copyright Notice

MacForensicsLab Incorporated copyrights this software, the product
design, and design concepts with all rights reserved. Your rights with
regard to the software and manual are subject to the restrictions and
limitations imposed by the copyright laws of the United States of
America.

Under the copyright laws, neither the programs nor the manual may
be copied, reproduced, translated, transmitted or reduced to any
printed or electronic medium or to any machine-readable form, in
whole or in part, without the written consent of MacForensicsLab Inc.

© Copyright 2010 MacForensicsLab Inc. All Rights Reserved

Trademarks
Trademarks

MacForensicsLab Incorporated's trademarks.

Trademarks
"MacForensicsLab” is a trademark of MacForensicsLab Inc.

All other brand and product names are trademarks or registered trademarks of their respective holders.
