MacForensicsLab 3.0 Manual

Modern Forensics on a Mac

User manual for MacForensicsLab 3.0 showing the operation and usage of the computer forensics and e-discovery suite.

Table of Contents

Overview (p. 7)
Overview of MacForensicsLab (p. 7)
About MacForensicsLab (p. 7)
MacForensicsLab Overview (p. 8)
MacForensicsLab Design Features (p. 8)
The Acquire Feature (p. 10)
The Search Feature (p. 10)
The Analyze Feature (p. 10)
The Salvage Feature (p. 10)
The Browse Feature (p. 11)
The Audit Feature (p. 11)
The Hash Feature (p. 11)
System Requirements (p. 11)
Mac OS X Base Requirements (p. 12)
Windows Base Requirements (for use up to and including MacForensicsLab 3.0) (p. 12)
Linux Base Requirements (for use up to and including MacForensicsLab 3.0) (p. 12)
Recommended Desktop Forensic Workstation (p. 12)
Recommended Forensic Laptop (p. 13)
Additional Considerations (p. 13)
The MacForensicsLab Dongle (p. 14)
Installing MacForensicsLab (p. 14)
Obtaining the latest version of MacForensicsLab (p. 15)
Locate the version of MacForensicsLab (p. 16)
Download (p. 17)
Downloaded Archive (p. 17)
Locate the MacForensicsLab Folder (p. 17)
Installing MacForensicsLab (p. 18)
Running MacForensicsLab for the First Time (p. 18)
Opening MacForensicsLab (p. 19)
Launch MacForensicsLab (p. 19)
Allow MacForensicsLab to Run (p. 19)
Configure MacForensicsLab Preferences (p. 20)
Configure a Local Database File (p. 21)
Save the Local Database (p. 21)
Configure the Examiners Tab (p. 23)
Configure Examiner Window (p. 23)
Confirm Examiner Information (p. 25)
Configure the Cases Tab (p. 26)
The Case Details Window (p. 26)
Complete Case Details (p. 26)

© 2010 MacForensicsLab Incorporated, All Rights Reserved


Selecting the Case (p. 28)
The E-Mail Pane (p. 29)
Complete the E-Mail Pane (p. 30)
Authenticate MacForensicsLab (p. 31)
Complete Authentication (p. 31)
Disk Arbitration (p. 32)
Case Preparation (p. 32)
Overview (p. 32)
Disabling Disk Arbitration (p. 33)
Enabling Disk Arbitration (p. 34)
Hardware Write Blockers (p. 34)
Clearing the Work Drive (p. 35)
Terminal Access (p. 36)
Core Functions (p. 36)
The Core Functional Areas of MacForensicsLab (p. 36)
The Preferences Window (p. 37)
Overview (p. 37)
Finding the Preferences Window (p. 37)
The Preference Window Layout (p. 38)
The Database Preference Pane (p. 39)
Configuring a Local Database File (p. 40)
Selecting a Location for the Local Database File (p. 41)
Checking the Local File Database Path (p. 42)
REAL SQL Setup (p. 43)
MySQL Setup (p. 44)
The Examiners Tab (p. 45)
Configuring Examiner Specific Data (p. 46)
Save the Form (p. 47)
Confirm the Correct User (p. 48)
The Cases Tab (p. 49)
Fill Out Case Details (p. 50)
Complete Case Details Pop-up (p. 51)
Verify Case Information (p. 52)
eMail Tab Setup (p. 53)
The Main Window (p. 53)
Overview (p. 53)
The Main Window Layout (p. 54)
The Access Panel - Devices Tab (p. 55)
The Access Panel - Files Tab (p. 56)
The Buttons Panel (p. 57)
The Acquire Function (p. 57)


Overview (p. 58)
Creating a Disk Image (p. 59)
Attaching Disk Images (p. 61)
The Search Function (p. 62)
Overview (p. 62)
The Search Window Layout (p. 63)
The Analyze Function (p. 67)
Overview (p. 67)
The Analyze Window Layout (p. 68)
Search File Data (p. 70)
Carving Data (p. 73)
The Salvage Function (p. 73)
Overview (p. 74)
The Salvage Window (p. 74)
Save the Scan (p. 75)
Choose Destination (p. 76)
Examine Files by Type (p. 76)
File Previewer (p. 77)
Select Files for Salvage (p. 77)
Save Salvaged Files (p. 78)
Filename Rebuilder (p. 78)
Reviewing Salvaged Files (p. 79)
The Browse Function (p. 79)
Overview (p. 79)
The Browse Window (p. 80)
Reviewing the Results (p. 81)
Bookmarking the Findings (p. 82)
Viewing Bookmark (p. 82)
The Audit Function (p. 83)
Overview (p. 83)
Getting Started (p. 83)
Invoking the Audit (p. 84)
Locate Audit Results (p. 84)
Review Audit Findings (p. 85)
Generate a Report (p. 86)
Save Report (p. 86)
View the Report (p. 86)
Reviewing the Hyperlinks (p. 87)
The Hash Function (p. 87)
Using the Hash Function (p. 88)


Reviewing the Hash (p. 89)
Saving the Results (p. 89)
Bookmarks (p. 90)
Overview (p. 90)
Locating the Bookmarks (p. 90)
The Bookmark Window Layout (p. 91)
Managing Bookmark Folders (p. 92)
Clearing Actions (p. 94)
Examiner Notes (p. 95)
Notes in MacForensicsLab (p. 95)
Overview (p. 95)
Opening Notes (p. 95)
Notes Window Layout (p. 96)
Adding and Removing Case Notes (p. 97)
The MacForensicsLab Database (p. 98)
Overview (p. 98)
Opening the Database (p. 99)
The Database Window Layout (p. 99)
Viewing the Database Sections (p. 100)
Reporting (p. 102)
Generating a Report (p. 102)
Opening Report Window (p. 102)
Select Report Contents (p. 103)
Report Location (p. 103)
Viewing the Report (p. 104)
Keyboard Shortcuts (p. 104)
Shortcuts (p. 105)
Getting Help and Technical Support (p. 105)
Finding Help within MacForensicsLab (p. 106)
On the Web (p. 106)
Technical Support (p. 106)
Comments and Questions (p. 106)
Company Address (p. 106)
Uninstalling MacForensicsLab (p. 107)
Using the Main Window (p. 107)
Glossary (p. 107)
End User's License Agreement (EULA) (p. 109)


End Users License Agreement (p. 109)
EULA (p. 109)
Copyright Notice (p. 113)
MacForensicsLab Copyright Notice (p. 113)
Trademarks (p. 113)


Overview

Overview of MacForensicsLab

This section provides an overview of MacForensicsLab, its features, functionality and design.

About MacForensicsLab

Welcome to MacForensicsLab. If this is your first time using MacForensicsLab software, be assured you made the right decision. MacForensicsLab Incorporated is the world-wide leader in Macintosh-based forensics, with many federal, state and local law enforcement organizations around the globe using our software. In addition, MacForensicsLab is used by the military, the intelligence community, and many privately owned and operated organizations seeking a powerful and innovative forensic solution.

As a company, MacForensicsLab Incorporated is dedicated to providing forensic solutions that not only meet and exceed your expectations but change the way modern computer forensics is performed. Traditional computer forensic software development has mirrored the needs of traditional law enforcement by developing a solution only as a problem presented itself. In doing so, law enforcement is left without a timely answer to its technological dilemma. When the momentum of an investigation suffers due to a purely reactive development cycle, criminals go unpunished and victims are left needing resolution, or worse, new victims are created. MacForensicsLab Inc. seeks to change that paradigm by offering expandable and scalable solutions that can adapt to an organization's needs and anticipate problems through the use of intelligent, proactive development.

MacForensicsLab Inc. understands how difficult it has become to keep pace with technology. All too often, forensic examiners are understaffed and overworked, making the environment ripe for case backlogs and an increasing potential for errors. In an effort to minimize these conditions, MacForensicsLab Inc. leverages technology and its advancements to allow for fewer mistakes. By doing so, MacForensicsLab aids in maximizing the efficiency and effectiveness of its users, thereby getting more done with fewer mistakes.

MacForensicsLab Inc. is dedicated to our mission of providing powerful, easy-to-use, cost-effective forensic solutions that help you achieve your organization's forensic goals. To this end, we offer products that account for the entire spectrum of computer forensics, not just the static lab-based solution. Modern technologies demand integration throughout the forensic process; MacForensicsLab Inc. accounts for this evolution with solutions for incident response, triage, static examinations and reporting. Additionally, MacForensicsLab utilizes open ISO standards to ensure compatibility with other tools, so the examiner is not limited to one tool or one answer to a problem. In summary, MacForensicsLab Inc. views mission accomplishment as a corporate social responsibility, one we take very seriously, and as such we strive to become not only a software development company but a partner to all our customers.

MacForensicsLab Overview

MacForensicsLab is the first comprehensive computer forensic solution that runs natively on a Macintosh. As such, MacForensicsLab combines the power of modern computing with elegant design and a feature-rich environment. It is capable of performing all aspects of the forensic process on any filesystem the system bus can recognize; these filesystems include NTFS, UFS, HFS, HFSPlus, ext2, ReiserFS and many more.

In addition to being the premier Macintosh-based forensic application, previous versions of MacForensicsLab (up to 3.0) are cross-platform, allowing users to run MacForensicsLab natively on Windows XP, Windows Vista, Windows 7, and Linux (RedHat, Ubuntu and SuSE).

MacForensicsLab Design Features

MacForensicsLab has been designed, from the ground up, to be a powerful, easy-to-use forensic solution. A vital component in achieving this is the software's GUI (Graphical User Interface). Many modern forensic solutions have an interface containing 15 or more buttons, making them difficult to use and, due to the crowded space, somewhat overwhelming for the user. By contrast, MacForensicsLab has just 7 buttons representing the core functionality of the software. In addition, these buttons are laid out in an order that, if followed from one to the next, will guide the examiner through an entire forensic examination.

The second aspect concerning the design of MacForensicsLab is automation. The automation of tasks has changed the world. First, the Industrial Revolution was marked by automation of the blue-collar workforce, changing the way manufacturing was done. In the Information Age, this automation is seen through computers performing complex repetitive tasks. In computer forensics, this automation refers to leveraging the computer to collect and collate data so the examiner can analyze the data. MacForensicsLab is unique in that it excels at this, allowing the examiner to perform the vital task of analysis, thus providing context to the computer findings. This concept is readily apparent in the Browse and Audit functions, described below.

Another aspect of MacForensicsLab design is fault tolerance. Unique within the industry, MacForensicsLab provides fault tolerance during both the acquisition and data recovery operations. In addition, because it is a database-driven application, it writes results to the database instantly, so there is no need for timed interval saves, which inevitably result in data loss.

Interoperability is another design feature that MacForensicsLab takes seriously. The task of modern computer forensics is one of increasing complexity. As such, no one solution provides all the answers to the examiner. Therefore, MacForensicsLab strives to enable the examiner to use its results with other tools. The use of OpenISO imaging and HTML reporting are just two examples of this.

Speed and accuracy are the other tenets of MacForensicsLab design features. The rapid increase in data volume equates to a longer forensic process. MacForensicsLab uses asynchronous operations to increase speed making it much faster than other tools such as dd.

Accuracy is a foundational element of computer forensics. Unfortunately, many software vendors sacrifice accuracy for speed. An example of this would be performing data recovery operations based only on the directory structure. The sole use of the directory structure provides fast results; however, it does not account for a corrupted structure. When the directory structure is corrupted and it is the only means of data recovery, then all is lost without attempting to fix the directory structure. MacForensicsLab takes a different approach: instead of the faster method, it takes the best method for recovering all files. In doing so, MacForensicsLab demonstrates its understanding that without all the data there is no case, and in this instance it is better to sacrifice speed for accuracy.


Now that we understand the basic design features of MacForensicsLab, let's take a minute to familiarize ourselves with its core functionalities.

The Acquire Feature

The ‘Acquire’ feature uses an intelligent algorithm to recover mechanically sound and faulty drives. Even if the drive has been partially compromised, mechanically or otherwise, MacForensicsLab has the best chance at recovering evidence to a forensically sound disk. The output of this process is an open-format, industry-standard locked disk image.

The Search Feature

The ‘Search’ feature examines logical directory structures and files to identify items of interest, helping to zero in on any suspect material. Comparisons can be made against a database of hash values for known good or known suspect content. MacForensicsLab creates a list of catalog information, MD5, SHA1 and SHA256 checksums, as well as other basic file information, using pre-specified search terms and filters.

The Analyze Feature

The ‘Analyze’ feature enables an examiner to analyze the contents of files in ASCII and/or Hex mode. ‘Analyze’ allows the examiner to search the entire disk for specific terms and items, including keywords, hex strings, credit card numbers and social security numbers.

The Salvage Feature

MacForensicsLab’s ‘Salvage’ feature is fault tolerant and thorough by design, making it the most powerful data recovery engine on the market. The 'Salvage' function recognizes over 100 file types and can readily recover deleted files from hard drives, CD-ROMs, external storage devices, digital camera memory cards, iPods, and much more. In addition, ‘Salvage’ possesses the ability to learn on-the-fly, enabling the examiner to add unknown file types into the 'Salvage' database for recovery. These features, combined with filters allowing targeted data recovery, make this a foundational feature for all subsequent forensic processes.


The Browse Feature

The ‘Browse’ feature allows the examiner to quickly and easily thumbnail and preview graphic images and their metadata. MacForensicsLab was the first forensic software application to contain a built-in Skin Tone Analyzer, radically reducing the time spent manually culling through tens of thousands of image files to locate files of investigative interest, which are easily bookmarked and/or exported for further action.

The Audit Feature

The ‘Audit’ feature quickly and efficiently collects and collates operating system artifacts and user preferences, including cached internet history and bookmarks, Instant Messaging buddy lists, WiFi Access Points, Address Book information, iPhone information and much more. In doing so, the 'Audit' feature enables the examiner to keep the investigative momentum while allowing for further in-depth analysis.

The Hash Feature

The 'Hash' function allows the examiner to compute an MD5, SHA1 and SHA256 hash of any given file located on the volume while exporting the results, with the full path, to a text file for easy reference. Additionally, this feature allows for a complete file listing of a Volume with associated permissions, path and hashes.
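The listing described above (permissions, full path, MD5/SHA1/SHA256, exported to a text file) can be produced and later re-verified with a short script. The following is an added example and not MacForensicsLab code: it hashes a constructed sample tree in a single pass per file, writes and reloads a tab-separated listing, then changes one file to show how a re-verification flags it. All paths and file names in it are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large evidence files never sit in memory whole

@dataclass
class HashRecord:
    """One listing line: permissions, size, the three digests and the full path."""
    path: str
    mode: str   # symbolic permissions as ls shows them, e.g. -rw-r--r--
    size: int
    md5: str
    sha1: str
    sha256: str

def hash_file(path):
    """Return (md5, sha1, sha256) hex digests computed in one pass over the file."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)

def hash_listing(root):
    """Walk the tree under root and return a HashRecord for every regular file.
    Symlinks are neither followed nor hashed, so the walk stays on the evidence
    volume; directories and names are sorted so two exports diff cleanly."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        filenames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)              # describe the link itself, not its target
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, device nodes
            md5, sha1, sha256 = hash_file(full)
            records.append(HashRecord(full, stat.filemode(st.st_mode), st.st_size,
                                      md5, sha1, sha256))
    return records

def export_listing(records, out_path):
    """Write the tab-separated text export. The path is the last column because
    file names may contain tabs; a newline in a file name would still break it."""
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("mode\tsize\tmd5\tsha1\tsha256\tpath\n")
        for r in records:
            out.write(f"{r.mode}\t{r.size}\t{r.md5}\t{r.sha1}\t{r.sha256}\t{r.path}\n")

def load_listing(in_path):
    """Read an export written by export_listing back into HashRecord objects."""
    records = []
    with open(in_path, encoding="utf-8") as fh:
        next(fh)  # header line
        for line in fh:
            mode, size, md5, sha1, sha256, path = line.rstrip("\n").split("\t", 5)
            records.append(HashRecord(path, mode, int(size), md5, sha1, sha256))
    return records

def verify_listing(records):
    """Re-hash every listed file; return {path: 'missing' | 'modified'} for mismatches.
    An empty dict means the files still match the listing."""
    problems = {}
    for r in records:
        if not os.path.isfile(r.path):
            problems[r.path] = "missing"
        elif hash_file(r.path) != (r.md5, r.sha1, r.sha256):
            problems[r.path] = "modified"
    return problems

def build_sample_volume():
    """Constructed sample tree for the demonstration (not real evidence)."""
    root = tempfile.mkdtemp(prefix="hash_listing_demo_")
    home = os.path.join(root, "Users", "demo")
    os.makedirs(home)
    with open(os.path.join(home, "note.txt"), "wb") as fh:
        fh.write(b"hello")
    open(os.path.join(home, "empty.dat"), "wb").close()
    return root

def demo():
    """List the sample volume, round-trip the export, tamper with one file, re-verify.
    Returns (records, problems_before, problems_after) so the outcome can be checked."""
    root = build_sample_volume()
    export = os.path.join(tempfile.gettempdir(), os.path.basename(root) + ".txt")
    export_listing(hash_listing(root), export)
    reloaded = load_listing(export)
    before = verify_listing(reloaded)
    with open(os.path.join(root, "Users", "demo", "note.txt"), "ab") as fh:
        fh.write(b"!")                        # simulate a change after the listing was taken
    after = verify_listing(reloaded)
    return reloaded, before, after

if __name__ == "__main__":
    recs, before, after = demo()
    for r in recs:
        print(r.mode, r.size, r.sha256, r.path)
    print("before change:", before, "after change:", after)
```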

System Requirements


This section covers the basic and recommended system requirements for successfully running MacForensicsLab. Modern forensic processes require not only powerful systems to process the massive amount of data, but a scalable solution designed to harness the system resources for greater speed and increased functionality. A database solution provides such potential. Since MacForensicsLab is database driven, the performance of the software is greatly influenced by the performance of the computer that is being used to perform the investigations. Nevertheless, MacForensicsLab has been specifically optimized for efficiency and speed through the use of appropriate memory allocation and a multi-threaded design.


Mac OS X Base Requirements
- Apple Macintosh G4 800 MHz or faster
- Mac OS X (version 10.4 or newer)
- 512 MB of RAM
- DVD-ROM drive for Boot CD/DVD and Installation from DVD
- 1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Windows Base Requirements (for use up to and including MacForensicsLab 3.0)
- Processor 800 MHz or faster
- Windows 2000/XP/Vista
- 512 MB of RAM
- DVD-ROM drive for Boot CD/DVD and Installation from DVD
- 1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Linux Base Requirements (for use up to and including MacForensicsLab 3.0)
- Processor 800 MHz or faster
- x86-based Linux distribution with GTK+ 2.0 (or higher), glibc-2.3 (or higher) and CUPS (Common UNIX Printing System). We officially support the following:
  - SUSE Linux Enterprise Desktop
  - Red Hat Enterprise Linux Desktop
- 512 MB of RAM
- DVD-ROM drive for Boot CD/DVD and Installation from DVD
- 1 x USB 2.0 Port + USB license dongle (supplied with MacForensicsLab)

Recommended Desktop Forensic Workstation
- Apple MacPro (2.66 GHz Quad Core Intel Xeon "Nehalem" processor or better)
- Mac OS X (version 10.5 or newer)
- 8 GB of RAM
- 1 TB or more of available hard drive space
- DVD-ROM drive for Boot CD/DVD and Installation from DVD
- Firewire 800 <-> ATA/SATA hardware write blocker


- 1 x USB 2.0 Port + USB license dongle (supplied with MacForensicsLab)

Recommended Forensic Laptop
- Apple MacBook Pro Intel Core 2 Duo 2.4 GHz or faster
- Mac OS X (version 10.5 or newer)
- 4 GB of RAM
- Firmtek SeriTek Serial ATA ExpressCard Adapter
- 1 TB or more of available hard drive space
- DVD-ROM drive for Boot CD/DVD and Installation from DVD
- 1 x USB 1.0 Port + USB license dongle (supplied with MacForensicsLab)

Additional Considerations

Providing the system with more resources and faster equipment, such as a faster processor, more RAM, and a faster, larger hard disk drive, will improve the performance of MacForensicsLab where data reading, calculation and verification functions are occurring.

The database/logging functionality is best performed with the fastest possible network interface when working with a centralized network database server.


The MacForensicsLab Dongle

MacForensicsLab requires a dongle to function. Previous versions of MacForensicsLab required a HASP dongle (pictured above); however, starting with MacForensicsLab 3.0, this dongle will be replaced with a USB key customized for MacForensicsLab. This customized dongle will allow users who have purchased both MacForensicsLab and MacLockPick to use the same dongle for both applications, providing seamless integration throughout the forensic process.

Installing MacForensicsLab


This section demonstrates how to install MacForensicsLab for the upgrade from 2.5.5 to 3.0.


Page 15: MacForensicsLab 3.0 Manual

Obtaining the latest version of MacForensicsLab

To install the latest version of MacForensicsLab, open a web browser and navigate to the MacForensicsLab web site: http://www.MacForensicsLab.com. Once on the main webpage, select the "Upgrades" link.


Page 16: MacForensicsLab 3.0 Manual

Locate the version of MacForensicsLab

The Upgrades page allows a user to select the version of MacForensicsLab they wish to download. Once the correct version is located, select the link (highlighted in blue).


Page 17: MacForensicsLab 3.0 Manual

Download

The download page will present the above image. To begin the download, click on the image.

Downloaded Archive

The file that downloads is a .zip archive. The operating system uncompresses it automatically, and it appears in the Downloads folder as a folder titled MacForensicsLab.

Locate the MacForensicsLab Folder


Page 18: MacForensicsLab 3.0 Manual

Open the folder where MacForensicsLab was downloaded (by default this is the Downloads folder).

Installing MacForensicsLab

To install MacForensicsLab on your Mac's hard drive, copy both the 'Applications - OS X' folder and the 'Shared Resources' folder from the MacForensicsLab USB device to your computer's 'Applications' folder. The folder structure must be maintained: the 'Shared Resources' folder must remain a sibling of the folder that contains the application (that is, one directory level above the application itself), although the folder containing the application can be renamed. Some users may choose to create a MacForensicsLab folder and then store both the folder containing the application and the 'Shared Resources' folder within it.

Running MacForensicsLab for the First Time


This section demonstrates how to run MacForensicsLab for the first time.


Page 19: MacForensicsLab 3.0 Manual

Opening MacForensicsLab

Navigate to the Applications folder and open the MacForensicsLab folder by double clicking on it.

Launch MacForensicsLab

To launch the MacForensicsLab application, double click on the MacForensicsLab.app icon.

Allow MacForensicsLab to Run

The first time MacForensicsLab is launched, a warning will appear stating that the application was downloaded from the Internet. This is the Mac OS X quarantine prompt shown for any downloaded application; confirm that the copy being opened is the one obtained from the MacForensicsLab web site, then select "Open."


Page 20: MacForensicsLab 3.0 Manual

Configure MacForensicsLab Preferences

Once the MacForensicsLab application is launched, the Preferences Pane will open. In order to successfully run MacForensicsLab, the Preferences Pane must be filled out.


Page 21: MacForensicsLab 3.0 Manual

Configure a Local Database File

In this example we configure a Local File database, meaning the database file resides on the local machine rather than on a remote database server. Select the "Database" tab in the upper left of the window (1), then select "Local File" (2), then select "Create" (3).

Save the Local Database

Once "Create" is selected in the previous step, a navigation window appears in which the user selects the location of the database file. By default the file is named "MacForensicsLab Database.rsd" (1) and is located in the Documents folder (2). Select "Save."


Page 22: MacForensicsLab 3.0 Manual


Page 23: MacForensicsLab 3.0 Manual

Configure the Examiners Tab

The next tab to configure in the Preferences Pane is the "Examiners" tab. Select the "Examiners" tab (1). To add an examiner, select the "+" button on the left (2); an Examiner window will open.

Configure Examiner Window


Page 24: MacForensicsLab 3.0 Manual

Fill out the fields to complete the Examiner window, then select "Save."


Page 25: MacForensicsLab 3.0 Manual

Confirm Examiner Information

The Preferences Pane reappears, showing the new examiner's information.


Page 26: MacForensicsLab 3.0 Manual

Configure the Cases Tab

To add a new case to the database, select the "Cases" tab (1) along the top of the window, then select the "+" button in the lower left (2). A Case Details pop-up window will appear.

The Case Details Window

The Case Details window allows the user to enter case details.

Complete Case Details


Page 27: MacForensicsLab 3.0 Manual

In the Case Details window enter the case number or Case ID and a description of the case. Once completed, select "Save".


Page 28: MacForensicsLab 3.0 Manual

Selecting the Case

Once the "Save" button is selected in the previous step, the user is returned to the Preferences Pane. Be sure to highlight the new case, as seen above.


Page 29: MacForensicsLab 3.0 Manual

The E-Mail Pane

The purpose of the E-Mail pane is to enable the user to be notified upon completion of tasks being conducted by MacForensicsLab.


Page 30: MacForensicsLab 3.0 Manual

Complete the E-Mail Pane

Complete all requisite information and select "Test" (1) to ensure the connection is properly configured. Once the test succeeds, select the "Continue" button (2).


Page 31: MacForensicsLab 3.0 Manual

Authenticate MacForensicsLab

MacForensicsLab requires the user to authenticate by entering an administrator password.

Complete Authentication

Enter the admin password (1) and then select "OK" (2).


Page 32: MacForensicsLab 3.0 Manual

Disk Arbitration

To complete the configuration of MacForensicsLab before running it for the first time, the user must decide whether to ignore disk arbitration (leaving it enabled) or to disable it. Disk arbitration should only be disabled if the user intends to create a forensic image from the suspect's media. Once either the "Ignore" or the "Disable" button is selected, the main window of MacForensicsLab opens.

Case Preparation


This section will discuss how to prepare for a case using MacForensicsLab.

Overview

During the course of using MacForensicsLab the examiner will come across a range of different suspect devices, media and disk images. These will all work with a variety of ‘Read’ and ‘Write’ access settings. It is therefore important that the examiner understands how each of these varies and how the computer interacts with them.

Before connecting any device to the workstation it makes sense to assume that the device, image or media may be written to and therefore should be handled with the utmost caution.


Page 33: MacForensicsLab 3.0 Manual

In Mac OS X there are two ways to handle the risk of tainting or overwriting data on the suspect drive or device: ‘Disk Arbitration’ and ‘Write Blocking’. It is also a MUST for the examiner to have a secondary “Work Drive” onto which case data is saved, and which has been wiped beforehand. This avoids the chance of overwriting possible evidence and thus losing and/or tainting it.

Disabling Disk Arbitration

Whether at start-up or when a suspect device is connected via any data bus (FireWire, USB, ATA) to your Macintosh workstation, OS X is notified and immediately looks for mountable partitions on the device.

If mountable partitions are detected, OS X mounts them. Mounting a volume read-write can itself write to it (for example by replaying the file system journal or updating mount metadata). Once mounted, the Finder is updated and the volume(s) appear on the desktop; any other applications that have subscribed to disk arbitration notifications are also updated in a cascade effect.

In the process of finding and mounting devices there is therefore a risk of writing to them and tainting the evidence. MacForensicsLab has a built-in option, accessible via the Window drop menu or the keyboard shortcut [Command] + [B], that allows the examiner to turn off this process.


Page 34: MacForensicsLab 3.0 Manual

In addition, to help avoid these issues, as MacForensicsLab reaches the ‘Main’ window it always automatically prompts the examiner to ensure that Disk Arbitration is enabled or disabled, per his or her desired behavior.

Enabling Disk Arbitration

As the examiner quits MacForensicsLab, he or she is shown a similar prompt asking whether to enable disk arbitration again.

TIPS -- If you have Disk Arbitration turned off and have quit MacForensicsLab, relaunch MacForensicsLab and enable Disk Arbitration before restarting; otherwise your machine will not boot correctly.
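The following is an added example, not MacForensicsLab's own code (the manual does not say how the application stops disk arbitration). It shows the standard manual method on Mac OS X 10.5/10.6 for stopping and restarting diskarbitrationd with launchctl, and a check, parsed from diskutil info output, that a suspect volume is really unmounted before it is read. The launchctl and diskutil calls need root and only run on a Mac; the launchctl list and diskutil info outputs used to exercise the parsers are constructed samples, not captures from a real machine.

```python
"""Stop and restart Mac OS X disk arbitration, and confirm a volume is unmounted.

Added example, not MacForensicsLab's implementation. Uses the standard manual
method (launchctl on the diskarbitrationd launch daemon); the sample outputs
below are constructed, not captured from a real machine.
"""
import re
import subprocess

DISKARB_PLIST = "/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist"
DISKARB_LABEL = "com.apple.diskarbitrationd"


def diskarb_command(enable):
    """launchctl command that stops (unload) or restarts (load) automatic mounting.

    '-w' also writes the Disabled flag into the plist, so the setting survives a
    reboot. That is why a machine left with arbitration off does not come up
    normally: nothing mounts volumes until the daemon is loaded again.
    """
    return ["launchctl", "load" if enable else "unload", "-w", DISKARB_PLIST]


def set_disk_arbitration(enable):
    """Apply the setting on the live system (must run as root on a Mac)."""
    subprocess.run(diskarb_command(enable), check=True)


def diskarb_is_loaded(launchctl_list_output):
    """True if diskarbitrationd appears in 'launchctl list' (columns: PID, Status, Label)."""
    return any(line.split()[-1:] == [DISKARB_LABEL]
               for line in launchctl_list_output.splitlines())


def parse_diskutil_info(text):
    """Turn the 'Key:   value' lines of 'diskutil info <device>' into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9 ()/-]*?):\s+(\S.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def volume_is_mounted(diskutil_info_text):
    return parse_diskutil_info(diskutil_info_text).get("Mounted", "").lower() == "yes"


def still_mounted(devices):
    """Query the live system and return the devices that are still mounted,
    e.g. still_mounted(['disk2s1', 'disk2s2']) before touching suspect media."""
    return [dev for dev in devices if volume_is_mounted(
        subprocess.run(["diskutil", "info", dev], capture_output=True,
                       text=True, check=True).stdout)]


# Constructed sample output used to exercise the parsers (not from a real machine).
SAMPLE_LAUNCHCTL_LIST = ("PID\tStatus\tLabel\n"
                         "42\t-\tcom.apple.diskarbitrationd\n"
                         "57\t-\tcom.apple.Finder\n")
SAMPLE_INFO_MOUNTED = """\
   Device Identifier:        disk2s1
   Device Node:              /dev/disk2s1
   Volume Name:              SUSPECT
   Mounted:                  Yes
   Mount Point:              /Volumes/SUSPECT
   Read-Only Volume:         No
"""
SAMPLE_INFO_UNMOUNTED = """\
   Device Identifier:        disk2s1
   Device Node:              /dev/disk2s1
   Volume Name:              SUSPECT
   Mounted:                  No
"""
```

On a workstation the sequence is set_disk_arbitration(False), connect the suspect media, then still_mounted([...]) must return an empty list before any acquisition starts; set_disk_arbitration(True) before the machine is rebooted, for the reason the TIPS note above gives.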

Hardware Write Blockers

MacForensicsLab works with all available write blocking hardware on the market, and we recommend that examiners use these devices, as their organization may dictate, when performing forensics on suspect drives. Disabling disk arbitration only stops the operating system from mounting a volume; a hardware write blocker stops any write from reaching the drive at all. MacForensicsLab Inc. also carries an optional hardware blocker that works hand-in-hand with MacForensicsLab. Please visit our web site http://www.MacForensicsLab.com for more information, or contact us via email: [email protected]; or telephone: +1 (510) 870 7883.


Page 35: MacForensicsLab 3.0 Manual

Clearing the Work Drive

It is essential that before the examiner uses any drive for storing the results of an investigation, the drive has been cleared properly. At minimum this means the work drive has been overwritten with a single pass of zeros and then formatted.

To clear the work drive, select a partition of the designated drive in the ‘Devices’ pane of the ‘Main’ window. Having done this, select “Clear work drive” from the File menu. A confirmation window will come to the fore, which the examiner should accept, after which the ‘Shred’ window will come forward.

The window contains a slider with which the examiner can set the numbers of passes required to clear the drive. Also, in order to speed up the process the examiner also has the option to shred only “Free Space”, so that only the available space on the partition will be cleared. Having set this, simply click Start and the clearing procedure will begin. If the examiner picks the wrong partition, and/or decides to stop, by simply clicking Close, the ‘Shred’ window will disappear and he or she will be returned to the ‘Main’ window.


Page 36: MacForensicsLab 3.0 Manual

Terminal Access

MacForensicsLab provides the examiner with quick access via the Window drop menu, or keyboard shortcut [Command] + [T], to a terminal window, so that he or she does not have to leave MacForensicsLab in order to run commands through another Terminal application.

Core Functions


This section will outline the core functions of MacForensicsLab for further, detailed discussion.

The Core Functional Areas of MacForensicsLab

- Preferences Window
- Main Window
- Acquire Window
- Search Window
- Analyze Window
- Salvage Window
- Browse Window
- Audit Window
- Hash Window
- Bookmarks & Notes
- Database Window


Page 37: MacForensicsLab 3.0 Manual

The Preferences Window


This section will cover the Preferences Window settings and configuration.

Overview

The ‘Preferences’ window allows the examiner to set up and manage both individual cases and examiners within MacForensicsLab. In addition, it enables the examiner to configure MacForensicsLab database settings and to configure an e-mail based notification feature.

Finding the Preferences Window

The ‘Preferences’ window will, by default, appear at start-up once the MacForensicsLab splash screen has disappeared. To return to the ‘Preferences’ window after progressing to the ‘Main’ window, the examiner must select “Preferences” from the MacForensicsLab application drop menu, or use the keyboard shortcut [Command] + , [Comma]. In order to disable the ‘Preferences’ window from appearing at start-up the examiner should deselect the “Show this window at start-up” check box in the bottom left hand corner of the window.


Page 38: MacForensicsLab 3.0 Manual

The Preference Window Layout

The Preference Window has four sections, each containing their own preference information. The four sections are: Database (1), Examiners (2), Cases (3) and eMail (4).


Page 39: MacForensicsLab 3.0 Manual

The Database Preference Pane

By default the Database will be disabled (1).


Page 40: MacForensicsLab 3.0 Manual

Configuring a Local Database File

MacForensicsLab allows the examiner to harness the power of a database solution without having to associate with a remote database. The creation of a local database file enables examiners to take advantage of a database while not requiring the infrastructure incurred with larger solutions.

To create a local database file, select Local File (1), and then "Create." (2)


Page 41: MacForensicsLab 3.0 Manual

Selecting a Location for the Local Database File

Once you select "Create" in the previous step, a navigation box will appear allowing the examiner to select the location of the local database file (by default it will place the file in the Documents folder, named MacForensicsLab Database.rsd).


Page 42: MacForensicsLab 3.0 Manual

Checking the Local File Database Path

Once the examiner has chosen a location for the Local Database file to be stored, they are returned to the Database Window, where the path chosen is displayed (1).


Page 43: MacForensicsLab 3.0 Manual

REAL SQL Setup

If the examiner has access to a REAL SQL database, MacForensicsLab allows for seamless integration. Select the REAL SQL tab (1), fill out the form fields (2) and select the "Connect" button (3); the examiner can then take advantage of the power of the REAL SQL database.


Page 44: MacForensicsLab 3.0 Manual

MySQL Setup

If the examiner has access to a MySQL database, MacForensicsLab allows for seamless integration. Select the MySQL tab (1), fill out the form fields (2) and select the "Connect" button (3); the examiner can then take advantage of the power of the MySQL database.


Page 45: MacForensicsLab 3.0 Manual

The Examiners Tab

Select the Examiners Tab (1). The Examiners Tab is where an examiner enters their identifying information. By default, there is a "Default" examiner (2). To add an examiner, select the "+" button (3) and a pop-up window will appear.


Page 46: MacForensicsLab 3.0 Manual

Configuring Examiner Specific Data

The pop-up window allows the examiner to enter specific information by filling out the form fields (1). These fields can be changed at any time by selecting the "Edit" button from within the Examiners tab. Note also that none of these fields is required.


Page 47: MacForensicsLab 3.0 Manual

Save the Form

Once the examiner specific form fields are filled out, select the "Save" button, thus returning the examiner to the Preferences Window.


Page 48: MacForensicsLab 3.0 Manual

Confirm the Correct User

The user information entered will be reflected under the Examiners Tab (1), which is where you will be automatically returned to upon selecting "Save" in the previous step.


Page 49: MacForensicsLab 3.0 Manual

The Cases Tab

To add a case, select the "Cases" Tab (1) from the Preferences window and select the "+" button (2). Once selected, a pop-up window will appear.


Page 50: MacForensicsLab 3.0 Manual

Fill Out Case Details

The Case Details window has two sections, the Case ID (1) and the Description (2). The Case ID represents a field where the examiner would enter the case number. The Case Description field is a simple text field enabling the examiner to input additional case information.


Page 51: MacForensicsLab 3.0 Manual

Complete Case Details Pop-up

Complete the Case Details pop-up window and select "Save."


Page 52: MacForensicsLab 3.0 Manual

Verify Case Information

Upon completing the previous step, the examiner is returned to the Preferences Pane, wherein he/she can verify the correct case is selected (1).


Page 53: MacForensicsLab 3.0 Manual

eMail Tab Setup

Select the eMail tab (1), fill out the form fields (2) and test the connection (3). The examiner is then able to receive an e-mail notification when MacForensicsLab has completed its current process. Once configured, press "Continue" (4).

The Main Window


This section will describe the layout and functionality of MacForensicsLab's Main Window.

Overview

The ‘Main’ window is the starting point after accessing a case and provides the examiner with a detailed view of the system, any devices or disk images attached to it, and their directory and file structure. It is from the ‘Main’ window that the examiner gains full access to the wide array of functions and features that MacForensicsLab provides, each of which is covered in subsequent chapters of this manual.


Page 54: MacForensicsLab 3.0 Manual

When working with the ‘Main’ window, the examiner should maximize the view of the window either by clicking the green maximize button at the top left of the window, or by using the resize handle at the bottom right. Maximizing the window will lessen the need to scroll up and down the various panels.

The Main Window Layout

There are 3 key sections to the layout of the ‘Main’ window:

- The ‘Access’ panels (Devices and Files)
- The ‘Explorer’ panel
- The ‘Buttons’ panel


Page 55: MacForensicsLab 3.0 Manual

The Access Panel - Devices Tab

In the Main Window, there are two buttons: "Devices" (1) and "Files" (2). As depicted above, the Device button lists all devices (with their respective partitions and volumes) attached to the machine in the leftmost pane (3). When a device is selected the corresponding device details appear in the Explorer portion of the window (4).

The following information is specified:

- Display Name – the volume title
- Mounted – status (true or false)
- Leaf
- Writable – write status (yes or no)
- Partition ID
- Preferred Block Size
- BSD Major & Minor
- BSD Name – the BSD device name (for example disk1s2)
- Size – in bytes
- Content & Content Hint – format type and hint
- Removable & Ejectable – status (yes or no)
- BSD Unit
- Whole
- Drive Title – manufacturer’s model number
- Serial – manufacturer’s serial number


Page 56: MacForensicsLab 3.0 Manual

- Used – the amount of drive space used
- Available – the amount of drive space currently available
- Percentage – the percentage of drive space used

The Access Panel - Files Tab

When the Files Tab (1) is selected, the leftmost portion of the window lists shortcuts (2) to volumes and user folders, with the Explorer portion of the window (3) allowing for viewing of the directory structure and individual files, along with their corresponding information (such as date/times, permissions, etc.).

The following information is specified:

- File Name – full filename with extension.
- File Size – in bytes; folders display the total number of items inside them in brackets (hidden files included).
- Mac Creator Code – the OS creator application code.
- Mac Type – the OS file type.
- Header – the first 32 bytes of the file.
- CRC – the Cyclic Redundancy Check checksum value of the ‘Header’.
- File Reference – starting block number for the file.
- User ID – OS user ID of the file owner.
- Group ID – OS group ID for file access permission.


Page 57: MacForensicsLab 3.0 Manual

- Finder Flags – OS Finder settings.
- Permissions – OS permissions for read, write and execution of the file.
- Creation Date – date when the file/folder was created.
- Modification Date – date when the file/folder was modified.

Each column can be sorted in both directions by clicking the column header.

The Buttons Panel

The ‘Buttons’ panel provides the examiner with access to selected core functions of MacForensicsLab. Each button in turn will be highlighted and accessible, or grayed out and disabled, dependent on the item selected by the examiner in either of the ‘Access’ panels. The current system information is displayed along the bottom of the Buttons panel.

The Acquire Function


This section will discuss the acquisition capabilities of MacForensicsLab.


Page 58: MacForensicsLab 3.0 Manual

Overview

MacForensicsLab can work with original devices and media, as well as disk image copies of these same data sources. Using the ‘Acquire’ function ensures that the evidential integrity of the suspect drive is protected, by allowing the examiner to create a disk image for analysis and investigation, rather than having to work with the suspect drive.


Page 59: MacForensicsLab 3.0 Manual

In performing the acquisition scan, ‘Acquire’ benefits from a number of features: checksum hashing for validation; the ability to create a separate golden master; the ability to create a smeared image when a volume cannot be unmounted; segmentation for ease of backup to alternative media; and proprietary fault-tolerant bad block recovery, which allows the examiner to create disk images from damaged media or to resume a previous acquisition that failed because of faulty media or a power interruption.

Creating a Disk Image

When creating a disk image, the examiner can do so directly from either a partition or a device, although it is recommended that copies be made of an entire device rather than of individual partitions.

Having selected the respective device or partition from the ‘Device’ panel, the examiner must press the Acquire button, bringing the function window to the fore.

In performing an acquisition the examiner can set a number of options:

Segment Size - This refers to the amount of data on each acquired image, thus allowing the examiner to separate his or her acquisition into multiple images. Each segment can then be limited to a specific data size, thus allowing for easier backup, for example, if the examiner plans to burn the image to a set of DVDs. To do so the examiner need only select the “4.36 GB (DVD-R/DVD+R)” option from the popup list.

Packet Size – Refers to data intervals at which MacForensicsLab will perform a checksum validation on the data being written to the acquisition image. A lower setting means many more checksum verifications are performed, thus improving overall data integrity but reducing the overall speed of the acquisition.

Smeared Image – Allows the examiner to generate an image from a drive that cannot be unmounted, or that he or she does not wish to unmount. This applies, for example, when the examiner wishes to acquire the main volume of an operational file server that cannot be taken offline without alerting users to the examiner's actions. Because the volume keeps changing while it is being read, a smeared image is not a consistent snapshot: its hash cannot later be reproduced against the source drive, and this should be recorded in the case notes.


Page 60: MacForensicsLab 3.0 Manual

Golden Master – In addition to the working copy, this option allows the examiner to save an extra disk image copy for other purposes. When the Golden Master option is selected, the user will be prompted to choose a save location twice before the acquisition is made: once to select a location for the working disk image, and a second time to choose the location for the golden master. This allows the user to save the golden master to a different location than that of the working image.

Resume – Provides the examiner with the option to continue on from a previous acquisition, if, for whatever reason, the prior acquisition process was interrupted. This means that the ‘Open’ dialog window rather than the ‘Save’ dialog window will appear when the acquisition is initiated.

Having made the desired changes to the presets, click the Start button to begin the acquisition process. If creating an image rather than resuming, a ‘Save file’ dialog box appears and the examiner is prompted to enter a filename for the disk image. By default the file name is “Disk Image”; edit this to a preferred name, choose a location into which to save the disk image, then click Save and the process will begin.

Note: Always save the disk image to a location other than the device being imaged. Also make sure that the destination device has enough storage space: the acquisition of a 60 GB hard drive requires a minimum of 60 GB of free capacity on the destination disk, and a Golden Master copy requires the same again at its own location.

Unless the “Create a Smeared Image” option has been selected, MacForensicsLab will first attempt to unmount the selected volume or volumes of the selected device. A status bar then marks the progress of the acquisition, along with a variety of other information. This information includes: checksum mismatch total; total bad blocks; total data remaining to be copied; total data copied; total capacity; approximate current data transfer rate; and total time remaining till acquisition completed.

During the process of acquisition a DAT file is created in the same location as the image file, and contains checksum data for the disk image. It is a small file and takes up less than 25 KB of space and is deleted after the acquisition process is complete.
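As an added illustration of the acquisition options described above (segment size, packet-level checksum verification, zero-filling of unreadable blocks, resume, and a sidecar progress file that is removed on completion), the following Python is not MacForensicsLab's code and does not reproduce its image or DAT format, which the manual does not document; the JSON sidecar, the read-back verification method and the FlakyDevice stand-in for a failing drive are assumptions of this example.

```python
"""Segmented, verified, resumable raw acquisition: an added example, not
MacForensicsLab's code. The manual does not document the product's image or
DAT format; the JSON sidecar, the read-back verification and the FlakyDevice
stand-in are assumptions made for this illustration."""
import hashlib
import json
import os
import random
import tempfile


class FlakyDevice:
    """Constructed stand-in for a block device that fails on listed blocks."""

    def __init__(self, data, block_size, bad_blocks=()):
        assert len(data) % block_size == 0
        self.data, self.block_size, self.bad = data, block_size, set(bad_blocks)
        self.block_count = len(data) // block_size

    def read_block(self, index):
        if index in self.bad:
            raise IOError("unrecoverable read error at block %d" % index)
        return self.data[index * self.block_size:(index + 1) * self.block_size]


def segment_path(prefix, n):
    return "%s.%03d" % (prefix, n + 1)


def write_verified(prefix, segment_size, offset, packet):
    """Write one packet into its segment, read it back and compare digests."""
    path = segment_path(prefix, offset // segment_size)
    with open(path, "r+b" if os.path.exists(path) else "wb") as f:
        f.seek(offset % segment_size)
        f.write(packet)
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        f.seek(offset % segment_size)
        echo = f.read(len(packet))
    return hashlib.sha256(echo).digest() == hashlib.sha256(packet).digest()


def rehash_existing(prefix, nbytes, digest):
    """On resume, fold the bytes already on disk into the running image digest."""
    n, remaining = 0, nbytes
    while remaining > 0:
        with open(segment_path(prefix, n), "rb") as f:
            chunk = f.read(remaining)
        digest.update(chunk)
        remaining, n = remaining - len(chunk), n + 1


def acquire(device, prefix, segment_size, packet_size, resume=False, max_packets=None):
    """Image `device` into prefix.001, prefix.002, ...; returns digest and error counts."""
    bs = device.block_size
    assert packet_size % bs == 0 and segment_size % packet_size == 0
    state_path = prefix + ".dat"                 # progress sidecar (cf. the manual's DAT file)
    state = {"next_block": 0, "bad_blocks": [], "mismatches": 0}
    md5 = hashlib.md5()
    if resume and os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)
        rehash_existing(prefix, state["next_block"] * bs, md5)
    block, bad, packets, packet = state["next_block"], set(state["bad_blocks"]), 0, bytearray()
    while block < device.block_count:
        if max_packets is not None and packets >= max_packets:
            return None                          # simulated interruption; sidecar stays on disk
        try:
            chunk = device.read_block(block)
        except IOError:
            bad.add(block)                       # unreadable: substitute a zero block so the
            chunk = b"\x00" * bs                 # image stays offset-aligned (dd conv=noerror,sync)
        packet += chunk
        block += 1
        if len(packet) == packet_size or block == device.block_count:
            offset = block * bs - len(packet)
            if not write_verified(prefix, segment_size, offset, bytes(packet)):
                state["mismatches"] += 1
            md5.update(packet)
            state.update(next_block=block, bad_blocks=sorted(bad))
            with open(state_path, "w") as f:
                json.dump(state, f)
            packet, packets = bytearray(), packets + 1
    os.remove(state_path)                        # complete: the sidecar is no longer needed
    return {"md5": md5.hexdigest(), "bad_blocks": sorted(bad), "mismatches": state["mismatches"],
            "segments": (len(device.data) + segment_size - 1) // segment_size}


def demo():
    """Image a constructed 64 KiB device with two bad blocks, interrupting the
    first run after five packets and resuming it; returns results for checking."""
    rng = random.Random(7)
    data = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    device = FlakyDevice(data, block_size=512, bad_blocks=(3, 70))
    expected = bytearray(data)
    for b in (3, 70):
        expected[b * 512:(b + 1) * 512] = b"\x00" * 512
    prefix = os.path.join(tempfile.mkdtemp(), "suspect.img")
    first = acquire(device, prefix, 16384, 4096, max_packets=5)
    result = acquire(device, prefix, 16384, 4096, resume=True)
    image = b"".join(open(segment_path(prefix, n), "rb").read() for n in range(result["segments"]))
    result.update(interrupted=first is None, image_matches=image == bytes(expected),
                  expected_md5=hashlib.md5(bytes(expected)).hexdigest(),
                  dat_removed=not os.path.exists(prefix + ".dat"))
    return result
```

demo() produces four 16 KiB segments and a digest that matches the source with the two unreadable blocks zeroed. That is the value to record alongside the bad-block list: it is a verification hash of the image as written, and where blocks could not be read it will not equal a hash of the original drive.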


Page 61: MacForensicsLab 3.0 Manual

Once completed, a dialog window notifies the examiner and provides an error count. The examiner should take note of this and then close the dialog box by clicking Close, returning to the ‘Main’ window. The disk image can then be found in the previously specified location. By default the disk image file/segments will be locked, preventing them from being modified or deleted.

Attaching Disk Images

Once an image file or segment has been created, the examiner will want to prepare it for analysis. In order to do this the examiner must attach the disk image and mount it in the Finder.

To access the disk image, while in the ‘Main’ window, select “Attach Disk Image” from the File menu, or use the keyboard shortcut [Command] + [T]; the Attach Disk Image dialog box will appear. Click the Select button to choose the disk image to mount. There are two options listed for attaching the image.

Use Shadow File – This option mounts the disk image with a shadow file: the volume appears writable, but all writes go to the shadow file and the disk image itself is never modified.

Ignore Permissions – This option turns on the Finder setting that keeps all ownership and permission information on the volume but ignores it, giving you access to any user files on all parts of the image.

Once you have selected the desired disk image and options, click the Attach button.

Using this method avoids the need to unlock and lock the image file from the Finder. After mounting disk images, the examiner may need to force MacForensicsLab to rescan for new devices or images; this can be done either by selecting “Rescan Bus” from the file menu, or with the keyboard shortcut [Command] + [R].

It should be noted that if the examiner is using Anti-Virus software, it may be configured to scan all newly attached disks, this includes disk images as they are brought into MacForensicsLab. This process will slow the mounting of the image.


Page 62: MacForensicsLab 3.0 Manual

To detach a disk image after analysis, select the item from the ‘Device’ panel in the ‘Main’ window, followed by “Detach” from the File menu. Alternatively, select the disk image in the main window and use the keyboard shortcut [Command] + [D].

The Search Function


This section will discuss the search functionality of MacForensicsLab.

Overview

The ‘Search’ function of MacForensicsLab provides the examiner with an automatic means by which to scan a directory, gather evidence and bookmark that same data for later reference. This helps the examiner to quickly and easily zero in on suspect material. In performing the function, MacForensicsLab creates bookmarks of the selected directory structure, collecting all of the file information and hash values as it scans.


Page 63: MacForensicsLab 3.0 Manual

The Search Window Layout

The ‘Search’ window can be split into 5 core portions:

- (1) Search Filter
- (2) Search Terms
- (3) Browse Results
- (4) Bookmarks
- (5) Hash Keys

Search Filter Panel

The ‘Search Filter’ panel is the part of the ‘Search’ window within which the examiner may establish criteria by which to filter the results of the search scan. Filters are based on standard file information, such as, but not limited to: filename; size; date of creation.

Search Terms Panel


Page 64: MacForensicsLab 3.0 Manual

The ‘Search Terms’ panel is the portion of the ‘Search’ window within which the examiner can manage specific lookup terms. These can be either HEX or ASCII terms for pattern matching within the files being scanned. The examiner may also quickly and easily select either of two check boxes to search for standard credit card and social security number formats respectively as well as being able to import large databases of terms.
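The following added example, which is not MacForensicsLab's matcher, shows what the three kinds of search term in this panel amount to on raw file content: literal ASCII terms, hex byte terms, and the credit card and social security number formats. The exact formats MacForensicsLab accepts are not given in the manual, so the digit ranges, the SSN rules and the Luhn check used here to drop false card-number hits are assumptions of this example, and the sample buffer is constructed, not real data.

```python
"""Search-term matching over raw file content: literal ASCII terms, hex byte
terms, and credit card / social security number formats. An added example,
not MacForensicsLab's matcher; the number formats, the Luhn check used to cut
card-number false positives and the sample buffer are assumptions of this
illustration."""
import re

# Constructed sample buffer (not real data): one valid and one invalid card number,
# one well-formed and one malformed SSN, a ZIP local-file header and a keyword.
SAMPLE = (b"Customer: J. Doe  card 4111 1111 1111 1111  exp 09/12\n"
          b"fake card 1234-5678-9012-3456\n"
          b"SSN 078-05-1120; bad SSN 000-12-3456; ref 12345\n"
          b"wire to offshore account\n"
          b"PK\x03\x04\x14\x00attached.zip")

TERMS = [("zip header", "hex", "504b0304"), ("keyword", "ascii", "offshore")]

# 13-19 digits, optional single space or dash between digits, not inside a longer run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the always-invalid area/group/serial values excluded.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def compile_terms(terms):
    """Turn (label, kind, value) into (label, byte pattern); hex terms are decoded."""
    out = []
    for label, kind, value in terms:
        if kind == "hex":
            out.append((label, bytes.fromhex(value)))
        elif kind == "ascii":
            out.append((label, value.encode("ascii")))
        else:
            raise ValueError("unknown term kind: %r" % kind)
    return out


def find_terms(data, terms):
    """Every offset at which each byte pattern occurs (overlapping hits included)."""
    hits = []
    for label, pattern in compile_terms(terms):
        start = data.find(pattern)
        while start != -1:
            hits.append((label, start))
            start = data.find(pattern, start + 1)
    return hits


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(data):
    """Candidate card numbers that also pass Luhn, as (offset, digits)."""
    hits = []
    for m in CARD_RE.finditer(data):
        digits = m.group().replace(b" ", b"").replace(b"-", b"").decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def find_ssns(data):
    return [(m.start(), m.group().decode("ascii")) for m in SSN_RE.finditer(data)]


def scan(data, terms):
    return {"terms": find_terms(data, terms), "cards": find_card_numbers(data),
            "ssns": find_ssns(data)}


def demo():
    return scan(SAMPLE, TERMS)
```

On the sample, scan() reports the ZIP header and keyword offsets, the one card number that passes Luhn, and the one well-formed SSN; the number that fails Luhn and the SSN with an invalid area number are dropped, which is the difference between a format match and a plausible hit.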

Browse Results

It is now possible to open the results of a searching procedure directly into a browse window making it easier to manually review the results and to perform some manual bookmarking procedures to better identify potential evidence for future reference. Additionally, the results of the Search can be further analyzed by applying MacForensicsLab’s built-in Skin Tone analyzer directly to them.

Bookmarks Panel

When performing a search scan the examiner can use the options contained within the ‘Bookmarks’ panel to auto-generate bookmarks of matched items, and make them available for easy reference at a later date. The text area below the folder drop down is designed for comments or a description pertaining to your customized bookmarks folder.

Hash Panel

The ‘Hash’ panel allows the examiner to define the auto-hashing options for a search scan. Options include adding the hashed file values to the internal database (MacForensicsLab uses the industry standard NSRL format), as well as the ability to export these to an external log file.

Using Custom Search Terms and Filters

In order to zero in on areas of particular interest, positive and negative filters can be applied using custom checksum databases or those provided by the National Software Reference Library.

Available ‘Search Filters’ include all those in the Log File Format Fields:


- Name
- Creation Date
- Modification Date
- Header
- CRC
- MD5
- SHA1
- SHA256
- Data Size
- Resource Size
- Owner
- Mac Creator
- Mac Type
- Absolute Path
- UID
- GUID
- Permissions

Each of these filter types can be applied against the following operators:

- Is Equal To
- Is Not Equal To
- Contains
- Does Not Contain
- Is Less Than
- Is Greater Than
- Is in database
- Is not in database

Quick Tip: Foreign Languages

MacForensicsLab can filter on foreign multi-byte character sets such as Russian, Arabic and Chinese, not just English.
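As an added example (not MacForensicsLab code), the following Python models how a list of these filters narrows a scan: each scanned file becomes a record of the fields listed above, the comparison operators are applied in turn, and the ‘Is in database’ / ‘Is not in database’ operators test a hash against a known-file checksum set such as an NSRL import. The file records, the checksum set and the filter values are constructed for the illustration.

```python
"""Search-filter evaluation modelled on the 'Search Filters' fields and
operators described above.  Added example, not MacForensicsLab code;
the records, the known-hash set and the filters are constructed here."""
import hashlib
import operator
import zlib
from dataclasses import dataclass
from typing import Any, Callable


def file_record(name: str, path: str, data: bytes, uid: int = 501) -> dict:
    """Collect the metadata a search scan records for one file."""
    return {
        "Name": name,
        "Absolute Path": path,
        "Data Size": len(data),
        "UID": uid,
        "Header": data[:4].hex(),
        "CRC": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


# Text operators fold case, so multi-byte names such as "Отчёт" match "отчёт".
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "Is Equal To": operator.eq,
    "Is Not Equal To": operator.ne,
    "Contains": lambda field, value: str(value).casefold() in str(field).casefold(),
    "Does Not Contain": lambda field, value: str(value).casefold() not in str(field).casefold(),
    "Is Less Than": operator.lt,
    "Is Greater Than": operator.gt,
    # Positive / negative filtering against a checksum database (e.g. an NSRL set).
    "Is in database": lambda field, db: field in db,
    "Is not in database": lambda field, db: field not in db,
}


@dataclass(frozen=True)
class SearchFilter:
    field: str   # one of the Log File Format fields, e.g. "MD5"
    op: str      # one of the operator names above
    value: Any   # literal to compare with, or a set of hashes for the database operators

    def matches(self, record: dict) -> bool:
        return OPERATORS[self.op](record[self.field], self.value)


def apply_filters(records: list[dict], filters: list[SearchFilter]) -> list[dict]:
    """A record survives only if every filter in the list holds (AND)."""
    return [r for r in records if all(f.matches(r) for f in filters)]


# Constructed sample scan: one known system library, one user document, one tiny temp file.
_LIB = b"\xcf\xfa\xed\xfe" + b"known OS library bytes" * 64
_DOC = b"\xd0\xcf\x11\xe0" + "отчёт за квартал".encode("utf-8") * 200
_TMP = b"tmp"
RECORDS = [
    file_record("libexample.dylib", "/usr/lib/libexample.dylib", _LIB, uid=0),
    file_record("отчёт.doc", "/Users/jdoe/Documents/отчёт.doc", _DOC),
    file_record(".tmp", "/Users/jdoe/.tmp", _TMP),
]
# Known-file hash set standing in for an imported NSRL checksum database (constructed).
KNOWN_MD5 = {hashlib.md5(_LIB).hexdigest()}

# Negative filter against the known-file set plus a size floor.
NEGATIVE_FILTERS = [
    SearchFilter("MD5", "Is not in database", KNOWN_MD5),
    SearchFilter("Data Size", "Is Greater Than", 1024),
]


def names_surviving(filters: list[SearchFilter]) -> list[str]:
    """Names of the sample records that pass every filter in the list."""
    return [r["Name"] for r in apply_filters(RECORDS, filters)]


if __name__ == "__main__":
    print(names_surviving(NEGATIVE_FILTERS))                              # ['отчёт.doc']
    print(names_surviving([SearchFilter("Name", "Contains", "ОТЧЁТ")]))   # ['отчёт.doc']
```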

Adding & Removing Search Filters & Items

Clicking the (+) button underneath the desired pane will create a new filter/item at the bottom of the current list, after which the examiner can manually edit the filter/item details. To remove an individual filter, select the respective item and then press the (-) button. Clearing an entire list is equally simple; just click the (clear) button under the desired panel. This will, without warning, remove all the items from the list.

Importing A Custom ‘Search Item’ Database

To import a custom checksum database, simply click the Import button at the bottom of the ‘Search Items’ panel. This will bring up an open file dialog box from which the examiner can locate and select the required file. Upon import the information in the database file will populate the ‘Items’ pane.

Searching for Credit Card and Social Security Numbers

In order to ensure that all files containing either credit card or social security numbers are searched and possibly bookmarked, the examiner must select either or both of the respective checkboxes in the ‘Search Items’ panel.

Auto-Bookmarking Files

When scanning directories, the search function can be used to auto-generate bookmarks for reference at a later time in the investigation.

To add the items as bookmarks to a respective group, the examiner must select the “Bookmark” checkbox in the ‘Bookmarks’ panel and then select a bookmark group from the drop down menu. If a new group is required, the examiner should create it through the Bookmarks menu (please refer to the chapter on Bookmarks for more detail).

Performing The Search Operation

Having selected the partition or directory structure for searching, clicked the Search button in the ‘Main’ window, bringing the ‘Search’ window to the fore, and having set up the window with the desired ‘Search Items’, ‘Search Filters’, bookmarking and hashing options, the examiner should be ready to perform the search operation. To initiate the process, he or she should click the highlighted Search button on the bottom right of the ‘Search’ window. If the hash export checkbox has been selected, the examiner will be prompted to define a file name and save location for the exported hash text file before the scan proceeds.


Once the process of scanning and searching the items found has completed, the examiner will be prompted with a screen advising as much; once closed, it will return him or her to the ‘Main’ window.

The Analyze Function

This section will discuss the Analyze Function within MacForensicsLab.

Overview

There will come a point in the case when an examiner may wish to analyze the file data block-by-block; the ‘Analyze’ function enables that to be done. Once analysis has been performed and evidence located, the examiner can then export and/or hash the requisite section of the drive to file for safekeeping and later use or further analysis.


The Analyze Window Layout

The analysis window can be split into 4 core sections:

(1) ‘Hex Content’ pane
(2) ‘Search Items’ pane
(3) ‘Found’ pane
(4) ‘Carve’ pane

The Hex Content Pane

The ‘Hex Content’ pane is the right-hand side of the ‘Analyze’ window and is where the examiner can read block data piece by piece in ‘Hex’ mode. In MacForensicsLab 3.0, this area has been expanded to display a block at a time with the default view being ASCII.

Search Items Pane

The ‘Search Items’ pane contains a number of elements that are of use to the examiner:

Search Fields Pane – This is the first element in the Search Items Pane, which contains the working list of search terms (or filters) with which to analyze the data blocks. This is split into 2 columns: type and value. Type specifies whether the string should be pattern-matched against the HEX content or the text (ASCII) content of the blocks. Value is the string that is going to be pattern-matched against the blocks in that format, usually a word.

As previously mentioned, MacForensicsLab has the ability to handle foreign language multi-byte character sets such as those used in Russian, Arabic and Oriental languages when searching. A search term may be up to 128 characters long, and up to 128 search keywords may be defined.

Search Fields Management Buttons – Below the ‘Search Fields’ pane are buttons to manage the search fields in that pane.

- Clear: to clear all of the search fields in the window above
- Import: to bring up a dialog box and import a search terms database file
- Plus (+): to manually add individual search fields
- Minus (-): to individually delete each selected search field

Quick Tip: Saving Search Fields

The ‘Search Fields’ in the ‘Analyze’ window are retained from one investigative session to the next.

Found Pane

The ‘Found’ pane permits the examiner to access very quickly and easily any of the hits that are generated as a result of the terms used in the search. To view a specific block entry in the ‘Hex Content’ pane, click on the individual result item and the block data will load into the Hex viewer in the main panel.


Search File Data

When investigating files with the ‘Analyze’ window it is possible for the examiner to search for strings within the blocks of data that make up the file.

Individual Search Terms

To do so, the examiner must click the (+) button below the ‘Search Items’ pane; this will add a new field. After this, the examiner should define the search term type (text or hex) by clicking the up/down arrows in the centre of the search term row, followed by typing in a unique search term string in the text entry field to the right hand side of the arrows.

This can be repeated multiple times, building up as complex a filter as required. If items are added in error, the examiner can easily remove them by selecting each one in turn and then clicking the (-) button located under the ‘Search Items’ pane. When ready, the examiner can proceed by clicking Search. While the data is being processed, the examiner will see a progress bar, and upon completion of the search the results will appear in the ‘Found’ pane.

Importing Custom Search Lists

Though an examiner might find it useful to create search terms in an ad hoc manner, as discoveries in the investigation necessitate, at some point he or she will want a more in-depth search, based on hundreds, if not thousands, of search terms. The best way to achieve this is to import custom search lists.

Custom search lists are essentially ‘CSV Text’ files with each individual search term on a new line. They are also a great way to keep a database of useful terms, meaning that a productive analysis or cataloguing run on a suspect device is never more than a few clicks away.

To import a list, click on the Import button to the middle of the ‘Search Items’ drawer. This will bring up a ‘Find File’ dialog box. Once the examiner has found the file, click ‘Open’.

Each individual line item will then appear as an individual term in the ‘Search Items’ pane. The examiner then has to define whether each term is in Text or HEX format, though all are imported as ASCII Text format content by default.

Credit Card and Social Security Number Search

By selecting the respective checkboxes below the ‘Search Items’ pane it is possible for the examiner to get MacForensicsLab to look for and find credit card and social security numbers during the search process.

Performing the Search

Once the search items have been defined in the ‘Search Items’ pane, either individually or by import, and when the other settings have been defined, the examiner need only click the now enabled Search button to perform the search. Once the scan is complete the results will appear in the ‘Found’ pane. Clicking on any hit displayed in the ‘Found’ pane will display the location of that hit in the ‘Hex Content’ pane and highlight it. The block number it is found in will be displayed at the bottom of the ‘Hex Content’ pane in the Block Number field. The start and length of the hit will also be populated in the Carve section.


Examining Results of a Search

Once the search has completed (1), the resulting hits are displayed in the ‘Found’ section of the Analyze window. The user may examine these hits by clicking on them (2) and the hit location will be displayed in the ‘Hex Content’ section of the window (3). When clicked, the search hit will turn red and a check mark will appear next to it. This allows the examiner to see which results they have reviewed and which ones they have yet to review, saving them time by making sure they don’t re-examine search hits.


Carving Data

When the examiner is ready to export the block-set being analyzed, he or she can do so very easily by clicking the "Carve" button. Doing so will then invoke the ‘Save’ window, bringing it to the fore.

The examiner may use the Start and Length fields to define the starting byte and the number of bytes after it to be carved out. These values can be changed by either entering the desired number in the Start and Length fields or by pressing the up and down arrows to the right of those fields. Clicking the Locked boxes to the right of these fields will lock the field to prevent it from being changed.

It is advisable to rename the default export filename and to apply a suffix to the name so that Mac OS or any other operating system can more easily recognize the expected file type and open it with the appropriate application.

Upon completion a message will pop to the fore and the user can simply close this and continue on with the investigation.
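The following Python is an added illustration (not MacForensicsLab code) of the Analyze workflow described above: text and hex terms are matched against a file block by block, each hit records the block number plus the start and length that the Carve fields receive, credit card candidates are confirmed with the Luhn check and SSN candidates with the structural rules, and the carve step exports the bytes. The 512-byte block size, the sample blocks and the search terms are constructed.

```python
"""Block-wise term search, Found-pane style hits and a carve step, modelled on
the 'Analyze' window described above.  Added example, not MacForensicsLab code;
the block size, the sample blocks and the search terms are constructed."""
import re
from dataclasses import dataclass

BLOCK_SIZE = 512   # constructed; the Hex Content pane shows one block at a time


@dataclass(frozen=True)
class Hit:
    term: str     # search term as entered in the Search Items pane
    block: int    # block number shown under the Hex Content pane
    start: int    # absolute byte offset, what the Carve 'Start' field receives
    length: int   # match length in bytes, what the Carve 'Length' field receives


def encode_term(kind: str, value: str) -> bytes:
    """A 'text' term matches its UTF-8 bytes; a 'hex' term matches the decoded bytes."""
    if kind == "hex":
        return bytes.fromhex(value)
    if kind == "text":
        return value.encode("utf-8")
    raise ValueError(f"unknown term type: {kind}")


def search_blocks(data: bytes, terms: list[tuple[str, str]]) -> list[Hit]:
    """Return every occurrence of every term, ordered by offset."""
    hits = []
    for kind, value in terms:
        needle = encode_term(kind, value)
        pos = data.find(needle)
        while pos != -1:
            hits.append(Hit(value, pos // BLOCK_SIZE, pos, len(needle)))
            pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.start)


def carve(data: bytes, start: int, length: int) -> bytes:
    """The Carve step: export 'length' bytes beginning at byte 'start'."""
    return data[start:start + length]


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_CARD = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")        # 13-16 digits, optional separators
_SSN = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")       # AAA-GG-SSSS


def find_card_numbers(data: bytes) -> list[Hit]:
    """Digit runs of 13-16 digits that pass the Luhn check."""
    hits = []
    for m in _CARD.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_valid(digits):
            hits.append(Hit("credit card", m.start() // BLOCK_SIZE, m.start(), len(m.group(0))))
    return hits


def find_ssns(data: bytes) -> list[Hit]:
    """SSN-shaped strings, rejecting area/group/serial values that are never issued."""
    hits = []
    for m in _SSN.finditer(data):
        area, group, serial = (int(g) for g in m.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        hits.append(Hit("social security", m.start() // BLOCK_SIZE, m.start(), len(m.group(0))))
    return hits


def _place(buf: bytearray, offset: int, chunk: bytes) -> None:
    buf[offset:offset + len(chunk)] = chunk


# Constructed sample: three 512-byte blocks of a suspect file (zeros elsewhere).
_buf = bytearray(BLOCK_SIZE * 3)
_place(_buf, 600, b"Invoice paid with card 4111 1111 1111 1111 today")           # block 1
_place(_buf, 700, b"ref 1234 5678 9012 3456 fails Luhn; SSN 123-45-6789")        # block 1
_place(_buf, 1100, bytes.fromhex("ffd8ffe000104a464946"))                         # block 2
SAMPLE = bytes(_buf)
TERMS = [("text", "Invoice"), ("hex", "ffd8ffe0")]

if __name__ == "__main__":
    for hit in search_blocks(SAMPLE, TERMS) + find_card_numbers(SAMPLE) + find_ssns(SAMPLE):
        print(hit, carve(SAMPLE, hit.start, hit.length))
```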

The Salvage Function

This section discusses the Salvage function contained within MacForensicsLab.


Overview

MacForensicsLab’s ‘Salvage’ function will search a device, volume, or folder and list all the recoverable files held within it, whether erased or not, and then recover the pre-selected files to a selected destination folder. When salvaging a device, MacForensicsLab scans through the entire media to find as many recoverable files as possible; it can also scan through a single directory structure.

The Salvage Window

The Salvage window is divided into upper and lower sections. The upper section is responsible for the settings Salvage will invoke upon starting. These settings include "Supported File Formats," "Import a Prior Scan," and "Start a New Scan". The Supported File Formats section allows the examiner to select specific file types or groups of file types (e.g., all music files, image files and so on), as well as selecting all file formats (the default). In addition, these settings can be further defined to search Free Space Only (Deleted Files) or the Entire Device (All Files). Options for speed can also be selected by choosing either Fast Scan (Block by Block) or Slow Scan (Byte by Byte).


The lower section will display a list of files, by type, that Salvage can recover. Once a file is selected, a File Previewer application will open and attempt to show the file in its native format. Once the files to be Salvaged are determined, the "Salvage selected files" button is invoked.
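As an added example (not MacForensicsLab code), this Python models the Salvage options above on a constructed disk image: header/footer signatures identify recoverable files, ‘Free Space Only’ skips blocks the file system still has allocated, and the Fast scan checks only block boundaries while the Slow scan checks every byte, which is why the file sitting at an unaligned offset in the sample is found only by the slow scan. The block size, the allocation map, the signatures chosen and the image contents are all constructed.

```python
"""Signature-based salvage modelled on the Salvage options described above.
Added example, not MacForensicsLab code; block size, allocation map and the
disk image are constructed."""
from dataclasses import dataclass
from typing import Optional

BLOCK_SIZE = 512  # constructed block size

# Header and footer signatures for the file formats this example supports.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass(frozen=True)
class Recovered:
    kind: str     # file type, which decides the export subfolder
    offset: int   # where the header was found in the image
    data: bytes   # bytes from header through footer


def _match_at(image: bytes, pos: int) -> Optional[tuple[str, int]]:
    """Return (kind, end) if a known header starts at pos and its footer follows."""
    for kind, (header, footer) in SIGNATURES.items():
        if image.startswith(header, pos):
            end = image.find(footer, pos + len(header))
            if end != -1:
                return kind, end + len(footer)
    return None


def salvage(image: bytes, allocated: set[int], scan: str, scope: str) -> list[Recovered]:
    """scan: 'fast' checks only block boundaries, 'slow' checks every byte.
    scope: 'free' skips blocks the file system still has allocated, 'all' does not."""
    step = BLOCK_SIZE if scan == "fast" else 1
    found, pos = [], 0
    while pos < len(image):
        block = pos // BLOCK_SIZE
        if scope == "free" and block in allocated:
            pos = (block + 1) * BLOCK_SIZE   # live data, not a deleted file: skip the block
            continue
        hit = _match_at(image, pos)
        if hit is None:
            pos += step
            continue
        kind, end = hit
        found.append(Recovered(kind, pos, image[pos:end]))
        # Resume after the recovered file; the fast scan re-aligns to the next block.
        pos = end if scan == "slow" else -(-end // BLOCK_SIZE) * BLOCK_SIZE
    return found


def export_name(item: Recovered, sequence: int) -> str:
    """Export path: a subfolder per file type, files named in numeric sequence."""
    ext = {"jpeg": "jpg", "png": "png"}[item.kind]
    return f"{item.kind}/{sequence:05d}.{ext}"


def _jpeg(payload: bytes) -> bytes:
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"


def _place(buf: bytearray, offset: int, chunk: bytes) -> None:
    buf[offset:offset + len(chunk)] = chunk


# Constructed 4-block image: blocks 0 and 3 are still allocated, 1 and 2 are free.
_buf = bytearray(BLOCK_SIZE * 4)
_place(_buf, 0, _jpeg(b"live photo " * 20))              # block 0: live file
_place(_buf, 512, _jpeg(b"deleted photo " * 20))         # block 1: deleted, block-aligned
_place(_buf, 1024 + 100, _jpeg(b"slack photo " * 20))    # block 2: deleted, NOT aligned
_place(_buf, 1536, SIGNATURES["png"][0] + b"x" * 50 + SIGNATURES["png"][1])  # block 3: live
IMAGE = bytes(_buf)
ALLOCATED = {0, 3}

if __name__ == "__main__":
    for scan in ("fast", "slow"):
        for scope in ("all", "free"):
            hits = salvage(IMAGE, ALLOCATED, scan, scope)
            print(scan, scope, [(export_name(h, i + 1), h.offset) for i, h in enumerate(hits)])
```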

Save the Scan

Once you have scanned for files that Salvage can recover, a window appears asking if you'd like to save the results of the scan. If you are not going to Salvage all files possible, it is a good idea to save the results of the scan. This process will save time later if the examiner needs to go back and Salvage additional files from the case.


Choose Destination

Once the examiner has opted to save the scan results, a pop-up window appears asking for a destination for the scan results to be saved; once entered, select "Save."

Examine Files by Type

As illustrated above, all possible files are divided by type and number.


File Previewer

Once a particular file is selected for review, the File Previewer application is launched allowing the examiner to preview the file in question.

Select Files for Salvage

Highlight the files to be Salvaged (holding down the Command key to click and select multiple files at a time) and select the "Salvage selected files" button.


Save Salvaged Files

Once the files for Salvage have been selected, a navigation box appears allowing the examiner to select the location to which the Salvaged files will be exported.

Filename Rebuilder

Once the files have been Salvaged, MacForensicsLab provides an optional process to attempt to rename the files based on the metadata contained within the files. If the examiner does not wish to do this, simply select "Cancel" (1); conversely, by selecting "OK" (2) MacForensicsLab will attempt to rebuild all file names.

Only some formats (such as JPEG, MP3, Word, etc.) will be renamed; the rest will be named in numeric sequence.

Reviewing Salvaged Files

The Salvaged files are exported, by default, into a folder titled "Salvage (day of the week) and (month/day/year)". Contained within that folder are subfolders broken down by file type for easy review and categorization.

The Browse Function

This section will describe the core functionality of the Browse function of MacForensicsLab.

Overview

The ‘Browse’ window provides the examiner with an exceedingly quick and easy way to search for files (primarily images and multimedia) in directories, view the results found based on the preset search criteria, bookmark, make notes and even perform closer analysis.


The Browse Window

The Browse window allows the examiner a range of variable options to include in his/her search. These options include:

File Checks (1):
- File size (min-max range in kilobytes)

Image Checks:
- Image-only results (yes or no) (2)
- Horizontal & vertical dimensions (min-max range in pixels) (3) & (4)

To invoke the Browse, select the "Browse" (5) button at the bottom of the window.

After clicking Browse, as MacForensicsLab scans the selected location for matching files, a progress dialog will be displayed providing the examiner with a status report. If the examiner needs to end the scan prematurely, clicking the Cancel button under the progress bar will end the scan and return to the ‘Main’ window. When the scan is complete a finish prompt will appear and a chime will sound; upon clicking OK the prompt will close and the ‘Browse’ window will come to the fore.

Reviewing the Results

Upon completion, the Browse window will display a thumbnail view of all files meeting the aforementioned criteria set forth by the examiner. When an image is selected, it is highlighted in red (as seen above) and the metadata for that file appears on the right (1).


Bookmarking the Findings

Once the appropriate images are highlighted, the examiner can bookmark the results by choosing "Bookmarks" from the Main window or using the keyboard shortcut of Command + D. In the above example, a bookmark labeled "images" (1) was created, with a note "suspicious images" (2) to save the previously selected file.

Viewing Bookmark

The examiner can review the bookmark by navigating to the Bookmark window by selecting "Bookmark -> Show All Bookmarks" from the Main window.


The Audit Function

This section describes the Audit function of MacForensicsLab.

Overview

The Audit function enables the examiner to quickly and easily locate relevant OS artifacts as they pertain to the system, the network and the user.

Getting Started

To invoke the Audit function, the examiner must select the "Files" (1), the volume/partition (2) with a valid user folder contained within it from the ‘Device’ pane of the ‘Main’ window. Furthermore, the examiner must select the "Users" folder (3) for the ‘Audit’ button to become enabled.


Invoking the Audit

Once the Audit button is enabled, the examiner can select a specific user (1), or if the system has multiple users, he/she can check "Audit all users" (2), then select the "Audit" button (3).

Locate Audit Results

The results of the Audit are stored in the MacForensicsLab database. To access the database from the MacForensicsLab Main window, select "Window -> Database" or use the keyboard shortcut of "Shift + Command + D".

Review Audit Findings

To review the findings of the Audit, select a user, then scroll up or down to view the results. The examiner can highlight findings of interest and export them out to a file by selecting the "Export" button.


Generate a Report

Once the "Export" button is invoked, a dialogue box appears allowing the examiner to choose between an HTML or Plain Text report. Once decided, select "OK."

Save Report

Select a location to save the Audit report.

View the Report

The report should have an MFL logo. The one listed below may be from a previous beta.


Since an HTML report was selected in the example, a browser launches showing the report. All items highlighted and exported are hyperlinked under the "Table of Contents" located to the right.

Reviewing the Hyperlinks

The examiner can select any hyperlink and be taken directly to that portion of the report.

The Hash Function

This section will describe the hash function contained within MacForensicsLab.


Using the Hash Function

The Hash functionality is a new feature added in MacForensicsLab 3.0. This button allows the examiner to quickly and easily create a hash of any device or file by highlighting it (1) and invoking the "Hash" button (2).


Reviewing the Hash

Once completed, the Hash window appears. The hash values are displayed in two separate fields. The first shows the hash data presented in a form for better human readability. The second field shows the raw hash data. Both contain the same information, just formatted differently for interoperability and readability.

Saving the Results

The results of the hash can be either saved out as a text file by clicking the Export button or added directly to the hash database. To export, simply select the formatting of the hash you would like to export using the radio button, click "Export" and navigate to where the file is to be saved. To add the hash data to the database, select the database section from the drop down menu and click the “Add” button.


Bookmarks

This section will cover Bookmarks within MacForensicsLab.

Overview

MacForensicsLab uses bookmarks to assist the examiner in collecting files of investigative interest. It is possible to bookmark files and directories for reference and examination at a later time in the case. Likewise, the examiner can bookmark any file or folder, or groups of files. You cannot bookmark devices or specific blocks within a device.

Locating the Bookmarks

The bookmarks can be viewed and managed from the ‘Bookmarks’ window and are accessible at any time by selecting “Show All Bookmarks …” from the Bookmarks menu, or by using the keyboard shortcut "Command + Option + B”.


The Bookmark Window Layout

The ‘Bookmarks’ window is divided into 4 clear portions:

- The folders/groups pane (1)
- The folder note pane (2)
- The bookmark detail pane (3)
- The bookmark note pane (4)

The Folders Pane & Folder Note Pane

Bookmarks can be grouped together using folders. These are listed in the Folders Pane (1). When individually selected, the notes for the respective folder, in editable form, can be seen in the ‘Folder Notes’ pane, directly below (2), while the grouped bookmarks can be seen in the ‘Bookmarks’ pane to the right (3).

The Bookmarks Pane & Bookmark Note Pane

Having selected an individual bookmark folder, the contents of the folder will be displayed in the ‘Bookmarks’ pane (3). Each bookmark is listed with: bookmark name, file path, file size and creation date. Columns can of course be resized and sorted by the examiner simply by clicking on the respective header or by dragging the column separators to the desired size. Having selected a bookmark, the notes for the bookmark item will be displayed, in editable form, in the ‘Bookmark Note’ pane (4).

Resizing Panes


In order to maximize viewing space the examiner can resize the partitions between all four panes of the ‘Bookmarks’ window. To do so, the examiner should click & drag the resize handle of the respective separator, thus being able to minimize and maximize the required viewing space for each pane.

Managing Bookmark Folders

Adding Bookmark Folders

Bookmark folders can be added in one of two ways. The first is to use the ‘Add Bookmark Folder…’ window and the second is to do so from the ‘Bookmarks’ window itself.

Via the ‘Add Bookmark Folder…’ Window

When working with the other functions in MacForensicsLab, it is quickest and easiest to invoke the ‘Add Bookmark Folder…’ window from the Bookmarks menu or use the keyboard shortcut: "Command + Shift + N".

If adding a new folder while creating a new bookmark, then simply click the (+) button below the folder title option list in the ‘Add Bookmark’ window.

Once the ‘Add Bookmark Folder…’ window comes to the fore, the examiner need only enter the name of the new folder (1) into the “Name” text input field, and click Save (3). If the examiner so wishes, he or she can enter a note/summary into the “Summary” text field (2) for reference then and there, or do so at a later time from the ‘Bookmarks’ window.

Via the ‘Bookmarks’ Window

The second way to add bookmark folders is to bring the ‘Bookmarks’ window to the fore, after which the examiner must click the (+) button under the ‘Bookmark Folders’ pane. This will generate a new folder with an empty title in the pane above, ready with the text cursor in the entry field. Once the name is complete, the examiner can either press Enter/Return or simply click out of the name entry field. To add a summary, having created a new folder in this way, the examiner need only select the new folder in the ‘Bookmark Folders’ pane and then enter his or her summary for the selected folder into the ‘Folder Note’ pane below.

Amending Bookmark Folder Names

Should the examiner wish to amend the name of a bookmark folder, he or she can do so from the ‘Bookmarks’ window by simply double-clicking on the respective bookmark folder’s name in the ‘Bookmark Folders’ pane and making the edits accordingly, before clicking out of the text entry field.

Removing Bookmark Folders

Removing bookmark folders, either collectively or individually, can be done from the ‘Bookmarks’ window.

Clearing ALL Folders

To clear ALL folders, and lose the bookmarks contained within them, the examiner must click the (clear) button under the ‘Bookmark Folders’ pane, at which point MacForensicsLab will prompt him or her to confirm the deletion - as it cannot be undone. Having clicked OK, the examiner will be returned to the ‘Bookmarks’ window with a cleared ‘Bookmark Folders’ pane.

Clearing Individual Folders

To remove folders individually, the examiner must select each item in turn and click the (-) button beneath the ‘Bookmark Folders’ pane. As before, there will be a prompt confirming the deletion and the examiner need only click OK to follow through with the action.

Clearing Actions

Removing Bookmarks

Removing bookmarks, either collectively or individually, can be done from the ‘Bookmarks’ window.

Clearing ALL Bookmarks

To clear ALL bookmarks from within a bookmark folder, the examiner should select the desired bookmark folder in the ‘Bookmark Folders’ pane and then click the (clear) button under the ‘Bookmarks’ pane (1), at which point MacForensicsLab will prompt him or her to confirm the request to delete ALL bookmarks. Having clicked OK, the examiner will be returned to the ‘Bookmarks’ window with a cleared ‘Bookmarks’ pane.

Clearing Individual Bookmarks


To remove bookmarks individually, the examiner must first select the requisite bookmark folder and then, once the bookmarks load, select each item in turn and click the (-) button underneath the ‘Bookmark’ pane (2). As before, there will be a prompt confirming the action and the examiner need only click OK to follow through with the action.

Examiner Notes

Notes in MacForensicsLab

This section will describe the Note functionality contained within MacForensicsLab.

Overview

Case Notes are an extremely useful function of MacForensicsLab that allow the examiner to add comments and observations to their case file at any point during the examination process. Whether browsing the ‘Main’ window or in the middle of a lengthy acquisition, the examiner can open the ‘Notes’ tab of the ‘Database’ window, using either the keyboard shortcut ("Command + N") or the ‘Window’ drop-down menu, and make the desired entry, before returning to the prior screen when finished.

Opening Notes

To access the Notes window at anytime during the investigation, select "Window -> Make Note" from the Main window.


Notes Window Layout

The Notes Window is divided into three sections:

- The Database Tab
- The Note Data Pane
- The Note Information Section


Adding and Removing Case Notes

To add a new note, the examiner need only click the (+) button at the bottom right hand side of the upper ‘Notes Data’ pane. This will generate a blank new entry, which the examiner then needs to select and enter his or her notes into, using the lower ‘Note Entry’ pane. Having completed the note, the examiner can then click the ‘Save’ button, close the ‘Database’ window and return to the previous screen.

Editing Case Notes

When necessary to edit a case note, select the individual note in the ‘Notes’ pane at the top of the window. Once the note itself has loaded in the window below, the examiner is free to edit it at will. Having finished any amendments, click out of the editor pane and the new version of the note will be saved and changes logged.

Removing Case Notes

The examiner can remove individual notes, or clear the entire ‘Notes’ pane in one go. To remove an individual note detail the examiner should select the note earmarked for removal and then click the (-) button on the right-hand side below the ‘Notes’ pane. To remove all the details in one go, the examiner should click the (Clear) button on the right-hand side below the ‘Notes’ pane. In both instances, the deletion will generate a warning prompt dialog, to which the examiner must confirm his or her actions.

Refreshing the Notes Pane

When working in a centralized database environment, it is possible that the ‘Notes’ pane may become out of sync with the listing in the database. To bring it up-to-date the examiner needs to click the Refresh button on the left-hand side below the ‘Notes’ pane. The time stamp is in Greenwich time.

The MacForensicsLab Database

This section will cover the organization and layout of the MacForensicsLab database.

Overview

Whichever database (local file, RealSQL server, MySQL server) is enabled via the ‘Preferences’ window, detailed logs are kept of every action and all points of interest to support the examiner in the understanding and final presentation of their evidence. In the ‘Database’ window, the examiner has full access to comprehensive details of what has been logged in the forensic examination to date.


Opening the Database

The MacForensicsLab database can be located, from the Main window by selecting "Window -> Database" or using the keyboard shortcut of "Shift + Command + D".

The Database Window Layout

The ‘Database’ window can essentially be split into 2 parts:

The tab bar - consisting of the various database sections:

- Acquisition
- Analyze
- Audit
- Chronology
- Hash
- Notes
- Salvage

The viewing pane(s) - consisting of:

- Device information
- Date/time/description
- Data

Each database tab has its own layout. The layouts within the ‘Database’ window range from a single pane holding a columnar list to a triple-pane layout with bookmarks and a note/native viewer.

Viewing the Database Sections

The Views

As each tab is clicked in turn, the database is read, either locally or centrally, and the contents loaded into the new window layout. Naturally, the larger the dataset, the longer fetching and loading the data will take.

Accessible through the individual buttons of the tab bar in the ‘Database’ window are:

The Acquisition Log - lists the date and time of an acquisition process, a description of it and the exact block details (offset, length, hash sum, etc.).

The Analyze Log - keeps track of the details of searches performed, as well as the results associated with them. Details logged include: date and time, file location, results and the associated match and offset.

The Audit Log - lists the date and time of an audit process, a description of it and the specific OS artifact information generated, including folder creation dates/times, network preferences, system settings, user preferences, bookmarks, web caches, and much more.

The Chronology Log - lists all the events from the moment the case reference is set up to the latest action performed in MacForensicsLab. It lists the date and time of the actions, the name of the examiner, the action performed (opening windows, pressing buttons etc) and the data returned by the actions.

The Hash Database – provides a means by which the examiner can import, manage and store hash values for use within the various functions provided by MacForensicsLab.

The Notes Log - contains all the notes regarding the investigation as entered by the various examiners. Notes are listed with examiner name, date and the first few characters of the note, with the ability to view an entire note as well as to manage and edit notes.

The Salvage Log - keeps track of the date and time of the salvage process, the name of the examiner, the actions performed, and the location and specific details of the files salvaged.
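The Acquisition Log entry above records per-block offsets, lengths and hash sums. The following Python script, added here as an illustration and not taken from MacForensicsLab itself, shows why such a record is useful: with a block-level log, a later working copy can be verified and, if it fails, the damaged region can be pinpointed rather than the whole image simply rejected. The block size, the record layout and the sample image are assumptions chosen for the example; the actual format of the MacForensicsLab log is not described on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Hypothetical block size for the example; the manual does not state the size
# MacForensicsLab uses when it logs "offset, length, hash sum" per block.
BLOCK_SIZE = 4096


@dataclass(frozen=True)
class BlockRecord:
    """One acquisition-log row: where the block starts, how long it is, its SHA-256."""
    offset: int
    length: int
    sha256: str


def log_acquisition(image: bytes, block_size: int = BLOCK_SIZE) -> List[BlockRecord]:
    """Walk the acquired image and record a hash for every block (the last one may be short)."""
    records = []
    for offset in range(0, len(image), block_size):
        chunk = image[offset:offset + block_size]
        records.append(BlockRecord(offset, len(chunk), hashlib.sha256(chunk).hexdigest()))
    return records


def verify_copy(copy: bytes, records: List[BlockRecord]) -> List[int]:
    """Re-hash every logged block of a working copy.

    Returns the offsets of blocks that no longer match. A copy that is shorter
    than the log shows up as a failed (short) block; a copy that is longer is
    reported with the offset at which the unexpected extra data begins.
    """
    bad = []
    for rec in records:
        chunk = copy[rec.offset:rec.offset + rec.length]
        if len(chunk) != rec.length or hashlib.sha256(chunk).hexdigest() != rec.sha256:
            bad.append(rec.offset)
    logged_length = records[-1].offset + records[-1].length if records else 0
    if len(copy) > logged_length:
        bad.append(logged_length)
    return bad


def flip_bit(data: bytes, offset: int) -> bytes:
    """Return a copy of data with the low bit of one byte inverted (simulated corruption)."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)


# Constructed sample "image": 10240 bytes, so the log holds two full blocks and one short one.
SAMPLE_IMAGE = bytes(range(256)) * 40


if __name__ == "__main__":
    log = log_acquisition(SAMPLE_IMAGE)
    for rec in log:
        print(f"offset={rec.offset:6d} length={rec.length:5d} sha256={rec.sha256[:16]}...")
    print("pristine copy:", verify_copy(SAMPLE_IMAGE, log))                          # []
    print("one bit flipped at 5000:", verify_copy(flip_bit(SAMPLE_IMAGE, 5000), log))  # [4096]
    print("truncated copy:", verify_copy(SAMPLE_IMAGE[:9000], log))                   # [8192]
```

Hashing each block separately costs nothing extra over a single whole-image hash, since the same bytes are read once, but it turns a bare pass/fail into a location. In practice the whole-image hash is still recorded as well, because that single value is the one quoted when the integrity of the image is challenged.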

Sorting the Data

The examiner can sort by any available column by clicking its header. Once a column is highlighted and sorted in ascending order, clicking the header again sorts it in descending order.

Managing Records

Certain panes containing log data benefit from the availability of management buttons, namely:

- Refresh
- Clear
- Delete
- Add
- Edit

Where available the examiner should use these buttons as in other function windows: to reload data into the respective pane, to remove or clear records (both of which generate a warning prompt requesting confirmation before records are deleted), and to add items or make amendments.

Reporting

Generating a Report

This section covers how to write a report using MacForensicsLab.

Opening Report Window

To open the Report window, from the MacForensicsLab Main window, select "File -> Write Report," or use the keyboard shortcut "Command+P."


Select Report Contents

The Report window consists of a series of checkboxes that are to be toggled on or off depending on the information the examiner wants to include in the report. Once the appropriate checkboxes are selected, select "Start."

Report Location

Once the report settings have been determined, a navigation box opens. This box enables the examiner to dictate where the report will be generated and saved.


Viewing the Report

Once the report is saved, a browser will open automatically showing the report. The report is divided into two sections, the navigation section on the left and the reported information on the right.

Keyboard Shortcuts

This section will list the keyboard shortcuts supported by MacForensicsLab.


Shortcuts

The following shortcuts are specific to the MacForensicsLab application.

Command + Comma (,) - Open ‘Preference’ Window

Command + P - Write HTML report

Command + T - Attach Disk Image

Command + D - Detach Disk Image

Command + M - Mount Device

Command + R - Rescan available hardware buses

Command + U - Unmount Device

Option + Command + B - Show all bookmarks

Command + D - Add bookmark

Shift + Command + N - Make note

Shift + Command + D - Open ‘Database’ window

Command + B - Open ‘Disk Arbitration’ window

Command + T - Open terminal

Command + S - Saves/Exports a file

Getting Help and Technical Support

This section covers the various ways to obtain help and technical support when using MacForensicsLab.


Finding Help within MacForensicsLab

Help can be found both via the small, context-sensitive tool tips that appear when the examiner hovers the mouse over a window element, and via the standard Help menu at the top of the screen. Contextual tool tips cover buttons and other parts of MacForensicsLab that require some form of user interaction.

On the Web

We provide over 100 links to forensic resources, manuals, a complete knowledge base and a wealth of additional information on our website. For updates, resources and additional information please visit: http://www.MacForensicsLab.com

Technical Support

We provide free technical support by email or phone between 10am and 6pm Pacific Standard Time (GMT -8), Monday to Friday. By email, we can be reached at the following address: [email protected]. By phone, we can be reached at +1 (510) 870 7883, or by fax on +1 (510) 868 3407.

In addition to any support question(s), the examiner must include ALL of the following pieces of information:

- Valid registration number or purchase information.
- System configuration(s) – hard drive make, model etc.
- System OS version.
- System-related information can be found by using the “System Profiler” application in the /Applications/Utilities folder.

Comments and Questions

If you have comments, problems, or questions about this product, or if you are interested in a site license, please contact us via email: [email protected]

Company Address

MacForensicsLab Incorporated
37600 Central Ct, Suite 212
Newark, California 94560
http://www.MacForensicsLab.com

Uninstalling MacForensicsLab

This section covers how a user can uninstall MacForensicsLab.

Using the Main Window

MacForensicsLab is a completely self-contained application and requires no special uninstaller. To uninstall MacForensicsLab, navigate to the directory in which it is currently installed, highlight the MacForensicsLab folder and either drag and drop it into the Trash or delete it using the Delete key.

Glossary

This section is a Glossary of terms relevant to MacForensicsLab.

Glossary

Acquisition - The process through which an examiner makes duplicate working copies of a suspect drive, media or other data storage hardware.

Checksum & Checksum Verification - A checksum is a small value computed from a block of data (classically by summing its bytes, or in forensic practice by applying a cryptographic hash) and stored or transmitted alongside it. The receiver recomputes the value and compares it with the stored one; if the two match, the data is assumed to have arrived or been copied intact. A simple additive checksum detects accidental corruption but not deliberate alteration, which is why verification of evidence relies on cryptographic hashes.

Device - Could refer to any form of data storage technology, or equipment required to read data stored on media such as CDs or DVDs.

Disclosure Triangle - The small right-pointing arrow next to folders in the explorer window which, when clicked, turns downwards and allows the examiner to view the contents of that folder.

Disk Image - A computer file containing the complete contents and structure of a data storage device. The term has been generalized to cover any such file, whether taken from an actual physical storage device or not.

Disk Arbitration - The process by which a workstation discovers and attempts to mount a device connected to it. The kernel notifies OS X of the event and the OS immediately looks for mountable partitions on the drive. If any are found, the OS initiates the mount and then updates its internal disk arbitration tables, which in turn notifies any programs that subscribed to mount notifications. Mounting is not a read-only operation: during this process the OS may write to the suspect drive (for example to replay the file system journal or update volume metadata), which is why automatic mounting must be disabled, or a hardware write blocker used, before evidence media is attached.

Evidence Item - Refers to an individual file that may be of use to an investigation or case.

Finder - Also referred to as the Desktop by workstation users. This is the graphical user interface, or front end, that allows the user to interact visually with the computer.

Hash or Hashing - Producing hash values for identifying data or for security and verification. A hash value (or simply hash), also called a message digest, is a fixed-size number computed from an arbitrary block of data (a file, a disk image, a string of text). The hash is substantially smaller than the data itself and is generated by an algorithm designed so that it is computationally infeasible to find other data producing the same hash value. Algorithms used to create hash values include, in ascending order of strength: MD5, SHA-1 and SHA-2 (of which SHA-256 is the most commonly used member). Practical collisions have since been demonstrated for MD5 and SHA-1, so SHA-256 should be recorded wherever a hash is relied on to prove that evidence has not been altered; MD5 remains useful for matching against legacy hash sets.
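To make the difference between the Checksum and Hash entries concrete, here is a short Python example added to this manual (it is not MacForensicsLab code and uses only the standard library). It shows that a simple additive checksum, of the kind the Checksum entry describes, cannot distinguish two inputs whose bytes have merely been reordered, while MD5, SHA-1 and SHA-256 all produce different digests; it also shows the verification step in which a recomputed digest is compared against the recorded one. The sample inputs are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# hashlib names for the three algorithms the glossary lists, weakest first.
ALGORITHMS = ("md5", "sha1", "sha256")


def additive_checksum(data: bytes) -> int:
    """A classic 16-bit additive checksum: the sum of all byte values, modulo 2**16."""
    return sum(data) & 0xFFFF


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of the same data under MD5, SHA-1 and SHA-256."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify(data: bytes, recorded: Dict[str, str], algorithm: str = "sha256") -> bool:
    """Recompute one digest and compare it with the value recorded at acquisition time.

    hmac.compare_digest does not stop at the first differing character; that
    matters little for a local file check but is the right habit for any
    digest comparison.
    """
    return hmac.compare_digest(hashlib.new(algorithm, data).hexdigest(), recorded[algorithm])


# Constructed inputs: the second is the first with four bytes reordered, so every
# byte value occurs the same number of times and an additive checksum cannot tell
# them apart.
ORIGINAL = b"transfer 100 to account 4242"
REORDERED = b"transfer 100 to account 2424"

# A single-bit flip (accidental corruption) changes the byte sum, so the checksum
# does catch that kind of damage.
CORRUPTED = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]


if __name__ == "__main__":
    recorded = digests(ORIGINAL)
    print("checksum original :", additive_checksum(ORIGINAL))
    print("checksum reordered:", additive_checksum(REORDERED), "(same value)")
    print("checksum corrupted:", additive_checksum(CORRUPTED), "(different value)")
    for name in ALGORITHMS:
        print(f"{name:>6} original : {recorded[name]}")
        print(f"{name:>6} reordered: {digests(REORDERED)[name]}")
    print("verify original :", verify(ORIGINAL, recorded))    # True
    print("verify reordered:", verify(REORDERED, recorded))   # False
```

The digest lengths (32, 40 and 64 hex characters for MD5, SHA-1 and SHA-256) are a quick way to tell which algorithm produced a value found in an old report. Reordering is only the simplest way to defeat an additive checksum; a cryptographic hash is designed so that no practical way of producing a second matching input is known. For MD5 and SHA-1 that design goal has been broken, which is why SHA-256 is the value to rely on when the hash has to stand as evidence of integrity.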

Pane - The part of an application window where data may be previewed in columnar or free-form style. Headers may be used to sort columns, whilst free-form text can be edited.


Partition (also known as a Volume, when used to store data) - An individual section of a hard disk or other media. Drives must contain at least one partial or complete partition in order to be of use, but can contain multiple partitions to separate the data held within them. Partitions may be set up write-protected and even designed not to auto-mount.

Suspect Drive - The drive that is the focus of the investigation and which the examiner must avoid tainting if the evidence collected is to be relied on later in a legal setting.

Unallocated Space (also known as Free Space) - Refers to sectors on the hard drive that are not referenced in the file system catalog and therefore may be written to by the computer, as they are not reserved. The contents of deleted files often remain in unallocated space until it is overwritten, which is what makes salvage possible.

Work Drive - Refers to the drive on which an examiner stores files relating to a case. Salvaged files and other data are written to the work drive rather than to the “Suspect Drive”, to avoid contaminating or losing evidence.

Volume (please refer to “Partition”) - A volume is a partition that can be used to store data.

End User's License Agreement (EULA)

End Users License Agreement

MacForensicsLab Incorporated's End Users License Agreement

EULADO NOT USE THIS SOFTWARE UNTIL YOU HAVE CAREFULLY READ THIS AGREEMENT AND AGREE TO THE TERMS OF THIS LICENSE. BY USING THE ENCLOSED SOFTWARE, YOU ARE AGREEING TO THE TERMS OF THIS LICENSE.

The software license agreement for this program is included in this manual so you can read it before installing the program. INSTALLING THE PROGRAM OR USE OF THE MATERIALS ENCLOSED WILL CONSTITUTE YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AGREEMENT. If you do not agree to the terms of this software license agreement, do not install the software and promptly return the package to the place of purchase for a full refund of all money that you paid for the product.

In return for purchasing a license to use the computer program known as "MacForensicsLab™" and for purchasing documentation included in this package, you agree to the following terms and conditions:

1. License. The Software enclosed is licensed, not sold, to you by MacForensicsLab Inc. for use under the terms of this software license. This non-exclusive license allows you to:

i. Use MacForensicsLab™ software only on a SINGLE computer at any one time. You may only use the MacForensicsLab ™ software and only on drives physically connected to that single CPU.

ii. Only use the Software to monitor systems on a SINGLE computer that is used by you.

iii. Make one copy of Software in machine-readable form, provided that such copy is used only for backup purposes and the copyright notice is reproduced on the backup copy.

iv. Transfer Software and all rights under this license to another party together with a copy of this license and all documentation accompanying the Software, provided the other party agrees to accept the terms and conditions of this license.

As a licensee, you own the media on which the Software is originally recorded. The Software is copyrighted by MacForensicsLab Inc. and proprietary to MacForensicsLab Inc., and MacForensicsLab Inc. retains title and ownership of the Software and all copies of the Software. This license is not a sale of Software or any copy. You agree to hold Software in confidence and to take all reasonable steps to prevent disclosure.

2. Restrictions. You may NOT distribute copies of this Software to others or electronically transfer Software from one computer to another over a network or via modem. The Software contains trade secrets that are wholly owned by SubRosaSoft.com Inc. You may NOT decompile, reverse engineer, translate, disassemble or otherwise reduce the Software to a human understandable format. YOU MAY NOT MODIFY, ADAPT, TRANSLATE, RENT, LEASE, RESELL FOR PROFIT, DISTRIBUTE, NETWORK, OR CREATE DERIVATIVE WORKS BASED UPON THIS SOFTWARE OR ANY PART THEREOF.

3. Termination. This license is effective until terminated. This license will terminate immediately without any notice from MacForensicsLab Inc. if you fail to comply with any of its provisions. Upon termination you must destroy the Software and all copies thereof. You may terminate this license at any time by destroying the Software and all copies thereof.

4. Export Law Assurances. You agree and certify that neither the Software nor the documentation will be transferred or re-exported, directly or indirectly, into any country where such transfer or export is prohibited by the relevant governmental parties and regulations there under or will be used for any purpose prohibited by relevant government parties.

5. Warranty Disclaimer, Limitation of Damages and Remedies. MacForensicsLab Inc. makes no warranty or representation, either expressed or implied, regarding the merchantability, quality, functionality, performance, or fitness of the compact disc, diskettes, manual or the information provided.

This Software and manual are licensed “AS IS.” It is solely the responsibility of the consumer to determine the Software’s suitability for a particular purpose or use. MacForensicsLab Inc. and anyone else who has been involved in the creation, production, delivery or support of the Software, will in no event be liable for direct, indirect, special, consequential or incidental damages resulting from any defect, error or omission in the compact disc, diskettes, manual or Software or from any other events including, but not limited to, any interruption of service, loss of business, loss of profits or good will, legal action or any other consequential damages. The user assumes all responsibility arising from the use of this Software. MacForensicsLab Inc.'s liability for damages to you or others will in no event exceed the total amount paid by you for this Software. In particular, MacForensicsLab Inc. shall have no liability for any data or programs stored by or used with MacForensicsLab Inc.’s Software, including the costs of recovering such data or programs. MacForensicsLab Inc. will be neither responsible nor liable for any illegal use of its’ Software.


MacForensicsLab Inc reserves the right to make corrections or improvements to the information provided and to the related Software at any time, without notice.

MacForensicsLab Inc. will replace or repair defective distribution media or documentation at no charge, provided you return the item to be replaced with proof of purchase to MacForensicsLab Inc. during the 30-day period after purchase. ALL IMPLIED WARRANTIES ON THE MEDIA AND DOCUMENTATION, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE LIMITED IN DURATION TO THIRTY (30) DAYS FROM THE DATE OF THE ORIGINAL RETAIL PURCHASE OF THIS PRODUCT. The warranty and remedies set forth above are exclusive and in lieu of all others, oral or written, expressed or implied. No MacForensicsLab Inc. dealer, representative, agent, or employee is authorized to make any modification, extension, or addition to this warranty. Some States do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you. This warranty gives you specific legal rights, and you may also have other rights that vary from State to State.

6. Government End-Users. If you are a Government end-user, this license of the Software conveys only “RESTRICTED RIGHTS”. This Software was developed at private expense, and no part of it was developed with government funds. The Software is a trade secret of SubRosaSoft.com Inc. for all purposes of the Freedom of Information Act, and is “commercial computer software” subject to limited utilization as provided in the contract between the vendor and the governmental entity, and in all respects is proprietary data belonging solely to MacForensicsLab Inc. Government personnel using the Software, are hereby on notice that the use of this Software is subject to restrictions that are the same as, or similar to, those specified above.

7. General. This license will be construed under the laws of the state of California, except for that body of law dealing with conflicts of laws, if obtained in the United States, or the laws of jurisdiction where obtained if obtained outside the United States. If any provision of this license is held by a court of competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent permissible, and the remaining provisions of this license will remain in full force and effect.


Complete Agreement. This license constitutes the entire agreement between the parties with respect to the use of the Software and related documentation and supersedes all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter.

Copyright Notice

MacForensicsLab Copyright Notice.

MacForensicsLab Copyright Notice

MacForensicsLab Incorporated copyrights this software, the product design, and design concepts with all rights reserved. Your rights with regard to the software and manual are subject to the restrictions and limitations imposed by the copyright laws of the United States of America.

Under the copyright laws, neither the programs nor the manual may be copied, reproduced, translated, transmitted or reduced to any printed or electronic medium or to any machine-readable form, in whole or in part, without the written consent of MacForensicsLab Inc.

© Copyright 2010 MacForensicsLab Inc. All Rights Reserved

Trademarks

MacForensicsLab Incorporated's trademarks.

Trademarks

"MacForensicsLab” is a trademark of MacForensicsLab Inc.

All other brand and product names are trademarks or registered trademarks of their respective holders.
