Different Examination Tools
We have been doing extensive background research in advance of the actual data-generation and forensic aspect of our project. Currently, we have been researching the different examination tools and methods there are for Mac OSX. We have researched open-source tools as well as commercial tools and have chosen the ones we believe to be the best.
Research Questions
- What tools (open-source or paid) can be used to examine/image a Mac?
- What are the best open-source tools for examining a Mac?
- What are the best commercial tools for examining a Mac?
What Have We Found So Far?
What we have found is that there are a great number of different examination tools to choose from. We’ve narrowed it down to our favorites and split those up between “Open-Source” and “Commercial.”
Open-Source Tools
| The Sleuth Kit | A simple forensic software kit that is Mac OS compatible |
| Audit | Organizes and reads Mac OSX logs |
| ChainBreaker | Extracts user’s confidential information such as passwords |
| Disk Arbitrator | Blocks mounting of file systems (compliments write blocker) |
| Epoch Converter | Converts epoch times to local time and UTC |
| IORegInfo | Lists partition information and items connected to the computer |
| Volafox | Forensic toolkit for memory in Mac OSX |
| PMAP Info | Displays physical partitioning of specified device |
Commercial Tools
| EnCase | Very well-known commercial forensics toolkit. Has a lot of support for Mac OSX |
| AccessData FTK | Another widely known toolkit. Less support for Mac OSX, however. |
Conclusion
We have decided to use EnCase for most of this project, as it showed a lot of new features for Mac OSX in its latest release that we would like to try and it is a trusted forensic toolkit that we are very familiar with. We will also try a few of the open-source software options to see how they compare.