Mac OSX Forensics Part 2


Different Examination Tools

We have been doing extensive background research in advance of the actual data-generation and forensic aspect of our project. Currently, we have been researching the different examination tools and methods there are for Mac OSX. We have researched open-source tools as well as commercial tools and have chosen the ones we believe to be the best.

Research Questions

  1. What tools (open-source or paid) can be used to examine/image a Mac?
  2. What are the best open-source tools for examining a Mac?
  3. What are the best commercial tools for examining a Mac?

What Have We Found So Far?

What we have found is that there are a great number of different examination tools to choose from. We’ve narrowed it down to our favorites and split those up between “Open-Source” and “Commercial.”

Open-Source Tools

The Sleuth KitA simple forensic software kit that is Mac OS compatible
AuditOrganizes and reads Mac OSX logs
ChainBreakerExtracts user’s confidential information such as passwords
Disk ArbitratorBlocks mounting of file systems (compliments write blocker)
Epoch ConverterConverts epoch times to local time and UTC
IORegInfoLists partition information and items connected to the computer
VolafoxForensic toolkit for memory in Mac OSX
PMAP InfoDisplays physical partitioning of specified device

Commercial Tools

EnCaseVery well-known commercial forensics toolkit. Has a lot of support for Mac OSX
AccessData FTKAnother widely known toolkit. Less support for Mac OSX, however.


We have decided to use EnCase for most of this project, as it showed a lot of new features for Mac OSX in its latest release that we would like to try and it is a trusted forensic toolkit that we are very familiar with. We will also try a few of the open-source software options to see how they compare.