Mac OSX Forensics Part 2


Different Examination Tools

We have been doing extensive background research in advance of the actual data-generation and forensic aspect of our project. Currently, we have been researching the different examination tools and methods there are for Mac OSX. We have researched open-source tools as well as commercial tools and have chosen the ones we believe to be the best.

Research Questions

  1. What tools (open-source or paid) can be used to examine/image a Mac?
  2. What are the best open-source tools for examining a Mac?
  3. What are the best commercial tools for examining a Mac?

What Have We Found So Far?

What we have found is that there are a great number of different examination tools to choose from. We’ve narrowed it down to our favorites and split those up between “Open-Source” and “Commercial.”

Open-Source Tools

The Sleuth Kit A simple forensic software kit that is Mac OS compatible
Audit Organizes and reads Mac OSX logs
ChainBreaker Extracts user’s confidential information such as passwords
Disk Arbitrator Blocks mounting of file systems (compliments write blocker)
Epoch Converter Converts epoch times to local time and UTC
IORegInfo Lists partition information and items connected to the computer
Volafox Forensic toolkit for memory in Mac OSX
PMAP Info Displays physical partitioning of specified device

Commercial Tools

EnCase Very well-known commercial forensics toolkit. Has a lot of support for Mac OSX
AccessData FTK Another widely known toolkit. Less support for Mac OSX, however.


We have decided to use EnCase for most of this project, as it showed a lot of new features for Mac OSX in its latest release that we would like to try and it is a trusted forensic toolkit that we are very familiar with. We will also try a few of the open-source software options to see how they compare.

More Research Projects
The Leahy Center Inventory Project
Social Media Footprint Awareness
My Experience on The VPN Comparison Team