Intro
On September 30th, 2015, Apple released its latest update to Mac OS X: El Capitan. El Capitan brings with it many improvements and features, such as Metal, IOS’s graphics API, improvements to Safari, Mail, IPhoto, and much more.
Since our last blog post a few weeks ago, we have been busy with our research project. We gained a team member since our last post, bringing the total team size up to five from four. Having an additional team member will allow us to conduct more detailed data generation and overall better research.
We began our project by looking back at our old project to see what research has been conducted on OS X Yosemite and which artifacts were not found. Once we finished conducting research, we created a script to follow for our data generation. With the data generation script completed, we installed the operating systems on two different machines and started to create data.
Analysis of mac os x
Last year, the LCDI conducted research on OS X Yosemite artifacts using a VM, and they were able to locate 88% of the artifacts that they set out to find. Some of the artifacts that they were unable to locate that we will be looking in depth for include Desktop Preferences, Sleep Image Files, etc. We are hopeful that using a physical machine rather than a virtual machine will allow us to locate these artifacts through our research on Mac OS X.
Once we finished looking into the old project we created a script to follow while conducting data generation, as noted above. We used the list of desired artifacts to help us sculpt a script to follow throughout. Creating and flowing a script will help alleviate problems with random data generation, such as missing artifacts, wasted time, and creating the same data multiple times when not necessary.
We finished creating a script for the data generation and received two iMacs to install the operating systems. We installed both OS X Yosemite and OS X El Capitan on separate machines and used our script to generate the same data separately on the machines. We hope to find similar artifacts more easily because they were generated in the same way. We plan on thoroughly researching the new features of El Capitan in order to see what artifacts and logs are created.
Conclusion
Stay tuned for more information regarding our data generation. Once this step is complete, we will begin to analyze and compare the images of OS X Yosemite and OS X El Capitan.
We look forward to updating you in our next blog and on our twitter feed (@ChampForensics). If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.