JonHoyle.com Mirror of MacCompanion
http://www.maccompanion.com/macc/archives/February2007/Software/MacForensicsLab2.htm


MacForensicsLab 2.0 Computer Forensics from the Mac

By Robert Pritchett

29411 Kohoutek Way
Union City, California 94587

1 (510) 675-0681
Fax: 1 (510) 868 3407

http://www.subrosasoft.com

$996 USD

Released: January 2006.

Free Trial: http://www.macforensicslab.com/MacForensicsLab.zip

Requirements: Recommended - Mac OS X 10.3 or later; 512 MB RAM; DVD-ROM drive, with the faster systems being better. For law enforcement and computer forensics professionals.

Forum: http://www.macforensicslab.com/bulletinboard/

Case Logs & How-To’s: http://www.macforensicslab.com/mfl_reporting.html

Sample Report: http://www.macforensicslab.com/samplereport/

Forensics Acquisition: http://www.macforensicslab.com/mfl_acquire.html

Data Recovery: http://www.macforensicslab.com/mfl_salvage.html

Strengths: Finally, an “All-in-One” Computer Forensics solution that is Mac OS X-based.

Weaknesses: None found.

Other Reviews: http://www.user-groups.net/news/MacForensicsLab.html

http://www.versiontracker.com/php/feedback/article.php?story=20060828014859723

What they say

SubRosaSoft.com Inc., a software company focusing on system utility and data recovery software, is proud to announce at Macworld 2007, the availability of MacForensicsLab version 2.0. MacForensicsLab is a complete suite of forensics and analysis tools in one cohesive package. Designed as a Universal application supporting both PowerPC- and Intel-based Macintosh computers, MacForensicsLab version 2.0 supports forensic activities on a wide array of computing platforms and storage devices. 

MacForensicsLab is the first all-in-one, easy-to-use forensics software suite for Mac OS X. The Mac has always been a powerful tool for creative professionals. Now with MacForensicsLab, the Mac has become a powerful tool for the forensic investigator.

"With unrivaled stability, security and ease of use, Mac OS X is the world's most advanced operating system,” said Ron Okamoto, Apple’s vice president of Worldwide Developer Relations. “We’re thrilled that SubRosaSoft has announced a Universal version of Mac Forensics so forensics scientists can take advantage of Mac OS X and the power of our Intel-based Macs."

Not only will MacForensicsLab gather and report evidence, now it can help the investigators find the specific type of evidence they're looking for. MacForensicsLab 2.0 features a new tool for filtering pictures with skin tones. It can also filter possible Social Security and credit card numbers. This will enable investigators to pinpoint evidence with ease. MacForensicsLab is already the fastest software for acquiring and recovery of data. The new version further cuts down on time by allowing investigators to perform multiple tasks at once. For example, a user can acquire a disk, salvage a disk image for files, and catalog another disk all at once.

With MacForensicsLab, now forensic professionals have the power to explore any device without the risk of being vulnerable to dangers that would affect a PC.

With all these powerful features, MacForensicsLab makes the Mac the perfect platform for any forensic investigation. A native application for Mac OS X, MacForensicsLab includes features that give a user excellent flexibility and control in data analysis, evidence retrieval, and facts reporting. MacForensicsLab is designed to support forensics activities on Macintosh, Windows, and Linux based computers and storage devices. This new version offers a large array of advanced features no other forensic software does.

Detailed documentation is automatically created while you are performing your forensic examination. Logs are kept of every action performed, every item found, and freeform notes taken during the case, to tie them all together with your thoughts on the process. These can then be exported in a standardized, customizable, easy-to-share, template-driven, HTML report either at the end of, or during the investigation.

Evidentiary integrity is maintained and protected with the utmost care. Duplicates are made at top speed (perfect for time sensitive acquisition tasks) with careful consideration for protecting the original media. Backups are made with integrated segmenting, granular hashing, and intelligent media fault management. Inline processing allows the creation of dual output images and associated hash files.

Keyword analysis and cataloging is performed in multiple languages and includes MD5, SHA1 and SHA256 checksum calculations. This allows the investigator to seek out items of interest across entire devices, within folders of files, directly inside specific files.

Data recovery allows forensics professionals to find and recover deleted files and those also embedded - then preview those files within MacForensicsLab. Even swap space and unallocated space can be explored for evidence.

• Safety first - MacForensicsLab takes the utmost care to ensure the integrity of your evidence. DiskArbitration can be disabled at the click of a button to ensure Mac OS X does not try to mount (and thus alter) the suspect's hard drive. Bootable CDs are available for both Intel and PowerPC Macintosh Computers.

• Detailed Logs - Every action taken whilst using the software is recorded in highly detailed logs to provide the investigator with as much information as possible when reporting. Freeform notes can be created at any stage and in any context to tie actions to impressions during the process.

• HTML Case Reports - A combination of data from the case manager and log files (chronology, salvage, analyze, acquisition, catalog, bookmarks, notes) can be exported in standardized, easy-to-share HTML reports for viewing in any web browser.

• Flexible Hashing - Data Acquisition processes include MD5, SHA1 and SHA256 hashes. Hashes can be created for files and folders at the click of a button.

• Recovers evidence after a disk or device has been formatted - Got an initialized disk or other device that had files you want back? MacForensicsLab will recover your files, search for keywords, and allow analysis from the newly initialized drive.

• Recovers evidence from corrupt media - Corruption does not detain MacForensicsLab. It will process any intact data on the disk and recover keywords and whole or partial files wherever they are found.

• Works with media from other operating systems - MacForensicsLab is able to perform data acquisition and analysis on drives from MS Windows, Linux, and other operating systems.

• Provides very quick and easy ways to bookmark evidence - with "Browse", MacForensicsLab allows the digital forensics investigator to sample files in native view whilst traversing an entire directory structure.

• Dual bootable DVD - MacForensicsLab can now be purchased as a dual bootable DVD that is ready for both the older PowerPC and the newer Intel based Apple Macs.

What I say

It took a long time to bring together a toolkit for the Mac that is designed to work on drives from all computer systems. Now it’s here. Previously there was a conglomeration of various tools that would work on some systems, but not others or were obviously platform-specific.

The DVD provides two disc images when loaded: PPC and Intel. The DVD comes in a box that has the serial number inside a velcroed front cover. The instructions for use are a 124-page MacForensicsLab: The Complete Forensics Suite for Mac, which is essentially a book on Computer Forensics. It discusses disc arbitration, write blocking, clearing work drives, handling and managing cases, devices, disc images, drive partitions and media, as well as how to handle faulty devices, cataloging, filtering and importing custom databases, and that is before even getting into analyzing the data. But there is more, obviously, such as salvaging headers, file types and scanning, exploring the directory structure, building reports and garnering information from logs. There are also five appendices on menu shortcuts, a glossary, log file formats, where to get more information and the software license agreement.

From other reviews I’ve read, this app does more than any disk recovery program can do, but you need to be patient with some of the work it does in acquiring information from Linux, Mac or Windows-based systems.

There is a salvage function for recovering lost or deleted files from just about every computer-generated media known to man.

The web-based links provided above are the ones SubRosaSoft so thoughtfully organized on the MacForensicsLab website.

Bookmarks can be established when browsing and categorizing evidence, and these are captured in logs to keep the electronic paper trail viable.

If you really want to get into Computer Forensics, you will need some hardware. I would recommend the Forensics kits that WiebeTech offers, while waiting for an all-in-one solution from SubRosaSoft.

There are 10 areas in the Lab: Case Management, Main, Logs, Acquire, Catalog, Analyze, Salvage, Browse, Notepad, and Attaching and Detaching Disk Images.

If you need to (and you will), there is a Terminal mode within the app so you do not need to exit to the OS to do the Command Key stuff.

The Main window shown here was purposely “fuzzed” to protect data mining.

A cool feature is that the bus can be scanned for any hidden information, devices or partitions.


“Acquiring” entails creating a mirror image without disturbing the original system and it works around media faults so damaged media is not too much of an issue.
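The acquisition behaviour described above (and in the vendor's "segmenting, granular hashing, and intelligent media fault management" paragraph) boils down to: read the medium block by block, never abort on a read error, pad the unreadable block and record it, and hash each image segment as well as the whole image. The following is an added illustration of that workflow, not MacForensicsLab's own code; the device, sector size, segment size and the simulated fault are constructed for the demo.

```python
import hashlib

SECTOR = 512  # bytes per logical block (constructed for the demo)

def acquire(read_sector, total_sectors, segment_sectors):
    """Image a medium sector by sector into fixed-size segments.

    read_sector(n) returns SECTOR bytes or raises OSError on a media fault.
    A faulty sector is zero-filled and its number recorded, so the log can
    state exactly which bytes of the image are padding rather than original
    data. Each segment gets its own MD5 and SHA-256 (granular hashing) and
    the whole image gets one running SHA-256 (the acquisition hash).
    """
    segments, faults = [], []
    whole = hashlib.sha256()
    for start in range(0, total_sectors, segment_sectors):
        buf = bytearray()
        for n in range(start, min(start + segment_sectors, total_sectors)):
            try:
                chunk = read_sector(n)
            except OSError:
                chunk = bytes(SECTOR)  # fault management: pad, keep going
                faults.append(n)
            buf += chunk
        whole.update(buf)
        segments.append({
            "index": len(segments),
            "data": bytes(buf),
            "md5": hashlib.md5(buf).hexdigest(),
            "sha256": hashlib.sha256(buf).hexdigest(),
        })
    return {"segments": segments, "faults": faults, "sha256": whole.hexdigest()}

def verify(image):
    """Re-hash every segment; return the indexes whose SHA-256 no longer matches."""
    return [s["index"] for s in image["segments"]
            if hashlib.sha256(s["data"]).hexdigest() != s["sha256"]]

# Constructed demo medium: 16 sectors, sector 5 is unreadable.
DEMO_SECTORS = 16

def demo_read(n):
    if n == 5:
        raise OSError("I/O error (simulated media fault)")
    return bytes([n]) * SECTOR

if __name__ == "__main__":
    img = acquire(demo_read, DEMO_SECTORS, segment_sectors=4)
    print("segments:", len(img["segments"]), "bad sectors:", img["faults"])
    print("image sha256:", img["sha256"], "tampered segments:", verify(img))
```

Per-segment hashes are what let an examiner localise a later mismatch to one segment instead of having to discard the whole image.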

If you want to get geeky about the processes used, the manual can take you deeper into unknown territory.

We won’t try to befuddle you with the computer engineering jargon that might be required for those who might want to show off their knowledge and intelligence.

Just let it be said that the app is smart enough to ask questions that need to be answered by trained analysts who do Forensics for a living – and that is one of the reasons why it is such an expensive package. I just wish I had this app 10 years ago when I was working with a guy who did this for a living. He now works for the CIA probably doing the same stuff. He was, for the most part, self-taught.

There is a separate Salvage window that puts everything in one place. And no doubt you are curious as to what that might look like, so here goes:

It probably goes without saying, but I will anyway. It is used for recovering damaged data.


And there is the all-important Browse window for bookmarking and investigating data further:

If you’ve done Byte-by-Byte analysis before, this certainly makes the job easier.

And of course there are the Logs, not to make wilderness homes from, but to use to create reports:

The reports can be exported to HTML as a web page with logs, case notes and bookmarks.

Click the Write Report button so this window appears:

Yes, those are slider buttons for thumbnails and Log lines per page.

That is pretty much it. A lot of the tedium to establish a case just got a lot easier to wade through.

Dig Deeper

http://en.wikipedia.org/wiki/Forensics

http://en.wikipedia.org/wiki/Computer_forensics

http://computerforensics.99er.net/?POSTNUKESID=98f3c1e5f9e3d14e3ba3deff3db40db9

http://www.shadows.com/tags/forensics

Contact Us | ©1996-2007 MPN LLC.