Macintosh Forensics
A Guide for the Forensically Sound Examination of a Macintosh Computer
Ryan R. Kubasiak, Investigator - New York State Police
rev. May 29, 2007

About The Author
Contact Information
Email
Telephone
Fax
Mail
About This Document
Tools Needed and Requirements of the Document
Digital Examination Overview
File System
Operating Systems
Data Files
MAN Pages
Technologies
Bonjour
FileVault
Spotlight
UNIX and the FreeBSD System
Microsoft Windows on a Mac?
Disk Arbitration
Activate/Deactivate Disk Arbitration
Target Disk Mode
Target Disk Mode Procedure
The Macintosh Boot Process
Open Firmware and Extensible Firmware Interface
Startup Manager
BootX, boot.efi, and System Initialization
Boot EFI Utilities
rEFIt
Booting a Macintosh from the LiveCD
Imaging a Target Macintosh
Target Disk Mode
LiveCD
Drive Removal
Disk Structure
Apple Partition Map
GUID Partition Table
Journaling
FileVault and MacOS X Security
FileVault Preference Pane
sparseimage and User Home Directory
Acquire the Encrypted User Home Directory
DiskUtility and DMG Files
DiskUtility Features
DMG vs. sparseimage
Encrypted vs. Unencrypted
DD and Raw Images
Spotlight
User Home Directory Structure
User Library Folder - In Depth
Applications
Address Book
iCal
Mail
.Mac and Related Evidence
.Mac
Safari, and Other Web Browsers
Safari
iChat, and Instant Messaging Applications
iChat
Mac OS X Log Files
Mac OS X “plist” Files
Sleep and Safe Sleep
Detailed Macintosh Techniques
Apple Boot Key Combos
Create a Brute Force Dictionary File
Useful Artifacts and Commands
References
Websites
Recommended Utilities and Applications
MacOS X 10.4 Command Line Utilities and Daemons

About The Author
I began my foray into the world of computers in 7th grade. Our school laboratory was using Commodore 64 computers and the BASIC programming language. Soon, my parents purchased an Apple IIc for our home and I continued writing in BASIC, and now “Apple Logo” as well. My intrigue continued thru high school developing my skills in BASIC and the Pascal programming languages. Ultimately, I achieved Advanced Placement in Computer Science my senior year, yielding college credits.

I went on to the State University of New York at Buffalo and earned a Bachelor of Science in Computer Science and a Concentration in Mathematics. All of my schooling was done on the Macintosh LC, VAX/VMS and Sun Solaris based systems. We utilized Modula-2 and C as programming languages. C++ just wasn’t prevalent enough during my college years. One of my favorite achievements of college was writing from scratch, an Assembly language code compiler. I also wrote a multi-tasking operating system for a fictitious Robot, and a dating service front and back end for a fictitious customer.
