Mac forensics
From Simson Garfinkel
Latest revision as of 14:52, 18 June 2020

Notes on Mac Forensics.

==On the Web==
* [https://www.blackbagtech.com/resources/mac-forensics.html BlackBag Technologies] site.
* [https://macforensicslab.com MacForensics Lab]
* [https://groups.yahoo.com/neo/groups/macos_forensics/info Mac Forensics Yahoo Group]
* [https://www.blackbagtech.com/blog/2014/11/13/imaging-a-filevault-2-encrypted-volume-using-macquisition-2/ Imaging a FileVault 2-Encrypted Volume using Macquisition]
* [https://www.blackbagtech.com/blog/2015/04/08/imaging-a-fusion-drive-with-filevault-2-encryption-using-macquisition/ Imaging a Fusion Drive with FileVault 2 Encryption using Macquisition]
* [https://www.forensicswiki.org/wiki/Mac_OS_X Mac OS X on Forensics Wiki]

==Apple's Resources==
* [https://support.apple.com/en-us/HT201222 Apple Security Updates]
* [https://support.apple.com/specs Apple Tech Specs]

==Other curricula==
* [https://drive.google.com/drive/folders/145wtnnHCX40myGEYAmxJbO1frfRLXOj5 Google Drive from 2019 Mac Forensics Course]
* [https://www.iacis.com/training/macintosh-forensic-survival-course-mfsc/ Mac I: Best Practices in MAC Forensics]
* [https://www.iacis.com/training/mac-ii-advanced-practices-in-mac-forensics/ Mac II: Advanced Practices in MAC Forensics]
* [https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-8.pdf Mac OS X Forensics], Joaquin Moreno Garijo, Technical Report RHUL-MA-2015-8, 4 March 2015

==Drive Image Tools==

==Forensics Programs==
* [https://www.blackbagtech.com/blacklight.html BlackLight®], by BlackBag Technologies
* https://davidkoepi.wordpress.com/2011/06/12/macosxaddressbookforensics/
* [https://github.com/mac4n6/APOLLO APOLLO]

==Terminal Hacks==
Is FileVault 2 (FV2) enabled on the running system? The macOS command is <code>fdesetup</code> (not <code>fdsetup</code>):
 fdesetup status

==People==
* Ryan Kubasiak, previously ran http://www.macosxforensics.com/, now on the digital crimes team at Apple

==Archives==
* [https://link.springer.com/chapter/10.1007/0-387-36891-4_13 MacOS X Forensics], Philip Craiger and Paul Burke, IFIP Digital Forensics 2006, Advances in Digital Forensics II

==Course Ideas==
* Cracking FileVault2 with JohnTheRipper
* The diskutil command

==Live system monitoring==
===File system monitoring===
Watchdog is the common cross-platform Python API for writing programs that monitor the file system. [https://media.readthedocs.org/pdf/watchdog/latest/watchdog.pdf (DOCS)]
* https://pypi.org/project/watchdog/
* Example of how to use it: https://github.com/mkaz/fswatch/blob/master/fswatch.py
* https://blog.philippklaus.de/2011/08/watching-directories-for-changes-using-python_-_an-overview
* https://www.michaelcho.me/article/using-pythons-watchdog-to-monitor-changes-to-a-directory

===Live system monitoring===
* https://nicolargo.github.io/glances/