Mac forensics

Notes on Mac Forensics.

On the Web

• BlacBag Technologies site.
• MacForensics Lab
• Mac Forensics Yahoo Group
• Imaging a FileVault 2-Encrypted Volume using Macquisition
• Imaging a Fusion Drive with FileVault 2 Encryption using Macquisition
• Mac OS X on Forensics Wiki

Apple's Resources

• Apple Security Updates
• Apple Tech Specs

Other curricula

• Mac I: Best Practices in MAC Forensics
• Mac II: Advanced Practices in MAC Forensics

Drive Image Tools

• Carbon Copy Cloner
• DiskWarrior

Forensics Programs

• BlackLight®, by BlackBag Technologies
• https://davidkoepi.wordpress.com/2011/06/12/macosxaddressbookforensics/

Terminal Hacks

Is FV2 running?

   fdsetup status

People

Ryan Kubasiak, previously ran http://www.macosxforensics.com/, now on the digital crimes team at Apple

Archives

• MacOS X Forensics, Philip Craiger and Paul Burke, IFIP, DigitalForensics 2006, Advances in Digital Forensics II

Course Ideas

• Cracking FileVault2 with JohnTheRipper
• The Diskutil command