Mac forensics
From Simson Garfinkel
Notes on Mac Forensics.
On the Web
- BlackBag Technologies site.
- MacForensics Lab
- Mac Forensics Yahoo Group
- Imaging a FileVault 2-Encrypted Volume using Macquisition
- Imaging a Fusion Drive with FileVault 2 Encryption using Macquisition
- Mac OS X on Forensics Wiki
Apple's Resources
Other curricula
- Google Drive from 2019 Mac Forensics Course
- Mac I: Best Practices in MAC Forensics
- Mac II: Advanced Practices in MAC Forensics
- Mac OS X Forensics, Joaquin Moreno Garijo, Technical Report RHUL–MA–2015–8, 4 March 2015
Drive Image Tools
Forensics Programs
- BlackLight®, by BlackBag Technologies
- https://davidkoepi.wordpress.com/2011/06/12/macosxaddressbookforensics/
- APOLLO
Terminal Hacks
Is FV2 running? (the command is fdesetup, not fdsetup; it reports whether FileVault is On or Off)
fdesetup status
People
Ryan Kubasiak, previously ran http://www.macosxforensics.com/, now on the digital crimes team at Apple
Archives
- Mac OS X Forensics, Philip Craiger and Paul Burke, IFIP Digital Forensics 2006, Advances in Digital Forensics II
Course Ideas
- Cracking FileVault2 with JohnTheRipper
- The Diskutil command
Live system monitoring
File system monitoring
Watchdog is the common cross-platform Python library for writing programs that monitor the file system for created, modified, moved and deleted files. (DOCS)
- https://pypi.org/project/watchdog/
- Example of how to use it: https://github.com/mkaz/fswatch/blob/master/fswatch.py
- https://blog.philippklaus.de/2011/08/watching-directories-for-changes-using-python_-_an-overview
- https://www.michaelcho.me/article/using-pythons-watchdog-to-monitor-changes-to-a-directory
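The following is an added example, not code from this page or from the watchdog project. It shows the snapshot-and-diff technique that watchdog's PollingObserver uses internally, written against the standard library only so it runs on any platform without installing watchdog: take a snapshot of a directory tree (size and mtime per file), take another later, and turn the difference into created / modified / deleted events. The scratch files it creates (keep.txt, gone.txt, sub/new.plist) are constructed for the demonstration; on a live system you would swap the polling loop for watchdog's native observer and point it at the directories of interest.

```python
"""Minimal file-system change detector (added example, standard library only).

Mimics what watchdog's PollingObserver does under the hood: snapshot a tree as
path -> (size, mtime_ns), snapshot it again later, and diff the two into
created / modified / deleted events. Paths are reported with forward slashes so
results are the same on every platform.
"""
import os
import tempfile
import time
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # relative path -> (size, mtime_ns)


def take_snapshot(root: str) -> Snapshot:
    """Walk `root` and record size and mtime for every regular file."""
    snap: Snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except FileNotFoundError:
                continue  # file vanished between listing and stat; skip it
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str]]:
    """Return a sorted list of (event, relative_path) tuples describing the change."""
    events: List[Tuple[str, str]] = []
    for path in after.keys() - before.keys():
        events.append(("created", path))
    for path in before.keys() - after.keys():
        events.append(("deleted", path))
    for path in before.keys() & after.keys():
        if before[path] != after[path]:  # size or mtime changed
            events.append(("modified", path))
    return sorted(events)


def demo() -> List[Tuple[str, str]]:
    """Create a scratch directory (constructed data), mutate it, return the events seen."""
    with tempfile.TemporaryDirectory() as root:
        keep = os.path.join(root, "keep.txt")
        gone = os.path.join(root, "gone.txt")
        for p in (keep, gone):
            with open(p, "w") as fh:
                fh.write("original\n")
        before = take_snapshot(root)

        # Small pause so the mtime change is visible on coarse-resolution file systems;
        # the size change below makes the modification detectable regardless.
        time.sleep(0.05)
        with open(keep, "a") as fh:
            fh.write("appended\n")  # -> ("modified", "keep.txt")
        os.remove(gone)             # -> ("deleted", "gone.txt")
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "new.plist"), "w") as fh:
            fh.write("<plist/>\n")  # -> ("created", "sub/new.plist")
        after = take_snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:<9} {path}")
```

Polling a whole tree on every tick is what makes this approach expensive on large volumes, which is exactly why watchdog prefers the OS-native FSEvents backend on macOS and falls back to PollingObserver only where no native API is available; the diff logic is the same either way.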