Mac forensics
From Simson Garfinkel
Notes on Mac Forensics.
On the Web
- BlackBag Technologies site.
- MacForensics Lab
- Mac Forensics Yahoo Group
- Imaging a FileVault 2-Encrypted Volume using Macquisition
- Imaging a Fusion Drive with FileVault 2 Encryption using Macquisition
- Mac OS X on Forensics Wiki
Apple's Resources
Other curricula
- Google Drive from 2019 Mac Forensics Course
- Mac I: Best Practices in Mac Forensics
- Mac II: Advanced Practices in Mac Forensics
- Mac OS X Forensics, Joaquin Moreno Garijo, Technical Report RHUL–MA–2015–8, 4 March 2015
Drive Image Tools
Forensics Programs
- BlackLight®, by BlackBag Technologies
- https://davidkoepi.wordpress.com/2011/06/12/macosxaddressbookforensics/
- APOLLO
Terminal Hacks
Is FV2 (FileVault 2) enabled on the live system?
fdesetup status
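The following is an added example (not from this page) that wraps that check: it runs `fdesetup status` on a live Mac, parses the result into a state, and refuses to guess when the output is not what `fdesetup` prints, so a missing tool or a failed run is never reported as "off". The sample output strings, and all function names, are my own constructions; the parser assumes only the "FileVault is On./Off." first line and the "... in progress: Percent completed = N." line.

```python
"""Added example (not from the page): FileVault 2 state check for live triage.

`fdesetup status` is Apple's tool; the SAMPLE_* strings are constructed
samples of its output and are the only format parse_fdesetup_status assumes.
"""
import platform
import re
import subprocess

# Constructed samples of `fdesetup status` output (assumed format).
SAMPLE_ON = "FileVault is On.\n"
SAMPLE_OFF = "FileVault is Off.\n"
SAMPLE_ENCRYPTING = "FileVault is On.\nEncryption in progress: Percent completed = 23.\n"
SAMPLE_DECRYPTING = "FileVault is Off.\nDecryption in progress: Percent completed = 80.\n"

_PROGRESS = re.compile(r"^(Encryption|Decryption) in progress: Percent completed = (\d+)")
_TRANSITION = {"Encryption": "encrypting", "Decryption": "decrypting"}


def parse_fdesetup_status(text):
    """Return (state, percent).

    state is 'on', 'off', 'encrypting' or 'decrypting'; percent is the
    conversion progress or None. Anything that is not fdesetup output raises
    ValueError rather than being misread as a clear volume.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty fdesetup output")
    if lines[0].startswith("FileVault is On"):
        state = "on"
    elif lines[0].startswith("FileVault is Off"):
        state = "off"
    else:
        raise ValueError("unrecognised first line: %r" % lines[0])
    for line in lines[1:]:
        m = _PROGRESS.match(line)
        if m:  # a conversion is running; report that instead of the end state
            return _TRANSITION[m.group(1)], int(m.group(2))
    return state, None


def safe_to_power_off(state):
    """True only when no part of the volume is encrypted. While FileVault is
    on, or a conversion is running, the data is readable only on the live,
    unlocked system or with a user password / recovery key, so image live."""
    return state == "off"


def check_filevault():
    """Run fdesetup on this machine (macOS only) and return (state, percent)."""
    if platform.system() != "Darwin":
        raise RuntimeError("fdesetup only exists on macOS")
    out = subprocess.run(["fdesetup", "status"], capture_output=True,
                         text=True, check=True).stdout
    return parse_fdesetup_status(out)


if __name__ == "__main__":
    state, pct = check_filevault()
    print(state, pct, "safe to power off:", safe_to_power_off(state))
```

The practitioner's point is the last helper: an answer of "on" (or a conversion in progress) means the Macquisition-style live imaging of the decrypted volume, or capturing the password or recovery key, has to happen before the machine is shut down.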
People
Ryan Kubasiak, previously ran http://www.macosxforensics.com/, now on the digital crimes team at Apple
Archives
- Mac OS X Forensics, Philip Craiger and Paul Burke, IFIP Digital Forensics 2006, Advances in Digital Forensics II
Course Ideas
- Cracking FileVault2 with JohnTheRipper
- The Diskutil command
Live system monitoring
File system monitoring
Watchdog is the usual cross-platform interface for writing Python programs that monitor the file system for create, modify, delete and move events (docs).
- https://pypi.org/project/watchdog/
- Example of how to use it: https://github.com/mkaz/fswatch/blob/master/fswatch.py
- https://blog.philippklaus.de/2011/08/watching-directories-for-changes-using-python_-_an-overview
- https://www.michaelcho.me/article/using-pythons-watchdog-to-monitor-changes-to-a-directory
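As an added example (not from this page or from the watchdog project), here is the same kind of monitor built on the standard library: take a snapshot of a tree (path, size, mtime, SHA-256), take another later, and classify the differences into the event types watchdog reports. With watchdog you would instead subclass `FileSystemEventHandler` and schedule it on an `Observer` so the OS pushes events; the polling approach below misses files that appear and vanish between polls, but it makes the comparison logic explicit and lets the result be checked. All function names and the temp-directory scenario in `demo()` are my own constructions.

```python
"""Added example (not from the page or watchdog): snapshot-and-diff monitor.

Records the facts a forensic file monitor wants (path, size, mtime, SHA-256)
and classifies changes by content hash, so a backdated timestamp cannot hide
an edit and a timestamp change with unchanged bytes is reported on its own.
"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    size: int
    mtime: float
    sha256: str


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> Entry for every regular file under root (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = Entry(st.st_size, st.st_mtime, sha256_of(full))
    return snap


def diff(before, after):
    """Classify changes between two snapshots. 'modified' is decided by hash,
    not mtime; 'mtime_only' (same bytes, different timestamp) is the signature
    of utime()/touch timestomping and is worth flagging separately."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p].sha256 != after[p].sha256),
        "mtime_only": sorted(p for p in common
                             if before[p].sha256 == after[p].sha256
                             and before[p].mtime != after[p].mtime),
    }


def watch(root, interval=2.0, rounds=None):
    """Yield each non-empty diff; rounds=None polls until interrupted."""
    before = snapshot(root)
    n = 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        after = snapshot(root)
        d = diff(before, after)
        if any(d.values()):
            yield d
        before = after
        n += 1


def demo():
    """Constructed scenario in a temp dir: one create, one edit, one delete,
    one backdated timestamp. Returns the diff so it can be checked."""
    root = tempfile.mkdtemp()
    try:
        for name, data in (("keep.txt", b"unchanged"), ("edit.txt", b"v1"),
                           ("gone.txt", b"bye"), ("stomp.txt", b"same")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = snapshot(root)
        with open(os.path.join(root, "edit.txt"), "wb") as f:
            f.write(b"v2")
        os.remove(os.path.join(root, "gone.txt"))
        with open(os.path.join(root, "new.txt"), "wb") as f:
            f.write(b"hello")
        os.utime(os.path.join(root, "stomp.txt"), (0, 0))  # backdate mtime to the epoch
        return diff(before, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Hashing every file on each poll is expensive on a large tree; on a real case you would snapshot once as a baseline and re-hash only paths whose size or mtime moved, keeping the full-hash pass for the final comparison.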