20090712

Mac Forensics


The Macintosh platform has clear advantages over the Windows platform for computer forensics. A Mac can mount and read almost any file system while ignoring any Windows-based security or permission settings. Because Mac OS X is a Unix system, it uses the Unix file and directory permission structure, which makes it easier to ensure that evidence is not written over. The Mac is almost ready to go right out of the box: with a few configuration tweaks and some free software, one can have a Mac forensic station up and running in a short time.
The first configuration change required is to disable auto-mounting of drives. When the Macintosh uses the automount feature to mount a drive, it mounts it in read-write mode. Mounting in this mode will change the access times of certain files, rendering the evidence tainted (Hawkins 2002). Disabling automount allows the investigator to later mount the device in read-only mode, or to make an image of the device without mounting it at all, a technique that is also useful for recovering data from a corrupt file system. To disable the automount feature, the investigator must edit the hostconfig file in the /etc directory (/etc/hostconfig), changing the automount flag to -NO-. Once this setting is changed, the system must be rebooted. The investigator is then ready to connect the suspect device to the system.
There are a number of adapters for connecting IDE, SCSI, and SATA drives to a MacBook through the FireWire port. Once the device is connected to the computer, the investigator can issue the ‘mount’ command without any options to see what the address of the device is. Unix-based operating systems assign every drive a filename in the /dev directory. From here, the investigator has the option of mounting the device in read-only mode by executing the mount command with the -r flag: $ mount -t ext2 -r /dev/disk1s1 (where disk1s1 is the suspect device). It is preferable, however, to create a forensic copy of the device.
To create this copy, the investigator can use the Mac’s built-in ‘dd’ or ‘datadump’ utility. This utility creates a bit-by-bit copy of the device without mounting it or changing any files on the device. To use dd to make a forensic copy, pass the location of the device to be copied as the input file along with a destination for the new image (# dd if="/dev/disk3s1" of="/Users/donny/badguysstuff.dmg"). The .dmg extension is the Macintosh disk image format. These images can be mounted as disks and can even be booted from if the image is a copy of a complete Mac file system. Once the original device is removed and stored in an evidence container, the investigator can begin the analysis.
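The acquisition steps above (device never mounted, imaged bit for bit with dd) carried through as a script, with the check a practitioner wants before touching the copy: a hash of the source compared against a hash of the image, both recorded to a log. This is an added example and not code from the original post; the device paths are placeholders, and it assumes sha256sum (Linux) or shasum (Mac OS X) is available.

```shell
#!/bin/sh
# Added example, not part of the original post: acquire a raw device with dd
# and verify the image against the source before analysis. Device paths are
# placeholders; assumes sha256sum (Linux) or shasum (Mac OS X) is installed.

hash_file() {
    # SHA-256 digest of a file, using whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_device() {
    # image_device SOURCE DEST LOG
    # Bit-for-bit copy of SOURCE (e.g. /dev/disk3s1, never mounted) into DEST.
    # conv=noerror,sync continues past unreadable blocks and zero-pads them so
    # offsets in the image still line up with the device; bs=512 matches the
    # sector size, so padding never changes the length of a healthy device.
    src=$1; dst=$2; log=$3
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image: $dst" >&2
        return 1
    fi
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Record both digests so the image can be re-verified later.
    printf '%s source=%s %s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s %s\n' "$stamp" "$dst" "$dst_hash" >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    # verify_image IMAGE LOG: recompute the digest and compare it with the
    # value recorded at acquisition; fails if the image has been altered.
    recorded=$(grep " image=$1 " "$2" | tail -n 1 | awk '{print $3}')
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}

# Run directly as: sh acquire.sh /dev/diskNsM /path/to/image.dmg [logfile]
if [ $# -ge 2 ]; then
    image_device "$1" "$2" "${3:-acquisition.log}" && echo "image verified"
fi
```

On the Mac the resulting image can later be attached read-only with hdiutil attach -readonly, so analysis never touches the original device.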
At this point, there are a number of tools the investigator can install to aid in discovery. Most of these are commercial products that require nominal to hefty fees to use. One of the more useful commercial utilities is Norton DiskEdit, which can recover deleted files. There is also an entire suite of forensic tools for Macintosh from a company called “BlackBag.” This suite is priced at roughly $500, but gives the user everything he or she needs to get started. While more expensive tools will perform better in most instances, there are freely available forensic tools that can be used on the Mac.
To start, there are a number of command line utilities built into the operating system that can give the investigator useful information regarding the device’s partition structure and access times. Data can be retrieved using the hexdump command. The hexdump command can print to the screen or to a file the bit-by-bit information contained on the drive, allowing for analysis at the lowest level (Donnelly 2004). There is an additional utility, ‘od’, that can also dump data in ASCII, octal, and decimal format.
In addition to these utilities, there is also an open source tool available called ‘Sleuthkit.’ Sleuthkit, along with its graphical front-end, ‘Autopsy’, can be downloaded for free at http://www.sluethkit.org. The install is reasonably easy by Unix standards. It is important to remember to install Sleuthkit before installing Autopsy. Once installed, start the Autopsy server and log in with a browser at http://127.0.0.1:9999. The interface is easy to use and allows for data inspection at the bit level as well as case tracking and note taking.
With a few easy configuration changes, the Macintosh platform can be a very powerful computer forensic tool at a reasonably affordable cost.

Sources
Donnelly, Derrick (2004). O’Reilly Mac OS X Conference notes. Retrieved November 25, 2006 from http://conferences.oreillynet.com/cs/macosx2004/derrick_donnelly.pdf

Hawkins, Peter (2002). Macintosh Forensic Analysis Using OS X. Retrieved November 25, 2006 from http://www.sans.org/reading_room/whitepapers/apple/269.php

20090710

Network Attack Weapons Emerge

http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/CYBER052109.xml

"weaponizing cyberattack for the non-cyberspecialist, military user."

The term "friendly fire" starts to come to mind...

20090701

Pentagon signs off on Cyber Command

Technically, this should be a National Guard Function

http://www.securityfocus.com/brief/978?ref=rss

TITLE 32 > CHAPTER 9 > § 902

The Secretary of Defense may provide funds to a Governor to employ National Guard units or members to conduct homeland defense activities that the Secretary,[1] determines to be necessary and appropriate for participation by the National Guard units or members, as the case may be.