Digital Evidence and Computer Crime, Second Edition
12.2 Overview of Digital Evidence Processing Tools
The most common approach to creating a bitstream copy of a hard drive from a Macintosh system is to remove it and connect it to another computer. Although it is possible to boot Macintosh systems using a CD-ROM, this is mainly useful for noting the time of the system clock and copying individual files from the system. If it is necessary to boot a Macintosh using a CD-ROM, hard drives should be disconnected from the system first to avoid accidental alteration. In one case, a system administrator who was helping investigators attempted to boot an iBook using a CD-ROM but mistakenly booted from the hard drive, altering file date-time stamps in the process.
HFS and HFS Plus can be acquired and examined using MacOS X, Linux, SMART, or EnCase on Windows. Be aware that when MacOS X boots up, it will attempt to mount an evidence disk unless automount is turned off, an eventuality that digital evidence examiners will want to avoid. Figure 12.2 shows the same file as Figure 12.1 viewed using EnCase.
Currently, digital evidence examiners can use The Sleuth Kit on MacOS X to examine NTFS, FAT, UFS, and EXT but not HFS file systems.
There are various utilities for examining special Macintosh files such as Desktop databases discussed later in this chapter. Also, corrupt Catalog files can be repaired using tools such as Disk Warrior[1] or Norton Disk Doctor, recovering files, folders, and related file system details than were not previously visible. To run these tools, it is necessary to create a clone of the original system and perform recovery or other examination operations on the copy.
[1]http://www.alsoft.com
Категории