Digital Evidence Analysis: Macintosh Digital Forensic Tools

Much of the technology developed for digital forensics operates exclusively on Windows operating systems. As Macintosh computers rise in popularity, compatible digital evidence collection and analysis tools are needed. Now that Macintosh computers can run both Mac OS X and Windows, new programs are necessary to examine more complex and varied digital evidence.

NIJ funded the development of a new tool, Mac Marshal, to help forensics experts reduce backlogs of seized Macintosh computers awaiting analysis. Previously developed Macintosh forensics tools focused on low-level forensics and did not gather the majority of critical evidence from the machine.

The tool, available free for download by law enforcement personnel, offers the following capabilities:

  • Assessment and analysis of collected data from OS X-specific applications that have been installed on a Macintosh computer, which may include Apple Mail, Safari, iChat, iTunes and QuickTime Player.
  • Detection and analysis of encrypted user directories.
  • iPod forensic data collection.
  • Report generation and audit trail.
  • Triage mode to allow law enforcement officers to make better-informed decisions about where to begin searching for evidence on Mac hard drives.
  • Easy adaptation to newer versions of the Mac OS.
  • New automatic analysis tools for commonly requested forensic data.
  • The ability to conduct Mac Marshal investigations on live, running systems and gather volatile data.
Date Created: November 5, 2010