Philip Craiger, PhD
Assistant Director for Digital Evidence
National Center for Forensic Science &
Department of Engineering Technology
University of Central Florida
Paul K. Burke
Senior Digital Evidence Research Assistant
National Center for Forensic Science
There are few resources that describe a forensics analysis of an Apple Mac computer. The purpose of this paper is describe procedures to conduct a forensics examination of an Apple Mac running the newest operating system, Mac OS X, and its default file system, the Hierarchical File System Plus (HFS+). Our chapter is divided into four sections. In the first we demonstrate Target Disk Mode to create a forensic duplicate of a Mac hard drive and an on-site preview of a suspect’s computer. In the second we describe the HFS+ file system and describe the data structures used to represent files and are important in the recovery of deleted files. In the third section we describe several procedures one can use to recover evidence at a physical level to recover evidence from unallocated, slack space, and virtual memory. Finally, we describe methods to recover trace evidence from Mac OS X default email, web browser, and instant messaging applications, as well as forensic procedures to recover commands issued from a terminal window.
Keywords: Mac OS X, Mac OS X forensics, digital forensics, computer forensics.
Mac Forensics: Mac OS X and the HFS+ File System
The Apple Macintosh (or Mac) was first introduced to the public in 1984. Since then it has an enjoyed a small, albeit vocal, user base – typically somewhere between 3 and 8% of the installed operating system base. It is not surprising then that there has been very little published regarding digital forensics on Macintosh computers.
partially rectify this lack of information in this chapter we present an introduction to forensics for the Macintosh.
Due to space limitations we make certain assumptions about the suspect’s computer and operating system. The reason for these assumptions is that in our research we discovered that different versions of Mac OS X behave differently. Thus, these assumptions will determine what procedures are required to ensure the forensic integrity of our examination, i.e., some procedures may be proper for one version of Mac OS X, but not another. These assumptions are as follows:
The forensic acquisition computer and the suspect’s computer are running version 10.4.3 of Mac OS X (The latest version as of November 2005).
The Open Firmware password has not been set on the suspect’s computer. (Open Firmware is a processor and system independent boot firmware used in Mac, an analogue to the PCs BIOS.
The suspect has not used encryption via the Mac OS X FileVault – a virtual image that uses 128-bit AES encryption to create a virtual encrypted volume on the hard drive.
The suspect’s hard drive is formatted with the Hierarchical File System Plus (commonly referred to as HFS+). This HFS+ file system has been the default file system since Mac OS X’s inception in 2000.
The suspect’s computer was used primarily as a personal workstation as opposed to a server. A version of Mac OS X for servers is available, and its use as a server would require a different forensic protocol.
We begin by describing a method for creating forensic duplicates of the suspect’s hard drive. This method also supports an onsite preview of the suspect’s hard drive, a common procedure used by law enforcement to determine if there is any contraband or probative evidence on the suspect’s computer prior to seizing it. We then describe the HFS+ file system, the default file system for Mac OS X installations. We describe HFS+ layout and data structures that are important for recovering deleted files.
describe procedures for recovering deleted files from unallocated...