Case Project 3 2
Lateca Ojeda
February 3, 2015
COMSC – 120
Case Project 3-2
I am not exactly sure this is the right idea of what this assignment asks for because being that it’s a page long assignment it seems to be a lot longer had I included all the asking information.
Procedure
If the suspect device is a computer running the Mac OSX Operating System:
Attach the external hard drive enclosure containing the target drive to the examination Mac laptop or desktop.
In Finder, locate the forensic image file of the suspect system on the target drive. Be careful not to mount the forensic image file before it has been locked (see limitations section below). Right-click or press ‘Command + I’ to open the “Get Info” dialog box in Finder. Select the “locked” radio button to lock the forensic image into read-only mode.
Mount the locked forensic image by double-clicking on the forensic image file.
Technical Procedure for Macintosh Native Examination Version 2 Digital/Latent Evidence Section Effective Date:
02/03/2015 Issued by Digital/Latent Forensic Scientist Manager
Page 2 of 4 All copies of this document are uncontrolled when printed.
If the suspect device is running the Mac iOS Operating System:
Create a new user account for use in examining the suspect data. Enable “fast user switching” in the process.
Using the newly created forensic examination user account, open the iTunes application. Set the option to prevent automatic syncing with the computer by selecting: iTunes Preferences and check the “Prevent iPods, iPhones, and iPads from syncing automatically” option.
Connect the device to the examination computer (see limitations section below).
Take a screenshot of the Summary tab of the iTunes application to record information concerning the device.
Right-click on the root of the device’s entry (on the left side of the screen) and select “Back-Up” from the menu. This will copy the contents of the device (see limitations section below) to the directory
February 3, 2015
COMSC – 120
Case Project 3-2
I am not exactly sure this is the right idea of what this assignment asks for because being that it’s a page long assignment it seems to be a lot longer had I included all the asking information.
Procedure
If the suspect device is a computer running the Mac OSX Operating System:
Attach the external hard drive enclosure containing the target drive to the examination Mac laptop or desktop.
In Finder, locate the forensic image file of the suspect system on the target drive. Be careful not to mount the forensic image file before it has been locked (see limitations section below). Right-click or press ‘Command + I’ to open the “Get Info” dialog box in Finder. Select the “locked” radio button to lock the forensic image into read-only mode.
Mount the locked forensic image by double-clicking on the forensic image file.
Technical Procedure for Macintosh Native Examination Version 2 Digital/Latent Evidence Section Effective Date:
02/03/2015 Issued by Digital/Latent Forensic Scientist Manager
Page 2 of 4 All copies of this document are uncontrolled when printed.
If the suspect device is running the Mac iOS Operating System:
Create a new user account for use in examining the suspect data. Enable “fast user switching” in the process.
Using the newly created forensic examination user account, open the iTunes application. Set the option to prevent automatic syncing with the computer by selecting: iTunes Preferences and check the “Prevent iPods, iPhones, and iPads from syncing automatically” option.
Connect the device to the examination computer (see limitations section below).
Take a screenshot of the Summary tab of the iTunes application to record information concerning the device.
Right-click on the root of the device’s entry (on the left side of the screen) and select “Back-Up” from the menu. This will copy the contents of the device (see limitations section below) to the directory