Abstract
This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
Original language | American English |
---|---|
Title of host publication | Advances in Digital Forensics II |
DOIs | |
State | Published - Jan 2006 |
Externally published | Yes |
Keywords
- Macintosh computers
- Mac OS X forensics
Disciplines
- Computer and Systems Architecture
- Forensic Science and Technology