Mac OS X Forensics

Philip Craiger, Paul Burke

Research output: Chapter in Book/Report/Conference proceeding (Chapter)

Abstract

This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
Original language: American English
Title of host publication: Advances in Digital Forensics II
State: Published - Jan 2006
Externally published: Yes

Keywords

  • Macintosh computers
  • Mac OS X forensics

Disciplines

  • Computer and Systems Architecture
  • Forensic Science and Technology
