Chapter 19
Digital Evidence on Macintosh Systems
On completion of this chapter, the student will:
Be aware of how HFS (and HFS Plus) manage folders and files.
Recognize the unique features of HFS.
Be aware of the differences between HFS and HFS Plus.
Be aware of various data recovery methods that can be used for HFS.
Chapter Guide
Macs represent a small but growing segment of the total number of computers and are sufficiently
common to crop up frequently in digital investigations. Therefore, forensic examiners must be prepared to
collect and analyze data from the Mac environment. This task can be a challenge as there are currently
Unlike Intel-based systems, Macs do not have a BIOS per se. Instead, they use Open Firmware that can
ginning of the boot process. The
current system date and time is generally visible in the opening message of newer versions of Open
Firmware.
As with Windows, the Mac boot process is very invasive. To prevent altering evidentiary data,
conventional wisdom dictates that the hard drives be disconnected before attempting to power up a Mac.
The Mac file systems (16-bit HFS and 32-bit HFS+) are structured similarly to the other file systems discussed
in the text. Boot records reside at the beginning of each volume. System file structures consist of Catalog
files and Extents Overflow files. Of particular relevance to forensic examiners is how date-time stamps are recorded.
Catalog file records are organized in a balanced tree (B-tree), a storage structure optimized for searching.
Each record contains a Catalog Node ID. Four types of records are supported: folders, files, folder
threads, and file threads. Notable data such as folder and file names and MAC times can be found here.
Deletion of a file results in it being moved to the Trash folder, but it is not marked as deleted until it is
removed from there. When a file is deleted, its key length is zeroed and the reference to it may be
removed from the catalog. The net result is that the data may only be recoverable by keyword search of
unallocated space.
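To make the catalog-record and deletion behaviour above concrete, here is an added example (not from the textbook) that parses a constructed HFS+ catalog leaf record, decodes its 1904-epoch date-time stamps, and shows what a zeroed key length looks like to a parser versus a keyword search. The field layout follows Apple's published HFS+ format (catalog key, then folder/file record); the sample bytes, CNIDs and the helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# HFS+ date fields are unsigned 32-bit seconds since 1904-01-01 00:00:00 UTC
# (classic HFS uses the same epoch but local time).
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
RECORD_TYPES = {1: "folder", 2: "file", 3: "folder thread", 4: "file thread"}

def hfs_time(secs):
    """Convert an HFS+ date field to an ISO 8601 UTC string."""
    return (HFS_EPOCH + timedelta(seconds=secs)).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_catalog_record(buf):
    """Parse one catalog leaf record: HFSPlusCatalogKey followed by the folder
    or file record. Returns None when keyLength is 0, the state a deleted
    record is left in (its name and dates are still physically present)."""
    key_len, parent_cnid, name_len = struct.unpack_from(">HIH", buf, 0)
    if key_len == 0:
        return None
    name = buf[8:8 + 2 * name_len].decode("utf-16-be")   # HFSUniStr255 name
    rec = 2 + key_len                                     # keyLength excludes itself
    rtype, _flags, _, cnid, cr, md, am, ac, _bk = struct.unpack_from(">hHIIIIIII", buf, rec)
    if rtype not in (1, 2):                               # thread records carry no dates
        return {"type": RECORD_TYPES.get(rtype, "unknown")}
    return {"type": RECORD_TYPES[rtype], "cnid": cnid, "parent": parent_cnid,
            "name": name, "created": hfs_time(cr), "modified": hfs_time(md),
            "attr_modified": hfs_time(am), "accessed": hfs_time(ac)}

def build_record(parent_cnid, name, rtype, cnid, dates):
    """Constructed sample builder (not real disk data): lays out key + record."""
    key = struct.pack(">IH", parent_cnid, len(name)) + name.encode("utf-16-be")
    rec = struct.pack(">hHIIIIIII", rtype, 0, 0, cnid, *dates)
    return struct.pack(">H", len(key)) + key + rec

# Constructed sample: file "notes.txt" in folder CNID 20, created at the Unix epoch.
UNIX_EPOCH_HFS = 2082844800   # seconds from 1904-01-01 to 1970-01-01
LIVE = build_record(20, "notes.txt", 2, 301,
                    (UNIX_EPOCH_HFS, UNIX_EPOCH_HFS + 86400, UNIX_EPOCH_HFS + 86400,
                     UNIX_EPOCH_HFS + 172800, 0))
DELETED = b"\x00\x00" + LIVE[2:]   # identical bytes with the key length zeroed

if __name__ == "__main__":
    print(parse_catalog_record(LIVE))
    print(parse_catalog_record(DELETED))   # None: no longer reachable via the catalog
    # the name still sits in the raw bytes, which is what a keyword search finds
    print("notes.txt".encode("utf-16-be") in DELETED)
```

Searching for names in UTF-16BE (as HFS+ stores them) rather than ASCII is what makes the keyword search of unallocated space hit such remnants.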
Older Macintosh systems do not keep logs, but Mac OS 9 and Mac OS X have a logging capability. Of
interest to examiners are the system logs that Mac OS X keeps. Some of the items tracked, such as external
media connected to the computer, user logon/logoff activity, and system clock changes, can be evident
from temporal discontinuities in these logs. Macs also keep records of recently accessed applications and
documents. Tools like Desktop DB Diver can provide a great deal of information about what applications
Mac OS 9 and X are network-aware, and keep exploitable network-related information. Also, Internet
applications record activities to some degree. Netscape history files are exploitable and may contain a
Multiple Choice Questions
1. Macintosh stores its partition table in:
2. The boot sector and additional details about the volume are stored in:
3. HFS supports a maximum of ________ clusters.
4. HFS represents time as:
5. The HFS equivalent to the NTFS MFT is:
6. A difference between HFS and other file systems studied is that folders:
7. It may not be possible to recover the file names and date-time stamps from an HFS
volume with forensic tools because:
8. The most common approach to salvaging deleted data on Macintosh systems is to:
9. On Mac OS X, when a file is deleted, it is copied to the:
10. Recently accessed files and applications are listed in:
11. The last access times of files copied from a Mac running OS 9 onto a FAT-formatted
disk are meaningless because HFS does not maintain:
12. The default browser used on Mac OS X is:
13. The folder ~/Library/Mail Downloads contains:
14. Keychains (~/Library/Keychains) are files that store:
15. When a file is deleted, its Catalog entry may be deleted as well. If this occurs,
True or False Questions
1. There is a wide selection of forensic tools available for exploiting Macs.
2. Macintosh disks can only be examined on a Macintosh system.
3. By default, when Mac OS X boots up, it will attempt to mount an evidence disk.
4. HFS Plus stores file and folder names in Unicode format.
5. Examination of a Mac computer must be
6. On a Macintosh, when a file is deleted, its key length is set to zero.
7. Digital evidence examiners can use The Sleuth Kit on Mac OS X to examine NTFS,
FAT, UFS, EXT, and HFS file systems.
8. Due to the design of the Macintosh Catalog file, it is easy to recover deleted files
9. Mac OS X has logging capabilities, but OS9 did not.
10. Internet Explorer cookies are always found in System
11. Typically, the degree of e-mail logging is dependent on the application.
12. By default, Eudora for Macintosh records more information than Eudora for Windows.
13.
14. In each volume of a Macintosh system, ther
contains information about activities on the system including programs that were run and
files and websites that were accessed.
15. One of the interesting file system traces that is created when files are saved from a
Discussion Questions
For each of the following questions, develop discussion notes and be prepared to discuss your findings.
1. Are Macintosh systems more or less useful than Windows systems as sources of digital evidence?
3. How does Mac OS 9 differ from Mac OS X and what significance does this have from a forensic
perspective?