
    Testing Memory Forensics Tools for the Macintosh OS X Operating System

    Memory acquisition is essential to defeat anti-forensic operating-system features and to investigate cyberattacks that leave little or no evidence in secondary storage. The forensic community has developed tools to acquire physical memory from Apple's Macintosh computers, but they have not been extensively tested. This work tested three major OS X memory-acquisition tools. Although all of the tools could capture system memory accurately, the open-source tool OSXPmem appeared advantageous in size, reliability, and support for memory configurations and versions of the OS X operating system.

    An Evaluation of Windows-Based Computer Forensics Application Software Running on a Macintosh

    The two most common computer forensics applications run exclusively on Microsoft Windows operating systems, yet contemporary computer forensics examinations frequently encounter one or more of the three most common operating system environments, namely Windows, OS X, or some form of UNIX or Linux. Additionally, government and private computer forensics laboratories frequently face budget constraints that limit their access to computer hardware. Currently, Macintosh computer systems are marketed with the ability to accommodate these three common operating system environments, including Windows XP in native and virtual environments. We performed a series of experiments to measure the functionality and performance of the two most commonly used Windows-based computer forensics applications on a Macintosh running Windows XP in native mode and in two virtual environments, relative to a similarly configured Dell personal computer. The results are directly beneficial to practitioners, and the process illustrates effective pedagogy whereby students were engaged in applied research.

    Implementation of the National Institute of Justice (NIJ) Method on the TRIM Feature of Solid State Drives (SSD) with the Windows, Linux and Macintosh Operating Systems as Experimental Objects

    The Solid State Drive (SSD) is the latest solution for speeding up data processing on a variety of multiplatform desktop computers. The TRIM feature on SSDs helps eliminate garbage data that users have permanently deleted, a method that has the benefit of extending the service life of SSD devices. The drawback of this method is that it is a potential obstacle for forensic investigators trying to recover deleted data in cyber crime cases where the evidence is a computer with SSD storage. The experimental objects in this study are the mainstream operating systems, namely Windows, Linux and Macintosh, installed on an SSD, where each operating system simulates the deletion of stored data with a comparison of TRIM-enabled and TRIM-disabled configurations. The National Institute of Justice (NIJ) digital forensic method is implemented here because it serves as the reference for digital forensics practice in this study. The SLEUTH KIT Autopsy software is the digital forensic tool used, from the investigator's perspective, for the acquisition and analysis of the SSD evidence in this study's case simulation. The novelty of this research is that the operating systems used as experimental objects are the latest releases of Windows, Linux and Macintosh, which certainly have great potential for exploration, especially in digital forensics. Windows has the greatest chance of recovery results among the other two operating systems in this study.

    The Solid State Drive (SSD) is the latest solution for speeding up data processing on a variety of multiplatform desktop computers. The TRIM feature on SSDs serves to eliminate garbage data that has been permanently deleted by the user, a method that has the benefit of extending the service life of SSD devices. The contradiction of using this method is the difficulty it creates for forensic investigators in recovering deleted data when cyber crime occurs in cases where the evidence is a computer with SSD storage. The experimental objects in this study are based on the perspective of the mainstream operating systems, namely Windows, Linux and Macintosh, installed on the SSD, where on each operating system the deletion of stored data is simulated with a comparison of TRIM-enabled and TRIM-disabled configurations. The digital forensic method implemented here is that of the National Institute of Justice (NIJ), which serves as the reference for digital forensic practice in this study. The SLEUTH KIT Autopsy software is the digital forensic tool used from the investigator's perspective in the acquisition and analysis of the SSD evidence in this study's case simulation. The novelty obtained in this research is that the operating systems used as experimental objects are the latest releases of Windows, Linux and Macintosh, which certainly have great potential for exploration, especially in digital forensics. Windows has the greatest chance of recovery results among the other two operating systems in this study.

    Web Browser Private Mode Forensics Analysis

    To maintain the privacy of end consumers, browser vendors provide a very good feature on the browser called Private Mode. According to the browser vendors, Private Mode ensures that cookies, temporary Internet files, webpage history, form data and passwords, anti-phishing cache, address bar and search AutoComplete, Automatic Crash Restore (ACR) and Document Object Model (DOM) storage information are not stored on the system [45]. To put the browser vendors' claim to the test, I set up a test to confirm the claims. During the first test the file system was monitored for all reads and writes. In the second test an image of the RAM was taken after the browser was used in private mode. The image was analyzed to check whether the RAM contained any data related to the user's browsing. The browsers chosen for this test were Internet Explorer, Firefox, Google Chrome and Safari. During the file system monitoring analysis for the browsers in private mode it was found that Google Chrome and Firefox didn't write any data to the file system. Safari wrote data to just a single file called WebpageIcons.db. Internet Explorer wrote browsing data to the file system and then deleted it; this data can be recovered using any recovery tool such as Recuva. During the memory-dump-based analysis for the browsers in private mode, it was found that browser data was recoverable for all the browsers. Therefore, from a data privacy perspective, Google Chrome and Firefox are safer to use than Safari and Internet Explorer.

    A Comparative Study of Email Forensic Tools

    Over the last few decades, email has become a carrier for transporting spam and malicious content. The email network is also a major source of criminal activity on the Internet. Computer forensics is a systematic process for preserving and analyzing email stored on a computer for the purpose of proof in legal proceedings and other civil matters. Email analysis is challenging not only because email is used in various fields and can be abused by hackers or malicious users, but also because of the flexibility of composing, editing and deleting email using offline (e.g., MS Outlook) or online (e.g., webmail) applications. To address this, an approach is taken using email forensic tools to understand the extent to which these tools are useful for detecting and performing appropriate forensic analysis. In this paper, we conducted a comparative study of a set of common features across five popular open-source email forensic tools. The study found that the email forensic tools are not all alike and do not all offer every type of facility. Combining these tools allows the analyst to obtain detailed information in the field of email forensics.

    Acquiring OS X File Handles through Forensic Memory Analysis

    Memory analysis has become a critical capability in digital forensics because it provides insight into system state that cannot be fully represented through traditional media analysis. The volafox open-source project has begun the work of structured memory analysis for OS X, with support for a limited set of kernel structures. This paper addresses one memory analysis deficiency on OS X with the introduction of a new volafox module for parsing file handles associated with running processes. The developed module outputs information comparable to the UNIX lsof (list open files) command, which is used to validate the results.

    Digital forensics formats: seeking a digital preservation storage format for web archiving

    In this paper we discuss archival storage formats from the point of view of digital curation and preservation. Taking established approaches to data management as our jumping-off point, we selected seven format attributes that are core to the long-term accessibility of digital materials; we have labeled these core preservation attributes. These attributes are then used as evaluation criteria to compare file formats belonging to five common categories: formats for archiving selected content (e.g. tar, WARC), disk image formats that capture data for recovery or installation (partimage, dd raw image), these two types combined with a selected compression algorithm (e.g. tar+gzip), formats that combine packing and compression (e.g. 7-zip), and forensic file formats for data analysis in criminal investigations (e.g. aff, the Advanced Forensic File format). We present a general discussion of the file format landscape in terms of the attributes we discuss, and make a direct comparison between the three most promising archival formats: tar, WARC, and aff. We conclude by suggesting the next steps to take the research forward and to validate the observations we have made.

    Book Review: Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit

    This document is Dr. Kessler's review of Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit, edited by Jesse Varsalone. Syngress, 2009. ISBN: 978-1-59749-297-3.

    A comparative forensic analysis of privacy enhanced web browsers

    Growing concerns regarding Internet privacy have led to the development of enhanced-privacy web browsers. The intent of these web browsers is to provide better privacy for users who share a computer, by not storing information about which websites are visited, and to protect user data from websites that employ tracking tools such as Google for advertising purposes. As with most tools, users have found alternative purposes for enhanced-privacy browsers, some illegal in nature. This research conducted a digital forensic examination of three enhanced-privacy web browsers and three commonly used web browsers in private browsing mode to identify whether these browsers produced residual browser artifacts and, if so, whether those artifacts provided content about the browsing session. The examination process, designed to simulate common practice in law enforcement digital forensic investigations, found that, when comparing browser type by browser and tool combination, out of a possible 60 artifacts the common web browsers produced 26 artifacts while the enhanced-privacy browsers produced 25, for a difference of 2%. The tool set used also had an impact in this study, with FTK finding a total of 28 artifacts while Autopsy found 23, for a difference of 8%. The conclusion of this research was that although there was a difference in the number of artifacts produced by the two groups of browsers, the difference was not significant enough to support the claim that one group of browsers produced fewer artifacts than the other. As this study has implications for privacy-minded citizens as well as law enforcement and digital forensic practitioners concerned with browser forensics, it identified a need for future research with respect to Internet browser privacy, including expanding this research to include more browsers and tools.