
Mac Marshal™—Macintosh Evidence Gathering and Analysis

ATC-NY has developed Mac Marshal, an extensible Macintosh Evidence Gathering and Analysis tool suite for investigators to assess and collect data on dual-boot Apple Mac OS X systems, and to gather and analyze forensically-relevant data specific to Mac OS X. With development sponsored by the U.S. National Institute of Justice, the tool is available free of charge to the U.S. law enforcement community.

Existing forensic tools generally do not gather this OS X-specific data and do not handle dual-boot (e.g., Boot Camp) systems, so vital sources of potential evidence are overlooked. Mac Marshal enables an investigator to quickly assess the operating systems installed on a Mac OS X disk image or machine, including the last boot time and other information for each installed OS. This lets the forensic examiner quickly pinpoint the disk partitions most likely to be of interest and apply operating system-specific tools to those partitions, saving valuable investigative resources, particularly in time-sensitive cases.

Mac Marshal has been expanded into a broad suite of Mac OS X-specific tools addressing Mac-specific forensic data such as encrypted home directories, enhanced file metadata, Spotlight searches, Safari web caches, the OS-wide Address Book, and iTunes/iPod information (e.g., linking an iPod found at the scene to a machine in a suspect's residence). Continued development focuses on the Mac-specific tools that best meet law enforcement and NIJ needs.

Download this article from the 2008 Digital Forensic Research Workshop (DFRWS) for a discussion of Mac Marshal (717K PDF).

For more information about Mac Marshal, visit www.macmarshal.com

© 2010 Architecture Technology Corporation
Send comments to: webmaster@atcorp.com