Extract and analyze digital evidence from Mac OS X systems

ATC-NY released Mac Marshal 2.0, which automates the forensics process for a cyber investigator. It scans a Macintosh disk, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools to extract Mac OS X-specific forensic evidence written by the OS and common applications.

Mac Marshal Forensic Edition runs on an investigator’s Mac workstation to analyze a disk image.

Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM. The Field Edition also analyzes disk-based data, with the same capabilities as the Forensic Edition.

New features available in Mac Marshal 2.0:

  • Streamlined analysis, including Spotlight searches, on E01-format disk images.
  • New analysis tools including system configuration analysis and swap file / hibernation file acquisition. Investigators can now see, for instance, any prior Wi-Fi access points the computer was associated with and whether there is a Time Machine backup drive to be examined for evidence.
  • New Live State and Physical Memory acquisition tools that let the user examine the volatile state of a live machine before seizing it. [Field Edition only]
  • Integrated thumbnail browser for previewing large numbers of image files.
  • Improved analysis of data from Apple’s Safari Web browser, including graphical previews of pages from Safari 4 and 5.
  • Analysis of information from iPhone/iPad/iPod devices and support for creating or extracting backups of those devices.

Mac Marshal provides analysis of Mac application and operating system usage, including the detection and extraction of virtual machine images and FileVault-encrypted user directories. It maintains a thorough audit trail and generates detailed reports in RTF, PDF and HTML formats.