Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit

Book description

This book provides digital forensic investigators, security professionals, and law enforcement with all of the information, tools, and utilities required to conduct forensic investigations of computers running any variant of the Macintosh OS X operating system, as well as the almost ubiquitous iPod and iPhone. Digital forensic investigators and security professionals subsequently can use data gathered from these devices to aid in the prosecution of criminal cases, litigate civil cases, audit adherence to federal regulatory compliance issues, and identify breach of corporate and government usage policies on networks.

  • Mac Disks, Partitioning, and HFS+ File System: Manage multiple partitions on a disk, and understand how the operating system stores data.
  • FileVault and Time Machine: Decrypt locked FileVault files and restore files backed up with Leopard's Time Machine.
  • Recovering Browser History: Uncover traces of Web-surfing activity in Safari with Web cache and .plist files.
  • Recovering Email Artifacts, iChat, and Other Chat Logs: Expose communications data in iChat, Address Book, Apple's Mail, MobileMe, and Web-based email.
  • Locating and Recovering Photos: Use iPhoto, Spotlight, and shadow files to find artifacts of photos (e.g., thumbnails) when the originals no longer exist.
  • Finding and Recovering QuickTime Movies and Other Video: Understand video file formats--created with iSight, iMovie, or another application--and how to find them.
  • PDF, Word, and Other Document Recovery: Recover text documents and metadata with Microsoft Office, OpenOffice, Entourage, Adobe PDF, or other formats.
  • Forensic Acquisition and Analysis of an iPod: Document seizure of an iPod model and analyze the iPod image file and artifacts on a Mac.
  • Forensic Acquisition and Analysis of an iPhone: Acquire a physical image of an iPhone or iPod Touch and safely analyze without jailbreaking.

  • Includes Unique Information about Mac OS X, iPod, iMac, and iPhone Forensic Analysis Unavailable Anywhere Else
  • Authors Are Pioneering Researchers in the Field of Macintosh Forensics, with Combined Experience in Law Enforcement, Military, and Corporate Forensics

Table of contents

  1. Brief Table of Contents
  2. Table of Contents
  3. Copyright
  4. Technical Editor
  5. Lead Authors
  6. Contributing Authors
  7. About the Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit DVD
  8. Chapter 1. Tiger and Leopard Mac OS X Operating Systems
    1. Introduction
    2. First Responders and Specialized Examiners
    3. Macintosh History
    4. Macintosh Aspects
    5. Macintosh Technologies
    6. Disk Structure
    7. Summary
    8. Solutions Fast Track
    9. Frequently Asked Questions
  9. Chapter 2. Getting a Handle on Mac Hardware
    1. Introduction
    2. MacBooks and Desktop Computers
    3. iPods
    4. iPhones
    5. Other Hardware
    6. Summary
    7. Solutions Fast Track
    8. Frequently Asked Questions
  10. Chapter 3. Mac Disks and Partitioning
    1. Introduction
    2. Disk Utility
    3. First Aid
    4. Erasing a Disk
    5. Partitioning
    6. RAID
    7. Restore
    8. Changing the Startup Disk
    9. Summary
    10. Solutions Fast Track
    11. Frequently Asked Questions
  11. Chapter 4. HFS Plus File System
    1. Introduction
    2. HFS Plus Volumes
    3. Boot Blocks
    4. Volume Header
    5. Allocation File
    6. B*-trees
    7. Summary
    8. Solutions Fast Track
    9. Frequently Asked Questions
  12. Chapter 5. FileVault
    1. Introduction
    2. FileVault Overview
    3. Acquiring an Unlocked FileVault
    4. Decrypting a Locked FileVault
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  13. Chapter 6. Time Machine
    1. Introduction
    2. Configuring and Using Time Machine
    3. Restoring Files from Time Machine
    4. Forensic Implications
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  14. Chapter 7. Acquiring Forensic Images
    1. Introduction
    2. Setting Up an Analysis Mac
    3. Imaging a Mac with a Mac
    4. Imaging a Mac with a Live CD
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  15. Chapter 8. Recovering Browser History
    1. Introduction
    2. Recovering Items from Web Cache
    3. Recovering Items from plist Files
    4. Summary
    5. Solutions Fast Track
    6. Frequently Asked Questions
  16. Chapter 9. Recovery of E-mail Artifacts, iChat, and Other Chat Logs
    1. Introduction
    2. Popular E-mail Applications
    3. MobileMe (.Mac) and Web-Based E-mail
    4. Recovery of E-mail Data
    5. Address Book
    6. Popular Chat Applications
    7. Recovery of Chat Data
    8. Summary
    9. Solutions Fast Track
    10. Frequently Asked Questions
  17. Chapter 10. Locating and Recovering Photos
    1. Introduction
    2. Defining a Photo on a Macintosh
    3. iPhoto
    4. Recovering Images
    5. Spotlight and Shadow Files
    6. Summary
    7. Solutions Fast Track
    8. Frequently Asked Questions
  18. Chapter 11. Finding and Recovering Quicktime Movies and other Video
    1. Introduction
    2. Defining a Movie on a Macintosh
    3. iMovie
    4. Recovering Video
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  19. Chapter 12. Recovering PDFs, Word Files, and Other Documents
    1. Introduction
    2. Microsoft Office
    3. Recovering Office Files, PDFs, and Other Documents
    4. Summary
    5. Solutions Fast Track
    6. Frequently Asked Questions
  20. Chapter 13. Forensic Acquisition of an iPod
    1. Introduction
    2. Documenting the Seizure of an iPod
    3. Using Open Source Acquisition Tools
    4. Using Proprietary Acquisition Tools
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  21. Chapter 14. iPod Forensics
    1. Introduction
    2. Analyzing iPod Partitioning
    3. Analyzing the iPod Image File on a Mac
    4. Viewing iPod Artifacts from a Corresponding Mac
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  22. Chapter 15. Forensic Acquisition of an iPhone
    1. Introduction
    2. iPhone & iPod Touch Forensic Concerns
    3. iPhone & iPod Touch Logical Acquisitions
    4. Acquiring a Physical Image of an iPhone
    5. Analysis of the iPhone Image
    6. iPhone Firmware 2.1
    7. Terminology
    8. Summary
    9. Solutions Fast Track
    10. Frequently Asked Questions
  23. Chapter 16. iPhone Forensics
    1. Introduction
    2. iPhone Functions
    3. Carving
    4. Non-Jailbreaking Method of iPhone Analysis
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  24. Appendix A. Using Boot Camp, Parallels, and VMware Fusion in a MAC Environment
    1. Introduction
    2. Boot Camp
    3. Parallels
    4. VMware Fusion
    5. VirtualBox
    6. Summary
    7. Solutions Fast Track
    8. Frequently Asked Questions
  25. Appendix B. Capturing Volatile Data on a Mac
    1. Introduction
    2. Volatile Data Collection
    3. Summary
    4. Solutions Fast Track
    5. Frequently Asked Questions

Product information

  • Title: Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit
  • Author(s): Jesse Varsalone
  • Release date: December 2008
  • Publisher(s): Syngress
  • ISBN: 9780080949185