Apple Mac
1.Introduction
Mac OS X is a modern operating system that combines a stable core with advanced technologies to help you deliver world-class products. The technologies in Mac OS X help you do everything from managing data to displaying high-resolution graphics and multimedia content, all while delivering the consistency and ease of use that are hallmarks of the Macintosh experience.
2.Client
Computer forensics and eDiscovery have not only become more challenging in the last few years, they have become practically unmanageable in terms of volume and cost. Many tools seem to ignore the issues faced by computer forensic examiners and investigators, shepherding them into a one-size-fits-all approach. One company has been watching and listening to the clamor of complaints: Perlustro.
Perlustro partnered with SUMURI to deliver training and certifications related to Perlustro products. SUMURI is Cellebrite's oldest and longest running officially authorized training provider. SUMURI's training is designed for front-line law enforcement, intelligence, military and corporate investigators, who want to gain a practical, hands-on understanding of cellular technology in addition to obtaining an official certification as a Certified Cellebrite UFED Mobile Device Examiner.
With tools designed to handle the obstacles that exist today and those that may arise tomorrow, Perlustro has solutions that overcome the limitations of other forensic tools. These solutions allow your examiners and agency to be more productive and efficient with today's ever-increasing caseloads.
3.Requirement
Computer forensic and eDiscovery software for examining Macintosh computers and devices is limited at best. The purpose of computer forensics and eDiscovery is to extract, preserve and report on data contained on a computer which may be of evidentiary value. One common problem with Macintosh forensics is that those tasked with performing an analysis of a Macintosh computer or Apple device usually do not have the knowledge base or skills to successfully conduct an examination.
The primary purpose of this project is to develop a forensic application that assists computer forensic examiners and eDiscovery professionals in extracting items of evidentiary value and placing that information into a well-organized report through a simple user interface. When the eDiscovery Mode option is selected, the application should produce reports that conform to current eDiscovery standards.
Items of value to an investigator are:
- System Information/Log Files
- Emails
- Contacts
- Calendar/Event data
- Document Files
- Internet History
- Chat/VOIP Communications and Data
- Media Files
- iPhone Backup Files
- Peer 2 Peer (P2P) data
- BitTorrent data
- Trash Files
4.Solution Provided
Each section represents a step in the examination process. Each run of the application is referred to as a "CASE". Some steps are mandatory and others are optional. In each section the user selects options and provides the information needed for the examination. These selections are saved, so the user can retrieve them later or store them as a template for future cases.
The user enters the appropriate case information and selects the forensic image or drive from which data is to be extracted, then selects under each section the types of data to extract.
Various sections involved in the process are:
CASE INFORMATION
The user would enter the case details, examiner details and investigator's details.
EVIDENCE SELECTION
The user attaches the hard drive that is to be examined. The drive can be attached through a physical (hardware) write blocker; alternatively, it can be attached with Disk Arbitration turned off, and the application provides an option to disable or enable Disk Arbitration. A forensic image file can be attached instead of a drive. Note that turning off Disk Arbitration only stops Mac OS X from automatically mounting the drive's volumes; it does not block writes the way a hardware write blocker does, so any volume the examiner mounts afterwards must be mounted read-only, and the evidence should be hashed before and after the examination so the report can show it was not altered.
USER SELECTION
This section lists the user accounts found on the evidence so that the examiner can choose which to examine. Once a user account is selected, the examination proceeds to the sections below, where the examiner selects the items of interest.
SYSTEM INFORMATION
The user extracts information relating to the system. This section lists the available log files from which the user can extract data.
EMAIL INVESTIGATION
This section allows the user to extract information relating to email (Apple Mail client and Entourage).
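As an added illustration of what the email step has to read (this is example code written for this page, not the project's own code), the following parses a single Apple Mail .emlx message into the fields an examiner would put in a report: the RFC 822 headers, the body, and Mail's own metadata trailer. The sample message and its trailer are constructed here; the names given to the low bits of Mail's "flags" integer are the commonly documented ones and are an assumption.

```python
# Added example (not part of the project): parse an Apple Mail .emlx message.
# The sample message and metadata trailer below are constructed; the flag bit
# names in FLAG_BITS are an assumption based on commonly documented Mail values.
import email
import plistlib
from datetime import datetime, timezone
from email import policy

# Mail stores one message per file as <id>.emlx under
# ~/Library/Mail/<account>/<mailbox>.mbox/Messages/. Layout of the file:
#   line 1      : decimal byte length of the RFC 822 message
#   next N bytes: the raw message
#   remainder   : an XML plist with Mail's metadata (date-received, flags, ...)

# Assumed meaning of the low bits of the "flags" integer.
FLAG_BITS = {"read": 1 << 0, "deleted": 1 << 1, "answered": 1 << 2,
             "encrypted": 1 << 3, "flagged": 1 << 4, "draft": 1 << 6}


def build_emlx(message: bytes, metadata: dict) -> bytes:
    """Assemble an .emlx file the way Mail lays it out (used only to build the sample)."""
    trailer = plistlib.dumps(metadata, fmt=plistlib.FMT_XML)
    return str(len(message)).encode("ascii") + b"\n" + message + b"\n" + trailer


def _header(msg, name):
    value = msg[name]
    return None if value is None else str(value)


def _text_body(msg) -> str:
    """Return the first text/plain part, decoded, for the report summary."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            return raw.decode(charset, errors="replace").strip()
    return ""


def parse_emlx(data: bytes) -> dict:
    length_line, sep, rest = data.partition(b"\n")
    if not sep or not length_line.strip().isdigit():
        raise ValueError("not an emlx file: first line is not a byte count")
    length = int(length_line)
    if length > len(rest):
        raise ValueError(f"truncated emlx: header claims {length} bytes, only {len(rest)} present")
    raw_message = rest[:length]
    trailer = rest[length:].lstrip()          # the XML parser needs <?xml at the first byte
    meta = plistlib.loads(trailer) if trailer else {}
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    received = meta.get("date-received")      # Unix seconds, set by Mail when it stored the message
    flags = int(meta.get("flags", 0))
    return {
        "from": _header(msg, "From"),
        "to": _header(msg, "To"),
        "subject": _header(msg, "Subject"),
        "message_id": _header(msg, "Message-ID"),
        "date_header": _header(msg, "Date"),
        "date_received_utc": (datetime.fromtimestamp(received, tz=timezone.utc).isoformat()
                              if received is not None else None),
        "flags": {name: bool(flags & bit) for name, bit in FLAG_BITS.items()},
        "body": _text_body(msg),
    }


# Constructed sample: received 2009-03-03 14:02:11 UTC (Unix 1236088931),
# flags 17 = read (bit 0) + flagged (bit 4).
SAMPLE_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Q3 figures\r\n"
    b"Date: Tue, 03 Mar 2009 14:02:11 +0000\r\n"
    b"Message-ID: <a1@example.com>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
)
SAMPLE_EMLX = build_emlx(SAMPLE_MESSAGE,
                         {"date-received": 1236088931, "flags": 17, "subject": "Q3 figures"})

if __name__ == "__main__":
    for key, value in parse_emlx(SAMPLE_EMLX).items():
        print(f"{key:18} {value}")
```

The length line is the only thing that tells the parser where the message ends and Mail's trailer begins, so a file whose declared length exceeds the bytes present is reported as truncated rather than parsed as a shorter message; the Date header and Mail's date-received are kept as separate fields because the first is set by the sender and the second by the examined machine.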
CONTACTS
This section allows the user to extract information, which relates to Contacts (Apple Address Book and Entourage).
CALENDAR EVENTS
This section allows the user to extract information, which relates to Calendar Events (Apple iCal and Entourage).
DOCUMENT FILES
This section allows the user to extract information, which relates to Documents.
INTERNET HISTORY
This section allows the user to extract information, which relates to Internet History (Safari and Firefox).
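The two browsers named here keep history in different stores with different clocks, which is the main thing an extraction step has to get right. As an added example (written for this page, not the project's code), the following reads a Safari History.plist and a Firefox places.sqlite and merges them into one UTC timeline. Both inputs are constructed in memory; the Safari keys and the Firefox table layout are those of the Safari 3/4 and Firefox 3 era, and the sample URLs and times are invented.

```python
# Added example (not the project's code): merge Safari and Firefox history into
# one UTC timeline. Inputs are constructed in memory below.
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Safari keeps ~/Library/Safari/History.plist, a binary plist. "WebHistoryDates" holds
# one dict per URL: the URL is stored under the empty-string key, and lastVisitedDate
# is a string of seconds since 2001-01-01 00:00:00 UTC (Mac absolute time), not Unix time.
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds) -> datetime:
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=float(seconds))


def prtime_to_utc(micros: int) -> datetime:
    # Firefox stores visit_date as PRTime: microseconds since the Unix epoch.
    return datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)


def parse_safari_history(blob: bytes) -> list:
    records = []
    for entry in plistlib.loads(blob).get("WebHistoryDates", []):
        url = entry.get("")
        if not url:
            continue
        visited = entry.get("lastVisitedDate")
        records.append({
            "browser": "Safari", "url": url, "title": entry.get("title", ""),
            "visits": int(entry.get("visitCount", 0)),
            "when": mac_absolute_to_utc(visited) if visited is not None else None,
        })
    return records


def parse_firefox_history(conn: sqlite3.Connection) -> list:
    # moz_historyvisits has one row per visit; moz_places holds the URL and title.
    # A real file should be opened read-only: sqlite3.connect("file:places.sqlite?mode=ro", uri=True)
    sql = """SELECT p.url, p.title, p.visit_count, v.visit_date
             FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id"""
    return [{"browser": "Firefox", "url": url, "title": title or "", "visits": int(count),
             "when": prtime_to_utc(visit_date)}
            for url, title, count, visit_date in conn.execute(sql)]


def build_timeline(safari_blob: bytes, firefox_conn: sqlite3.Connection) -> list:
    """Merge both sources, oldest first, with ISO 8601 UTC timestamps for the report."""
    records = parse_safari_history(safari_blob) + parse_firefox_history(firefox_conn)
    records.sort(key=lambda r: r["when"] or MAC_ABSOLUTE_EPOCH)
    for r in records:
        r["when"] = r["when"].isoformat() if r["when"] else None
    return records


# Constructed samples. Unix time 1236088931 is 2009-03-03 14:02:11 UTC; in Mac
# absolute time that is 1236088931 - 978307200 = 257781731.
SAFARI_HISTORY = plistlib.dumps({
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "http://example.com/login", "title": "Login",
         "lastVisitedDate": "257781731", "visitCount": 3},
    ],
}, fmt=plistlib.FMT_BINARY)


def sample_firefox_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER, session INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://intranet.example/report', 'Report', 2,
                                       1236088931500000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1236085331000000, 1, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1, 1236088931500000, 1, 1);
    """)
    return conn


if __name__ == "__main__":
    for r in build_timeline(SAFARI_HISTORY, sample_firefox_db()):
        print(r["when"], r["browser"], r["visits"], r["url"])
```

Safari only records the last visit per URL, while Firefox records every visit, so the merged timeline carries one Safari row per URL and one Firefox row per visit; the report should say which, since an investigator reading "visited three times" will otherwise expect three rows.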
INSTANT MESSENGER/ VOIP Applications
This section allows the user to extract information relating to Instant Messenger and VoIP applications (iChat, Yahoo Messenger, AIM, MSN Messenger, Skype).
MEDIA FILES
This section allows the user to export files and/or information, which relate to media files and applications (images, videos, iPhoto, iMovie, iDVD).
PEER 2 PEER/BITTORRENT Applications
This section allows the user to extract information relating to P2P and BitTorrent applications (LimeWire, Vuze).
IPHONE/IPOD TOUCH BACKUP FILES
This section allows the user to extract information contained in the iPhone backup files.
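Before anything can be extracted from an iPhone backup, the examiner has to locate the backup directory, read the device details, find the databases of interest among files whose names carry no hint of their contents, and check whether the backup is encrypted. The following is an added example of that step (written for this page, not the project's code). The backup directory is constructed in a temporary folder; the Info.plist key names and the domain-relative paths of the databases are the ones iTunes and iOS use, and reading the encryption state from the IsEncrypted key of Manifest.plist is an assumption that holds for iOS 4-era backups.

```python
# Added example (not the project's code): locate and describe an iTunes backup.
# The sample backup is constructed in a temporary directory below.
import hashlib
import os
import plistlib
import tempfile
from datetime import datetime

# iTunes stores each device backup under
# ~/Library/Application Support/MobileSync/Backup/<UDID>/. Beside Info.plist (device
# details) and Manifest.plist (backup details), every backed-up file is named by the
# SHA-1 of "<domain>-<path relative to that domain>", so a known database can be
# addressed directly without a lookup table.


def backup_file_name(domain: str, rel_path: str) -> str:
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


FILES_OF_INTEREST = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "calendar": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "call_history": ("HomeDomain", "Library/CallHistory/call_history.db"),
    "notes": ("HomeDomain", "Library/Notes/notes.db"),
}
METADATA_FILES = ("Info.plist", "Manifest.plist", "Status.plist")


def _load_plist(path: str) -> dict:
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def describe_backup(backup_dir: str) -> dict:
    info = _load_plist(os.path.join(backup_dir, "Info.plist"))
    manifest = _load_plist(os.path.join(backup_dir, "Manifest.plist"))
    found = {}
    for label, (domain, rel_path) in FILES_OF_INTEREST.items():
        name = backup_file_name(domain, rel_path)
        # iOS 4 and later store content under the bare hash; earlier versions used .mddata
        for candidate in (name, name + ".mddata"):
            if os.path.isfile(os.path.join(backup_dir, candidate)):
                found[label] = candidate
                break
    last = info.get("Last Backup Date")
    return {
        "udid": os.path.basename(backup_dir.rstrip(os.sep)),
        "device_name": info.get("Device Name"),
        "ios_version": info.get("Product Version"),
        "last_backup": last.isoformat() if isinstance(last, datetime) else None,
        # An encrypted backup cannot be read without its password (assumed key name);
        # the report should state that rather than list unreadable files.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "files": found,
        "file_count": sum(1 for n in os.listdir(backup_dir) if n not in METADATA_FILES),
    }


def build_sample_backup(root: str) -> str:
    """Construct a minimal unencrypted backup directory for the example (invented values)."""
    udid = "0123456789abcdef0123456789abcdef01234567"
    backup_dir = os.path.join(root, udid)
    os.makedirs(backup_dir)
    with open(os.path.join(backup_dir, "Info.plist"), "wb") as fh:
        plistlib.dump({"Device Name": "Alice's iPhone", "Product Version": "3.1.3",
                       "Unique Identifier": udid,
                       "Last Backup Date": datetime(2009, 3, 3, 14, 2, 11)}, fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": False}, fh)
    for domain, rel_path in (FILES_OF_INTEREST["sms"], FILES_OF_INTEREST["contacts"]):
        path = os.path.join(backup_dir, backup_file_name(domain, rel_path) + ".mddata")
        with open(path, "wb") as fh:
            fh.write(b"SQLite format 3\x00")   # header only; a real file holds the database
    return backup_dir


def sample_report() -> dict:
    with tempfile.TemporaryDirectory() as root:
        return describe_backup(build_sample_backup(root))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:12} {value}")
```

The hash of "HomeDomain-Library/SMS/sms.db" is the same on every device, which is why an examiner can check for the SMS database by name; files whose domain or path is not already known still need the backup's manifest to be mapped back to a path.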
TRASH FILES
This section allows the user to list and extract information about files found in the hidden trash directories: the per-user .Trash folder in each home directory and the per-volume .Trashes/<uid> folders on other mounted volumes.
