
Ultimate Guide to Mac OS Forensics
Last updated: 03/16/04
If you have any suggestions for links or comments, please feel free to e-mail me:
macbuddy@mac.com
derrick@blackbagtech.com
Macintosh Forensic Software, Hardware, Forensic training, Data Recovery, Forensic analysis, Security consulting
BlackBag Technologies
Macintosh Forensic Forum on Yahoo:
http://groups.yahoo.com/group/macos_forensics/
SleuthKit (Brian Carrier)
http://www.sleuthkit.org/sleuthkit/index.php
MacSurfer
SiteLink
Mac Security News Portal
http://www.macintoshsecurity.com/
Mac OS X
http://www.applelinks.com/news/osx/
http://macspeedzone.com/html/hubs/central/os/x/Xnews.html
MacSlash
http://www.macslash.org/
Apple Support Sites:
Apple Security Site
http://www.info.apple.com/usen/security/
Apple Security Updates
http://www.info.apple.com/usen/security/security_updates.html
http://www.apple.com/macosx/technologies/security.html
Apple Security Info
http://developer.apple.com/internet/macosx/securityintro.html
http://developer.apple.com/internet/macosx/securitycompare.html
Apple Spec Database
http://www.info.apple.com/support/applespec.html
Mac Forensic Links:
BlackBag Forensic Software
http://www.blackbagtech.com/software.html
Link for BootCd
http://homepage.mac.com/csrstka/
Prosoft DataRescue
http://www.prosofteng.com/index.php?datarescue&store
Good link for MD5 in Mac OS X
http://www.macsecurity.org/resources/
Very easy to compile in Mac OS X
Fatback v1.3 - undelete files from FAT filesystems
http://prdownloads.sourceforge.net/biatchux/fatback-1.3.tar.gz
author, Nick Harbour - DoD Computer Forensics Lab harbourn (at) dcfl dot gov
Original Links for dcfl-dd:
DCFL-DD v1.0 - (an enhanced dd with MD5 hashing)
http://prdownloads.sourceforge.net/biatchux/dcfldd-1.0.tar.gz
based on available docs, I haven't determined who made the enhancements
Now compiled for Mac OS X (dcfl-dd)
http://homepage.mac.com/macbuddy/.cv/macbuddy/Public/DCFLDD.pkg.sit-link.sit
Foremost v.62 - digs through image (dd) files to recover files based on header info
http://prdownloads.sourceforge.net/biatchux/foremost-0.62.tar.gz
authors, Jesse Kornblum and Kris Kendall - jesse.kornblum (at) ogn.af.mil
Read-Only Firewire to IDE
http://www.digitalintel.com/fireblock.htm
Copy Cloner
http://www.bombich.com/software/ccc.html
MacDrive 5 (this would be great with iLook)
http://www.media4.com/products/macdrive/
Link for the Acard read-only SCSI to IDE
http://www.microlandusa.com/microland/product_detail.asp?non=1&p%5Fid=AEC7720WP
A tool to extract info from Desktop DB Files, works in Classic only:
http://www.tempel.org/macdev/#DTDBDiver
Ilook IRS Software
http://www.ilook-forensics.org/
http://www.ilook.fsnet.co.uk/ilook/ilook.htm
Version Tracker
MacUpdate
VersionMaster
http://www.versionmaster.com/
Graphic Converter
http://lemkEsoft.com/gcdownload_us.html
iView
http://www.iview-multimedia.com/
Can Opener
http://www.abbottsys.com/co.html
MacLinkPlus 13
http://www.dataviz.com/products/maclinkplus/index.html
DiskWarrior
http://www.alsoftinc.com/DiskWarrior/
DiskTracker
http://www.disktracker.com/download.shtml
Norton Utilities
http://www.symantecstore.com/smbmac/
Disk Utilities
FWB
InTech
CharisMac
DiskRepair
Drive10
http://www.micromat.com/drive10.html
Priv Repair
http://docs.info.apple.com/article.html?artnum=106900
TechTool
http://www.micromat.com/techTool_Pro3/index_techTool_Pro.html
File Info
File Buddy
http://www.skytag.com/filebuddy/7/index.html
Drop Info
http://www1.iwvisp.com/kmelton/
Browser Caches
Browser Cookies
Compression
Stuffit Deluxe
http://www.stuffit.com/stuffit/deluxe/index.html
Stuffit Lite
http://www.stuffit.com/stuffit/lite/index.html
Stuffit Expander
http://www.stuffit.com/expander/index.html
Backup
Retrospect
Folder Synchronizer
http://www.softobe.com/products/flsy/pp.html
Disk Copy Utilities
Cloning
Carbon Copy Cloner
http://www.bombich.com/software/ccc.html
CloneX
http://www.tri-edre.com/english/cloner.html
CD Burning
Toast
http://www.roxio.com/toastosx/
Volume/File Backup
Other Utilities
TinkerTool
http://www.bresink.de/osx/TinkerTool2.html
Hardware
General Online Mac Commercial Sites
http://www.clubmac.com/clubmac/
http://www.maczone.com/cgi-bin/zones/site/home/index.html?zone=mac
http://www2.warehouse.com/default.asp?home=mac&origin=homemac&cat=mac
http://www.transintl.com/newstuff/index.cfm
FireWire Depot
http://www.fwdepot.com/catalog/default.php
FirewireDirect
http://www.firewiredirect.com/
MegaHaus
MCE
OWC
Granite Digital
http://www.scsipro.com/catalog/pg19_firewirebridgeboards.htm
Digital Intel
Sonnet Cards
http://www.sonnettech.com/product/tempo.html
KeySpan
http://www.keyspan.com/products/homepage-FireWire.spml
Pyro Drive Kits
http://www.adstech.com/products/PYRO1394DriveKit/intro/API800intro.asp?pid=API-800
Cool Mac Stuff
http://www.crywolfstore.com/cool/
http://www.crywolfstore.com/cool/?action=Details&sku=29
Firewire Hubs
http://www.devdepot.com/list.html?cref=402
IOGear
Iomega
http://www.iomega.com/na/landing.jsp
APS
http://www.apstech.com/
VST
MacRaid
HyperMicro
http://www.hypermicro.com/store/index.htm
Ratoc
http://www.ratocsystems.com/english/index.html
OrangeMicro
Firewire
http://www.orangemicro.com/firewire.html
SCSI
http://www.orangemicro.com/grapplerscsi.html
Belkin Products
LogiCube
ICS
GreyStone
http://www.abcusinc.com/hd_duplication/hd_duplication.html
http://www.storageheaven.com/products/duplication_harddrive.asp
Adaptec
Macintosh
Firewire
SCSI
SCSI for Macintosh
SCSI for PowerBooks
SCSI Cables
http://www.ramelectronics.net/html/scsi.html
http://www.scsisource.com/scsi_cables/
Firewire Cables
http://www.firewirestuff.com/cables1.html
http://www.synchrotech.com/product-1394/
http://www.technowarehousellc.com/fircabkit.html
Windows Tools to analyze Macs
http://www.asy.com/scrtm_go.htm
http://www.sf-soft.de/index-m.html
http://www.forensics-intl.com/
DD Imaging from CrazyTrain (Thomas Rude)
http://www.crazytrain.com/dd.html
http://www.crazytrain.com/dd2.html
Forensics from Linux (Thomas Rude)
http://www.crazytrain.com/monkeyboy/Next_Generation_Forensics_Linux.pdf
The Law Enforcement Introduction to Linux (Barry J. Grundy)
http://home.columbus.rr.com/bgrundy/linlaw/linuxintro-1.8.1.pdf
Good Linux links
http://www.porcupine.org/forensics/tct.html
http://www.dmares.com/maresware/linux.htm
http://www.cpc.gc.ca/courses/descript/linux_e.htm
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
http://www.computer-investigators.com/forensic_links.html
http://www.rcfg.org/gmu2002/lab_linux_forensics.htm
http://biatchux.dmzs.com/?section=tools
http://www.crazytrain.com/presentations.html
http://www.forensic-computers.com/HTML_ONLY/links.htm
http://www.forensic-computers.com/
http://www.crazytrain.com/links.html
http://www.accessdata.com/Product04_Support.htm?ProductNum=04
http://www.compuforensics.com/training.htm
http://vip.poly.edu/kulesh/forensics/list.htm
http://www.vogon.co.uk/mobile-station.htm
http://www.digital-detective.co.uk/
http://www.computer-forensics.com/
http://www.sandersonforensics.co.uk/
http://www.cybersnitch.net/tucofs/tucofs.asp
http://virlib.ncjrs.org/lawe.asp?category=48&subcategory=193
DD Report
http://www.ojp.usdoj.gov/nij/pubs-sum/196352.htm