hdiutil mount /Volumes/Images/badguy.dmg in Objective-C

Generate DataMatrix in Objective-C hdiutil mount /Volumes/Images/badguy.dmg

NOTE: This is an example of various techniques for mounting disk images. Do not use the above command on live data, as it will attempt to clean the file system. If the data should be tracked as part of an actual investigation, then proceed on with the subsequent examples. Now, we re going to add the -shadow option and follow it with the location of the shadow mount:

You can now write data into the image or remove data from the image and then unmount it:

Remounting the image should give you an image that did not save any of the previous changes. While forensics is one place for this type of technology, there are others, such as the NetBoot environment, where you don t want users writing data anywhere except for a userland space. Another place for this is the default EC2 environment, where users will be working on virtual machines all day long, but will only write changes back in if they save a copy of the machine into a local space, such as their S3 account. It also makes for a nice way to store images (and images containing packages) during the imaging process for a number of environments.

SFT (Safari Forensic Tools) is a collection of command line tools that can be used to analyze information from Safari. The tools include parsers for Safari history, downloads, cookies, bookmarks, icon caches, and other information. They re easy to use and can aid you in learning a bit more about what kind of information you leave behind on your own system. To download SFT visit http://jafat.sourceforge.net/files.html.

A wide variety of command-line tools are included with Leopard that can be used with forensic investigations and primarily the acquisition of forensic images. You can use the mount command to mount connected disks to a forensic system. To mount a system as read-only for inspection, you can use the mount r command. Once the disk is mounted, you will typically want to use dd on the drive. The dd command is a method for creating disk images that can be used for acquiring a forensic disk image. The dd command is preferred over Disk Utility, because it can create a disk image without being required to actually mount a drive, which, as discussed, can potentially contaminate the drive for future use as evidence. The dd command can also split disk images into segments, allowing you to burn the image to optical media or place it onto hard drives to present evidence to another party for their own forensic investigation. Once the disk has been imaged, you can move on to building a hash of the drive using the openssl command. Be aware, though, that unless you know exactly what you are doing with the command-line tools, you run the risk of contaminating your evidence. This is one instance where the danger of breaking your chain of custody may outweigh the cost of purchasing a package like MacForensicsLab.

Summary

In this chapter we took a cursory look at the delicate art of forensics. We also looked heavily at using MacForensicsLab to perform the acquisition and analysis of a drive, but we wouldn t want to take anything away from many of the other solutions out there. They are almost all fantastic. What software cannot do is actually parse through every single file and folder and return all of the relevant data. This could be because a date is stored in some kind of encoded format, or because it s in an image. Manual analysis of the acquired data will net a far more accurate account of events if done so in the hands of a well-trained forensics analyst. Use this chapter as a reference to perform front-line forensics analysis or as a reference for porting existing forensics skills from Windows to Mac OS X. However, if you have an in-depth investigation that you would like to perform consult a professional in that field.