Mac OS X forensics website and book

A lot of the forensic software, research and investigations are still about Windows software, reflecting the market share that this operating system has. However, it looks like Apple is definitely doing some good work to grab its piece of the market.

When you run into one of these machines, it might give you a bit of a forensic challenge, as you have to deal with both another operating system (which is luckily Unix/BSD based) and with new hardware. Take a look at the various guides at http://www.ifixit.com/Guide/Mac/ to get a feeling about the number of screws you have to remove to get to a hard drive in a MacBook Pro for example…(luckily there are some other ways to create an image without removing the drive, for example using target disk mode).

To gain more insight into doing forensics on these machines, Ryan Kubasiak’s website http://www.macosxforensics.com/ is an excellent resource for all hardware and software related questions. The site covers not just Apple computers, but also iPhones and iPods. Since a few days, he has added a forum to the website so that might be cool to checkout as well.

He also announced the upcoming release of a new book on Macintosh Forensics, of which he is one of the co-authors. It should be available in December (Christmas present ;-) ?) and you can already pre-order it via Elsevier.

Finally, if you are interested in having one of these shiny machines as your own forensic workstation, check out the section on the setup of your own Forensic Macintosh :)