Contribution to Book
Mac OS X Forensics
Advances in Digital Forensics II (2006)
  • Philip Craiger, University of Central Florida
  • Paul Burke, University of Central Florida
Abstract
This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
Keywords
  • Macintosh computers
  • Mac OS X forensics
Publication Date
January, 2006
Editor
Martin S. Olivier and Sujeet Shenoi
Publisher
Springer
Series
IFIP Advances in Information and Communication
ISBN
978-0-387-36890-0
DOI
https://doi.org/10.1007/0-387-36891-4_13
Publisher Statement
A paper from the 2nd IFIP International Conference on Digital Forensics, held at the National Center for Forensic Science, Orlando, Florida, January 29-February 1, 2006.
Citation Information
Philip Craiger and Paul Burke. "Mac OS X Forensics" New York, NY. Advances in Digital Forensics II, Vol. 222 (2006), p. 159-170
Available at: http://works.bepress.com/john_craiger/32/