Computer Forensics Mac
In modern times network infrastructure is far more complex than it has ever been, particularly in the area of mixed platform environments. Disklabs understands that even those companies with in-house security resources may have an experience shortfall when it comes to less common machine architecture. Disklabs provide a whole range of computer forensics services for both PC and Mac forensics. If you are facing legal action and require dependable Mac forensics data and are lacking internal knowledge and expertise to obtain it, Disklabs have qualified Mac forensics analysts, fully capable of utilising a whole range of Mac forensics techniques. The Apple Mac differs from the PC in many ways and it is important that you have a qualified and knowledgeable technician gathering your critical forensics data.
Much of the basic types of evidence which can be found easily on a PC are just not available on a Mac; therefore Mac forensics requires a somewhat different approach. Possibly the main difference between PC forensics and Mac forensics is in the fact that PC forensics will often rely heavily upon interrogating deleted data. However, with Mac forensics the use of the OSX "secure empty trash" feature by the user will wipe this deleted data entirely from the hard disk. Mac forensics differs in a variety of ways, some of which are listed below:
OSX contains a data wiping feature which destroys data completely.
OSX does not create temporary or pointer files.
OSX does not keep a log of devices that have been attached.
OSX stores the Internet browser cache in a single file, which is much harder to interrogate than the PC equivalent data.
OSX does not store configuration data in a single system registry as does the PC; instead it stores configuration data in multiple folders and files in multiple locations.
As we can clearly see, Mac forensics is far less straightforward than similar PC forensics and requires a well-trained Mac forensics analyst to produce effective results. Mac forensics followed a similar pattern or methodology to PC forensics whereby a forensically clean disk image will be created as a first step. Once this disk image has been saved the Mac forensics technician can then begin to interrogate the saved data. Meta data interrogated as part of Mac forensics is less complete than the data obtainable from a PC as the Mac does not record system dates and times, only file creation and modification dates. One final hurdle for the Mac forensics analyst lays in the fact that Mac users often use a larger range of e-mail clients, each of which cannot be interrogated by standard computer forensics tools.