Mac Forensics is different!
All operating systems and file systems are not equal! This is especially true when you compare a Mac system to a Windows system. [Insert Apple commercial here] I commonly come across examiners who try to apply Windows forensics facts when examining a Mac computer. They get in trouble pretty fast!
We oftentimes use the old library card catalog system with our clients to explain how the deletion of files works on both Macintosh and Windows-based computers. The card catalog in a typical library system contains the book name, author, publisher and, most importantly, the location of the book in the library. The Master File Table, or “MFT”, is the card catalog equivalent in the Windows computer world. The “MFT” contains the location of a file, when it was created, modified, accessed, etc. The “book” in the card catalog system is a file. When a file is deleted within a Windows computer, a special designation is made in the “MFT” keeping track of the deletion. No, the “librarian” does not take the “book” off the shelf and throw it away, burn it or even rip out pages. Once you hit the delete key, the file is still fully recoverable until a new file is put in the space where the old file existed. There is no way to predict when this will occur. If that special designation is removed from the file, the file is fully recoverable!
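
To make the "special designation" concrete, here is an added example (not part of the original article) that parses one NTFS MFT FILE record and reports its in-use flag together with the name and timestamps still stored in the record. The record is constructed by the hypothetical helper build_sample, and the update-sequence fixup that a real record needs before parsing is left out as a simplifying assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

IN_USE, IS_DIR = 0x0001, 0x0002              # FILE record header flags (offset 0x16)
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF  # attribute type codes

def filetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_record(rec):
    """Read the deletion state, name and timestamps from one MFT record (no fixups)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"in_use": bool(flags & IN_USE), "directory": bool(flags & IS_DIR),
            "sequence": seq, "name": None}
    off = attr_off
    while off + 8 <= len(rec):                       # walk the attribute list
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            created, modified, _mft, accessed = struct.unpack_from("<4Q", rec, c + 8)
            nlen = rec[c + 0x40]                     # name length in UTF-16 characters
            info["name"] = rec[c + 0x42:c + 0x42 + 2 * nlen].decode("utf-16-le")
            info.update(created=filetime(created), modified=filetime(modified),
                        accessed=filetime(accessed))
        off += alen
    return info

def build_sample(name, flags):
    """Hypothetical helper: constructed 1024-byte record with one $FILE_NAME attribute."""
    ft = 132539328000000000                          # constructed: 2021-01-01 00:00 UTC
    body = struct.pack("<Q4Q2QII", 5, ft, ft, ft, ft, 0, 0, 0, 0)
    body += bytes([len(name), 1]) + name.encode("utf-16-le")
    body += b"\x00" * (-len(body) % 8)               # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(body),
                       0, 0, 0, 0, 0, len(body), 0x18, 0, 0) + body
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 7, 1, 0x38, flags,
                      0, 1024, 0, 1).ljust(0x38, b"\x00")
    return (hdr + attr + struct.pack("<I", ATTR_END)).ljust(1024, b"\x00")

if __name__ == "__main__":
    for label, flags in (("live", IN_USE), ("deleted", 0)):
        print(label, parse_record(build_sample("report.docx", flags)))
```

Both sample records return the same name and timestamps; only the in-use flag differs.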
