Mac Forensics is different!
When taking on new digital forensics cases, keep in mind that not all operating systems and file systems are equal! This is especially true when you compare a Mac system to a Windows system. [Insert Apple commercial here] I commonly come across examiners who try to apply Windows forensics facts when examining a Mac computer. They get in trouble pretty fast. Macintosh forensics is different!
We oftentimes use the old library card catalog system with our clients to explain how the deletion of files works on both Macintosh- and Windows-based computers. The card catalog in a typical library system contains the book name, author, publisher and, most importantly, the location of the book in the library. The Master File Table, or “MFT”, is the card catalog equivalent in the Windows computer world. The “MFT” contains the location of a file, when it was created, modified, accessed, etc. The “book” in the card catalog system is a file. When a file is deleted within a Windows computer, a special designation is made in the “MFT” keeping track of the deletion. No, the “librarian” does not take the “book” off the shelf and throw it away, burn it or even rip out pages. Once you hit the delete key, the file is still fully recoverable until a new file is written to the space where the old file existed. There is no way to predict when this will occur. If that special designation is removed from the file, the file is fully recoverable!
In the Mac world, the card catalog is the “iNode” (commonly known as “Index Node” or “Identification Node”). Here is one instance where misinterpretation of artifacts commonly occurs. Once the delete key is hit on a Mac system, a permanent separation occurs between the “iNode” entry and the file itself. There is no longer any association between the metadata of a file and the file itself! Many tools claim to be able to recover this information fully, but this is irresponsible and incorrect! To make matters worse, the “iNode” entries are quickly compressed, permanently removing the “card catalogs” from the Mac operating system! Now you may ask, what happened to the book when the card in the card catalog is gone? The entire book is still available, but you have to search the library to find it! A process called “carving” is utilized to find the file in the “sea of books” on the hard drive. The “iNode” information is no longer available.
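To make the carving step concrete, here is an added example (not code from the original post) that scans a constructed byte buffer, standing in for a disk image, for the standard JPEG start and end markers. The sample image, its zero filler and the two fake picture payloads are all constructed for the demonstration; note that the output can say where the bytes were and how many there are, but never what the file was called or when it was created.

```python
"""Header/footer carving over a constructed 'disk image' (added example).

Once the inode/catalog record is gone, carving scans raw bytes for file
signatures. The recovered span has content but no name, path or dates.
"""
from dataclasses import dataclass

JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker


@dataclass
class CarvedFile:
    offset: int   # byte offset in the image where the header was found
    data: bytes   # recovered content; no filename or timestamps exist


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return every header..footer span that looks like a JPEG.

    The scan is purely sequential and uses no file-system structure.
    A header with no footer within max_size is skipped as unrecoverable.
    """
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1          # no footer in range: move past this header
            continue
        end += len(JPEG_FOOTER)
        results.append(CarvedFile(start, image[start:end]))
        pos = end                    # resume after this file to avoid nested hits
    return results


def build_sample_image() -> bytes:
    """Constructed sample image: two fake JPEG payloads separated by zero filler."""
    pic1 = JPEG_HEADER + b"\xe0" + b"first picture" + JPEG_FOOTER
    pic2 = JPEG_HEADER + b"\xe1" + b"second picture" + JPEG_FOOTER
    filler = b"\x00" * 64
    return filler + pic1 + filler + pic2 + filler


if __name__ == "__main__":
    for f in carve_jpegs(build_sample_image()):
        print(f"offset={f.offset} size={len(f.data)} name=<unknown> dates=<unknown>")
```

Real carvers validate far more of the internal structure than a start and end marker, but the limitation is the same: whatever is recovered arrives without the catalog metadata the examiner would normally rely on.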
One of the most common misinterpretations of Mac artifacts occurs in the interpretation of dates within a Mac computer system. The first order of business as computer forensic examiners is to determine what type of file systems we are dealing with on the computers we are examining and to understand their differences. For example, within the Windows world the NTFS file system “create” date of a file is when the file came into existence on a volume. Why did I say it that way? Well, let’s say that you received an email from your significant other today and it contained a picture of the family pet that was taken when you first adopted them. It has been a number of years since you adopted the pet, but you wanted the daily reminder of how cute they used to be, so you download it to your Windows computer. The picture was taken a number of years ago, but the create date on the NTFS volume is recorded as the date and time you downloaded the picture, which was today.
Let’s say that your significant other, who uses a Mac computer, is worried that the picture they took a year ago would be lost forever, so they decide to make a backup of the picture that is located on their Mac, which has an HFS+ partition. They buy a hard drive that is formatted HFS+, which is one of the common file systems supported by a Mac operating system. They copy the picture to this backup hard drive. The “create” date of the picture on the backup would not be the date and time of this most recent copy, but the date the picture was originally transferred to the Mac from the digital camera years ago!
Mac forensic analysis of various file systems can get pretty tricky, but with an understanding of how different file systems work and thorough testing you can avoid a lot of headaches!