Macintosh Forensic Analysis Using OS X

Computer forensic analysis is a method of studying and acquiring digital evidence in a manner that ensures the data's integrity. The duty to perform such an analysis often falls upon a police officer in his quest to gather valuable evidence of a crime. Sometimes, however, system administrators and security professionals are required to partake in such functions when they suspect that someone has tampered with their system. The ability to do a proper analysis using sound forensic practices that are accepted in a court of law, opens the door to the possibility of pursuing criminal or civil action against the perpetrator. The purpose of this paper is to describe sound forensic techniques as they pertain to the Macintosh. In order to accomplish this task, I must first describe basic forensic techniques that apply to all computer systems. Then I will provide a brief history of the various Macintosh models and operating systems, as each one can provide some intriguing problems. Finally, I will follow this up with a specific outline of how to perform the proper analysis of a Macintosh computer system using an OS X based system as the analysis machine. The result of this paper will be a useful reference to those people who may be required to perform a computer forensic analysis on a Macintosh.