Macintosh Examinations with EnCase
- Apple and Mac history
- Course purpose, content, and methodology
- Necessity to possess a Mac in order to examine Mac data
- Issues associated with the forensic preservation of Macintosh on-disk data
- The structure of Mac on-disk data and low-level information regarding the Apple Map and GUID Partition Table (GPT) partitioning schemes
- Impact of Apple’s implementation of GPT as opposed to that used by MS Windows
- The structure of HFS+ volumes
- The structure of the Catalog file
- The concept of HFS+ b-tree files and how the b-tree nodes in the Catalog file are used to index and store HFS+ file and folder records
- Locating and examining the structure of Catalog file and folder records manually and by using EnScript modules
- The structure of the Extents Overflow file
- An examination of some fundamental aspects of Mac OS X that are likely to play a part in any Macintosh examination
- Examination of Macintosh disks and disk images using the examiner’s own forensic Macintosh computer
- An examination of the Mac OS X operating system artifacts associated with the system as a whole rather than a specific user
- A review of user-specific Mac OS X operating system artifacts
- An examination of Mac OS X application artifacts
- An examination of Internet-related Mac OS X application