IN THIS CHAPTER
Understanding the basics of computer forensics
Finding software that shouldn't be running on your Mac
Discovering what network connections are in progress
Examining a compromised Mac with MacForensicsLab
Using other forensics utilities
The word forensics has a number of meanings and can conjure up images of everything from high school speech competitions to medical examiners performing autopsies. In the computer world, forensics refers to an examination of a computer's data that, ideally, prevents any of that data from changing in the course of the investigation. For example, if a computer is suspected of having been used in a crime or if an employer believes that an employee has misused company equipment, investigators or law enforcement personnel might undertake a forensic examination of a computer to look for evidence of wrongdoing. In such cases, it's important that the integrity of the data be preserved during the investigation so potential evidence doesn't disappear while it's being examined and so investigators can't be accused of planting false evidence.
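The integrity requirement described above is usually met in practice by hashing the evidence at acquisition time and re-hashing it after every step of the examination: if the digests still match, nobody (examiner or attacker) altered the data in between. The following script is an added illustration of that idea, not code from this book or from any of the tools it covers. It hashes an evidence file in streaming fashion (so a full disk image need not fit in memory), writes a simple custody record, and then re-verifies; the examiner name and the "evidence" bytes are constructed placeholders, and the `demo()` function deliberately appends a byte to show what a failed verification looks like.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so large disk images stream through memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(path, examiner, algorithm="sha256"):
    """Build a minimal chain-of-custody record: what was acquired, by whom, when, and its digest."""
    return {
        "evidence_path": os.path.abspath(path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": algorithm,
        "digest": hash_file(path, algorithm),
    }


def verify_against_record(record):
    """Re-hash the evidence and compare with the recorded digest.

    Returns (matches, current_digest). A constant-time compare is used out of habit;
    the important point is that any change to the evidence flips `matches` to False.
    """
    current = hash_file(record["evidence_path"], record["algorithm"])
    return hmac.compare_digest(current, record["digest"]), current


def demo():
    """Constructed demonstration: hash an 'evidence' file, alter it, and detect the alteration.

    Returns (verified_before_change, verified_after_change); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.img")
        with open(evidence, "wb") as f:
            # Constructed sample bytes standing in for a disk image.
            f.write(b"constructed sample disk-image bytes\n" * 1000)

        # "examiner-placeholder" is a stand-in for the real examiner's identity.
        record = record_acquisition(evidence, examiner="examiner-placeholder")
        ok_before, _ = verify_against_record(record)

        # Simulate exactly what a forensic process must prevent: the evidence changes.
        with open(evidence, "ab") as f:
            f.write(b"one extra byte")
        ok_after, _ = verify_against_record(record)

        return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"verified at acquisition: {before}; verified after alteration: {after}")
```

In a real examination the record would be written to a separate, append-only location (and ideally signed) at acquisition time, and the working copy of the evidence would be mounted read-only, so that the digest comparison can be repeated at every stage and presented alongside the findings.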
As interesting and important as that aspect of forensics may be, however, the main focus of this chapter isn't on tracking down incriminating files to be used in legal proceedings. This being a book on Mac security, my primary concern here is helping you discover the source of a digital security breach (such as a malware infestation or a network intrusion) ...