24.5. Other Forensics Tools

Although I happen to think MacForensicsLab is a pretty thorough and well-designed forensics package, it's not the only game in town. Other tools offer different ranges of features that may be more appropriate for your needs.

24.5.1. MacLockPick II

Of all the forensics software I've tried for Mac OS X, MacLockPick II, from the makers of MacForensicsLab (www.MacForensicsLab.com, $499.95), is the scariest by far. (Whether that's a good thing or a bad thing depends on your point of view.) The purpose of this application is to extract as much information as possible from the current user's account on a running Mac, without leaving behind any trace that it was even used. The software comes on a tiny, specially designed USB flash drive. After configuring the software beforehand (on either a Mac or a PC) to collect the pieces of data you want, you insert the key in the target computer, launch the MacLockPick program, and wait for a few minutes while it searches for interesting information (which it then copies to the flash drive itself or to another external volume you've connected). You can then remove the flash drive and examine the data at your leisure, on your own computer, using the MacLockPick Reader application, shown in Figure 24.15.

Figure 24.15. The MacLockPick Reader application displays all the information captured using MacLockPick II. This example shows just a tiny portion of the user's Firefox browsing history.

Here's a partial list of the ...
