
Mac® Security Bible by Joe Kissell


24.1. Overview of Computer Forensics

Investigating whether a Mac has been compromised, how it happened, and how it came to be in that state can be a lengthy and tedious process. Whether you undertake it at all, and how deeply you delve into the computer's secrets, depend on the severity and impact of the problem, the amount of time you have available, and what's at stake. For example, if a random malware program has started displaying advertising messages or running a chat service on a single Mac, that's an annoyance, for sure—but not serious enough to justify days of detailed work tracking it down. On the other hand, if someone has broken into your Mac over the network and stolen company secrets, if an employee has been sending confidential information to your competitors, or if files on a Mac may contain evidence of a crime, it's clearly worth pulling out all the stops to investigate.

The very first decision you must make when you discover or suspect that a Mac has a serious security issue is what to do next — and it's an extremely important decision, with potentially long-term consequences. Specifically, doing anything at all, including turning off the computer, could alter its data in ways that make it harder to analyze later, or even destroy the very evidence you're looking for. To decide what you should do next, consider the following factors.

24.1.1. Live versus deferred analysis

When a Mac is running — even if it's actively doing something bad, such as ...
