24.1. Overview of Computer Forensics

Investigating the manner in which a Mac may have been compromised and how it came to be that way can be a lengthy and tedious process. Whether you choose to undertake it at all and the extent to which you delve into a computer's secrets depend on the severity and impact of the problem, the amount of time you have available, and what's at stake. For example, if a random malware program has started displaying advertising messages or running a chat service on a single Mac, that's an annoyance, for sure—but not serious enough to spend days of detailed work tracking down. On the other hand, if someone has broken into your Mac over the network and stolen company secrets, if an employee has been sending confidential information to your competitors, or if files on a Mac may contain evidence of a crime, it's clearly worth pulling out all the stops to investigate.

The very first decision you must make when you discover or suspect that a Mac has a serious security issue is what to do next — and it's an extremely important decision, with potentially long-term consequences. Specifically, doing anything at all, including turning off the computer, could potentially alter its data in ways that make it harder to analyze later or even destroy the very evidence you're looking for. To decide what you should do next, consider the following factors.
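The point above, that any handling of a suspect machine can alter the data on it, is easier to act on if you record what the filesystem looked like before you touched anything. The following is an added example, not code from the book: a small Python baseline tool that records size, modification time and SHA-256 for every regular file under a directory, and then reports what was added, removed or modified when the snapshot is repeated later. The file names in `demo()` are constructed for illustration; in practice you would point `snapshot()` at a mounted evidence copy or, at minimum, at the directories you intend to inspect, and save the baseline with `save_snapshot()` to a location outside the tree being examined.

```python
"""Baseline a directory tree so later handling of the machine is detectable.

Added example (not from the book). Records size, mtime and SHA-256 per file;
a second snapshot compared against the first shows exactly what changed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Return {relative_path: {size, mtime_ns, sha256}} for each regular file.

    Symlinks are skipped rather than followed, so the walk cannot wander
    outside the tree being recorded. Directory listings are sorted so two
    snapshots of an unchanged tree compare equal regardless of walk order.
    """
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            entries[str(path.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": _sha256(path),
            }
    return entries


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots.

    A file counts as modified if any recorded attribute differs, so a timestamp
    change with identical content is still flagged.
    """
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def save_snapshot(entries: dict, out_path) -> None:
    """Persist a baseline as sorted JSON (store it outside the examined tree)."""
    Path(out_path).write_text(json.dumps(entries, indent=2, sort_keys=True))


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate careless handling."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Library").mkdir()
        (root / "Library" / "agent.plist").write_text("original")  # constructed
        (root / "notes.txt").write_text("keep")                   # constructed
        (root / "scratch.log").write_text("old")                  # constructed
        before = snapshot(root)

        (root / "Library" / "agent.plist").write_text("changed")  # content altered
        (root / "scratch.log").unlink()                           # evidence removed
        (root / "new.bin").write_bytes(b"\x00\x01")               # artifact added
        os.utime(root / "notes.txt", ns=(0, 0))                   # timestamp only

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the block directly to see the constructed scenario reported as one added file, one removed file and two modified files (one by content, one by timestamp alone). Note that the tool only records what it is pointed at; taking the baseline itself reads every file, which on a volume mounted read-write may update access times, which is one reason forensic examiners prefer to work from a read-only image.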

24.1.1. Live versus deferred analysis

When a Mac is running — even if it's actively doing something bad, such as ...