24.4. Using MacForensicsLab

SubRosaSoft's MacForensicsLab (www.macforensicslab.com/ProductsAndServices/index.php?main_page=product_info&cPath=1&products_id=1, $1,195, with a $200 discount for law enforcement) is the best-known full-featured forensics suite for Mac OS X. In contrast to the programs and procedures described earlier in this chapter, MacForensicsLab isn't geared toward finding malware or security leaks. Rather, it's designed to look for data on a hard disk that can be used as evidence that the computer was involved in some type of wrongdoing or to provide leads for law enforcement or corporate officials investigating a crime or policy violation. If you watch movies or TV shows in which agents swoop into the bad guy's lair, confiscate a bunch of computers, and shortly thereafter turn up the name of Mr. Big, the location of the missing canisters, or pictures of previous victims, MacForensicsLab is exactly the kind of software they would have used to figure that out.

MacForensicsLab takes the strict notion of forensics quite seriously. The program is designed from top to bottom to preserve data in the state in which it was found, to validate the integrity of that data (to prove it wasn't tampered with after the fact), and to log every action an investigator takes so that any search or discovery can be re-created by a third party. The program can provide a detailed data trail of everything that happened with a disk to serve as evidence in legal proceedings.

Some of the ...