by Brian Salmon
In 2009 AccessData introduced FTK3 with a long list of new features. Overall speed and stability were two of the major goals for this release of the forensic suite. Beyond those goals, huge strides in feature sets were laid out and accomplished as well. Among those are numerous native features designed specifically for Macintosh data analysis that were not previously available to examiners on the Windows platform. While it is always a good idea to view OS X data with its native applications or in its native environment during an analysis, FTK has made it much easier to draw valid conclusions and make meaningful reports without missing critical attributes other Windows software may not show clearly.
FTK Imager
FTK Imager is the part of the FTK suite that is available free of charge from the AccessData website. FTK Imager can be used for physical disk imaging, for copying the contents of media to an evidence collection drive, or for taking a quick look at the contents of a target device. No version of the Windows OS natively supports reading the HFS/HFS+ file system. When a full examination is not necessary, FTK Imager provides a quick and easy way to look at an HFS+ file system from a Windows computer. It also allows the examiner to export or acquire data for later examination.

FTK Imager showing GUID partition table with HFS+ file system
Forensic Toolkit v3
FTK v3 now allows native viewing of PLIST files, SQLite database files and Mac OS file metadata, and adds support for DMG files. AccessData has incorporated many native viewing capabilities into FTK that can be seen in the “Natural” tab when viewing data. What this means for Macintosh data is that analysis and reporting have become enormously easier using a Windows-based tool. In the screen capture below, you can see the basic layout of FTK v3 when showing a hard drive that contains two user-created HFS+ partitions.

FTK v3 showing GUID partition table with HFS+ file system
Once Macintosh evidence has been added to a case (the same as any digital evidence), and the pre-processing has completed, the Overview Tab gives a great summary of the case contents. The below screen capture shows the Overview Tab for our sample evidence drive.

Overview Tab in FTK v3
PLIST Support
FTK v3 allows the examiner to view data from Property List files in an organized, easy-to-read report. The Natural view in the File Content window parses out all of the keys contained in the PLIST file and their associated values. This includes binary PLIST files as well as XML PLIST files. The ability to view binary PLIST files natively is not currently available in any other Windows-based forensic tool. Because OS X makes extensive use of PLIST files, a high percentage of which are binary, this capability is a key feature of FTK v3 for Mac forensic analysts. The screen capture below shows an example PLIST file in the Natural view within FTK v3. The file can easily be bookmarked and included in a final report.

PLIST file shown in the Natural Tab in FTK v3
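As an added illustration (not part of the original article and not AccessData's code), the following Python script shows what producing a key/value view of a PLIST involves: detecting whether the file is binary (`bplist00`) or XML, parsing either with the standard `plistlib`, and flattening nested keys into report rows. The sample plist, its keys and values are constructed for the demo.

```python
import plistlib
from typing import Any, Iterator

# Constructed sample resembling an OS X preference plist (not real evidence).
SAMPLE = {
    "LastOpened": ["/Users/demo/Documents/notes.txt", "/Users/demo/Desktop/img.jpg"],
    "Window": {"Width": 800, "Height": 600, "Visible": True},
    "Token": b"\x00\x01\x02",
}

def sample_blobs() -> dict[str, bytes]:
    """Serialise SAMPLE in both on-disk formats so each parsing path can be exercised."""
    return {
        "binary": plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY),
        "xml": plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML),
    }

def detect_format(data: bytes) -> str:
    """'binary' for bplist00 files, 'xml' for XML plists, else 'unknown'."""
    if data.startswith(b"bplist00"):
        return "binary"
    if data.lstrip().startswith(b"<?xml") or b"<plist" in data[:512]:
        return "xml"
    return "unknown"

def flatten(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (key path, value) for every leaf; dict keys joined by '/', arrays indexed."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{path}/{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from flatten(value, f"{path}[{i}]")
    else:
        yield path, obj

def plist_report(data: bytes) -> list[tuple[str, str]]:
    """Parse either format and return sorted (key path, printable value) rows."""
    if detect_format(data) == "unknown":
        raise ValueError("not a recognised plist")
    rows = []
    for key, value in flatten(plistlib.loads(data)):
        # Binary <data> values are shown as hex rather than raw bytes in a report.
        rows.append((key, value.hex() if isinstance(value, bytes) else repr(value)))
    return sorted(rows)

if __name__ == "__main__":
    for fmt, blob in sample_blobs().items():
        print(f"== {fmt} plist ({detect_format(blob)}) ==")
        for key, value in plist_report(blob):
            print(f"{key} = {value}")
```

Both serialisations of the same plist produce identical report rows, which is the property an examiner relies on when a preference file happens to be stored in binary form.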
SQLite Support
Many applications that run on Macintosh computers store information in SQLite database files; Safari, Firefox, Front Row, Finder and many other Apple and third-party programs use them, often under the name cache.db. These files may contain information of great evidentiary value that would be missed without viewing their contents. FTK v3 displays the contents of these files in the Natural view tab and allows this data to be bookmarked and reported in a clean, easy-to-read report. The contents of the database can also be exported out of the case and opened with other viewers or decoded with other applications. An example of this is the iPhone backup data located on a Macintosh: FTK v3 can show the voicemail files stored in the SQLite database on the Mac (or PC) and allows the file to be exported out of the case for further processing. The screen capture below shows the Natural view of a SQLite DB file.

SQLite3 data shown in the Natural Tab in FTK v3
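When a SQLite file is exported out of the case for processing with another tool, the examiner wants to read it without altering it. The following added example (not from the original article or AccessData) opens an exported database read-only and immutable, so no journal or lock files appear beside it and its hash stays unchanged, then dumps a table to CSV for a report appendix. The table and column names are constructed for the demo, not taken from a real cache.db.

```python
import csv
import io
import os
import sqlite3
import tempfile
from pathlib import Path

def build_sample_db(path: str) -> None:
    """Write a constructed cache-style database; the table and columns are assumed."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cache_entry (id INTEGER PRIMARY KEY, url TEXT, fetched TEXT)")
    con.executemany("INSERT INTO cache_entry VALUES (?, ?, ?)", [
        (1, "http://example.test/index.html", "2010-01-05 12:00:00"),
        (2, "http://example.test/logo.png", "2010-01-05 12:00:01"),
    ])
    con.commit()
    con.close()

def open_readonly(path: str) -> sqlite3.Connection:
    """mode=ro refuses writes; immutable=1 also stops SQLite creating journal or
    lock files next to the export, so its hash still matches the evidence copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def list_tables(con: sqlite3.Connection) -> list[str]:
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]

def table_to_csv(con: sqlite3.Connection, table: str) -> str:
    """Dump one table, header first, as CSV text suitable for a report appendix."""
    cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([d[0] for d in cur.description])
    writer.writerows(cur.fetchall())
    return buf.getvalue()

def demo() -> dict:
    """Build the sample, open it read-only, export it, and confirm a write is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.db")
        build_sample_db(path)
        con = open_readonly(path)
        result = {"tables": list_tables(con), "csv": table_to_csv(con, "cache_entry")}
        try:
            con.execute("DELETE FROM cache_entry")
            result["write_refused"] = False
        except sqlite3.OperationalError:
            result["write_refused"] = True
        con.close()
    return result
```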
Metadata and EXIF data
Often, while performing our analysis, the metadata or EXIF data associated with a file is as important as the file's content. For example, with an image file displayed from the Explore tab, click the Properties tab below the image to display all available metadata. Images from an iPhone, for instance, may contain GPS coordinates, or you may find an embedded email address or URL.

Sample image contents shown in the Natural Tab in FTK v3
Other metadata can give us embedded creation dates, the make and model of the camera used, HFS+ extended attributes, document metadata such as that in MS Word files, and more. This information is made available in FTK v3 without having to export the files and run a third-party tool.

Sample Image properties (metadata) shown in FTK v3
Email Viewer
The Email tab in FTK v3 provides a way to view email messages from many different email applications such as Apple’s Mail, Outlook, Outlook Express, Thunderbird, Notes, Exchange and many more. Emails are displayed in a format similar to most mail clients, as shown in the image below.

Email message shown in the Natural Tab in FTK v3
Email attachments are also easily viewable from the Email tab. All of the email attachments are listed in the Email Attachments tab located to the right of the message. Clicking on an attachment will display the file in a Natural, Text, Hex, or Filtered view.

Email Attachment shown in the Natural Tab in FTK v3
Reporting
One of the most powerful features of FTK v3, and this has been true since v1, is the reporting. When conducting an examination of Macintosh data, it is always a good idea to look at data within the OS X environment to draw some conclusions. For example, if a Mac user has created a password-protected “sparsebundle”, this disk image will not be viewable within FTK v3 and will simply show as a folder. If an analyst mounts this “sparsebundle” read-only in the OS X environment (given the password, of course), its contents can then be imaged, analyzed, copied out, etc. For this example, let us pretend that the contents are simply 10 pictures. In the Mac environment, these 10 pictures could be “printed to PDF” using Preview and then attached to the FTK v3 report using the native feature when the report is being generated. (This article won’t go in depth on how this is done; we suggest the AccessData Mac Forensics class or any of the advanced Windows classes to learn more about building reports.)
Conclusion
FTK v3 has many features for Macintosh analysis that were not previously available in a single Windows-based forensic tool. This allows analysts who typically examine Windows systems to use the tool and platform they are familiar with to successfully complete an examination of a Macintosh computer. This is especially important for analysts who do not have access to a Mac, or the knowledge required to use one, in order to analyze a Mac.