Mac Marshal from Architecture Technology Corporation brings a new level of analysis tool to the Macintosh platform. Mac Marshal does not try to displace full-fledged analysis tools, but it certainly does come close with the results that it produces. This application is built as a “Mac app” from the start and is easily understood by any analyst with little time spent inside of the manual itself.
Note: While Mac Marshal makes looking at Macintosh data quite easy, any analyst must always understand the results. The only way this can happen is through solid Macintosh training. See our Training section of the Resources page for suggestions on resources for this.
Once Mac Marshal is installed and launched, an analyst is asked to open a new acquisition or work with a current case. This review will be solely based from a new case. The analyst enters standard case information, and then a quick scan of attached drives occurs.
Mac Marshal New Acquisition - Drive Selection or Image Selection
Mac Marshal has the ability to examine media that is currently connected to the Macintosh or to examine a Disk Image. For this example, we are going to examine “Disk 3”. Clicking on the “Next” button causes Mac Marshal to scan this disk for several items, one of which is seen in the next screen capture, Virtual Machines.
Mac Marshal New Acquisition - Performing disk triage
The above disk triage is very powerful. It scans the disk for partitions with installed operating systems, virtual machines, and user data. The results of this scan are presented in a concise window for the analyst to continue with additional data collection.
Mac Marshal - Results of Disk triage
The above window shows the results of the Disk triage. Notice the findings. Not only do we have the installed operating system and a secondary operating system, Mac Marshal has also found ISO and DMG images and listed them here for examination. Let’s continue examining /dev/rdisk3 (“MacbookPro”) on page 2.
Continue to page 2.
Architecture Technology Corporation