New ITC Episode posted

Posted by MacLovin On November - 15 - 2009

We have uploaded a new episode of the podcast. There is an iTunes enhanced and an MP3 version. The iTunes version has embedded links for some of the software we talk about.

We are lucky to have Ben Charnota of BlackBag Technologies talking about their new software write block solution, Soft Block. Soft Block is a fire and forget write block solution for Macintosh computers. Once started, it runs quietly in the background until external media is inserted into the computer. Soft Block then prompts you to mount the device Read Only or Read/Write. I have been running the demo version of the software on my MacBook Pro for a couple of weeks and forget it is there until I plug in a drive. The Soft Block prompt isn’t bothersome; it only takes a second to deal with, and you are on your way. The nice thing about Soft Block is that, coupled with your laptop, you are ready to respond to the field with your preview system and a write blocker in one unit.

I will be doing a more in depth review of Soft Block and will post it on our sister site, MacOSXForensics.com.

Chris talks about the com.apple.recentitems.plist in this episode’s Plist of the Week (PLoW). By default, each section (Applications, Documents, Hosts, and Servers) will have 10 entries. This can be modified in the System Preferences > Appearance section or by using Plist Editor to change the values. This is usually one of the first plists we look at during an examination. The Recent Items plist shows the last items accessed by the user, such as programs, images, movies and documents. It is a good indication of what he/she was up to prior to the seizure or imaging of the computer and could be the smoking gun. I like to restore the drive, as part of my analysis, and then take a screenshot of the Recent Items menu, as the user would see it. As they say, a picture is worth a thousand words.
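To show what the Recent Items plist actually records, here is an added Python example (not from the podcast, BlackBag, or Apple) that parses a constructed com.apple.recentitems.plist and lists each section's entries next to its MaxAmount. The key layout (CustomListItems, MaxAmount, Name, URL, Alias) is assumed from that era's files and should be checked against the real plist from your evidence.

```python
import plistlib

# Constructed sample modelled on an OS X 10.5/10.6 com.apple.recentitems.plist.
# The key names (CustomListItems, MaxAmount, Name, URL, Alias) are an assumption
# about that era's layout; the Alias blobs here are dummy bytes, not real alias records.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Applications</key>
<dict><key>CustomListItems</key><array>
  <dict><key>Alias</key><data>AAAAAA==</data><key>Name</key><string>Safari</string></dict>
  <dict><key>Alias</key><data>AAAAAA==</data><key>Name</key><string>Disk Utility</string></dict>
</array><key>MaxAmount</key><integer>10</integer></dict>
<key>Documents</key>
<dict><key>CustomListItems</key><array>
  <dict><key>Alias</key><data>AAAAAA==</data><key>Name</key><string>notes.txt</string></dict>
</array><key>MaxAmount</key><integer>10</integer></dict>
<key>Hosts</key>
<dict><key>CustomListItems</key><array>
  <dict><key>Name</key><string>fileserver</string><key>URL</key><string>smb://fileserver.example/share</string></dict>
</array><key>MaxAmount</key><integer>10</integer></dict>
<key>Servers</key>
<dict><key>CustomListItems</key><array/><key>MaxAmount</key><integer>10</integer></dict>
</dict>
</plist>
"""

SECTIONS = ("Applications", "Documents", "Hosts", "Servers")

def summarize_recent_items(raw):
    """Map each Recent Items section to its MaxAmount and the labels of its entries."""
    plist = plistlib.loads(raw)          # plistlib auto-detects XML or binary plist format
    summary = {}
    for section in SECTIONS:
        block = plist.get(section, {})
        labels = []
        for item in block.get("CustomListItems", []):
            label = item.get("Name", "<unnamed>")
            if "URL" in item:            # Hosts/Servers entries record the share URL
                label += " -> " + item["URL"]
            labels.append(label)
        summary[section] = {"max": block.get("MaxAmount"), "items": labels}
    return summary

if __name__ == "__main__":
    # On a live system the file lives at ~/Library/Preferences/com.apple.recentitems.plist
    for section, info in summarize_recent_items(SAMPLE_PLIST).items():
        print(f"{section} (max {info['max']}): {info['items']}")
```

Run it against a copy of the plist exported from your image rather than the live user account, so the read does not alter the preferences file you are examining.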

We take a good part of this show to talk about the basics of how we prep a Mac to become an analysis system. The first thing that should always be done is the installation of the Apple Developer Tools. The Developer Tools provide us with several programs and commands that will be of great use to us when we start our examinations. The most useful is the Plist Editor, which allows us to see a plist in an easy to read format. Newer versions of Plist Editor allow us to print the plist, while older versions could do a data dump, which let us copy the contents for review. Essentially, if you aren’t using Plist Editor or the third-party Plist Editor Pro, you are doing yourself a disservice. Another good tool that comes with the Tools is the GetFileInfo command. GetFileInfo is a Terminal command with a number of arguments that let you retrieve file data such as creation/modification dates, creator code, file type code and file attributes.

Be Safe,

Dave
