CS663
Critical Thinking Writing Rubric - Module 10
Exceeds
Expectation
Content, Research, and Analysis
9-10 Points
Requirements
Exceeds
Expectation Includes all of the
required
components, as
specified in the
assignment.
17-20 Points
Content
Exceeds
Expectation Demonstrates
substantial and
extensive
knowledge of the
materials, with no
errors or major
omissions.
21 -25 Points
Analysis
Exceeds
Expectation Provides strong
thought, insight,
and analysis of
concepts and
applications.
5 Points
Sources
Exceeds
Expectation Sources go above
and beyond
required criteria,
and are well
chosen to provide
effective
substance and
perspectives on
the issue under
examination.
Mechanics and Writing
5 Points
Demonstrates
Exceeds
college-level
Expectation proficiency in
Project is clearly
Meets Expectation
Below Expectation
Limited Evidence
7-8 Points
Meets Expectation
- Includes most of
the required
components, as
specified in the
assignment.
5-6 Points
Below Expectation
- Includes some of
the required
components, as
specified in the
assignment.
3-4 Points
Limited Evidence Includes few of the
required
components, as
specified in the
assignment.
13-16 Points
Meets Expectation
- Demonstrates
adequate
knowledge of the
materials; may
include some
minor errors or
omissions.
9-12 Points
Below Expectation
- Demonstrates fair
knowledge of the
materials and/or
includes some
major errors or
omissions.
5-8 Points
Limited Evidence Fails to
demonstrate
knowledge of the
materials and/or
includes many
major errors or
omissions.
16-20 Points
Meets Expectation
- Provides
adequate thought,
insight, and
analysis of
concepts and
applications.
4 Points
Meets Expectation
- Sources meet
required criteria
and are adequately
chosen to provide
substance and
perspectives on the
issue under
examination.
11-15 Points
Below Expectation
- Provides poor
thought, insight,
and analysis of
concepts and
applications.
6-10 Points
Limited Evidence Provides little or no
thought, insight,
and analysis of
concepts and
applications.
3 Points
Below Expectation
- Sources meet
required criteria,
but are poorly
chosen to provide
substance and
perspectives on the
issue under
examination.
1-2 Points
Limited Evidence Source selection
and integration of
knowledge from
the course is
clearly deficient.
4 Points
Meets Expectation
- Project is fairly
well organized and
3 Points
Below Expectation
- Project is poorly
organized and
1-2 Points
Limited Evidence Project is not
organized or well
CS663
Critical Thinking Writing Rubric - Module 10
organization,
grammar and
style.
organized, well
written, and in
proper format as
outlined in the
assignment. Strong
sentence and
paragraph
structure; contains
no errors in
grammar, spelling,
APA style, or APA
citations and
references.
Total points possible = 65
written, and is in
proper format as
outlined in the
assignment.
Reasonably good
sentence and
paragraph
structure; may
include a few
minor errors in
grammar, spelling,
APA style, or APA
citations and
references.
written, and may
not follow proper
format as outlined
in the assignment.
Inconsistent to
inadequate
sentence and
paragraph
development,
and/or includes
numerous or major
errors in grammar,
spelling, APA style,
or APA citations
and references.
written, and is not
in proper format as
outlined in the
assignment. Poor
quality work;
unacceptable in
terms of grammar,
spelling, APA style,
and APA citations
and references.
CHAPTER 10: Macintosh
Forensics
MACINTOSH COMPUTERS MAY NOT BE AS UBIQUITOUS AS MICROSOFT-BASED PCS, but
they represent a significant portion of personal computers. For this reason, it is important that you
have at least a basic understanding of the Macintosh operating system and how to conduct forensics
on it. In this chapter, you will learn some history of the Macintosh operating system as well as some
operating system basics. You will also learn some basic forensic techniques to use on a Macintosh.
Chapter 10 Topics
This chapter covers the following topics and concepts:
What the basic knowledge you need to know about Macintosh is
Where to find the logs in Macintosh
What forensically interesting directories are
What some forensic techniques for Macintosh are
How to undelete files in Macintosh
Chapter 10 Goals
When you complete this chapter, you will be able to:
Understand the basics of Macintosh and its history
Know where to find logs in a Macintosh system
Examine the virtual memory of a Macintosh
Undelete Macintosh files
Mac Basics
It is important that you have a working understanding of the Macintosh operating system before
attempting forensics. As with Linux, however, it is common for forensic examiners not to have a good
working knowledge of Macintosh systems. The reason for this is simple: Most people have more
exposure to Windows than to Macintosh. In fact, it is not uncommon to have a forensic examiner who
has never even used a Macintosh. So this section first shows you the history of the Macintosh and
then discusses the operating system fundamentals. This will establish a baseline of knowledge to
help you understand Apple systems.
Mac History
Apple began with Steve Wozniak and Steve Jobs collaborating while working from their homes. In
1975, they finished the prototype of the first Apple computer. Steve Wozniak worked for HewlettPackard, and his employment contract required him to give his employer first right of refusal on any
new inventions he came up with. However, Hewlett-Packard was not interested and released the
technology to Steve Wozniak. This led to the formation of Apple Computer in April 1976. The
company’s three founders were Steve Jobs, Steve Wozniak, and Ronald Wayne. The first computer
was the Apple I, created by Wozniak.
That computer had an 8-bit microprocessor running at just below 1 MHz. The Apple I had a built-in
video terminal, sockets for 8 kilobytes of onboard random access memory (RAM), a keyboard, and a
cassette board meant to work with regular cassette recorders.
Apple II
It wasn’t long before the team came up with the Apple II. This computer was based on the same
microprocessor, but came in a plastic case with the keyboard built in. It was also the first personal
computer with color graphics. This was followed by a series of enhancements to the Apple II: Apple
II+, IIe, IIc, IIc+, IIe Enhanced, and IIe Platinum. In 1986, the Apple IIGS was released; this computer
was 16-bit rather than 8-bit.
There were multiple operating systems for the Apple II, including the following:
Apple DOS (Disk Operating System)—The first edition was released as Apple DOS 3.1 in
1978. It had no relationship to Microsoft DOS.
Apple Pascal—This was based on the p-system, an operating system developed at UC San
Diego. It was basically a virtual machine running p-code, and Pascal was the most popular
language for it. Apple Pascal was a similar design released in 1979.
Apple SOS—This operating system was developed for the Apple III. The acronym stands for
Sophisticated Operating System. Every program that used SOS loaded the operating system
into memory as well. An SOS application disk consisted of a kernel (SOS.kernel); an
interpreter (SOS.Interp), which was often the application itself; and a set of drivers
(SOS.Driver).
ProDOS—This was meant as a replacement for Apple DOS 3.3 and was based on SOS. It
had more support for programming, including assembly and BASIC. Eventually, this led to a
16-bit version called ProDOS 16.
Lisa OS—This operating system had a full graphical user interface with a file browser that was
navigated with mouse clicks. It also came with some basic office programs.
Beyond the Apple II
After the Apple II, the company changed the name to Macintosh and took a new direction with its
computers. The main points in that evolution are as follows:
The Macintosh—Although today many people may think of Apple and Macintosh as
synonymous, the Macintosh was actually released by Apple in January 1984. It had an 8-MHz
Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating
system for Macintosh was System 1. This eventually led to the Macintosh II running System 7.
System 7—This system allowed text dragging between applications, viewing and switching
applications from a menu, a control panel, and cooperative multitasking.
Mac OS for PowerPC—This Mac introduced the System 7.1.2 operating system.
AIX for PowerPC—In 1996, Apple had a product called Apple Network Server that used a
variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical
user interface that is popular in the UNIX world. This product did not do well in the market and
was discontinued in 1997.
Mac OS X
The next major change was the introduction of Mac OS X, which is still used in Macintosh computers
today. The public beta version of the product was named Kodiak. The real change with OS X was
that the operating system was based on FreeBSD, a UNIX clone. When using Mac OS X, you can
navigate to a shell and run UNIX/Linux shell commands. The initial release of OS X was followed by
periodic improvements, each with an animal name:
Mac OS X v10.0, named Cheetah, was released in March 2001.
Mac OS X v10.1 was released the same year and was named Puma.
The next release was Mac OS X v10.2 in 2002, called Jaguar. This release included improved
graphics and iChat messaging.
In 2003, Apple released Mac OS X v10.3, named Panther.
Mac OS X v10.4, named Tiger, was released in 2005. This release had built-in support for
FireWire, and it had a new dashboard and updated mail program.
Mac OS X v10.5, called Leopard, was released in 2007. It had over 300 new features, support
for Intel x86 chips, and support for the new G3 processor.
In 2009, Apple released Mac OS X v10.6, Snow Leopard. Most of the changes in this release
were performance enhancements, rather than new features. For example, Snow Leopard had
support for multicore processors.
Mac OS X v10.7 was released in 2011 and code-named Lion. The major interface change
with this release was to make it more like the iOS interfaces used on the iPhone and iPad.
Mac OS X v10.8, named Mountain Lion, was released in 2012. This release had built-in
support for iCloud, to support cloud computing.
Mac OS X v10.10, code-named Yosemite, was released in October 2014. The most important
part of this release, from a forensics standpoint, is that it allowed users who had iPhones with
iOS 8.1 or later to pass certain tasks to their Macintosh computer. For example they could
complete unfinished iPhone emails on the Macintosh computer. This was called the Handoff.
Mac OS X v10.12, named Sierra, is the most recent version (as of March 2017). It is meant to
be more in synch with the style of other Apple systems, such as iOS and WatchOS.
The Mac OS X desktop is shown in FIGURE 10-1.
When performing forensics on an Apple system, you are most likely to encounter OS X, because it is
the most widely used Apple operating system today. In fact, it is the only operating system still
supported by Apple.
Mac File Systems
In this section, you will learn details about the Hierarchical File System and other file systems used
by Macintosh operating systems.
Macintosh File System
Macintosh File System (MFS) is an older Apple technology that has not been used in over 15 years.
You are unlikely to encounter it. It has long since been replaced, first with HFS, and then with HFS+.
It shipped with the first Macintosh in 1984.
Hierarchical File System
The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file
system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File
System (MFS).
FIGURE 10-1
Mac OS X.
Screenshot reprinted with permission from Apple Inc.
HFS used concepts from the earlier SOS operating system that had been designed for the Apple III.
HFS was able to support file names as long as 255 characters, which was not available in FAT
(used by DOS).
Hierarchical File System Plus
This is an enhancement of the HFS file system, first used with Mac OS 8.1. Because HFS was the
standard for Macintosh, it became known as HFS Standard, while HFS+ became known as HFS
Extended. HFS+ is the preferred file system on Mac OS X. Most important, it supports journaling.
Journaling is basically the process whereby the file system keeps a record of what file transactions
take place so that in the event of a hard drive crash, the files can be recovered. Journaling file
systems are fault tolerant because the file system logs all changes to files, directories, or file
structures. The log in which changes are recorded is referred to as the file system’s journal—thus,
the term journaling file systems.
HFS+ also supports disk quotas. That allows the administrator to limit the amount of disk space a
given user can use, keeping that user from taking up all the space. HFS+ has two types of links. The
first type is the hard link, which is an inode that links directly to a specific file. A soft link, or symbolic
link, is essentially a shortcut.
HFS+ is architecturally similar to HFS, which is not surprising because it is an enhancement to HFS;
however, there are some key differences. One such difference is that HFS+ uses 32 bits for
allocation blocks, rather than 16 bits. HFS+ also supports long filenames, up to 255 characters.
Furthermore, HFS+ uses Unicode, which is the international standard for information encoding (for
file naming), rather than ASCII (American Standard Code for Information Interchange), which is a set
of codes defining all the various keystrokes you could make, including letters, numbers, characters,
and even the spacebar and Return keys.
For forensic examinations, one of the more important differences in HFS+ to keep in mind is aliases.
Aliases are like symbolic links; they allow you to have multiple references to a single file or directory.
HFS+ also has a very interesting optimization scheme. It essentially does defragmentation on a perfile basis. The following conditions are checked, and if met, the file is defragmented when it is
opened:
The file is less than 20 megabytes in size.
The file is not already in use.
The file is not read-only.
The file is fragmented.
The system uptime is at least three minutes.
This means an HFS+ volume is routinely defragmenting itself. This is a significant advantage over
some other file systems, such as NTFS and FAT.
With an HFS+ volume, the first two sectors (sectors 0 and 1) are the boot blocks and are identical to
the boot blocks used in HFS. The third sector (Sector 2) has the volume header. It has a great deal
of pertinent forensic information, such as the size of allocation blocks and a timestamp that
describes when the volume was created.
The allocation file is important for forensics. It keeps track of which allocation blocks are free and
which are not. A 0 indicates the block is free, whereas a 1 indicates the block is in use. The catalog
file contains the records for all the files/directories on that volume. It uses a B-tree structure to hold
the data. Each record in the catalog file is 8 kilobytes in size.
Of particular interest is the command prompt. The command prompt in Macintosh OS X is a Bash
shell so you can execute Linux commands. This means you can use commands such as lsof,
pstree, and others.
Because HFS+ is the preferred file system for Mac OS X, it is one you will likely encounter when
doing forensic examinations of Apple computers.
ISO9660
ISO9660 is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but
Apple does have its own set of ISO9660 extensions. Although a CD may be readable on either a PC
—Windows or Linux—or a Macintosh, the files on that CD may require a specific operating system in
order to be read.
Microsoft Disk Operating System
Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12,
FAT16, and FAT32. This allows a Macintosh machine to read floppy disks (FAT12), as well as files
created with DOS/Windows 3.1.
New Technology File System
Mac OS X includes read-only support for the New Technology File System (NTFS). This means if
you have a portable drive that is NTFS, Mac OS X can read that partition. But like ISO9660, the files
on that drive may be operating–system specific.
Universal Disk Format
Universal Disk Format (UDF) is the file system used by DVD-ROM discs (both video and audio).
Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not
guarantee that Mac OS X can read the files.
UNIX File System
UNIX File System (UFS) is the file system used by FreeBSD and many other UNIX variants. Being
based on FreeBSD, Mac OS X can read UFS volumes.
Partition Types
Partition types are referred to in Apple documents as partition schemes. The partition type
determines how the partition is organized on the drive. Apple directly supports three different
partition schemes: the GUID Partition Table, the Apple Partition Map, and the master boot record. All
three partition types are described in this section.
GUID Partition Table
The GUID Partition Table (GUID stands for “globally unique identifier”) is used primarily with
computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh
machines can boot only from drives that use the GUID Partition Table.
Apple Partition Map
The Apple Partition Map is used with any PowerPC-based Mac. Intel-based Macs can mount and
use a drive formatted with the Apple Partition Map, but they cannot boot from the device. PowerPCbased Macs can both mount and use a drive formatted with the Apple Partition Map, and they can
also use it as a start-up device.
Master Boot Record
The master boot record (MBR), contained in the boot sector, is used when DOS- or Windows-based
computers start up. The MBR contains important information such as a partition table, bootstrap
code, and other information.
Macintosh Logs
One of the first steps in any forensic examination should be to check the logs. Remember that logs
are very important when examining a Windows or a Linux computer. They are just as important when
examining a Macintosh computer. This section examines the Macintosh logs and what is contained
in them.
The /var/log Log
The name of this log should suggest that it is a general repository for a lot of information. The naming
structure should also seem familiar. Remember that Mac OS X is based on FreeBSD, so seeing file
structures similar to Linux should be no surprise.
This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes,
including the dates they were mounted. This is very important in cases involving stolen data. You
can see what devices have been attached and get data from them.
This folder includes data on removable media, including serial numbers.
The /var/spool/cups Folder
In this folder, you will find information about printed documents. If you need to know what documents
have been printed from this Macintosh, this folder can give you that information. This includes the
name of the document printed and the user who printed it.
The /Library/Receipts Folder
This folder contains information about system and software updates. It is less useful for a forensic
investigation than some of the other folders; however, it can be useful to know if a given patch was
applied and when it was applied. This might be of some interest in investigating malware crimes.
The /Users//.bash_history Log
As you know, Mac OS X is based on FreeBSD, a UNIX variant. When you launch the terminal
window, what you actually get is a Bash shell. So, this particular log can be very interesting. It will
show you a variety of commands. You might look for commands such as rm, which would be
removing or deleting something, or dd, indicating the user might have tried to make an image of the
drive.
The /var/vm Folder
In this folder, you will find a subfolder named app profile. This will contain lists of recently opened
applications, as well as temporary data used by applications. Both of these can be very interesting in
a forensic examination.
The /Users/ Directory
This is where various users’ files are stored. It is always a good idea to check in this directory to find
out if users have saved data here that could be used as evidence.
The /Users//Library/Preferences/ Folder
As you probably suspect, this folder contains user preferences. This might not seem that interesting
for a forensic investigation, except for one small issue: This folder even maintains the preferences of
programs that have been deleted. This could be a very valuable place to get clues about programs
that have been deleted from the system.
Directories
As with Windows and Linux, Macintosh has a number of directories. Some are more important than
others. You must know the ones in the following sections in order to do an effective forensic
examination of a Macintosh machine.
The /Volumes Directory
This directory contains information about mounted devices. You will find data here regarding hard
disks, external disks, CDs, DVDs, and even virtual machines. This is a very important directory in
your forensic examination.
The /Users Directory
This directory contains all the user accounts and associated files. This is clearly critical to your
investigation of a Macintosh machine.
The /Applications Directory
This directory is where all applications are stored. Particularly in cases of malware, this is a critical
directory to check.
The /Network Directory
This directory contains information about servers, network libraries, and network properties.
The /etc Directory
Just as in Linux, this is where configuration files are located. Obviously, configuration files can be
quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the
system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the
system later.
The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File
This file contains the network configuration data for each network card. This is important information
to document before beginning your search for evidence.
Macintosh Forensic Techniques
This section covers some general forensic techniques to use on Macintosh systems. In the
preceding sections, you learned about the Macintosh operating system, and you learned where to
look for important logs, which is a valuable step in any forensic investigation. Now, you will learn a
variety of forensic techniques.
Target Disk Mode
One of the most fundamental steps in forensics is to create a bit-level copy of the suspect drive. If
the suspect drive is a Macintosh, all the techniques you know from Linux or Windows can still be
used. You can utilize the dd command along with netcat to make a forensic copy. You can also use
the imaging tools within EnCase or Forensic Toolkit. However, Macintosh provides another way to
make a forensically sound copy of a drive. You begin by placing the suspect computer into Target
Disk Mode. When you put the computer in that mode, it cannot be written to, so there is no chance of
altering the source disk. Then simply connect to the suspect computer with universal serial bus
(USB) or FireWire and image the disk.
Also, Target Disk Mode allows you to preview the computer on-site. This allows investigators to do a
quick inspection before disconnecting and transporting the computer to a forensic lab. This is
important because, just like with Windows or Linux, you will want to check running systems’
processes before shutting the machine down. You simply have to reboot the machine in Target Disk
Mode, as shown in FIGURE 10-2.
NOTE
Because Mac OS X is based on FreeBSD, Linux commands can be used here. So before shutting
the suspect Macintosh down, you will want to run netstat to see any connections the system has.
You may also want to run ps, pstree, and top to check running processes.
Searching Virtual Memory
Checking virtual memory is just as important with a Macintosh as it is with a Windows or Linux
computer. With Macintosh OS X, the swap file/virtual memory is located in the folder /var/vm/. You
can check it with simple Linux commands like ls (for listing files). A good option is ls —al, which
gives you a listing of all the files in virtual memory, as well as of who launched the program and
when. The best news is that you can use the grep search tool to search in the virtual memory folder.
FIGURE 10-2
Target Disk Mode.
Screenshot reprinted with permission from Apple Inc.
Shell Commands
Because Mac OS X is based on FreeBSD, you can use shell commands to extract information. A
number of commands can be quite useful in your forensic examination. Some additional commands
are available that are specific to Macintosh.
The date Command
The date command returns the current date and time zone. It is good for documenting when exactly
you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then
use the date −u version of the command.
The ls
/dev/disk?
Command
This command lists the current device files that are in use. You should document this information
before shutting the system down for transport to the forensic lab.
The /hdiutil
partition /dev/disk0
Command
This command lists the partition table for the boot drive. Clearly, it is important to know the partitions
the machine recognizes upon boot-up.
The system_profiler
SPHardwareDataType
Command
This command returns the hardware information for the host system. This provides information
useful for the basic documentation of the system prior to beginning your forensic examination. There
are related commands, such as system_profiler SPSerialATA-DataType. This command gives
information on all the attached Serial Advanced Technology Attachment (SATA) devices.
The system_profiler
SPSoftwareDataType
Command
Related to system_profiler SPHardwareDataType, this command returns information about the
operating system. This is also important for documenting the system prior to starting the forensic
examination.
NOTE
There is an interesting trick you can do to circumvent passwords in Macintosh. If you change the
amount of physical memory, the firmware password is automatically reset. So simply add or remove
RAM, and then reboot.
How to Examine a Mac
Many forensics tools do a wonderful job of extracting data from Windows machines, but are less
effective in Macintosh. OSForensics version 4.0 will include Mac OS X artifacts in its recent history,
but to examine the directories mentioned in this chapter, or to execute the Bash commands, you may
need more than tools can provide.
One technique is to create a copy of the forensic image and then mount it as a read-only virtual
machine (VM). It is critical that you mount it read only. You can find instructions on the Internet for
converting a forensic image to a virtual machine (such as a VMWare or Oracle VirtualBox). However,
the forensic tool Forensic Explorer (http://www.forensicexplorer.com) will mount forensic images as
read-only virtual machines, using the VM of your choice. OSForensics version 4
(http://www.osforensics.com) will also allow you to create a virtual machine from a forensic image.
Can You Undelete in Mac?
Recall that in Windows systems, deleting actually just removes a file from the master file table (MFT)
or file allocation table (FAT) and marks those clusters as available. The file’s data is still there and
can be recovered. What happens when a file is deleted on an HFS or HFS+ volume? Although the
details are a bit different, a similar thing occurs. The references to the file are gone and the clusters
might be used and overwritten. But, depending on how soon after the deletion you attempt to recover
data, you may be able to recover some or all of the data. Even if the data is overwritten, data may still
exist in unallocated space and in index nodes. When a file is deleted in Macintosh, it is moved to the
trash folder—much like the Recycle Bin in Windows. The trash is represented on the file system as a
hidden folder, .Trash, on the root directory of the file system. You can list the contents with a shell
command, as shown here:
$/.Trash ls -al
total 764
drwx------ 7 pc pc 306 Oct 30 15:05 .
drwxr-xr-x 30 pc pc 1054 Oct 30 12:44 ..
-rw------- 1 pc pc 6148 Oct 30 14:38 .DS_Store
-rw-r--r-- 1 pc pc 187500 Oct 27 15:41 Resume.pdf
-rw-r--r-- 1 pc pc 108382 Oct 27 15:43 VacationPIC.jpg
-rw-r--r-- 1 pc pc 108382 Oct 27 15:43 Report.pdf
Now files in the trash directory can be recovered just by copying or moving them to any other
location.
Note that the trash (.Trash folder) contains four files, each of which can be recovered by simply
copying or moving it to an alternate location. There are tools that will recover files, even after the
trash bin has been emptied. A few are given here:
Mac Undelete at http://www.macundelete.com
Free Undelete Mac at http://www.freeundeletemac.com
MacKeeper at http://mackeeper.zeobit.com
Any of these tools can aid you in recovering deleted Macintosh files.
CHAPTER SUMMARY
In this chapter, you learned the fundamentals of the Macintosh operating
system. It is important to have a working understanding of any operating
system before attempting forensics on that system. You also learned
where to look for log files and what is contained in those logs.
The shell commands that you learned in this chapter are critical. It is
important that you remember those and be able to use them on Macintosh
computers you examine. It is also important that you understand imaging a
suspect Macintosh computer and recovering deleted files.
KEY CONCEPTS AND TERMS
American Standard Code for Information Interchange (ASCII)
ISO9660
Unicode
Universal Disk Format (UDF)
Purchase answer to see full
attachment