Macintosh Forensics

Zhngu2000

Computer Science

Description

In this assignment, you assume the role of an employee of the DigiFirm Investigation Company. One of your clients is a small music production company. One day you receive a phone call from Andrea, the owner and president of the music company.

Andrea believes one of her employees, a sound technician, has been stealing intellectual property from the company. She thinks he is copying original music scores and then selling them to upstart musicians, claiming that he wrote them. Andrea checked the employee’s computer the previous night and thinks he has been deleting the files to cover his tracks.

Andrea’s employee uses a Macintosh computer. There are several tools available for recovering files that have been deleted from a Mac, including:

Although all of the tools accomplish the same goal, each has one or more unique features. You should consider the full capability set of each tool when gathering information, and determine which tool would be the best choice for the scenario in this assignment.

You will research three tools that can aid in recovering deleted Macintosh files and write a paper about their capabilities. You must also recommend one product for use in this case and justify your recommendation.

Reference: Chapter 10 in System Forensics, Investigation, and Response
https://books.google.com.sa/books?id=lWtuAAAAQBAJ&...

Deliverable:

For this assignment, you are to:

  • Research three tools that can aid in recovering deleted Macintosh files, compare the capabilities, and write a professional report in which you recommend one product for use in this case and justify your recommendation.
  • Your report should be 2-3 pages in length. Be sure your report adheres to the University academic writing standards and APA style guidelines, citing references as appropriate.
  • Follow the rubric attached for expectations.

Unformatted Attachment Preview

CS663 Critical Thinking Writing Rubric - Module 10

Content, Research, and Analysis

Requirements
  • Exceeds Expectation (9-10 Points): Includes all of the required components, as specified in the assignment.
  • Meets Expectation (7-8 Points): Includes most of the required components, as specified in the assignment.
  • Below Expectation (5-6 Points): Includes some of the required components, as specified in the assignment.
  • Limited Evidence (3-4 Points): Includes few of the required components, as specified in the assignment.

Content
  • Exceeds Expectation (17-20 Points): Demonstrates substantial and extensive knowledge of the materials, with no errors or major omissions.
  • Meets Expectation (13-16 Points): Demonstrates adequate knowledge of the materials; may include some minor errors or omissions.
  • Below Expectation (9-12 Points): Demonstrates fair knowledge of the materials and/or includes some major errors or omissions.
  • Limited Evidence (5-8 Points): Fails to demonstrate knowledge of the materials and/or includes many major errors or omissions.

Analysis
  • Exceeds Expectation (21-25 Points): Provides strong thought, insight, and analysis of concepts and applications.
  • Meets Expectation (16-20 Points): Provides adequate thought, insight, and analysis of concepts and applications.
  • Below Expectation (11-15 Points): Provides poor thought, insight, and analysis of concepts and applications.
  • Limited Evidence (6-10 Points): Provides little or no thought, insight, and analysis of concepts and applications.

Sources
  • Exceeds Expectation (5 Points): Sources go above and beyond required criteria, and are well chosen to provide effective substance and perspectives on the issue under examination.
  • Meets Expectation (4 Points): Sources meet required criteria and are adequately chosen to provide substance and perspectives on the issue under examination.
  • Below Expectation (3 Points): Sources meet required criteria, but are poorly chosen to provide substance and perspectives on the issue under examination.
  • Limited Evidence (1-2 Points): Source selection and integration of knowledge from the course is clearly deficient.

Mechanics and Writing

Demonstrates college-level proficiency in organization, grammar and style.
  • Exceeds Expectation (5 Points): Project is clearly organized, well written, and in proper format as outlined in the assignment. Strong sentence and paragraph structure; contains no errors in grammar, spelling, APA style, or APA citations and references.
  • Meets Expectation (4 Points): Project is fairly well organized and written, and is in proper format as outlined in the assignment. Reasonably good sentence and paragraph structure; may include a few minor errors in grammar, spelling, APA style, or APA citations and references.
  • Below Expectation (3 Points): Project is poorly organized and written, and may not follow proper format as outlined in the assignment. Inconsistent to inadequate sentence and paragraph development, and/or includes numerous or major errors in grammar, spelling, APA style, or APA citations and references.
  • Limited Evidence (1-2 Points): Project is not organized or well written, and is not in proper format as outlined in the assignment. Poor quality work; unacceptable in terms of grammar, spelling, APA style, and APA citations and references.

Total points possible = 65

CHAPTER 10: Macintosh Forensics

MACINTOSH COMPUTERS MAY NOT BE AS UBIQUITOUS AS MICROSOFT-BASED PCS, but they represent a significant portion of personal computers. For this reason, it is important that you have at least a basic understanding of the Macintosh operating system and how to conduct forensics on it. In this chapter, you will learn some history of the Macintosh operating system as well as some operating system basics.
You will also learn some basic forensic techniques to use on a Macintosh.

Chapter 10 Topics

This chapter covers the following topics and concepts:

  • What the basic knowledge you need to know about Macintosh is
  • Where to find the logs in Macintosh
  • What forensically interesting directories are
  • What some forensic techniques for Macintosh are
  • How to undelete files in Macintosh

Chapter 10 Goals

When you complete this chapter, you will be able to:

  • Understand the basics of Macintosh and its history
  • Know where to find logs in a Macintosh system
  • Examine the virtual memory of a Macintosh
  • Undelete Macintosh files

Mac Basics

It is important that you have a working understanding of the Macintosh operating system before attempting forensics. As with Linux, however, it is common for forensic examiners not to have a good working knowledge of Macintosh systems. The reason for this is simple: Most people have more exposure to Windows than to Macintosh. In fact, it is not uncommon to have a forensic examiner who has never even used a Macintosh. So this section first shows you the history of the Macintosh and then discusses the operating system fundamentals. This will establish a baseline of knowledge to help you understand Apple systems.

Mac History

Apple began with Steve Wozniak and Steve Jobs collaborating while working from their homes. In 1975, they finished the prototype of the first Apple computer. Steve Wozniak worked for Hewlett-Packard, and his employment contract required him to give his employer first right of refusal on any new inventions he came up with. However, Hewlett-Packard was not interested and released the technology to Steve Wozniak. This led to the formation of Apple Computer in April 1976. The company’s three founders were Steve Jobs, Steve Wozniak, and Ronald Wayne.

The first computer was the Apple I, created by Wozniak. That computer had an 8-bit microprocessor running at just below 1 MHz.
The Apple I had a built-in video terminal, sockets for 8 kilobytes of onboard random access memory (RAM), a keyboard, and a cassette board meant to work with regular cassette recorders.

Apple II

It wasn’t long before the team came up with the Apple II. This computer was based on the same microprocessor, but came in a plastic case with the keyboard built in. It was also the first personal computer with color graphics. This was followed by a series of enhancements to the Apple II: Apple II+, IIe, IIc, IIc+, IIe Enhanced, and IIe Platinum. In 1986, the Apple IIGS was released; this computer was 16-bit rather than 8-bit.

There were multiple operating systems for the Apple II, including the following:

  • Apple DOS (Disk Operating System)—The first edition was released as Apple DOS 3.1 in 1978. It had no relationship to Microsoft DOS.
  • Apple Pascal—This was based on the p-system, an operating system developed at UC San Diego. It was basically a virtual machine running p-code, and Pascal was the most popular language for it. Apple Pascal was a similar design released in 1979.
  • Apple SOS—This operating system was developed for the Apple III. The acronym stands for Sophisticated Operating System. Every program that used SOS loaded the operating system into memory as well. An SOS application disk consisted of a kernel (SOS.kernel); an interpreter (SOS.Interp), which was often the application itself; and a set of drivers (SOS.Driver).
  • ProDOS—This was meant as a replacement for Apple DOS 3.3 and was based on SOS. It had more support for programming, including assembly and BASIC. Eventually, this led to a 16-bit version called ProDOS 16.
  • Lisa OS—This operating system had a full graphical user interface with a file browser that was navigated with mouse clicks. It also came with some basic office programs.

Beyond the Apple II

After the Apple II, the company changed the name to Macintosh and took a new direction with its computers.
The main points in that evolution are as follows:

  • The Macintosh—Although today many people may think of Apple and Macintosh as synonymous, the Macintosh was actually released by Apple in January 1984. It had an 8-MHz Motorola processor, a black-and-white monitor, and a 3.5-inch floppy drive. The operating system for Macintosh was System 1. This eventually led to the Macintosh II running System 7.
  • System 7—This system allowed text dragging between applications, viewing and switching applications from a menu, a control panel, and cooperative multitasking.
  • Mac OS for PowerPC—This Mac introduced the System 7.1.2 operating system.
  • AIX for PowerPC—In 1996, Apple had a product called Apple Network Server that used a variation of the IBM AIX system. It also used the Common Desktop Environment, a graphical user interface that is popular in the UNIX world. This product did not do well in the market and was discontinued in 1997.

Mac OS X

The next major change was the introduction of Mac OS X, which is still used in Macintosh computers today. The public beta version of the product was named Kodiak. The real change with OS X was that the operating system was based on FreeBSD, a UNIX clone. When using Mac OS X, you can navigate to a shell and run UNIX/Linux shell commands. The initial release of OS X was followed by periodic improvements, each with an animal name:

  • Mac OS X v10.0, named Cheetah, was released in March 2001.
  • Mac OS X v10.1 was released the same year and was named Puma.
  • The next release was Mac OS X v10.2 in 2002, called Jaguar. This release included improved graphics and iChat messaging.
  • In 2003, Apple released Mac OS X v10.3, named Panther.
  • Mac OS X v10.4, named Tiger, was released in 2005. This release had built-in support for FireWire, and it had a new dashboard and updated mail program.
  • Mac OS X v10.5, called Leopard, was released in 2007. It had over 300 new features, support for Intel x86 chips, and support for the new G3 processor.
  • In 2009, Apple released Mac OS X v10.6, Snow Leopard. Most of the changes in this release were performance enhancements, rather than new features. For example, Snow Leopard had support for multicore processors.
  • Mac OS X v10.7 was released in 2011 and code-named Lion. The major interface change with this release was to make it more like the iOS interfaces used on the iPhone and iPad.
  • Mac OS X v10.8, named Mountain Lion, was released in 2012. This release had built-in support for iCloud, to support cloud computing.
  • Mac OS X v10.10, code-named Yosemite, was released in October 2014. The most important part of this release, from a forensics standpoint, is that it allowed users who had iPhones with iOS 8.1 or later to pass certain tasks to their Macintosh computer. For example, they could complete unfinished iPhone emails on the Macintosh computer. This was called the Handoff.
  • Mac OS X v10.12, named Sierra, is the most recent version (as of March 2017). It is meant to be more in synch with the style of other Apple systems, such as iOS and WatchOS.

The Mac OS X desktop is shown in FIGURE 10-1. When performing forensics on an Apple system, you are most likely to encounter OS X, because it is the most widely used Apple operating system today. In fact, it is the only operating system still supported by Apple.

Mac File Systems

In this section, you will learn details about the Hierarchical File System and other file systems used by Macintosh operating systems.

Macintosh File System

Macintosh File System (MFS) is an older Apple technology that has not been used in over 15 years. You are unlikely to encounter it. It has long since been replaced, first with HFS, and then with HFS+. It shipped with the first Macintosh in 1984.

Hierarchical File System

The Hierarchical File System (HFS) was used on the Macintosh Plus. Apple introduced this file system in 1985, specifically to support its new Apple hard drive. It replaced the earlier Macintosh File System (MFS).
FIGURE 10-1 Mac OS X. Screenshot reprinted with permission from Apple Inc.

HFS used concepts from the earlier SOS operating system that had been designed for the Apple III. HFS was able to support file names as long as 255 characters, which was not available in FAT (used by DOS).

Hierarchical File System Plus

This is an enhancement of the HFS file system, first used with Mac OS 8.1. Because HFS was the standard for Macintosh, it became known as HFS Standard, while HFS+ became known as HFS Extended. HFS+ is the preferred file system on Mac OS X. Most important, it supports journaling. Journaling is basically the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered. Journaling file systems are fault tolerant because the file system logs all changes to files, directories, or file structures. The log in which changes are recorded is referred to as the file system’s journal—thus, the term journaling file systems.

HFS+ also supports disk quotas. That allows the administrator to limit the amount of disk space a given user can use, keeping that user from taking up all the space. HFS+ has two types of links. The first type is the hard link, which is an inode that links directly to a specific file. A soft link, or symbolic link, is essentially a shortcut.

HFS+ is architecturally similar to HFS, which is not surprising because it is an enhancement to HFS; however, there are some key differences. One such difference is that HFS+ uses 32 bits for allocation blocks, rather than 16 bits. HFS+ also supports long filenames, up to 255 characters. Furthermore, HFS+ uses Unicode, which is the international standard for information encoding (for file naming), rather than ASCII (American Standard Code for Information Interchange), which is a set of codes defining all the various keystrokes you could make, including letters, numbers, characters, and even the spacebar and Return keys.
For forensic examinations, one of the more important differences in HFS+ to keep in mind is aliases. Aliases are like symbolic links; they allow you to have multiple references to a single file or directory.

HFS+ also has a very interesting optimization scheme. It essentially does defragmentation on a per-file basis. The following conditions are checked, and if met, the file is defragmented when it is opened:

  • The file is less than 20 megabytes in size.
  • The file is not already in use.
  • The file is not read-only.
  • The file is fragmented.
  • The system uptime is at least three minutes.

This means an HFS+ volume is routinely defragmenting itself. This is a significant advantage over some other file systems, such as NTFS and FAT.

With an HFS+ volume, the first two sectors (sectors 0 and 1) are the boot blocks and are identical to the boot blocks used in HFS. The third sector (Sector 2) has the volume header. It has a great deal of pertinent forensic information, such as the size of allocation blocks and a timestamp that describes when the volume was created.

The allocation file is important for forensics. It keeps track of which allocation blocks are free and which are not. A 0 indicates the block is free, whereas a 1 indicates the block is in use.

The catalog file contains the records for all the files/directories on that volume. It uses a B-tree structure to hold the data. Each record in the catalog file is 8 kilobytes in size.

Of particular interest is the command prompt. The command prompt in Macintosh OS X is a Bash shell so you can execute Linux commands. This means you can use commands such as lsof, pstree, and others.

Because HFS+ is the preferred file system for Mac OS X, it is one you will likely encounter when doing forensic examinations of Apple computers.

ISO9660

ISO9660 is the file system used by compact discs (CDs). ISO9660 is not Macintosh specific, but Apple does have its own set of ISO9660 extensions.
Although a CD may be readable on either a PC—Windows or Linux—or a Macintosh, the files on that CD may require a specific operating system in order to be read.

Microsoft Disk Operating System

Mac OS X includes support for Microsoft Disk Operating System (MS-DOS) file systems FAT12, FAT16, and FAT32. This allows a Macintosh machine to read floppy disks (FAT12), as well as files created with DOS/Windows 3.1.

New Technology File System

Mac OS X includes read-only support for the New Technology File System (NTFS). This means if you have a portable drive that is NTFS, Mac OS X can read that partition. But like ISO9660, the files on that drive may be operating-system specific.

Universal Disk Format

Universal Disk Format (UDF) is the file system used by DVD-ROM discs (both video and audio). Like ISO9660, this only guarantees that Mac OS X can read the partition or drive; it does not guarantee that Mac OS X can read the files.

UNIX File System

UNIX File System (UFS) is the file system used by FreeBSD and many other UNIX variants. Being based on FreeBSD, Mac OS X can read UFS volumes.

Partition Types

Partition types are referred to in Apple documents as partition schemes. The partition type determines how the partition is organized on the drive. Apple directly supports three different partition schemes: the GUID Partition Table, the Apple Partition Map, and the master boot record. All three partition types are described in this section.

GUID Partition Table

The GUID Partition Table (GUID stands for “globally unique identifier”) is used primarily with computers that have an Intel-based processor. It requires OS X v10.4 or later. Intel-based Macintosh machines can boot only from drives that use the GUID Partition Table.

Apple Partition Map

The Apple Partition Map is used with any PowerPC-based Mac. Intel-based Macs can mount and use a drive formatted with the Apple Partition Map, but they cannot boot from the device.
PowerPC-based Macs can both mount and use a drive formatted with the Apple Partition Map, and they can also use it as a start-up device.

Master Boot Record

The master boot record (MBR), contained in the boot sector, is used when DOS- or Windows-based computers start up. The MBR contains important information such as a partition table, bootstrap code, and other information.

Macintosh Logs

One of the first steps in any forensic examination should be to check the logs. Remember that logs are very important when examining a Windows or a Linux computer. They are just as important when examining a Macintosh computer. This section examines the Macintosh logs and what is contained in them.

The /var/log Log

The name of this log should suggest that it is a general repository for a lot of information. The naming structure should also seem familiar. Remember that Mac OS X is based on FreeBSD, so seeing file structures similar to Linux should be no surprise. This directory has many logs in it. The /var/log/daily.out contains data on all mounted volumes, including the dates they were mounted. This is very important in cases involving stolen data. You can see what devices have been attached and get data from them. This folder includes data on removable media, including serial numbers.

The /var/spool/cups Folder

In this folder, you will find information about printed documents. If you need to know what documents have been printed from this Macintosh, this folder can give you that information. This includes the name of the document printed and the user who printed it.

The /Library/Receipts Folder

This folder contains information about system and software updates. It is less useful for a forensic investigation than some of the other folders; however, it can be useful to know if a given patch was applied and when it was applied. This might be of some interest in investigating malware crimes.

The /Users//.bash_history Log

As you know, Mac OS X is based on FreeBSD, a UNIX variant.
When you launch the terminal window, what you actually get is a Bash shell. So, this particular log can be very interesting. It will show you a variety of commands. You might look for commands such as rm, which would be removing or deleting something, or dd, indicating the user might have tried to make an image of the drive.

The /var/vm Folder

In this folder, you will find a subfolder named app profile. This will contain lists of recently opened applications, as well as temporary data used by applications. Both of these can be very interesting in a forensic examination.

The /Users/ Directory

This is where various users’ files are stored. It is always a good idea to check in this directory to find out if users have saved data here that could be used as evidence.

The /Users//Library/Preferences/ Folder

As you probably suspect, this folder contains user preferences. This might not seem that interesting for a forensic investigation, except for one small issue: This folder even maintains the preferences of programs that have been deleted. This could be a very valuable place to get clues about programs that have been deleted from the system.

Directories

As with Windows and Linux, Macintosh has a number of directories. Some are more important than others. You must know the ones in the following sections in order to do an effective forensic examination of a Macintosh machine.

The /Volumes Directory

This directory contains information about mounted devices. You will find data here regarding hard disks, external disks, CDs, DVDs, and even virtual machines. This is a very important directory in your forensic examination.

The /Users Directory

This directory contains all the user accounts and associated files. This is clearly critical to your investigation of a Macintosh machine.

The /Applications Directory

This directory is where all applications are stored. Particularly in cases of malware, this is a critical directory to check.
The /Network Directory

This directory contains information about servers, network libraries, and network properties.

The /etc Directory

Just as in Linux, this is where configuration files are located. Obviously, configuration files can be quite interesting in a forensic investigation. It is often true that cybercriminals like to adjust the system’s configuration. Sometimes this is done in order to facilitate the criminal’s return to the system later.

The /Library/Preferences/SystemConfiguration/dom.apple.preferences.plist File

This file contains the network configuration data for each network card. This is important information to document before beginning your search for evidence.

Macintosh Forensic Techniques

This section covers some general forensic techniques to use on Macintosh systems. In the preceding sections, you learned about the Macintosh operating system, and you learned where to look for important logs, which is a valuable step in any forensic investigation. Now, you will learn a variety of forensic techniques.

Target Disk Mode

One of the most fundamental steps in forensics is to create a bit-level copy of the suspect drive. If the suspect drive is a Macintosh, all the techniques you know from Linux or Windows can still be used. You can utilize the dd command along with netcat to make a forensic copy. You can also use the imaging tools within EnCase or Forensic Toolkit.

However, Macintosh provides another way to make a forensically sound copy of a drive. You begin by placing the suspect computer into Target Disk Mode. When you put the computer in that mode, it cannot be written to, so there is no chance of altering the source disk. Then simply connect to the suspect computer with universal serial bus (USB) or FireWire and image the disk.

Also, Target Disk Mode allows you to preview the computer on-site. This allows investigators to do a quick inspection before disconnecting and transporting the computer to a forensic lab.
This is important because, just like with Windows or Linux, you will want to check running systems’ processes before shutting the machine down. You simply have to reboot the machine in Target Disk Mode, as shown in FIGURE 10-2.

NOTE: Because Mac OS X is based on FreeBSD, Linux commands can be used here. So before shutting the suspect Macintosh down, you will want to run netstat to see any connections the system has. You may also want to run ps, pstree, and top to check running processes.

Searching Virtual Memory

Checking virtual memory is just as important with a Macintosh as it is with a Windows or Linux computer. With Macintosh OS X, the swap file/virtual memory is located in the folder /var/vm/. You can check it with simple Linux commands like ls (for listing files). A good option is ls -al, which gives you a listing of all the files in virtual memory, as well as of who launched the program and when. The best news is that you can use the grep search tool to search in the virtual memory folder.

FIGURE 10-2 Target Disk Mode. Screenshot reprinted with permission from Apple Inc.

Shell Commands

Because Mac OS X is based on FreeBSD, you can use shell commands to extract information. A number of commands can be quite useful in your forensic examination. Some additional commands are available that are specific to Macintosh.

The date Command

The date command returns the current date and time zone. It is good for documenting when exactly you begin your forensic examination. If you need the date in Coordinated Universal Time (UTC), then use the date -u version of the command.

The ls /dev/disk? Command

This command lists the current device files that are in use. You should document this information before shutting the system down for transport to the forensic lab.

The /hdiutil partition /dev/disk0 Command

This command lists the partition table for the boot drive. Clearly, it is important to know the partitions the machine recognizes upon boot-up.
The system_profiler SPHardwareDataType Command

This command returns the hardware information for the host system. This provides information useful for the basic documentation of the system prior to beginning your forensic examination. There are related commands, such as system_profiler SPSerialATADataType. This command gives information on all the attached Serial Advanced Technology Attachment (SATA) devices.

The system_profiler SPSoftwareDataType Command

Related to system_profiler SPHardwareDataType, this command returns information about the operating system. This is also important for documenting the system prior to starting the forensic examination.

NOTE: There is an interesting trick you can do to circumvent passwords in Macintosh. If you change the amount of physical memory, the firmware password is automatically reset. So simply add or remove RAM, and then reboot.

How to Examine a Mac

Many forensics tools do a wonderful job of extracting data from Windows machines, but are less effective in Macintosh. OSForensics version 4.0 will include Mac OS X artifacts in its recent history, but to examine the directories mentioned in this chapter, or to execute the Bash commands, you may need more than tools can provide.

One technique is to create a copy of the forensic image and then mount it as a read-only virtual machine (VM). It is critical that you mount it read only. You can find instructions on the Internet for converting a forensic image to a virtual machine (such as a VMWare or Oracle VirtualBox). However, the forensic tool Forensic Explorer (http://www.forensicexplorer.com) will mount forensic images as read-only virtual machines, using the VM of your choice. OSForensics version 4 (http://www.osforensics.com) will also allow you to create a virtual machine from a forensic image.

Can You Undelete in Mac?
Recall that in Windows systems, deleting actually just removes a file from the master file table (MFT) or file allocation table (FAT) and marks those clusters as available. The file’s data is still there and can be recovered. What happens when a file is deleted on an HFS or HFS+ volume? Although the details are a bit different, a similar thing occurs. The references to the file are gone and the clusters might be used and overwritten. But, depending on how soon after the deletion you attempt to recover data, you may be able to recover some or all of the data. Even if the data is overwritten, data may still exist in unallocated space and in index nodes.

When a file is deleted in Macintosh, it is moved to the trash folder—much like the Recycle Bin in Windows. The trash is represented on the file system as a hidden folder, .Trash, on the root directory of the file system. You can list the contents with a shell command, as shown here:

    $/.Trash ls -al
    total 764
    drwx------ 7 pc pc 306 Oct 30 15:05 .
    drwxr-xr-x 30 pc pc 1054 Oct 30 12:44 ..
    -rw------- 1 pc pc 6148 Oct 30 14:38 .DS_Store
    -rw-r--r-- 1 pc pc 187500 Oct 27 15:41 Resume.pdf
    -rw-r--r-- 1 pc pc 108382 Oct 27 15:43 VacationPIC.jpg
    -rw-r--r-- 1 pc pc 108382 Oct 27 15:43 Report.pdf

Now files in the trash directory can be recovered just by copying or moving them to any other location. Note that the trash (.Trash folder) contains four files, each of which can be recovered by simply copying or moving it to an alternate location.

There are tools that will recover files, even after the trash bin has been emptied. A few are given here:

  • Mac Undelete at http://www.macundelete.com
  • Free Undelete Mac at http://www.freeundeletemac.com
  • MacKeeper at http://mackeeper.zeobit.com

Any of these tools can aid you in recovering deleted Macintosh files.

CHAPTER SUMMARY

In this chapter, you learned the fundamentals of the Macintosh operating system.
It is important to have a working understanding of any operating system before attempting forensics on that system. You also learned where to look for log files and what is contained in those logs. The shell commands that you learned in this chapter are critical. It is important that you remember those and be able to use them on Macintosh computers you examine. It is also important that you understand imaging a suspect Macintosh computer and recovering deleted files.

KEY CONCEPTS AND TERMS

  • American Standard Code for Information Interchange (ASCII)
  • ISO9660
  • Unicode
  • Universal Disk Format (UDF)
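
The chapter's points about the HFS+ volume header (allocation block size, volume creation timestamp) and the allocation file (0 = free, 1 = in use) can be checked directly against a raw image. The following is an added example, not code from the textbook or the assignment: it assumes the field layout in Apple's published HFS Plus volume format (header at byte 1024, big-endian fields, dates counted in seconds from 1904), the function names are hypothetical, and the 8 KB image it runs on is constructed inline.

```python
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)  # HFS+ timestamps count seconds from this date
HEADER_OFFSET = 1024              # sector 2 when sectors are 512 bytes
ALLOC_FORK_OFFSET = 112           # allocation-file fork data inside the header
JOURNALED = 1 << 13               # journaled bit in the attributes field


def parse_volume_header(image):
    """Decode the first 52 bytes of the volume header (all fields big-endian)."""
    raw = image[HEADER_OFFSET:HEADER_OFFSET + 52]
    if len(raw) < 52:
        raise ValueError("image too short to contain a volume header")
    (sig, version, attrs, _mounted_by, _journal_block, created, modified,
     _backup, _checked, files, folders, block_size, total, free) = \
        struct.unpack(">2sH12I", raw)
    if sig not in (b"H+", b"HX"):
        raise ValueError("no HFS+ signature at offset 1024: %r" % sig)
    return {
        "version": version,
        "journaled": bool(attrs & JOURNALED),
        # The creation date is stored in local time, the others in GMT.
        "created_local": HFS_EPOCH + timedelta(seconds=created),
        "modified_utc": HFS_EPOCH + timedelta(seconds=modified),
        "file_count": files,
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total,
        "free_blocks": free,
    }


def read_allocation_bitmap(image, header):
    """Return the allocation file's bytes, following its first extent only
    (a fragmented allocation file would need the remaining extents too)."""
    logical_size, _clump, _blocks, start, count = struct.unpack_from(
        ">QIIII", image, HEADER_OFFSET + ALLOC_FORK_OFFSET)
    offset = start * header["block_size"]
    length = min(logical_size, count * header["block_size"])
    return image[offset:offset + length]


def free_runs(bitmap, total_blocks):
    """List (first_block, length) for each run of free blocks.
    The most significant bit of byte 0 describes allocation block 0."""
    if len(bitmap) * 8 < total_blocks:
        raise ValueError("bitmap does not cover every allocation block")
    runs, start = [], None
    for block in range(total_blocks):
        in_use = (bitmap[block // 8] >> (7 - block % 8)) & 1
        if not in_use and start is None:
            start = block
        elif in_use and start is not None:
            runs.append((start, block - start))
            start = None
    if start is not None:
        runs.append((start, total_blocks - start))
    return runs


def unallocated_ranges(image):
    """Byte ranges (offset, length) of unallocated space, where content of
    deleted files may survive until the blocks are reused."""
    header = parse_volume_header(image)
    bitmap = read_allocation_bitmap(image, header)
    size = header["block_size"]
    return [(first * size, length * size)
            for first, length in free_runs(bitmap, header["total_blocks"])]


def build_sample_image():
    """Constructed 16-block image: header at byte 1024, bitmap in block 4."""
    block_size, total_blocks = 512, 16
    image = bytearray(block_size * total_blocks)
    created = int((datetime(2016, 10, 27, 15, 41) - HFS_EPOCH).total_seconds())
    header = struct.pack(">2sH12I", b"H+", 4, JOURNALED, 0, 0, created,
                         created, 0, 0, 3, 1, block_size, total_blocks, 7)
    image[HEADER_OFFSET:HEADER_OFFSET + len(header)] = header
    # Fork data: logical size, clump size, total blocks, first extent (4, 1).
    struct.pack_into(">QIIII", image, HEADER_OFFSET + ALLOC_FORK_OFFSET,
                     block_size, block_size, 1, 4, 1)
    # Blocks 0-4, 8-9 and 14-15 in use; blocks 5-7 and 10-13 free.
    image[4 * block_size:4 * block_size + 2] = bytes([0xF8, 0xC3])
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image()
    info = parse_volume_header(sample)
    print("created (local):", info["created_local"], "journaled:", info["journaled"])
    print("block size:", info["block_size"], "free blocks:", info["free_blocks"])
    for offset, length in unallocated_ranges(sample):
        print("unallocated: offset %d, %d bytes" % (offset, length))
```

Comparing the number of free bits in the bitmap with the header's free-block count is a quick consistency check before any carving is attempted on the unallocated ranges.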

Explanation & Answer

COMPLETE. go through the work and let me know if everything is okay

Running head: MACINTOSH FORENSICS

Macintosh Forensics
Name
Course
Instructor
Date

The field of science and technology has greatly improved with new inventions and
innovations taking place almost on a daily basis. Technology is enormously applied in various
sectors as it makes work easier and also provides high efficiency. Digital migration has been
witnessed in various sectors where new technologies are used to do almost everything. Despite
the fact that technology has been embraced so much because of the benefits that it offers, there
are a number of challenges that face people who use computers and computer systems (Casey &
Altheide, 2010). It has been a big challenge to detect evidence in a computer especially those that
have been deleted. For this reason, computer f...

