This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.
CITATION STYLE
Craiger, P., & Burke, P. (2006). Mac OS X forensics. IFIP International Federation for Information Processing, 222, 159–170. https://doi.org/10.1007/0-387-36891-4_13
Mendeley helps you to discover research relevant for your work.