Skip to main content
Journal ArticleOPEN ACCESS

Mac OS X forensics

IFIP International Federation for Information Processing (2006) 222 159-170
DOI: 10.1007/0-387-36891-4_13
1Citations
Citations of this article
27Readers
Mendeley users who have this article in their library.

This article is free to access.

Abstract

This paper describes procedures for conducting forensic examinations of Apple Macs running Mac OS X. The target disk mode is used to create a forensic duplicate of a Mac hard drive and preview it. Procedures are discussed for recovering evidence from allocated space, unallocated space, slack space and virtual memory. Furthermore, procedures are described for recovering trace evidence from Mac OS X default email, web browser and instant messaging applications, as well as evidence pertaining to commands executed from a terminal.

Author supplied keywords

Cite

CITATION STYLE

APA

Craiger, P., & Burke, P. (2006). Mac OS X forensics. IFIP International Federation for Information Processing, 222, 159–170. https://doi.org/10.1007/0-387-36891-4_13

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free