There was a problem with the sound quality of the Episode 7 interview. Yes, sound quality issues, imagine that. I corrected the problem and uploaded a new version yesterday afternoon. Still trying to get it right. Sorry for the inconvenience it is causing while listening. Be safe, Dave

This episode, the MacDudes have an interview with Lee Whitfield of the Forensic 4cast Podcast, talk about features in Snow Leopard that are of interest to examiners, and the Plist of the Week.

Also discussed;

Problems with Time Capsule
Linkedin Groups
Bodega application
Twitter's Computer Forensic Information
Snow Leopard's Problems with Guest Accounts
MobileSyncBrowser


Look for show notes soon.

In this Episode, Ryan interviews Al Lewis of SubRosaSoft, Chris talks with Social Media & Communications expert, Christ M. Miller about her website, Cops2Point0.com.

The MacDudes also discuss:

HFS+ read support in BootCamp 3.0
Mac OS's native screenshot capabilities
Plist of the Week: com.apple.sidebarlists.plist

We're still struggling with some sound quality issues,  hopefully we will have this worked out with the next round of interviews.

Show notes will be posted shortly.

In this episode, the MacDudes talk about iPhone backup files and tools to parse them, imaging iPods, how to extract a dictionary file from swap files over 2GB in size and the Plist of the Week.

This episode covers why we point everyone to the user's Home folder first. Ryan talks about Diskarbitration for Leopard and Tiger. Chris showcases the Plists of the Week, Safari bookmarks, history, downloads, TopSites & Last Session.

Websites of the Week:  MacTracker & EveryMac

Podcasts to listen to: CyberSpeak & Forensic 4Cast

Show notes are available for download. They are more detailed than the synopsis below:

Click here to Download

Show notes synopsis:

Home Folder:
-Most of the evidence is located in the Userʼs Home Folder
-Majority of the Preference PLists with user-specific settings are in 
 User/Library/ Preferences

 -User Logs:
  -Indicative of the userʼs activity
  -Not system activity, but user specific logs

-Preferences:
 -PLists files or proprietary format files for the User
 -Contains configurations and settings for the User
 -I.E. Online activity, buddy lists, email, logins, etc.

-Application Support:
 -Mozilla Cache, iPhone backup files from MobileSync folder  -Application PLists with information

LEOPARD:
-Disk Arbitration looks at devices and mounts the device and makes icon 
  to access this device available to the user
-On Boot, Disk Arbitration recognizes the internal hard drive. Recognizes
  file system. Mounts partitions on desktop.
 -In order to prevent writes, we must prevent the mount.

 -To turn off Disk Arbitration, enter Terminal and type:

sudo launchctl unload System/Library/LaunchDaemon/com.apple.diskarbitrationd.plist

-Now when you connect a disk, the disk will not mount

-To turn back on, enter Terminal and type:
sudo launchctl load System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

or Reboot system and diskarbitration will become active again

TIGER:
-Not controlled by LaunchCtl process
-Need to move the PList from one location to another

-Method:
1. Make copy of the diskarbitrationd.plist
2.Once the copy is made, use the remove command in Terminal to delete  
   the com.apple.diskarbitrationd.plist from the /etc/mach_init.d folder
3.Reboot system
4.Only OS Boot partition will mount.

To UNDO, Copy the diskarbitrationd.plist back to the /etc/mach_init.d  
   folder and reboot the system.

PList(s) of the Week(PLOW):

User/Library/Safari:

Bookmarks.plist:
 -User created/maintained bookmarks

Downloads.plist
 -Any downloads specific to Safari
 -Download history

History.plist:
 -History from Safari if not cleared

TopSites.plist
 -Came with Safari 4
 -When a New Tab is opened, it opens thumbnails of  most visited sites
 -Instead of typing URL,  just click on thumbnail and it opens the site.

LastSession.plist:
 -Indicates what was open on last Safari session
 -If multiple windows opened, it will indicate each as a different Item