Well, we finally got Episode 1 uploaded! We had some minor problems with sound quality, hopefully we will get those cleared up for the next episode.

You can send any comments or questions to:
Click here to send The MacDudes an e-mail


Episode 1 Show Notes (Download at: Show Notes)

Single User Mode:

GOLDEN RULE: Use OPTION key to boot first and confirm no Firmware Password

-If Firmware Password in use, power off.
(Firmware Password Options will be covered in a later podcast)

-Single User Mode can be used to find Date/Time of the system without making
changes

-After OPTION key boot and confirmation of no firmware password

-REBOOT holding OPTION + ʻSʼ Key to boot into Single User Mode

-Will be similar to a Verbose boot

-After boot stops, type “Date” at cursor and date and time will be displayed.

-To find the make & model of the installed hard drive, look for the line that starts with "Got Boot Device"

-Can also run System Profiler to access information about the system

Training:

Forward Discovery:
-Non-Tool Specific Mac Forensics Survival Course
-Teaches how to do Mac Forensics using Mac
-Basic and Advanced Courses being offered Internationally

BlackBag Technologies:
-Offers both training for non-tool and Blackbag Tool Training
-Suite of Proprietary tools for using a Mac to do Mac Forensics
-Beginner, Intermediate, and Advanced Courses

SubRosaSoft:
-Also offers tool specific training
-MacForensicsLab:Proprietary software

Purdue University: (Law Enforcement Only):
-3 day class
-Traveling Class and at the University
-Beginning and Advanced Course

Apple:
-Several certifications:
-Apple Certified Support Professional (ACSP)
-Apple Certified Technical Coordinator (ACTC)
-Apple Certified System Administrator (ACSA)
-Range of Apple Software Pro Certifications as well


Plist of the Week(PLOW):

This weekʼs PLOW is: com.apple.ipod.plist

1.It is located in both Global and User: Library --> Preferences

2.Contains information about all IPod/IPhone devices connected to system.

3.Includes (not comprehensive):
  a.UUID: Unique ID for the Device
  b.Connected: Last Connected Date/Time
  c. Device Class: IPod/IPhone
  d.Firmware Version
  e.Serial Number
  f. IMEI (IPhone)
  g.Use Count

TechSmith is offering Snagit for free until June 5, 2009. It is normally $49.95. This is a Windows based program that allows you to create screen captures. It is easy to use and a great program.

http://tiny.cc/Free_SnagIt

Thanks to Beth for the info!

If you have any tips you would like to share, let us know at:

coreforensics@gmail.com

The Macdudes

We are currently working on Episode 1 and hope to have it uploaded within the week. Check back here or at the iTunes Store.

In Episode 1 we will be covering:

Single User Mode

How to get the date and time on a Mac

Macintosh Forensic Training

We will also have our regular feature, The Plist of the Week.

If you have any comments, questions or a topic you would like covered, you can email us at, coreforensics@gmail.com

Thanks
The MacDudes

Welcome to Inside the Core, the Macintosh & Apple Device Forensics podcast.

Today is a short introduction into what Inside the Core is all about. We will cover Mac specific resources and the Plist of the Week.

Resources

The Mac OS X Forensics website
www.macosxforensics.com

The Mac OS Forensics Yahoo Group
tech.groups.yahoo/group/macos_forensics

Tips & Tricks at the MacForensicLabs website
www.macforensicslab.com

Plist of the Week

com.apple.preferences.account.plist

This plist is located in the Local Library (/Library/Preferences) and holds information pertaining to deleted user accounts. These user accounts can be totally deleted from the system or archived by the administrator.

To see if the user accounts were archived, look in the Users folder for the Deleted Users subfolder (/Users/Deleted Users/). User accounts that have been archived will be in a disk image (DMG) format or if it was FileVaulted, a sparsebundle image.