Sat, 30 May 2009
Well, we finally got Episode 1 uploaded! We had some minor problems with sound quality, hopefully we will get those cleared up for the next episode.
You can send any comments or questions to: Click here to send The MacDudes an e-mail Episode 1 Show Notes (Download at: Show Notes) Single User Mode: GOLDEN RULE: Use OPTION key to boot first and confirm no Firmware Password -If Firmware Password in use, power off. (Firmware Password Options will be covered in a later podcast) -Single User Mode can be used to find Date/Time of the system without making changes -After OPTION key boot and confirmation of no firmware password -REBOOT holding OPTION + ʻSʼ Key to boot into Single User Mode -Will be similar to a Verbose boot -After boot stops, type “Date” at cursor and date and time will be displayed. -To find the make & model of the installed hard drive, look for the line that starts with "Got Boot Device" -Can also run System Profiler to access information about the system Training: Forward Discovery: -Non-Tool Specific Mac Forensics Survival Course -Teaches how to do Mac Forensics using Mac -Basic and Advanced Courses being offered Internationally BlackBag Technologies: -Offers both training for non-tool and Blackbag Tool Training -Suite of Proprietary tools for using a Mac to do Mac Forensics -Beginner, Intermediate, and Advanced Courses SubRosaSoft: -Also offers tool specific training -MacForensicsLab:Proprietary software Purdue University: (Law Enforcement Only): -3 day class -Traveling Class and at the University -Beginning and Advanced Course Apple: -Several certifications: -Apple Certified Support Professional (ACSP) -Apple Certified Technical Coordinator (ACTC) -Apple Certified System Administrator (ACSA) -Range of Apple Software Pro Certifications as well Plist of the Week(PLOW): This weekʼs PLOW is: com.apple.ipod.plist 1.It is located in both Global and User: Library --> Preferences 2.Contains information about all IPod/IPhone devices connected to system. 3.Includes (not comprehensive): a.UUID: Unique ID for the Device b.Connected: Last Connected Date/Time c. Device Class: IPod/IPhone d.Firmware Version e.Serial Number f. IMEI (IPhone) g.Use Count |
Fri, 29 May 2009
TechSmith is offering Snagit for free until June 5, 2009. It is normally $49.95. This is a Windows based program that allows you to create screen captures. It is easy to use and a great program.
http://tiny.cc/Free_SnagIt Thanks to Beth for the info! If you have any tips you would like to share, let us know at: coreforensics@gmail.com The Macdudes
Category:general
-- posted at: 12:54pm PDT
|
Tue, 26 May 2009
We are currently working on Episode 1 and hope to have it uploaded within the week. Check back here or at the iTunes Store.
In Episode 1 we will be covering: Single User Mode How to get the date and time on a Mac Macintosh Forensic Training We will also have our regular feature, The Plist of the Week. If you have any comments, questions or a topic you would like covered, you can email us at, coreforensics@gmail.com Thanks The MacDudes
Category:general
-- posted at: 5:00am PDT
|
Sat, 23 May 2009
Welcome to Inside the Core, the Macintosh & Apple Device Forensics podcast.
Today is a short introduction into what Inside the Core is all about. We will cover Mac specific resources and the Plist of the Week. Resources The Mac OS X Forensics website www.macosxforensics.com The Mac OS Forensics Yahoo Group tech.groups.yahoo/group/macos_forensics Tips & Tricks at the MacForensicLabs website www.macforensicslab.com Plist of the Week com.apple.preferences.account.plist This plist is located in the Local Library (/Library/Preferences) and holds information pertaining to deleted user accounts. These user accounts can be totally deleted from the system or archived by the administrator. To see if the user accounts were archived, look in the Users folder for the Deleted Users subfolder (/Users/Deleted Users/). User accounts that have been archived will be in a disk image (DMG) format or if it was FileVaulted, a sparsebundle image. |