Mac Forensics: Computer Forensics in the Mac Environment
What is Digital Forensics
Forensic science or digital forensics is the application of computer science and investigative procedures for legal purposes. It can be applied in criminal and civil cases, and in the private environment.
Depending on the type of digital device involved, computer forensic science can be subdivided into several branches, such as computer forensics, network forensics, and mobile device forensics. There are also other classifications, such as database forensics and stochastic forensics.
Forensic science provides the computer forensic specialist with investigative principles and procedures. Among the forensic principles, the most fundamental one, and the basis of all computer forensic investigations, is Locard’s Exchange Principle.
Locard’s Exchange Principle
Locard’s Exchange Principle is the basis of forensic investigation in general, and therefore also of computer and digital forensics. This principle, attributed to the French investigator Locard, says that: “In the physical world, when perpetrators enter or leave a crime scene, they will leave something behind and take something with them.”
The task of the computer forensic investigator is to find the trace left behind. For that, the computer forensic analyst uses computer tools, such as forensic data recovery software.
Digital Forensics Procedures
Because digital forensics serves a legal purpose, as its definition indicates, it must follow standardized procedures in order to obtain valid evidence.
The digital forensic process has several steps: identification of the crime scene, preservation and collection of evidence, preparation of electronically stored information (ESI), and the preparation of a computer forensic report.
Examination of ESI evidence is conducted on a clone, so that the original is not manipulated. A clone is an exact bit-by-bit copy of the digital device. One way to create a clone is an image file, which can be obtained with forensic software such as Disk Drill.
Once the image is available, hard drive forensics needs to use forensic software to recover the data on the device. This is the task of forensic data recovery science.
The procedures ensure that the evidence used and the examination methods are acceptable in court. The computer forensic report should be written in language that a non-technical person can follow, as judges, lawyers and other people involved in the case may not be technically competent in computer forensic science.
In addition, as the case may need a demonstration of the forensic data recovery methods used, the forensic data recovery software must be user-friendly enough to convince the court of its validity.
Forensic Data Recovery Science
Forensic software allows for file system forensic analysis, and for data recovery. Hard drives are not only in computers but also in mobile devices. Forensic software must therefore be able to handle both.
Forensic software is a new breed. It appeared as a result of the spread of computer usage and, as a consequence, of the use of computers for illegal purposes. It expanded as digital devices developed further, and today we have specialist cell phone forensic software, with forensic cell phone data recovery capabilities.
Moreover, the market is divided into different groups of products, such as Windows phones, Android phones and iOS phones. Computers also use different platforms, such as Windows with its many versions, Linux, OS X and a few more.
Adding to the problem, there are many applications specific to each platform. The computer forensic analyst must be able to recover emails, text messages, and files of different types, such as images, documents, and sound files.
Furthermore, files, emails, text messages and other documents may have been erased on purpose or accidentally.
All of the above-mentioned issues create the need for specialized tools that cater for specific segments of the market.
Disk Drill is one of the few computer forensic tools that has integrated capabilities. It can be used to create an image file of a hard drive or a partition, and to recover data from the image. It focuses on Apple devices, but it also has capabilities for Android devices, and there is also a Windows version available. It is available in more than 10 languages, including English, Turkish, Korean, Taiwanese, Arabic and Malaysian. It can be downloaded for free.