

Mac Marshal™ Digital Forensic Software

ATC-NY developed Mac Marshal to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.

Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.

Funding for the development of Mac Marshal was provided in part by the U.S. National Institute of Justice.

Features
  • Analyzes Mac OS X and dual-boot disk and partition images in multiple formats
  • Analyzes configuration and log files from common OS X applications, such as Mail, Safari, iChat and Address Book
  • Performs rapid searches using Spotlight file metadata
  • Gathers comprehensive machine usage information
  • Lists detailed information about every iPod and iPhone that has been connected to the machine
  • Detects VMware, VirtualBox & Parallels virtual machines
  • Detects and analyzes FileVault-encrypted user directories
  • Supports dd, EnCase, FTK, AFF, and Apple disk images
  • Maintains an audit trail and generates detailed reports

Requirements
  • Mac OS X 10.4, 10.5, or 10.6 analysis machine
  • 100 MB disk space for installation


Read the review in SC Magazine:
"Mac Forensics on Macs? You Bet! And It's Easy."

Read the review on MacOSXForensics.com.

Also available: P2P Marshal for analysis of peer-to-peer client use and Router Marshal for acquisition of forensic evidence from network devices.


 
© 2010 Architecture Technology Corporation   Send comments to: webmaster@atcorp.com