Macintosh Forensics


Everyone understands that Macs are different (Mac users would say better) from PCs and Apple’s recent TV commercials use humor to contrast these differences.

As a Mac user you are not subject to many of the outside intrusions that affect PCs. However, as a business owner or a manager, you are exposed to fraud, theft, harassment claims and other issues that can occur in a business.

If there is a claim against you, or you suspect an issue for which relevant data (evidence) may exist on your Macs, you will need to use a forensic examiner with Mac experience and forensic tools specifically designed for Macs. There are differences in what can be recovered from Macs compared to PCs.

Some of the basic evidence that can be found on PCs, which is what most people picture when they think of computer evidence, cannot be found on a Mac. However, other types of evidence can be found to build a system history. One important difference with the Mac relates to "Secure Empty Trash." When this method is used the files are wiped from the drive and cannot be recovered with any forensic tool. Keep in mind, however, that we do not know in advance how the user deleted data, so our examiners will still search for evidence.

As with any potential computer investigation, you need to act early to preserve the data using forensically sound techniques. We will help you with the preservation and examination of your Macs.

Forensic analysis of a Macintosh (OSX operating system) differs from PC analysis in several distinct ways. For the technically inclined, the following is a partial list of those differences.

  • OSX is Linux based, and a file that has been deleted is often not recoverable
  • OSX does not create INFO2 records, which on a PC record when a file was deleted
  • OSX does have unallocated space, but it contains far less usable data because of the way files are deleted
  • OSX has a built-in wiping (erasing) utility that effectively destroys any chance of recovering the data
  • OSX does not create temporary link files (pointers to files that were opened)
  • OSX uses Alias files, which are intentionally created by the user
  • OSX does not record which devices were attached to the Macintosh computer, except while the computer is running and the device is attached
  • OSX does track system dates and times, but only Created and Modified
  • OSX records a sequential File ID each time a file is created or written to the volume on the hard drive
  • OSX Mail and third-party email clients cannot be processed directly by the standard forensic or EDD tools; the mail has to be extracted from the drive and then converted to a standard format before it can be processed
  • OSX stores the Internet cache in one contiguous file, and it is limited compared to the PC Internet cache
  • OSX stores user data primarily in the "user folder" for a particular user. This is configurable by the user
  • OSX stores configuration data in multiple files and locations, unlike the PC-based Windows registry
  • OSX is relatively malware and virus free
