Ryan Kubasiak has released a new imaging tool on his website. Ryan’s got a ton of good info on his site for Mac Forensics and I highly recommend checking it out.
This has been in the works for quite some time. In the Files section is Release Candidate 1 of MacOSXForensics Imager. Based upon the ‘libewf’ foundation, I have created an imaging application that will run on Mac OS X 10.5 to create EnCase E01 files! I have tested it for EnCase v4, v5 and v6 formats and it has been very successful with MD5 and SHA1 hashing. The program will also support imaging in FTK evidence file format, but I have not done extensive testing of this format yet. There is a Read Me file and associated Help file to get you started. I look forward to your feedback on this free-to-everyone application!
This is interesting to me as many examiners have been moving towards using Macs as their exam platform. One of the issues we’ve encountered is that virtual machines don’t support FireWire devices. Having an imaging solution that runs natively on OS X means that you can take advantage of the speed of FireWire without using Boot Camp or having to worry about VMs.
