Posts Tagged ‘mac’


State of Mac data forensics

Posted by: Matt

Three issues surround the use of Macs in forensics. One is getting law enforcement and forensics experts familiar with Mac OS X and its file system. Apple’s computers are as popular as they’ve ever been, selling in record numbers. Both Blackbag and SubRosaSoft offer training and consulting on Mac-based forensics. Since many OS X apps store data in standardized and well-documented ways built in to the system, this actually helps law enforcement separate the wheat from the chaff—in other words, separating important evidence from the billions of bits filling up the average hard drive.

Read more from Ars Technica.

New Mac Imaging Tool

Posted by: Matt

Ryan Kubasiak has released a new imaging tool on his website. Ryan’s got a ton of good info on his site for Mac Forensics and I highly recommend checking it out.

This has been in the works for quite some time. In the Files section is Release Candidate 1 of MacOSXForensics Imager. Based upon the ‘libewf’ foundation, I have created an imaging application that will run on Mac OS X 10.5 to create EnCase E01 files! I have tested it for EnCase v4, v5 and v6 formats and it has been very successful with MD5 and SHA1 hashing. The program will also support imaging in FTK evidence file format, but I have not done extensive testing of this format yet. There is a Read Me file and associated Help file to get you started. I look forward to your feedback on this free-to-everyone application!

This is interesting to me as many examiners have been moving towards using Macs as their exam platform. One of the issues we’ve encountered is that virtual machines don’t support FireWire devices. Having an imaging solution that runs natively on OS X means that you can take advantage of the speed of FireWire without using Boot Camp or having to worry about VMs.