Sarah Edwards (mac4n6) has a nice quick write-up with the latest techniques for mounting various disk images when you are using a macOS computer. I’ve dealt with many of these issues, including Core Storage and encrypted FileVault disk images. It’s great to see more info out there! Link to mac4n6 article: http://www.mac4n6.com/blog/2017/11/26/mount-all-the-things-mounting-apfs-and-4k-disk-images-on-macos-1013
Category Archives: Mac
I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below. Download: Here’s where you can get version v20171030. Change log: # v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned. # v20171030 –
FindUSBMSC is a script to parse the system logs on macOS. It looks for USBMSC storage device plugins and links them back to the product information. This release includes some important fixes and improvements. # v20171016 – Logic cleanup. Improve pid and vid parsing. Added list of unique devices. Added options parser. # v20171017 –
Recently I had to do some testing to see what causes the modified date for a FAT32 volume label to get changed. It has been understood for as long as I can remember that the modified date for a volume name is set when you format your thumb-drive or hard disk partition. So I did
Inevitably someone is going to have an online account hacked. Someone gets access to your email, cloud or phone using your information through various means. They could have done this because they want something or they just don’t like you; the list is long. Recently someone was in this exact situation and needed some advice.
I have been doing testing with MacOS 10.11, El Capitan. Specifically I wanted to see if erasing a disk or disk partition using DiskUtil would leave a DiskUtil.log as it did in previous versions of MacOS. So far I have been unable to cause a DiskUtil.log to get created. I have read that DiskUtil has
If you have ever been looking for a way to access your computer disk without having to deal with the user permissions and constraints the operating system enforces, then this is the series to read. David Cowen is working on an excellent series called “Automating DFIR” (Digital Forensics Incident Response) on his blog “Hacking Exposed Computer
When reviewing activity from a Mac OS X system, there are a number of great artifacts to consider in your investigations. In this post I’m going to talk about the Quicklook database that stores metadata for thumbnails of files you view in the Mac Finder. When a Finder session renders that thumbnail, it tracks the thumbnail information
Recently I had a need to get Address Book information from an imaged Mac without having that computer up and running. Since I didn’t have the ability to do it on the running Mac I decided to try to reverse engineer the SQLite database that stores the AddressBook information. Below is what I put together.