Mac Forensics

Forensic analysis of a Macintosh (OSX operating system) differs in several distinct ways from forensic analysis of a Windows PC.
For the technically inclined, the following is a partial list of the differences.

- OSX is Linux based, and when a file is deleted it is often not recoverable.
- OSX does not create INFO2 records that record when a file was deleted.
- OSX does have unallocated space, but it contains far less usable data due to the way files are deleted.
- OSX has a built-in wiping (erasing) utility that effectively destroys any chance of recovering the data.
- OSX does not create temporary link files (pointers to files that were opened).
- OSX uses Alias files, which are intentionally created by the user.
- OSX does not record what devices were attached to the Macintosh computer, except when the computer is running and the device is attached.
- OSX does track system dates and times, but only Created and Modified.
- OSX records a sequential File ID each time a file is created or written to the volume on the hard drive.
- OSX Mail and third-party email clients cannot be processed by the standard forensic or EDD tools; their mail has to be extracted from the drive and then converted to a standard format before it can be processed.
- OSX stores the Internet cache in one contiguous file, and it is limited compared to the PC Internet cache.
- OSX stores user data primarily in the "user folder" for a particular user. This is configurable by the user.
- OSX stores configuration data in multiple files and locations, unlike the PC-based Windows registry.
- OSX is relatively malware and virus free.
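
The sequential File ID noted in the list above gives an ordering that can be checked against Created timestamps. The following Python sketch is an added example, not from the original page; it assumes File IDs increase with each new file and that (file_id, created, path) records have already been exported from the volume, and the sample records are constructed.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample records (file_id, created, path); not from a real volume.
SAMPLE = [
    (1201, "2012-03-01T09:00:00", "Users/alice/Documents/budget.xls"),
    (1202, "2012-03-01T09:05:10", "Users/alice/Documents/notes.txt"),
    (1203, "2011-01-15T12:00:00", "Users/alice/Documents/contract.doc"),
    (1204, "2012-03-02T08:30:00", "Users/alice/Desktop/photo.jpg"),
    (1205, "2012-03-02T08:31:00", "Users/alice/Desktop/scan.pdf"),
]

def out_of_sequence(records):
    """Return records whose Created time breaks the order implied by File ID.

    Assumption: a higher File ID means the file was written to the volume later.
    Sorts by File ID, finds the longest run of records whose Created times never
    go backwards (longest non-decreasing subsequence), and returns everything
    outside that run for manual review.
    """
    rows = sorted((fid, datetime.fromisoformat(ts), path) for fid, ts, path in records)
    tails = []      # tails[k]: smallest final timestamp of any run of length k+1
    tail_idx = []   # index into rows of the record that ends that run
    prev = [None] * len(rows)
    for i, (_, ts, _) in enumerate(rows):
        k = bisect_right(tails, ts)   # bisect_right lets equal timestamps extend a run
        if k == len(tails):
            tails.append(ts)
            tail_idx.append(i)
        else:
            tails[k] = ts
            tail_idx[k] = i
        prev[i] = tail_idx[k - 1] if k else None
    keep = set()
    i = tail_idx[-1] if tail_idx else None
    while i is not None:              # walk back through the longest consistent run
        keep.add(i)
        i = prev[i]
    return [rows[i] for i in range(len(rows)) if i not in keep]

if __name__ == "__main__":
    for fid, created, path in out_of_sequence(SAMPLE):
        print(f"review: File ID {fid} created {created.isoformat()} {path}")
```

A flagged record is a lead for review, not a finding: a file copied or restored onto the volume can carry an older Created date than its File ID suggests.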
