By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 10, 2016
Mac computers present many challenges for forensic collection that are both easier, and harder than their Windows counterparts.
Although Macs provide extensive information about their inner workings via the Apple “About This Mac” feature, what happens in a forensic seizure situation when the computer is not on? Maybe you need to know what type of hard drive, and its location in the computer? Much like a Service Tag on a Dell, Mac computers provide a surprising amount of data without ever turning them on.
Let’s look at the seeming minimalist information provided in the writing on an actual device. In our example, we are looking at the data on the back of a Mac laptop of some kind.
The important information here is the Serial # of C02PH77KFVH7, and the Model # of A1502.
With this information, go to www.powerbookmedic.com and plug the serial number in to the “Search for Parts” field. You will find all of the specs displayed about this device, as shown below.
The only information it doesn’t give is the hard drive specification. Scroll down the page and you will see a listing of all model numbers, and this will have the hard drive size, as seen below.
One further important component of the website is that on a tab beside the information regarding the computer, there are all the details about replacement parts for the computer.
Probably the best site on the Internet to assist with taking Macs apart would be at www.ifixit.com.
Some of the best websites on the Internet to assist with Mac forensics in generally, are listed below.
Apple File Vault Decryption
http://www.swiftforensics.com/2013/03/decrypting-apple-filevault-full-volume.html
Forensic Implications of Fusion Drives
http://ojs.jdfsl.org/index.php/jdfsl/article/download/275/220
Sarah Edwards Website
http://www.mac4n6.com
Using System Profiler in Terminal
http://macstuff.beachdogs.org/blog/?p=21
Fusion Drive and Core Storage Forensics
http://cyanline.com/blog.php?entryT=Fusion%20Drive%20and%20Core%20Storage%20Forensics
General Mac Forensics Knowledge – (But getting quite dated)
http://www.appleexaminer.com
