Determining Files and Folders Accessed in OS X - SANS DFIR Summit 2015
Sara Newcomer, Computer Forensic Examiner, Lockheed Martin
One important component of a digital forensic investigation can be determining what files and folders were accessed and which user account was used for this access. In the OS X operating system, entries are created in a database as users navigate through folders using Finder, the OS X equivalent of Windows Explorer. Using the database, an investigator can look for specific file names of interest, the contents of a directory of interest, the names of files that have been deleted, or files on external media. The information can be attributed to a specific user account. The database tracks a user’s Finder navigation activities, creating entries as folders are accessed, including on locally attached storage and network attached storage media. It is located in a hidden operating system directory that is not typically navigated to by users, is inaccessible to non-admin accounts, and is not part of the user’s profile. Even after a user account is removed from the system, this database can be used to provide insight about data accessed in Finder by deleted user accounts. Additional information in the database may also provide information about when the actions occurred, the number of times a folder was accessed, and whether files were renamed or moved.
Sara Newcomer is a computer forensic examiner for Lockheed Martin. Ms. Newcomer has a Master of Science degree in Information Technology from Towson University and a Bachelor of Science degree in Computer Engineering from Virginia Tech.
Download Slides Here:
http://digital-forensics.sans.org/community/summits#
For more information on the Mac Forensics course, please check out SANS FOR518 Mac Forensics: http://www.sans.org/course/mac-forensic-analysis
Video "Determining Files and Folders Accessed in OS X - SANS DFIR Summit 2015" by MySQL Инновационные подходы
Information
December 8, 2023, 12:26:47
00:50:54