Analyzing Evidence from Mac OS X
Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The company’s senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response team went on-site, began monitoring the network, and isolated several suspects. They captured forensic images from the machines the suspects used. Now, your team leader has asked you to examine a forensic image captured from a suspect’s computer, which runs the Mac OS X operating system. The suspect’s name is John Smith, and he is one of the company’s research engineers.
· Review the information on the Mac OS X file structure provided in the chapter titled “Macintosh Forensics” in the course textbook.
· Using Paraben P2 Commander/E3, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).
· Sort and review the various directories within the Mac OS X image. Look for evidence or indicators that John Smith was or was not committing corporate espionage. This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.
· Write a report in which you:
· Document your investigation methods.
· Document your findings. Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidence that John Smith was or was not committing corporate espionage.
· Analyze the potential implications of these findings for the company and for a legal case.