macOS & Windows – Apples & Oranges
When we first learn about digital forensics, almost all of our instruction is based on the Windows operating system and Windows-based forensic tools. We learn the FAT, exFAT, and NTFS file systems. We learn alternate data streams, the MFT, jump lists, and LNK shortcuts. These methodologies and techniques are perfect for Windows forensics using Windows-based forensic tools.
This is great until you get that Mac in the lab and attempt to use the same methodologies and techniques as if it were a Windows-based system. Approaching a macOS-based system as if it were a Windows OS is a case-altering mistake, and you will likely miss evidence.
The Windows file system (NTFS) and the Macintosh file systems (HFS+ and APFS) are obviously not designed the same. As we like to point out in our training, it is like comparing apples and oranges. Windows’ inability to interpret the Mac operating system, its file systems, and their artifacts makes it an imperfect forensic platform for analyzing Mac computers. A complete exam of a Macintosh system is very difficult, if not impossible, with Windows-based forensic tools alone.
Why is Windows the wrong choice to examine a Mac?
Windows forensics tools miss key artifacts when used to analyze a Mac. One of the most important things they do not natively know how to do is pull together the metadata that is not stored inside the file’s contents: the extended attributes that HFS+ and APFS keep alongside the file, and the Spotlight metadata that macOS derives from them and keeps in its own index. Windows forensic tool developers have to reverse engineer the Mac operating and file systems in order to attempt to present a file’s data and metadata correctly. This metadata is crucial to macOS analysis because it can contain extremely valuable data.
These attributes store information and timestamps such as “used dates” (kMDItemUsedDates), “last used date” (kMDItemLastUsedDate), “date added” (kMDItemDateAdded), “file system created date” (kMDItemFSCreationDate), and “where from” (kMDItemWhereFroms, the download URLs, stored in the extended attribute com.apple.metadata:kMDItemWhereFroms). There are many more attributes that may be of interest to an examiner.
Windows tools don’t parse all of the macOS extended attributes and Spotlight metadata. In fact, most Windows tools only parse a handful of them at best, the ones the developers think are important. If you are using a Windows tool only for your analysis, you may not even know what you are missing: the tool has no way to interpret the data, so it is never presented in any form.
Our Mac Forensics Survival Courses teach how to analyze a Mac with a Mac. Using the macOS environment negates the issues that Windows tools have trying to understand the operating and file systems. macOS lets us see all of a file’s extended attributes and Spotlight metadata, either manually with the “xattr -l” command (the raw attributes, read directly from the file) and the “mdls” command (the Spotlight attributes, read from the Spotlight index, so the results depend on the evidence volume having been indexed), or by automating those commands with AppleScript or Automator. One caveat when you mount an evidence volume on your examination Mac: Spotlight will try to index it, which is a write, so mount read-only and disable indexing for that volume with “mdutil -i off”. Also, just the fact that you are using the native environment allows the examiner to see the data and the artifacts as they are presented in macOS.
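As an added example (not part of the original article or its course material), the following Python script does the pulling-together described above: it parses the text that mdls prints into a dictionary, lays the date-bearing attributes out as a single timeline, and decodes the binary-plist value of the com.apple.metadata:kMDItemWhereFroms extended attribute. The mdls listing embedded in the script is a constructed sample so that the parser runs offline; the exact output layout of mdls and the use of “xattr -px” to dump an attribute as hex are assumed from the tools’ usual behavior. On macOS, run it with a file path to query that file live.

```python
#!/usr/bin/env python3
"""Collect a file's Spotlight metadata (mdls) and "Where from" extended
attribute and lay the date-bearing attributes out as a timeline.

Added example, not code from the original article. SAMPLE is a constructed
mdls listing; the live helpers assume `mdls PATH` and `xattr -px NAME PATH`."""
import plistlib
import re
import subprocess
import sys
from datetime import datetime

MDLS_DATE_FMT = "%Y-%m-%d %H:%M:%S %z"  # assumed mdls date layout
WHERE_FROMS_XATTR = "com.apple.metadata:kMDItemWhereFroms"
# Attributes that carry timestamps of forensic interest
DATE_ATTRS = (
    "kMDItemFSCreationDate",       # file-system created date
    "kMDItemFSContentChangeDate",  # file-system modified date
    "kMDItemDateAdded",            # date the file was added to its folder
    "kMDItemLastUsedDate",         # last time the file was opened
    "kMDItemUsedDates",            # one entry per day the file was used
)
_ATTR_LINE = re.compile(r"^(\w+)\s*=\s*(.*)$")

# Constructed sample: what `mdls payload.zip` might print for a download.
SAMPLE = """\
kMDItemContentType             = "public.zip-archive"
kMDItemDateAdded               = 2023-05-01 12:00:00 +0000
kMDItemFSContentChangeDate     = 2023-05-01 11:58:02 +0000
kMDItemFSCreationDate          = 2023-05-01 11:58:02 +0000
kMDItemFSSize                  = 48213
kMDItemLastUsedDate            = 2023-05-03 09:14:27 +0000
kMDItemUsedDates               = (
    "2023-05-01 00:00:00 +0000",
    "2023-05-03 00:00:00 +0000"
)
kMDItemWhereFroms              = (
    "https://example.com/downloads/payload.zip",
    "https://example.com/downloads/"
)
"""


def _scalar(raw: str):
    """Turn one mdls value token into None, datetime, int or str."""
    raw = raw.strip().rstrip(",")
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    try:
        return datetime.strptime(raw, MDLS_DATE_FMT)
    except ValueError:
        pass
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_mdls(text: str) -> dict:
    """Parse mdls output into {attribute: value}; "( ... )" arrays become lists."""
    attrs, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = _ATTR_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value != "(":
            attrs[name] = _scalar(value)
            continue
        items = []
        while i < len(lines) and lines[i].strip() != ")":
            items.append(_scalar(lines[i]))
            i += 1
        i += 1  # skip the closing ")"
        attrs[name] = items
    return attrs


def timeline(attrs: dict) -> list:
    """Return (timestamp, attribute) pairs for every date attribute, oldest first."""
    events = []
    for name in DATE_ATTRS:
        value = attrs.get(name)
        for v in (value if isinstance(value, list) else [value]):
            if isinstance(v, datetime):
                events.append((v, name))
    return sorted(events)


def decode_where_froms(blob: bytes) -> list:
    """The xattr value is a binary plist holding an array of URL strings."""
    value = plistlib.loads(blob)
    return list(value) if isinstance(value, list) else [value]


def mdls_live(path: str) -> dict:
    """Run mdls on macOS (results depend on Spotlight having indexed the volume)."""
    out = subprocess.run(["mdls", path], capture_output=True, text=True, check=True)
    return parse_mdls(out.stdout)


def where_froms_live(path: str) -> list:
    """Read the raw xattr via `xattr -px` (hex dump) and decode it."""
    out = subprocess.run(["xattr", "-px", WHERE_FROMS_XATTR, path],
                         capture_output=True, text=True, check=True)
    return decode_where_froms(bytes.fromhex("".join(out.stdout.split())))


if __name__ == "__main__":
    attrs = mdls_live(sys.argv[1]) if len(sys.argv) > 1 else parse_mdls(SAMPLE)
    for when, name in timeline(attrs):
        print(f"{when.isoformat()}  {name}")
    print("Where from:", attrs.get("kMDItemWhereFroms"))
```

Reading the raw extended attribute and the Spotlight view side by side is deliberate: the xattr is what the file system actually stores, while mdls reflects whatever the Spotlight index holds, and on an evidence volume that has never been indexed the two can disagree.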