The final day of training focused on the Macintosh disk format and operating system. Macs use the HFS+ disk format, which is significantly different from NTFS and presents some interesting challenges to forensic examiners. The design of HFS+ makes it very unlikely that a forensic investigation will recover deleted files. In the digital archival community this fact is not necessarily a bad thing, but I'll need to muse on this in a future post. I'll end with the most useful tidbit I learned in today's training. Macs don't use a BIOS but firmware to bootstrap the operating system. To get into the firmware and record the system time, hold down OPTION + COMMAND + O + F during startup.
Advanced Forensics Day 4 – Macintosh OS and HFS+
Mon, 01/25/2010 - 19:42