Morning Read: OS X as a Forensic Platform

Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s Morning Read is OS X as a Forensic Platform, written by David M. Martin. This whitepaper was submitted as a SANS GIAC Gold Certification paper, and can be found here (backup available here).

Screenshot of the cover page of OS X as a Forensic Platform


Mr. Martin’s paper provides his walkthrough for setting up one’s Mac for DFIR collection and analysis. As someone who now has a DFIR Mac, I found it helpful to have a guide that covered basic concepts as well as provided realistic examples. Furthermore, despite being “only” an introduction, there is a wealth of technical data. Mr. Martin put in some time to compare multiple methodologies, speeds, concepts, tools and products. This paper is the result of that effort.


  • Utilize a package manager to make your life easier. Mr. Martin highlights Mac package managers, honing in on MacPorts and Homebrew. I appreciate the work done to compare the two, and I think it provides readers with just enough information to determine which may work for them.
  • Homebrew. I’m a huge Homebrew fan. That is all.
  • Know your install paths. The paper discusses the installation of Python, and where files may be placed depending on installation vehicle. I’ll quickly extrapolate this to machines that have been in use for some time with multiple package managers and software installed — think about what you may be leaving behind in “unknown” directories.
  • Containers. I was happy to see a DFIR paper that actually discussed the use of containers, Docker in particular in this case. Oftentimes I see folks begin the download regimen of a new system with some sort of virtualization software, when a container could easily do what they need done.
  • Virtualization on the Command Line. Mr. Martin doesn’t hold back, and gives VirtualBox credit where credit is due. Not bad for free software! He also provides command-line options to create and/or interact with virtual machines.
  • Forensic Tools. Lastly, the paper also included a wide-range of tools that I use on a daily basis, and the “availability” of those tools on a Mac. Tools included The Sleuth Kit, Autospy, Plaso/Log2timeline, Timesketch, Rekal, and Volatility. That’s a pretty solid lineup of must-haves for any analysis machine.
  • Actual commands. Some papers simply discuss theory or the possibility of doing something. By providing code, the author helps you get a better ROI on the paper, and get up and running faster.
  • Imaging. The author took the time to actually perform imaging tests, and provide the results. This section will remain a reference of mine for a while to come — highly recommend reading if you need to optimize collection of evidence using a Mac.
Screenshot of Appendix C from the paper “OS X as a Forensic Platform”

Suggestions for Analysts

As I read through this paper, I easily found spots where my personal setup would differ. I think the important suggestion for DFIR analysts here is that you don’t have to follow the described setup exactly. Instead, set yourself some sort of baseline on your analysis systems. Windows, Mac, Linux, whatever. This way, as you move from machine to machine or environment to environment, you at least have common ground to perform analysis on.

Until tomorrow’s morning read, keep learning!

Show your support

Clapping shows how much you appreciated Matt B’s story.