Examining Mac OS X User & System Keychains

Simon Key

Introduction

To forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regards to Mac OS X keychains –

Safari Form Values Decryptor

James Habben

As a forensic investigator, you are likely already familiar with the artifacts left in storage on a disk from the use of a web browser. The mainstream browsers all provide, for the most part, the same functionality of things like tabbed browsing, remembering history and exposing it in date ranges, storing bookmarks for later viewing, etc.

One of those features is the topic of this blog post: remembering data that a user typed into a form field so that same value doesn’t have to be typed into that same form next time. This is generally referred to as an autofill form values feature. Firefox, Chrome, Internet Explorer, Safari, they all offer this feature, but each of them store these values in a different way.

Good guys working together

Ken Mizota

In my role at Guidance Software as a product manager, I have a fun job. Every day, I get to come into the office and work with some of the best and brightest engineers who build tools for the most brilliant digital investigators in the world. I get to meet investigators in government, law enforcement and corporations, our customers, who do the good work of investigating crime, fraud and general wrongdoing. Working with talented, focused people is rewarding. Working with talented focused people for a good cause is downright enjoyable.

Announcing our CEIC Caption Contest Winner

Guidance Software

Congratulations to Paul Webel from Vestige. His caption won our caption contest by a landslide! Thank you to all who participated. Your captions generated quite a few chuckles around Guidance Software.

Again, congratulations to Paul!

Difficult Times for iOS Investigations

Ken Mizota

A recent CNet story “Apple deluged by police demands to decrypt iPhones” was recently picked up by slashdot.org. The original article is a good read of one of the pain points in today’s iOS investigations, but the comments on the Slashdot.org post are downright illuminating. A veteran digital investigator probably already knows: iPhone 4S, iPhone 5 and iPad version 2+ passcode and encryption have been virtually impossible to bypass. Even built-for-purpose mobile device forensic companies plainly admit, iOS forensics has been advancing slowly.

Foul?