• Mac OS X,  Mac Security

    Preserving the Chain of Custody for Mac OS X

    One of the most important aspects of performing forensics work in Mac OS X is to write-block the volumes that you are inspecting in order to maintain the chain of custody for the evidence (or potential evidence). One way to do this is to use a physical write blocker so that when you plug a USB, SATA, eSATA or other type of drive into the write blocker you will only be presented with a read only volume on the computer. For example, some good write blockers can be found at Digital Intelligence. WeibeTech also makes a nice USB device for write blocking on the Mac. But this can get kinda’…