This report presents the features and manufacturer claims for Mac Marshal Version 2.0.3 - which automates the analysis of disk images for the Mac OS X computer operating system - and the results are presented for performance testing of the Mac Marshal by the National Institute of Justice's Electronic Crime Technology Center of Excellence.
Apple's Mac OS X is quickly becoming a popular operating system; however, the majority of digital forensic examinations performed on computers by State and local law enforcement investigators have been based on the Windows operating systems. Mac Marshal automates the identification of the operating environment of the Mac OS X-based system, and it also automates the extraction of usage information left by the operating system and Mac OS X applications. The manufacturer of Mac Marshal notes that "Mac Marshal's unique implementation of the capability to use the Spotlight search functionality is invaluable in speeding searches for files based upon sophisticated content or metadata criteria." In the three performance tests conducted, Mac Marshal performed according to manufacturer claims. Several times it required the user to enter the system password to access information. The information the tool collected was displayed well and easy to read. This would enable a law enforcement investigator to quickly interpret the OS X-specific data on the machine. Mac Marshal Forensic Edition would either require a dedicated OS X-based forensics examination machine or a request for a new license in order to examine each and every case. At $199.00, the Mac Marshal Field Edition is a cost-efficient way to have a tool that could examine multiple OS X-based machines. The test bed configuration is described, and results are presented from each of the three performance tests conducted. Extensive figures