Spread the love

The need for timely identification, interpretation and meaningful analysis of electronic media has never been more critical. The ever-changing threat environment presented by cyber criminals and technological advances has required modern investigative processes to include on scene forensic triage. Investigators are faced with the challenges of capturing volatile data, preserving potential evidence and maintaining the integrity of the electronic crime scene while ensuring the data remains viable and accessible for further investigative efforts. The success of these operations is measured in minutes not days.

Winner of the 2007 Computer Forensics Innovation award from Law Enforcement Technology Magazine.

MacLockPick 3™ represents a new generation of forensic triage aimed at providing IT professionals, eDiscovery experts, and Law Enforcement officers a single tool that transcends the concerns of a particular operating systems. Whether the suspect (or the investigator) uses Microsoft Windows, Mac OS X, or Linux, you can perform your field triage in the same way using the same tool.

Cross platform forensic field triage for Microsoft Windows Mac OS X, & Linux.

MacLockPick 3 for Microsoft Windows, Apple Mac OS X, and Linux is a fully cross platform tool that allows digital forensics professionals and eDiscovery experts to perform field triage on live computers running a wide variety of operating systems. Similarly, once completed, the results of the field triage operation can analyzed on a wide variety of computers.

Comprehensive forensic applications such as MacForensicsLab focus on the analysis of static data. However, the need to capture live data has become paramount in an environment wrought with forensic pitfalls such as encryption, malicious running processes and networked storage pools. In cases such as child abductions, pedophiles, missing or exploited persons, time is critical. In these types of cases, investigators dealing with the suspect or crime scene need leads quickly; sometimes this is quite literally difference between life and death for the victim. MacLockPick 3 is an indispensable tool designed for first responders and law enforcement professionals performing live forensic triage on most computer systems. The solution is based on a USB Flash drive that is inserted into a suspect’s computer that is running (or sleeping). Once the MacLockPick 3 software is run, it will extract the requisite data providing the examiner fast access to the suspect’s critical information that may otherwise be rendered unreadable by modern encryption programs, hardware malfunctions, or simply powering the system down. MacLockPick 3 is minimally evasive, providing results that can hold up in a court of law.

I. What data is captured from the suspect’s computer

MacLockPick 3 is designed to capture information that might be considered valuable to an IT manager, an E-Discovery professional, or a digital forensics law enforcement officer. Such information includes details about the system, activities of the user of that system, and the online history of that user. Through the use of a plugin architecture MacLockPick 3 can be configured to collect almost any kind of information depending on the needs of the investigator. This information might include files of a specific type, chat logs, phone records, browser history, passwords, accounts, and system state data.

1. Plugins and plugins types

MacLockPick 3 is built on a plugin architecture in order to allow the investigator greater control over which processes are run in the field. These plugins are broken into 4 different categories;

  1. Built-in Plugins – pre-configured digital investigative tools. Inc. has included many built-in plugins that are shipped with MacLockPick 3. These plugins gather data from the suspect’s system and deliver that information to the logs.

  2. Copy Files or Folders – logical acquisition with hashing in MD5, SHA1, and SHA256.

    Investigators can pre-configure MacLockPick 3 to make copies of specified files and folders on a suspect’s system. Target data can be specified relative to the root of the system or relative to the user’s home folder. Filters can also be included so that only files of a specified type or name are copied.

  3. Terminal Commands – captured output from the command-line on the suspect’s computer.

    Many investigations require the execution of command-line tools on a system. MacLockPick 3 can be configured to transparently open a shell environment, execute the specified command (with or without parameters), and then record the output to the logs.

  4. External Commands – execution of third party command-line tools programs.

    The open source community, as well as digital forensics developers, have created a wide variety of tools that are useful to field investigators. MacLockPick 3 allows the investigator to configure these tools to be included in the triage process and for the output from these tools to be captured in the MacLockPick 3 logs.

2. Built-in plugins

The following is a partial list of the plugins currently being shipped with MacLockPick 3. This list is far from complete and is here as an example of the inherent product capabilities.

a) Law Enforcement Only The following two plugins are only available to law enforcement customers.

NTLM and Lan Man Password Grabber – This plugin utilizes pwdump6 (unmodified) from fizzgig. pwdump is the name of various Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM). The hashes extracted can be used to extract the passwords using brute force, dictionary, or rainbow table attacks once the MacLockPick 3 logs have been returned to the lab for further analysis.

Apple Keychain Extractor – The keychain extractor takes advantage of the default state of the central password repository on Apple Mac OS X. All passwords stored in the keychain are extracted and detailed in the log files.

b) IT/eDiscovery and Law Enforcement The following plugins are shipped with all MacLockPick 3 units.

Apple iPhone – Gather information stored by the Apple iPhone and other devices using the Apple Mobile Sync system on Windows and Mac OS X computers. Information captured includes (but is not limited to) the following;

  • Incoming and outgoing phone calls including phone number, duration, date, and time.
  • Incoming and outgoing SMS messages including the phone number or name of the third party, the message content, and the date and time of the message.
  • IMEI – The International Mobile Equipment Identity is a number unique to every GSM and UMTS mobile phone as well as some satellite phones. It is usually found printed on the phone underneath the battery. The IMEI number is used by the GSM network to identify valid devices.
  • TMSI – The “Temporary Mobile Subscriber Identity” is the identity that is most commonly sent between the mobile phone and the network. TMSI is randomly assigned by the VLR to every mobile in the area, the moment it is switched on. The number is local to a location area, and so it has to be updated, each time the mobile moves to a new geographical area.
  • IMSI – An International Mobile Subscriber Identity is a unique number associated with all GSM and UMTS network mobile phone users. It is stored in the SIM inside the phone and is sent by the phone to the network. It is also used to acquire other details of the mobile in the Home Location Register (HLR) or as locally copied in the Visitor Location Register. In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead.
  • International Roaming Edge Status – Whether the phone is currently set to roam status.
  • Favorites – Speed dial entries including the name and phone number.
  • Safari State Documents – Pages currently open in the browser.
  • Safari History – Pages viewed in the browser.
  • Safari Bookmarks – All pages book marked.
  • Notes recorded in the notes program.
  • Address Book contacts, including all recorded details for each contact.
  • Mail Accounts setup for synchronization.

The iPhone is an Internet-enabled multimedia mobile phone designed and marketed by Apple Inc. It has a multi-touch screen with virtual keyboard and buttons, but a minimal amount of hardware input. The iPhone’s functions include those of a camera phone and portable media player (equivalent to the iPod) in addition to text messaging and visual voicemail. It also offers Internet services including e-mail, web browsing, and local Wi-Fi connectivity. The first generation phone hardware was quad-band GSM with EDGE; the second and third generations use UMTS and HSDPA.

Clipboard – Capture any text contents or graphics found in the clipboard. Any text that is found will be stored in the logs. Any graphics will be converted to jpeg form and saved to the output log folder. Valuable information is often accidentally left in the clipboard by the suspect.

Firefox – Create a summary of online activity of the suspect when/if they use Firefox version 2 and/or 3. Information captured includes (but is not limited to) the following:

  • Bookmarks – All pages that have been marked as a favorite or shortcut.
  • History – Details on all pages visited.
  • Cookies – Data items stored by web servers for future reference.
  • Downloads – URL and file name of files that have been downloaded.
  • Auto fill – Data strings used to auto complete forms, this includes addresses and often purchasing information used for online purchases.

Mozilla Firefox is a web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation. Firefox has achieved recorded usage share of web browsers as of late, making it the second-most popular browser in current use worldwide, after Internet Explorer.

Internet Explorer – Create a summary of online activity of the suspect when/if they use Internet Explorer. Information captured includes (but is not limited to) the following:

  • Bookmarks – All pages that have been marked as a favorite or shortcut.
  • History – Details on all pages visited.
  • Cookies – Data items stored by web servers for future reference.
  • Downloads – URL and file name of files that have been downloaded.

Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. It has been the most widely used web browser since 1999, attaining a peak of about 95% usage share during 2002 and 2003 with IE5 and 6 but steadily declining since.

Apple iPhoto – Copy recent contents (created or modified within the past 30 days) of iPhoto library. iPhoto is a digital photograph manipulation software application developed by Apple Inc. and released with every Macintosh personal computer as part of the iLife suite of digital life management applications. Note: Depends on the number and the resolution of the photos, it can take a long time. – Capture account preferences and the date of opening and the path to the saved file for attachments opened by on a Mac OS X System. or Apple Mail is an email program included with Apple Inc.’s Mac OS X operating system. An additional plug-in allows the capturing of recent emails (within the past 90 days).

Network – An analysis of the network activity on the suspect’s computer. This information includes ARP tables, interfaces, and netstat activity. ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model. From a forensics point of view the ARP table shows what computers were connected to the suspect’s machine on their local area network at the time of analysis. Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number. Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.

Processes – Use the OS to list all active applications running on the suspect’s computer at the time of analysis. This module is important in determining if malware is present as well as any active tools used by the suspect. Note: This will not show background and system processes. OS specific plugins are included for this purpose.

Apple Safari – Create a summary of online activity of the suspect when/if they use Safari. Information captured includes (but is not limited to) the following:

  • Bookmarks – All pages that have been marked as a favorite or shortcut.
  • History – Details on all pages visited.
  • Cookies – Data items stored by web servers for future reference.
  • Downloads – URL and file name of files that have been downloaded.

Safari is a web browser developed by Apple Inc. and included in Mac OS X. It was first released as a public beta on January 7, 2003, and is the default browser in Mac OS X v10.3 and later. It is also the native browser on the Apple iPhone, iPad, and iPod touch. Safari for Windows was released on June 11, 2007. Windows XP, Windows Vista and Windows 7 are supported.

Safari Social Agent– Extract cached traces of social networking activity stored by Apple Safari on Mac OS X. Social Agent can quickly scan Macs running the Apple Safari web browser for evidence of social network activity and can identify social networking web pages visited by the suspect. The initial support includes popular social networking sites such as Facebook, Twitter, YouTube, Friendster, Meetup, and others.

Screen shot – Capture and save a screen shot of the main screen on the suspect’s system. The plugin will temporarily hide MacLockPick 3 during the process and save the file to your output folder along side the captured logs database.

Skype – Create transcripts of communications the suspect has made using Skype. Information captured includes (but is not limited to) the following:

  • VoIP calls, including the name or phone number.
  • Instant messages including the name of the third party, content of the message, and the date and time of the message.
  • SMS messages, including the phone number of the third party, and content of the message.
  • File Transfers.
  • Buddy list and details including addresses imported from other systems by Skype.

Skype is a software program that allows users to make telephone calls over the Internet. Calls to other users of the service are free of charge, while calls to land lines and cell phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

System Information – Create a profile of the hardware in use by the suspect. Information captured includes (but is not limited to) the following:

  • User Name
  • Computer Name
  • Operating System
  • System Serial number (where available)
  • Processor
  • RAM
  • Model
  • UUID
  • Time Zone
  • Country Code

USB Flash Drive History – USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation. When examining the Windows registry, one of the interesting things to look at are the entries where devices have been attached, especially USB devices, and grab the information regarding the device manufacturer and serial number if it has one.

Windows Registry – This module will extract all settings from the registry on Microsoft Windows systems. The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

II. What is included with your MacLockPick 3

Your MacLockPick 3 was created by Inc. to provide you a complete solution to assist in your eDiscovery and digital forensics field triage tasks. It is comprised of 3 separate but integrated components, the hardware, the software, and the people standing behind it.

1. The Hardware

The MacLockPick 3 Flash Storage device operates as your dongle, storage for the applications, and storage for the logs and data captured from the suspect’s system. The physical specifications for this device are as follows;

  • 2 GB, yet the size of your fingertip
  • 31.3mm x 12.4mm x 3.4mm
  • Polished Chrome finish
  • Shock and water-resistant
  • USB2 speed rating, 30MB/second
  • Mac OS X, Windows, and Linux compatible

The flash drive is formatted in FAT32 format. This format is the only file system openly and fully supported on all major operating systems. The format has performance and efficiency challenges which are creatively overcome by technology within the MacLockPick 3 software.

2. The Software

The MacLockPick 3 solution is made up of 2 applications, 2 files, and 4 special folders. Each of the applications has three versions, one for Microsoft Windows (Win32 binary), one for Mac OS X (Universal binary for PowerPC and Intel computers) and one for Linux. Details on each of these items are as follows;

MacLockPick MacLockPick.exe (Windows) and (OS X) and MacLockPick (Linux) This is the program that is run to perform the data extraction from a suspect’s computer. For most field investigators, this is the only program that will be used. The interface (as seen in the sections below) does not require any user intervention at all. To use it, the investigator would simply run the program and wait until the process is complete.
MacLockPick Manager MacLockPick Manager.exe (Windows) and (OS X) and MacLockPick (Linux) The MacLockPick Manager is used for configuring MacLockPick, manage log files, apply of authentication, manage archives and view the help file.
The Shared Resources folder contains the items that MacLockPick uses to configure and acquire data from a suspect system.Shared Resources Folder Shared Resources Folder This folder contains the MacLockPick Help Files, the MacLockPick Plugins folder, the MacLockPick Report Template folder, and the MacLockPick.dat file. These are items that MacLockPick share across all three of the various operating system versions that MacLockPick is compatible with.
MacLockPick Output Folder MacLockPick Output Folder This folder is normally found on the flash device but can be stored on an alternative storage device. It contains the output from the MacLockPick process. Logs are stored in SQLite format to maintain flexibility, speed, and open standards. File archives default to MacLockPick archive format but can optionally be stored in raw file/folder format (this is not recommended on a FAT32 device as it will be very slow to create the output). Additional files stored here include the command-line history (on unix based computers), and JPEG files taken from screen shots or clipboard contents.
MacLockPick plugins MacLockPick Plugins The complete list of plugins available to you are contained in this folder. If you add plugins (either by creating them in MacLockPick Setup or by importing plugins from the web site) then the will be stored here. The MacLockPick Plugins folder is stored in the Shared Resources folder on the MacLockPick device. Plugins are defined in XML format with associated files where appropriate.
MacLockPick Report Template MacLockPick Report Template You can create reports in HTML format using MacLockPick Reader. These reports are based on an simple XHTML templates found in this folder. If you wish to change the look and feel of your reports you can do so by changing the template files and/or graphics contained. The MacLockPick Report Template folder is stored in the Shared Resources folder on the MacLockPick device.
MacLockPick Registry.inf MacLockPick Registry.inf Each MacLockPick device is individually authenticated by Inc. This file is unique to every MacLockPick 3 device and cannot be transferred from one device to another. The MacLockPick Registry.inf file is stored in the Shared Resources folder on your MacLockPick device. If this file is missing from your device the software will not function and you will need to contact your supplier or Inc. to obtain one. To contact Inc. please email us at with your proof of purchase.
MacLockPick.dat MacLockPick.dat The MacLockPick.dat file determines where the MacLockPick Output Folder will be located. It is generated by the MacLockPick software and can be copied to the root of another device in order to specify that device as the output device. You can also perform this task automatically using the MacLockPick Manager program. The MacLockPick.dat file is stored in the Shared Resources folder on your MacLockPick device by default.

3. Service, Support and Maintenance

We provide free technical support both via email or phone during the hours 10am to 6pm Pacific Standard Time (GMT -8) Monday to Friday. By email, we can be reached at the following address: By phone, we can be reached at: +1 (510) 870-7883, or by fax on +1 (510) 868-3407. In addition to any support question(s), the investigator must include ALL of the following pieces of information:

  • Valid proof of purchase.
  • System configuration(s) – hard drive make, model etc.
  • System OS version.

Training and maintenance programs are available on request. For more information please contact

III. MacLockPick 3 – How to operate in the field

The investigator or eDiscovery professional in the field will find MacLockPick 3 simple to use. The basic steps involved are to insert the USB device into the suspect’s computer, locate the MacLockPick 3 application, open the application, allow the software to gather the data, then remove the device from the computer being audited.

1. Plugging in the USB Device

Locate an available USB port on the suspect’s machine. The MacLockPick 3 device should inserted with the graphic side up. USB ports can be identified by the USB logo. Examples of the USB logo are as follows;

It is recommended (but not compulsory) that the investigator purchase and carry a bus powered USB 2.0 hub for the occasions where the suspect may not have a spare USB port.

2. Folder Layout

Figure 1: MacLockPick 3 layout on Microsoft Vista


Figure 2: MacLockPick 3 partition on Apple Mac OS X


Figure 3: MacLockPick 3 partition on Ubuntu Linux

The USB device is laid out to allow easy access to the various versions of MacLockPick and the MacLockPick output files. Within the USB drive you will find three partitions. A Windows compatible partition named MACLOCKPICK – contains the Microsoft Windows version of MacLockPick along with the MacLockPick Manager application. The applications are built for Win32 and run natively on most modern Microsoft computers. A Mac OS compatible partition named MacLockPick (OS X) – contains the Mac OS version of MacLockPick along with the MacLockPick Manager application. The applications are compatible with Mac OS 10.5 or above, and require Intel based Mac to operate. A Linux based partition named MacLockPick Linux – contains the Linux version of MacLockPick along with the MacLockPick Manager application. The applications are built for Linux platforms such as Ubuntu and Suse. Within each partition you will find several folders. • Applications Containts the MacLockPick application along with the MacLockPick Manager application. • Shared Resources – Contains a number of folders with resources shared by the various MacLockPick operating system specific versions.

MacLockPick Help Files – Contains the help files (you are reading them now) outlining the use of the full suite of digital forensics field triage tools. • MacLockPick Plugins – This folder contains the plugins that MacLockPick may run. Each plugin is contained in it’s own folder within the folder. Adding additional plugins may be done via the MacLockPick Manager application in the ‘Applications – OS X’, ‘Applications – Windows’ and ‘Applications – Linux’ folder. • MacLockPick Registry.inf – Each MacLockPick 3 device is individually authenticated by Inc. This file is unique to every MacLockPick and cannot be transferred from one device to another. If this file is missing from your device the software will not function and you will need to contact your supplier or Inc. to obtain one. To contact Inc. please email us on with your proof of purchase handy. • MacLockPick Report Template – This folder contains the template for the report MacLockPick generates when the user selects the report option. The index.html file and image files contained within the ‘images’ are user-editable to create a customized report. The user may also leave the templates in their default state for a simple and professional report format. • MacLockPick.dat – The MacLockPick.dat file determines where the MacLockPick Output Folder will be located. It is generated by the MacLockPick software and can be copied to the root of another device in order to specify that device as the output device. You can also perform this task automatically using the MacLockPick Manager program.

3. Gathering data from a suspect’s system

To gather data from a suspect’s system using MacLockPick 3 simply double-click the MacLockPick application in the ‘Applications – OS X’, ‘Applications – Windows’, or ‘Applications – Linux’ folder corresponding to the type of operating system the suspect is using. MacLockPick will launch and run automatically. MacLockPick will notify the user when the process has finished and inform you that the acquired information has been stored in the MacLockPick Output folder on your specified device.

Figure 4: MacLockPick application on Microsoft Windows 7


Figure 5: MacLockPick application on Apple Mac OS X


Figure 6: MacLockPick application on Ubuntu Linux system


Some compuers running Microsoft Windows support a feature built into the operating system called “auto run”. Auto run or auto play is the ability of many modern computer operating systems to automatically take some action upon the insertion of removable media such as a CD-ROM, DVD-ROM, or flash media. Your flash device has been pre-configured to take advantage of this feature to automatically launch MacLockPick 3 when the device is inserted. This feature is not supported by Apple Mac OS X and may be disabled on certain Microsoft Windows machines. Note: If you wish to insert your MacLockPick flash drive into a PC and NOT automatically start the triage process you can do so by holding down the shift key. MacLockPick will sense the shift key being held down and will automatically quit itself immediately upon launch. This is important if your lab computer is running Microsoft Windows and you do not want MacLockPick to extract forensics information from it automatically.

Once the application is launched it will determine what plugins to use and perform the forensics tasks you have previously selected using the setup application. If you have not used the setup application then MacLockPick 3 will perform all of the default actions and record the the results to the flash device. There is no need for the investigator to interact with MacLockPick 3 during the triage process. MacLockPick 3 is designed to do all the field work as an automated task. The operator should simply wait for the completion of the process then eject the drive and move onto the next task (either return to the lab or perform further investigations on other systems).

Figure 7: MacLockPick has completed the data capture tasks on a Microsoft Windows Vista system.


Figure 8: MacLockPick has completed the data capture tasks on an Apple Mac OS X system.


4. Hidden Features

a. Saving the results to a different device

The MacLockPick.dat file dictates where the MacLockPick Output Folder with the MacLockPick log files are stored. It will be created in the root directory of the device MacLockPick is first launched from. Users can also use the MacLockPick Manager’s Choose Destination feature and to specify a different device to output the acquired data to.

Figure 9: Choosing an alternate volume to store your output folder.

If you have a specific need to determine an alternative output device in the field you can do so by holding down the control key during the launch of the MacLockPick application. You will be prompted to select a folder to create the output in. MacLockPick will only use this output folder for the duration of a single instance of the program, so if you need a more permanent selection then it is recommended you use the MacLockPick Manager program to do so.

b. Quick exit

When MacLockPick is launched it runs with no user interaction required until it completes it’s tasks. There may be times when a user needs to stop the MacLockPick process while it is running. To stop MacLockPick in the middle of operation, simple hold down the ‘Shift‘ key until it exits.

c. Changing the order that the plugins are executed

MacLockPick 3 allows a user to change the order that the plugins are executed by changing the alphabetical order of the plug-in folders. For example, adding an ‘A’ in front of the Safari plugin folder (changing it to ASafari), the plugin will be executed right after the Adium plugin. Similarly, by adding a character ‘Z’ in front of Apple Mobile, the idevice plugin will be executed right at the end, before the last module (OS X KeyChain Extractor). When enabled, the OS X – KeyChain Extractor will be executed last and the order cannot be altered.

5. Ejecting a Device

To ensure data integrity on the flash device it is important to “eject” the flash device before you physically remove it from your suspect’s system. This procedure is slightly different depending on what operating system is being used and what version of that operating system is installed. This documentation shows you an example of how to do this in the latest versions of the main operating systems. There are subtle difference relating to each version of the operating system but the basic concept is the same.

a. Ejecting the flash device from a Microsoft Vista machine

There are several steps required to safely remove a flash device from a system that is using Microsoft Vista. Step 1: Use the “start” menu (found at the bottom left of the screen. Use this menu to show the devices on your computer by selecting “computer” or “my computer”.

Figure 10: Using the start menu to show the devices on Microsoft Windows Vista

You should be presented with a window showing all of the devices currently connected to your computer. Step 2: Select the “MACLOCKPICK” device and right click on it to bring up the menu. Use this menu to select “safely remove” (or if you cannot locate that option, select “eject”).

Figure 11: Selecting the “MACLOCKPICK” device on Microsoft Windows Vista


Figure 12: Using the menu to safely remove a device on Microsoft Windows Vista

Once you have selected this option, Microsoft Windows Vista will ensure that all data remaining is “flushed” from any caches, that all files are closed, and that it is safe to remove the device. If all has gone well you should see the following message at the bottom right hand side of the screen.

Figure 13: Microsoft Windows Vista says it is safe to remove the flash device

Step 3/ Unplug your MacLockPick 3 from the suspect’s computer and move on to your next task.

b. Ejecting the device from an Apple Mac OS X system

The first step to eject a device on an Apple Mac OS X system is to switch to the “Finder” program. This program manages all the files, folders, and volumes used on an OS X system and is similar to Microsoft Explorer. Step 1: Select the Finder from the dock menu at the bottom of the screen (some users configure the dock to show up on other edges of the screen, such as the bottom, or the left hand side, but the bottom is the default). This menu may be set to “hide”, if this is the case you can expose it simply by moving the mouse to the bottom of the screen. The icon for the finder is almost always found on the bottom left of the dock.

Figure 14: Selecting the “Finder” on an Apple Mac OS X system

Step 2: Hide other applications. This step is not always necessary, but it will simplify the task of locating the “MACLOCKPICK” device on your desktop. If there are no other applications then the option will be grayed out (and is redundant). You can hide the other applications by using the “Finder” menu found at the top left hand side of the screen.

Figure 15: Using the “Finder” menu to hide other applications on an Apple Mac OS X system

Step 3: Locate the “MACLOCKPICK” icon or the “MacLockPick (OS X) icon on the desktop. Your MacLockPick 3 should look like the one shown in figure 15. Generally this will be found near the top right hand side of the screen. If this area is obscured by other windows then close them.

Figure 16: Locating the “MACLOCKPICK” on an Apple Mac OS X system

Step 4: Hold control key down and click on either “MACLOCKPICK” or “MacLockPick (OS X)” to bring up a menu. Systems that have more than one mouse button can use the control key, or the the right click button on the mouse. Once the menu is exposed select the “Eject MACLOCKPICK” option to safely remove the device from the system.

Figure 17: Ejecting a flash device from an Apple Mac OS X system

Step 5: The Finder will prompt if you would like to remove both the Mac and the Windows partitions. Click the “Eject All” button to safely remove the device from the system.

Figure 18: Ejecting both MacLockPick partitions from Apple Mac OS X system

Once the icon has disappeared from your desktop it will be safe to physically disconnect the flash device from the OS X system and move on to your next task of the day.

c. Ejecting the device from a Linux system

To eject a device on a Linux system, right click on the device and select ‘Safely Remove Drive’ from the menu.

Figure 19: Removing MacLockPick safely from Linux system

IV. How to operate MacLockPick 3 in the lab

The investigator or eDiscovery professional in the lab will find MacLockPick 3 simple to use. The basic steps involve opening and reading the MacLockPick output files and then creating a report from relevant user data acquired by MacLockPick. Users can also use the MacLockPick Manager application to customize MacLockPick for specific needs.

1. MacLockPick Manager – Logs

The MacLockPick Manager’s Logs function is your primary tool for viewing and analyzing the data collected in the field. You can use it to open MacLockPick database files, search through the data for items of interest, and to create customized reports.

a. Analyzing data from the field

Once back in the lab, the data collected by MacLockPick from a suspects system can be analyzed with the use of the Logs function within the MacLockPick Manager. Versions of MacLockPick Manager for Mac OS X and Microsoft Windows are included on the MacLockPick USB device and stored in the folder corresponding to their respective operating systems. Simply launch the MacLockPick Manager and click the ‘Logs‘ button. An open dialog will prompt you to select the log file you would like to read.

Figure 20: Use MacLockPick Manager to read the log file

Keylog files are stored in the MacLockPick Output Folder on your MacLockPick destination device. Each keylog file is stored in an individual folder titled with the suspect systems logged-in username followed by the date and time MacLockPick was run on the suspect system. Within that folder you will the keylog file titled ‘Log Database’. Open it to display the contents.

Figure 21: A MacLockPick Reader log file view on Apple Mac OS X Showing the Firefox bookmarks of a user

Important Note: MacLockPick 3 removes the reliance on any particular operating system. The investigator can use Microsoft Windows computers to analyze data captured from an Apple Mac OS X computer. Conversely an Apple Mac OS X computer can be used to analyze data captured from a Microsoft Windows computer. The same is also true with Linux systems. Keylog data is sorted in several ways.

  • Index – chronological index of data as it was acquired with MacLockPick
  • Category – shows the plugin that obtained the data
  • Data – displays the information acquired by MacLockPick. More data may be available and is displayed in the lower window area when an entry is clicked on
  • Source – location where the data was found
  • Date – the date the file or resource was created on the suspect system

MacLockPick Reader displays keylog data in chronological order sorted by category by default. Click the Index, Category, Data, Source, and Data labels across the top of the window to sort by those criteria.

Users can search the suspect keylog data for specific data of interest using the search bar at the top of the screen. You may also narrow results to specific date ranges using the date search bar at the top of the screen.

b. Creating reports

The user can generate professionally formatted reports using userselected data from the keylog. Creating a report is simple and only requires a few clicks. To create a report you must first select the keylog items that you would like to have included in the report. Click on an item to highlight it. You can hold shift and click and drag to select multiple simultaneous items. To select multiple items out of order on a Mac hold the Command key and the Control key on Windows while clicking entries. To select all items in the keylog press Command-A on a Mac and Control-A on a Windows machine.

MacLockPick Reader Generating A Report Figure 22: Choosing a report file format

Once you have selected the keylog entries you want to include in your report simply click the ‘Export’ button. A window will appear asking the user to choose to generate an HTML or Plaintext report. Selecting the HTML report will generate a formatted and customizable formal report. Selecting Plaintext will result in the selected data being outputted to a standard text file in raw form. Once you have chosen the desired report type click the OK button and you will be prompted to select where you would like the report to be saved to. The newly generated report will automatically be opened once completed. You may customize the report for your department or agency by editing the index.html file and pictures within the images folder located in the MacLockPick Report Template folder in the Shared Resources folder on the MacLockPick USB device.

c. View the Report

Since an HTML report was selected in the example, a browser launches showing the report. All items highlighted and exported are hyperlinked under the “Table of Contents” located to the right.

d. Reviewing the Hyperlinks

The examiner can select any hyperlink and be taken directly to that portion of the report.

e. Export as Plaintext

You can also choose to output the audit information as plaintext.

2. MacLockPick Manager – Setup Plugins

We understand that not every agency, department, or user will have the same needs for the data acquired through the use of MacLockPick. MacLockPick is highly customizable for each users case requirements and allows the user to acquire only the target data important to their investigation.

Figure 23: MacLockPick Setup Plugins function running in Microsoft Windows Vista
Figure 24: MacLockPick Setup Plugins function running on Apple Mac OS X

The MacLockPick Manager function labeled Setup Plugins is used to customize the plugins MacLockPick executes when run. From the Setup Plugins function a user can:

  • Enable and disable plugins
  • Create new plugins including file and folder copy routines, execute terminal commands and run CLI based commands.
  • Import and export new 3rd party plugins
  • Select the destination device for MacLockPick to save the output files to.

a. Showing or hiding plugins for different operating systems.

To show only plugins that are compatible with a specific operating system, simply check or uncheck the operating system boxes at the top of the screen. Only plugins that will run under the checked OS’ will be displayed.

b. Enabling and disabling plugins

The investigator can choose to run all the plugins To manage this process there are two different methods;

  1. Users can enable or disable all plugins by clicking the ‘Enable All’ or ‘Disable All’ buttons.
  2. Enable or disable single plugins by clicking the check boxes to the right of the plugin description.

c. Custom plugins

MacLockPick allows the user the ability to create their own custom plugins. These plugins can copy specific files or folders on a suspect system, execute a terminal line command and record the results, or execute a user-made CLI. Adding your own plugins allows the user to be able to fully customize MacLockPick for all of their needs and makes it an even more powerful tool for digital forensics professionals and eDiscovery experts. To create a custom plugin for MacLockPick, click the ‘+’ button within MacLockPick Setup Plugins function. Enter a unique name for your new plugin, select the type of plugin you would like to create from the drop down menu then click ‘Create’.

Figure 25: Creating a new plugin on Mac OS X
i. Copy Files or Folders
Custom File or Folder Copy Plugin Figure 26: Creating a custom plugin on Mac OS X. This example is set to copy only files that have “.jpg”, “.png”, or “.gif” in the file name, bigger than 400 KB, modified within the past 30 days, and are found in the Desktop folder for the currently active user.

The ‘Filter’ panel allows the user to configure criteria for finding and copying files. Available filters include:

  • File name
  • Meta tag
  • Data size bigger than (KB)
  • Data size smaller than (KB)
  • Last modified (days)

Clicking the (+) button underneath the ‘Filter’ pane will bring up the filter list, after which you can select and enter the filter details. To remove an individual filter, select the respective item and then press the (-) button. Clearing an entire list is equally simple; just click the (clear) button under the Filter panel. This will, without warning, remove all the items from the list. Use the ‘File’ and ‘Folder’ buttons under the Type section to select the type of data you would like to copy. ‘File’ will copy only a specific file while ‘Folder’ will copy a folder and all of it’s contents. The ‘Relative to’ section allows the user to specify if MacLockPick should look for the file or folder at the specified path from the root of the drive or from the user folder of the active user account. In the ‘Type’ section, click the ‘Select’ button and choose the file you would like to copy (if copying files) or the folder (if copying folders). Click the ‘Save’ button to add the custom plugin to MacLockPick and enable it.

ii. Terminal commands
Custom Terminal Command Plugin Figure 27: Creating a custom plugin on Microsoft Windows Vista. This example is set to execute the windows command-line tool “tasklist” with “/svc” as a parameter. The result from this command will be recorded in the log.

Enter the desired terminal command to have MacLockPick execute in the ‘Data’ field. Click the ‘Save’ button to add the custom plugin to MacLockPick and enable it.

iii. External commands
Custom CLI Plugin Figure 28: Creating a custom on Microsoft Windows Vista. This example shows the Microsoft tool called “uptime.exe” being added to the MacLockPick 3 plugins after the investigator has downloaded this tool from Microsoft’s web site

Adding in custom CLI plugins allows the investigator to make use of third party command-line tools. Many forensics professionals have a collection of open source tools that are taken on any investigation. These tools can be integrated into the MacLockPick 3 solution in order to automate their use.

Click the ‘Select’ button and select the CLI to have MacLockPick execute when run. Enter any additional parameters to the ‘Parameters’ field. Click the ‘Save’ button to add the custom plugin to MacLockPick and enable it.

d. Third party plugins

Third party plugins bring a whole new range of abilities to MacLockPick. Third party plugins are available from for all licensed MacLockPick users. Import new 3rd party plugins to MacLockPick by clicking the ‘Import’ button. You can then select the new plugin to add it to the plugin listing. Export plugins you have created by clicking on the plugin within the plugins window to highlight it and then clicking the ‘Export’ button and selecting a location to save it to.

3. Selecting an alternative output device

If your investigations will likely require more space than is available on the MacLockPick 3 flash device then it is recommended you configure it to write to an alternative device. Examples of alternative devices are as follows;

  • USB Flash Drives
  • External Hard Drives
  • Network Accessible Storage
  • Central File Servers
Figure 29: Choosing an alternative destination for output.

Before proceeding ensure your desired storage device is connected and available. Launch MacLockPick Manager and click on the “Choose Destination” button (shown above in figure 29). Select the device you wish to use as your storage and then click on the OK button to proceed. MacLockPick Setup will create a file at the root of the selected storage device called “MacLockPick.dat” that contains an encrypted code to match the copy of “MacLockPick.dat” found in the main MacLockPick 3 device. These codes are generated randomly to avoid tampering with this mechanism. MacLockPick will search for this file each time it is launched. If it is able to find a matching MacLockPick.dat file on any device currently connected to the system, it will create a folder called “MacLockPick Output Folder” at the root of that volume and store any of the data it finds on within that folder. By default, the “MacLockPick Output Folder” is stored on the MacLockPick device, within the Shared Resources folder.

V. References

1. Recommended Reading

CFFTPM – Computer Forensics Field Triage Process Model

The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for providing the identification, analysis and interpretation of digital evidence in a short time frame, without the requirement of having to take the system(s)/media back to the lab for an in-depth examination or acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic principles, and does not negate the ability that once the initial field triage is concluded, the system(s)/storage media be transported back to a lab environment for a more thorough examination and analysis. The CFFTPM has been successfully used in various real world cases, and its investigative importance and pragmatic approach has been amply demonstrated. Furthermore, the derived evidence from these cases has not been challenged in the court proceedings where it has been introduced. The current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative support capabilities and practical considerations.

VI. End-User Software License Agreement

End User License Agreement for MacLockPick – Click Here

VII. Copyright Notice Incorporated copyrights this software, the product design, and design concepts with all rights reserved. Your rights with regard to the software and manual are subject to the restrictions and limitations imposed by the copyright laws of the United States of America. Under the copyright laws, neither the programs nor the manual may be copied, reproduced, translated, transmitted or reduced to any printed or electronic medium or to any machine-readable form, in whole or in part, without the written consent of Inc. © Copyright 2004 – 2012 Inc. All Rights Reserved


MacForensicsLab and MacLockPick are trademarks of Inc. All other brand and product names are trademarks or registered trademarks of their respective holders.