Imperfect Mac Analysis Using Windows

What exactly are you missing? Is what you've found good enough?

We've received a number of calls from customers (or soon-to-be customers, in many cases) asking why other Windows-based products or solutions they have been using do not produce the expected results. There are many reasons for this, but the single biggest one is that when you use a Windows-based product, you are inherently limited by the Windows operating system's interpretation of Mac files, and usually not by the forensic product itself. We encourage all of our clients to perform native-to-native analysis as often as possible, meaning Windows-to-Windows and Mac-to-Mac. We understand that budgets are limited and it is not always possible to have multiple analysis platforms; however, if you are running Windows, here are a few limitations to be aware of:

1. .dmg files. These flexible "containers" are widely used by Mac users to share and store large files. Unfortunately, Windows has a tough time with this format, so any files inside a .dmg will be misread, or missed completely, as important data by Windows.

2. Native Mac applications such as Keynote, Pages or Numbers. Their documents are interpreted by Windows as thousands of small files instead of the single file you will see on a Mac. While not nearly as prevalent in corporate America as the Microsoft suite (PowerPoint, Word or Excel), they are gaining traction, especially on iOS devices such as the iPad. Completely missing this user-generated content could be damaging to any case.

3. Intel Macintosh computers often have FAT or NTFS partitions on the drive (mostly to virtualize Windows environments using tools like Boot Camp and Parallels). When connecting a Windows analysis computer to a Mac in FireWire Target Disk mode for imaging, the metadata on those partitions can be changed, which is of course the last thing you want to happen as a forensic examiner.
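Point 2 above is the one an examiner can partly compensate for on Windows: an iWork document is a package bundle, a directory that macOS shows as one file. The following added example (written for this page, not BlackBag's or BlackLight's code) walks a volume as a Windows tool would see it, collapses each `.key`, `.pages` or `.numbers` directory back into a single logical document with an aggregate size, file count and newest timestamp, and stops descending into it so its contents are not counted twice. The extension list and the sample tree it builds are constructed assumptions, not real evidence.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumption: the classic iWork document extensions, whose files are really
# directory bundles on disk (Finder shows each one as a single document).
PACKAGE_EXTENSIONS = {".key", ".pages", ".numbers"}


def find_packages(root):
    """Return each bundle under `root` as one logical document:
    (path, file_count, total_bytes, newest_mtime_iso)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Bundles at this level: report them whole and prune them from the walk.
        bundles = [d for d in dirnames
                   if os.path.splitext(d)[1].lower() in PACKAGE_EXTENSIONS]
        dirnames[:] = [d for d in dirnames if d not in bundles]
        for name in bundles:
            bpath = os.path.join(dirpath, name)
            count, total, newest = 0, 0, 0.0
            for inner_dir, _, inner_files in os.walk(bpath):
                for f in inner_files:
                    st = os.stat(os.path.join(inner_dir, f))
                    count += 1
                    total += st.st_size
                    newest = max(newest, st.st_mtime)
            stamp = datetime.fromtimestamp(newest, timezone.utc).isoformat()
            results.append((bpath, count, total, stamp))
    return results


def summarize(root):
    """Map bundle name -> (file_count, total_bytes) for a triage report."""
    return {os.path.basename(p): (n, size) for p, n, size, _ in find_packages(root)}


def build_sample_tree():
    """Construct a throwaway tree mimicking a Mac volume as seen from Windows
    (constructed sample data: two bundles plus one ordinary file)."""
    root = tempfile.mkdtemp(prefix="mac_volume_")
    layout = {
        "Documents/Q3 Plan.key/index.apxl": b"<presentation/>",
        "Documents/Q3 Plan.key/Data/slide1.jpg": b"\xff\xd8\xff" + b"\0" * 100,
        "Documents/Q3 Plan.key/QuickLook/Thumbnail.jpg": b"\xff\xd8\xff",
        "Documents/Memo.pages/index.xml": b"<document/>",
        "Documents/notes.txt": b"plain file, not a bundle",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Running `summarize(build_sample_tree())` reports two documents rather than five loose files; point the function at a mounted image instead of the sample tree to get the same collapsed view of real user content.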

Again, we understand that hardware is not unlimited and budgets are finite. That is why our own forensic analysis product, BlackLight, will soon ship in a Windows version. Unfortunately, even our product will be limited by some of Windows' interpretation of Mac data. If you have the opportunity to buy a Mac, we encourage you to do so. If not, be aware of the difficulties of performing non-native analysis and do your best to work a case with these limitations in mind.
