What's the best forensic examination platform? Mac or Windows? We asked our Director of Training, Bob Petrachek, for his expert advice.
This blog was updated on 6/1/18.
In the blog we released a few months back, the point was made that you may never need a Mac if you never:
- Have to examine a Mac or APFS formatted media
- Encounter very long paths and filenames
- Encounter case-sensitive file systems
Well, that has gotten a bit more relevant lately, hasn’t it?
Now that GrayKey has changed the game with iPhones, Windows tools are hiccuping, or even choking on fully parsing the data from those APFS-formatted, case-sensitive iOS file systems. And you may not even realize it!
If you want to fully see the data from those GrayKey productions, go with the people who know Apple device forensics best – the folks you’ve long known and trusted – BlackBag!
Using BlackLight on GrayKey-produced file extractions from iOS devices yields a ton of OS artifacts that many other tools, frankly, have no clue about. Those down-in-the-weeds items that make or break a case – the plists and databases, the unified logs and file system events that you learned about in our Essential Forensic Techniques classes – BlackLight provides those things and much, much more from the data GrayKey is now able to extract from iOS devices. And we’ve figured out how to properly do this even on Windows machines running BlackLight.
You need a Mac to properly examine a Mac or iOS device. It’s even more critical now. To learn more about analyzing GrayKey images in BlackLight or Mobilyze, visit our latest blog here.
We are often asked to recommend a hardware setup for a forensic workstation. And without fail, the follow-up question is: which makes a better forensic platform, Windows or Mac?
The short answer to both questions is the same: “It depends.”
Hardware technology changes rapidly. The latest, greatest gear available today is not necessarily compatible with that of last year, or even last month.
Therefore, we will defer the best hardware setup question – which heavily depends on your needs, environment and budget – to our partners, Silicon Forensics and Forensic Computers. Both firms have outstanding, reliable products supported by knowledgeable staff. And they’re nice people!
So, that brings us to what platform is better for forensics, Mac or Windows?
As a disclaimer, we do not sell computers or derive any compensation or benefit from the sale of either Macs or PCs. Our previously mentioned partners are in that business and we leave that entirely to them. And we don’t get any Apple points or iTunes gift cards by sending customers to Apple. Nada. Zilch. Nothing.
With that said, it has been our consistent experience over many years of conducting computer forensic examinations in virtually every environment that the better platform is a Mac. Hands down.
Now, many will quit reading further as that may contradict their opinion and that’s fine. But, since you asked, and you’ve already read this far, ponder these points:
- Virtually everything you can do with Windows on a PC, you can do on a Mac. Macs run Microsoft Windows and run it very well. That includes Bootcamp, dual-booting and virtual machines. Think about that: Windows runs splendidly on a Mac. Can you run MacOS on a PC? Not so much.
- You may never need a Mac. In your forensic work, if you never encounter a Mac or a device with storage media formatted with HFS+ or the new Apple File System, APFS (per-file encryption or case sensitivity, anyone?); if you never get Time Machine backups or Time Capsules, never need to examine the Quarantine or Spotlight databases, fseventsd or Unified Logs, then you likely will never need a Mac. But if Apple devices are a part of your daily challenges, you’ll need a Mac.
- Mac forensics examinations are best done on a Mac. Otherwise, you will very likely never see or unintentionally obliterate file system metadata and other artifacts that are not supported on NTFS or FAT file systems. And much of this data can be quite probative, such as a file’s source and how it has been managed by the file system.
- filenames.and.extensions and incredibly nested, complex paths, well beyond 255 characters, are everyday occurrences on a Mac. Exporting and presenting these files may well result in truncation and data loss if not done with a Mac. (That first text string in this paragraph is not a typo. It could easily be a valid filename on a Mac!)
- Macs have terrific utilities included with every system which allow a user to create encrypted volumes, archives and even RAIDs with multiple storage devices. Ever encounter a Fusion Drive? If you’ve handled an iMac or a Mac Mini, chances are you may have had a Fusion Drive. That thumb-drive or external disk that just “didn’t look right” on your PC might have been part of a Fusion drive system, a RAID, or was formatted with APFS. You may have thought it was wiped but perhaps it’s actually encrypted with FileVault. You’ll need a Mac to be sure.
- Speaking of utilities, the Disk Utility is quite useful and comes included with every Mac. Disk images can be created from attached disks, volumes, even folders without any third-party tools. It’s fairly easy to create a golden master image of your workstation host volume so you can restore that volume as needed, such as between examinations or otherwise.
- If your Mac media was imaged with a Windows solution, you may have pristine, perfectly-hashing forensic images of the media. But, what if that media consists of a Time Machine backup? Or the disk is one part of multiple components of a Fusion system? What can be done to properly see the fused volume, the special device that is created by the combination of the multiple parts? Reassembling and proper viewing of the volumes is possible. However, it requires working from Terminal, the Mac command line – on a Mac! We cover how to successfully handle these very conditions, by the way, in our Essential Forensic Techniques training classes.
- Macs manage memory better. Their components work together fabulously, right out of the box. Apple makes both the workstations and the operating system, has defined the file system, and manages virtually all of its supply chain.
- There is this way-cool feature on MacOS called Quick Look, which allows one to select a file and preview its contents virtually identical to how it would display in a dedicated software client for that file type. Graphics, including videos, word processing files, e-mail, spreadsheets, text files, just about anything. Select the file, press the spacebar and the Mac will render the file for viewing.
- Ever need to process mobile devices? Tablets? Portable storage devices? Every component and peripheral connected to a PC and every mobile and storage device requires its own driver to interface with Windows. With a Mac, it’s almost a moot point. Rarely is a special driver needed for connectivity with a peripheral or device. You plug it in and it just works. Yes, it is true that iTunes (with its internal drivers) is required for proper connectivity with iOS devices on either a PC or a Mac. And iTunes must be at least as current as the iOS device and its software, but that’s a discussion for a different blog!
- And those iPhones where the handset can be unlocked but certain data types can’t be extracted because it’s inaccessible or protected on the device (e-mail, for example)? Connect them to a Mac, run the free QuickTime Player application and create screenshots or videos documenting the actual display of the live device. Makes a great evidentiary presentation of the content, seen exactly as the user would see it on the device. We blogged about this QuickTime technique before. See how to do it here.
- Speaking of screenshots, they are incredibly easy to create with a couple of keystrokes on a Mac. Capture the entire screen, the open window or select whatever is desired. Then print to PDF, which is internally supported on a Mac.
- Apple displays are incredible. Spending your days staring at a computer screen looking at text and graphics, attempting to discern fine details and differences is extremely taxing on your vision. (This activity was once described as similar to sorting insect excrement from ground pepper!) It wears down your eyes! A quality display is essential. Have you seen the new iMac Pro?
- Macs cost more. No argument there. But they also last longer, a lot longer than comparably equipped PCs. You can easily get five to seven years or more of forensic use out of a Mac. Something to factor in when considering equipment and replacement costs.
- You get professional-grade gear with a Mac. The Mac you purchase is likely identical to the one Apple’s employees use, including their forensic folks.
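The case-sensitivity and path-length hazards described in the list above can be screened for before files are exported off a Mac. The script below is an added example, not BlackBag code; it assumes a plain list of POSIX-style relative paths taken from the extraction, the classic Windows MAX_PATH of 260 characters (including the terminating NUL), and the 255-character per-component filename limit shared by NTFS and FAT32.

```python
"""Flag APFS/HFS+ paths that will collide or truncate on a case-insensitive Windows export."""
from collections import defaultdict

MAX_WIN_PATH = 260   # classic MAX_PATH; one character is the terminating NUL
MAX_COMPONENT = 255  # per-name limit on NTFS and FAT32 (assumed for this check)

# Constructed sample paths, as a tool might list them from a case-sensitive volume.
SAMPLE_PATHS = [
    "Users/alice/Documents/Report.pdf",
    "Users/alice/Documents/report.pdf",                    # differs only by case
    "Users/alice/Library/Logs/" + "x" * 256 + ".log",      # single name > 255 chars
    "Users/alice/" + "/".join(["nested"] * 40) + "/notes.txt",  # deep path > 260
    "Users/alice/filenames.and.extensions",                # dotted name, legal on a Mac
]


def check_export(paths, prefix_len=0, max_path=MAX_WIN_PATH, max_component=MAX_COMPONENT):
    """Return the paths that would collide or exceed length limits on the destination.

    prefix_len is the length of the destination root (e.g. 'C:\\Evidence\\Case\\')
    that will be prepended to every exported path on the Windows side.
    """
    findings = {"case_collision": [], "component_too_long": [], "path_too_long": []}
    by_folded = defaultdict(list)
    usable = max_path - 1  # leave room for the NUL terminator
    for p in paths:
        # Case-insensitive destinations treat these as the same file: the second
        # write silently overwrites the first, i.e. evidence is lost.
        by_folded[p.casefold()].append(p)
        if any(len(component) > max_component for component in p.split("/")):
            findings["component_too_long"].append(p)
        if prefix_len + len(p) > usable:
            findings["path_too_long"].append(p)
    for group in by_folded.values():
        if len(group) > 1:
            findings["case_collision"].append(sorted(group))
    return findings


if __name__ == "__main__":
    for category, hits in check_export(SAMPLE_PATHS, prefix_len=len("C:\\Evidence\\Case\\")).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run it against a real manifest (one path per line) to get the list of names that must be renamed, hashed and documented before export, rather than discovering the overwrite after the fact.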
The list goes on. But, you asked us for our opinion and we answered. The main thing is to get quality, reliable gear which you can trust. Your business, even your reputation may very well depend upon it.
About Bob Petracheck
Before joining the BlackBag team in 2013, Bob spent 36 years in law enforcement at the local, state and federal levels. The majority of that time was spent working as an investigator, and Bob has handled virtually all types of criminal and intelligence cases. Working full-time in computer forensics since 1995, Bob is a founding member of both the first Regional Computer Forensics Laboratory (San Diego) and the HTCIA San Diego Chapter. Bob has worked with digital evidence on cases such as local homicides, political corruption, the 9-11 attack investigations, political executions in the Middle East and highly classified military cases. Now that he is retired from LE, Bob is thrilled to be able to continue working as an ally for digital evidence investigators with BlackBag Technologies.