While we try to build as much functionality as possible into our main products, we occasionally develop one-off tools to help with casework. These tools are very narrow in functionality, but can save hours of frustrating time. They are available free of charge to anyone who has ever bought a product from us. Simply log in to your customer account and select Free Software. Enjoy.
Mount troublesome DMG image files
DMG Assist mounts disk images that won’t mount with the traditional double-click method. This tool utilizes an enhanced shadow mounting process that mounts DMGs as read-only, allowing the user to shadow mount a disk image without the negative effects of date changes that occur with the normal shadow mounting process.
Mount acquired iPhone forensic images
Some iPhone imaging tools image the whole device, leaving the resultant DMG in a state where it cannot be mounted. This tool corrects the partitioning structure, allowing both the system and data partitions to be mounted. DMG Correct should only be used on a copy of the original whole device DMG, as the DMG will be modified for mounting purposes. Additionally, the tool will lock DMGs.
Rename RAW image files to a .dmg extension
DMG Rename renames image files from imaging tools that do not support the .dmg (Mac OS) naming convention. Using this utility, the user is able to automatically rename raw .001 segmented files to the correct .dmg convention, which is necessary to mount an image on a Mac system. In addition, DMG Rename also permits the user to take .dmg files and rename them to raw .001 files.
Convert raw timestamp integers to human-readable local and UTC timestamps
Epoch times can be very confusing on Macs, since there are so many of them to consider: Mac OS, Unix, Webkit, Google Chrome, Mozilla Firefox, Microsoft, and more. This utility allows the conversion to and from many common epoch times so that the investigator can easily navigate between epochs and real times in both local and UTC.
Display the Mac OS X Input/Output Registry
IOReg Info displays the output of the IORegistryKit, which describes all items connected to the computer (e.g., SATA drives, USB drives, FireWire drives, software RAID sets, etc.). This tool can be used to locate partition information, including sizes, types, and the bus to which the device is connected. Additionally, it has the ability to display any one of 22 different media class types, as well as all the information available via IOReg. Results may be saved to a report, which the user can then search for desired information.
Lock and unlock multiple files simultaneously
LockMaster simultaneously locks multiple files using the HFS+ locked flag. Normally on a Mac, the user has the ability to either lock individual items or select an entire folder and lock all the items within that folder. This utility is a highly successful tool for concurrently locking numerous items when they are nested within various folders, and it automates the laborious process of accessing the “Get Info” window for each file and then having to manually choose the “Locked” option.
Display a device's partition map
PMAP Info displays the physical partitioning of the specified device. This tool can be used to map out all the drive information, accounting for all used sectors.