I would definitely consider myself a Windows person with little experience with Mac. Sarah Edwards gave a great presentation on Analysis & Correlation of Mac Logs. The presentation touched upon where you could find basic logs, system logs, audit logs, volume information, network information, location data, user activity, backup data, software data, system information, printing data, temporal changes, and Bluetooth information. I now have a list of places to start when examining a Mac computer because of this presentation.
This year was my second time going to the SSD Forensics session. The presentation, given by Jeff Hedlesky from Guidance Software, Chris Bross from DriveSavers, and David Sun and Leo Costello from S34A, explained some problems that arise with SSDs. Problem 1 is that hashing is made more difficult with SSDs. When LBA is used to image an HDD, the image includes unallocated space, but with SSDs, the data in an LBA can change under certain situations. Below is a slide from the presentation that explains Problem 1.
Problem 1 Explanation
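To make Problem 1 concrete, here is an added example (not part of the original post or the presentation) that hashes two acquisitions of the same constructed 64-sector "drive" and reports which LBA ranges differ. The sector layout, the zeroed range (LBA 40-55) standing in for a change made by the drive itself, and all function names are assumptions for illustration.

```python
import hashlib

SECTOR = 512  # bytes per LBA in this constructed example


def image_hash(image: bytes) -> str:
    """One hash over the whole image, like a classic acquisition hash."""
    return hashlib.sha256(image).hexdigest()


def block_hashes(image: bytes, sectors_per_block: int = 8) -> list:
    """Hash the image in fixed-size blocks so differences can be localized."""
    size = SECTOR * sectors_per_block
    return [hashlib.sha256(image[i:i + size]).hexdigest()
            for i in range(0, len(image), size)]


def changed_lba_ranges(first: bytes, second: bytes, sectors_per_block: int = 8) -> list:
    """Return inclusive (start_lba, end_lba) ranges whose block hashes differ."""
    a = block_hashes(first, sectors_per_block)
    b = block_hashes(second, sectors_per_block)
    if len(a) != len(b):
        raise ValueError("images differ in size; compare equal-length acquisitions")
    ranges = []
    for idx, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        start = idx * sectors_per_block
        end = start + sectors_per_block - 1
        if ranges and ranges[-1][1] + 1 == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the adjacent range
        else:
            ranges.append((start, end))
    return ranges


def build_demo_images():
    """Constructed data: LBA 0-31 allocated, LBA 32-63 unallocated with stale data."""
    allocated = b"".join(bytes([i]) * SECTOR for i in range(32))
    stale = b"".join(bytes([0xA0 + i]) * SECTOR for i in range(32))
    first = allocated + stale
    second = bytearray(first)
    # Assumption: between acquisitions the drive returned zeros for LBA 40-55.
    second[40 * SECTOR:56 * SECTOR] = bytes(16 * SECTOR)
    return first, bytes(second)


if __name__ == "__main__":
    first, second = build_demo_images()
    print("whole-image hashes match:", image_hash(first) == image_hash(second))
    print("changed LBA ranges:", changed_lba_ranges(first, second))
```

The whole-image hashes disagree even though every allocated sector is identical, while the block-level comparison confines the difference to the unallocated range.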
Problem 2 Explanation
Thank you Champlain College and Guidance Software for giving me the opportunity to attend CEIC.
Sources:
Analysis and Correlation of Mac Logs, by Sarah Edwards
CEIC 2014 Advancements in SSD Forensics, by Jeff Hedlesky, David Sun, Chris Bross, Leo Costello