Some combinations are unbeatable. Peanut butter and jelly, macaroni and cheese, Hall and Oates, pairings like these create something totally unique. When it comes to Mac forensics, we have our own iconic duo, RECON ITR and RECON LAB.
If you are doing macOS acquisitions with RECON ITR, that is only half the battle. RECON LAB along with RECON ITR, is the only way to perform a truly accurate analysis of macOS.
Transferring data acquired by RECON ITR over to Windows is wasting the potential of that image. Some data in the Mac environment is designed to be proprietary and can’t be properly interpreted by Windows tools. Included in this data are important timestamps that can completely change the way data is interpreted.
RECON ITR can’t be properly utilized unless RECON LAB is used for analysis. By leveraging native libraries, scripts, and utilities, RECON LAB has macOS processing capabilities that Windows tools could only dream of. By properly parsing and integrating Apple Extended Attribute Metadata, preserving timestamps when imaging logically, and supporting more macOS artifacts than anyone, RECON LAB has better support for macOS analysis than any other tool. All of this advanced analysis is only possible if data is properly preserved at the time of imaging. Without utilizing RECON LAB and ITR together, examiners are certain to miss data and could even draw incorrect conclusions.
Below you can see how RECON LAB parses some Apple Extended Attribute metadata, allowing examiners to see proper timestamps tied to user activity. The Use Count and Use Date metadata is used to track how many times a file was used and what days the file was opened. These kinds of dates and timestamps can’t be properly utilized in other forensic tools.
Some combinations are unbeatable. Peanut butter and jelly, macaroni and cheese, Hall and Oates, pairings like these create something totally unique. When it comes to Mac forensics, we have our own iconic duo, RECON ITR and RECON LAB.
Just because RECON LAB focuses on Apple’s metadata doesn’t mean it leaves behind traditional timestamps. Logical imaging is a common limitation in the Mac environment. One of the drawbacks of logical imaging is the loss of Modify, Access, and Create timestamps. While imaging with RECON ITR, a database is created of the correct timestamps and can be used by RECON LAB to show the accurate timestamps.
The screenshots below show how a logical image shows how the timestamps differ if the image isn’t properly loaded.
Regular Forensic Image:
RECON Logical Image:
Getting a truly accurate look at macOS images is only possible with RECON LAB and RECON ITR together. macOS isn’t the only thing that RECON LAB can process. All of the great automation and timelines features that RECON LAB utilizes in analysis can also be used for all your Windows, Linux, Google Takeout, iOS, and Android data. Make the switch and complete the iconic Mac forensics duo today!
Give RECON LAB a try by filling out a demo request form at: https://hitmusic247.com/software/recon-lab/#demo.