1. Introduction
RECON Lab was developed for forensic examiners to have full control over their forensic examinations on a Mac platform that truly harnesses the power of the Mac. For decades, examiners have had to perform Mac analyses on a Windows machine that did not fully interpret the unique system artifacts associated with HFS+, CoreStorage, Fusion, FileVault, and APFS Macs. RECON Lab resolves these issues for the forensic community. RECON Lab will interpret Mac OS artifacts in its native environment, and present its findings in a user-friendly interface that simplifies the examination process for the forensic investigator.
RECON Lab is dongle based software that requires the dongle to be plugged into your forensic Mac to run the software. RECON Lab will provide the functionality to obtain an iOS backup from an attached iOS device. RECON Lab possesses the ability to analyze forensic images of RAM, Mac forensic images, iOS forensic images, and Windows forensic images. To date, most forensic tools either do not parse out Apple Extended Metadata or they display string based output that compels the forensic examiner to decipher the forensic tool’s interpretation of the data. RECON Lab parses out all Apple Extended Metadata and allows examiners to filter and sort artifacts based upon Apple Extended Metadata; no forensic tool on the market supports Apple Extended Metadata to the depths that RECON Lab computes.
Report creation within RECON Lab can be of the standard template or the more advance Story Mode function that allows for report customization as an examiner bookmarks key artifacts. RECON Lab was designed by former law enforcement forensic examiners for forensic examiners in corporate and law enforcement environments.
2. Installation
RECON LAB can only be installed on an Intel Mac-based computer (i.e. iMac, MacBook Pro).
Although RECON LAB will run on any Intel Mac we recommend the following minimum requirements when using RECON LAB:
You can find information about your Mac’s specifications from the Apple Menu in the upper left hand corner:
Apple Menu -> About this Mac
Go to the following link to ensure you have the latest version of RECON LAB: //goo.gl/wWm2qi
The downloaded file will be in your Downloads folder.
The downloaded file will be labeled RECON_LAB_VersionNumber.dmg (i.e. RECON_LAB_1.0.9.dmg). Please confirm the downloaded file by verifying the MD5 and/or SHA1 of the downloaded DMG file.
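The integrity check in the step above can be scripted rather than compared by eye. The following is an added example, not part of the RECON LAB manual or the vendor's own tooling: it computes MD5 and SHA1 of a file in one chunked pass (so a multi-gigabyte DMG never has to fit in memory) and compares each against the published value with a constant-time comparison. The installer file name and the digests in `demo()` are constructed placeholders; `demo()` uses the well-known test vectors for the bytes `abc` so the example is self-checking.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digest algorithms the installation instructions mention for the DMG.
ALGORITHMS = ("md5", "sha1")


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5 and SHA1 of a file in a single pass, reading in 1 MiB
    chunks so large disk images are never fully loaded into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, expected):
    """Compare the digests published for a download against the file.
    `expected` maps algorithm name -> hex digest (any letter case).
    Returns {algorithm: bool}; an algorithm we cannot compute raises."""
    actual = file_digests(path)
    results = {}
    for name, want in expected.items():
        if name not in actual:
            raise ValueError(f"unsupported digest algorithm: {name}")
        # compare_digest gives a timing-independent comparison of the two hex strings.
        results[name] = hmac.compare_digest(actual[name], want.lower())
    return results


def demo():
    """Self-check with a constructed 'download' whose contents are b'abc';
    the MD5/SHA1 of 'abc' are standard test vectors. A second copy with one
    byte changed shows both digests rejecting it. Returns (good, tampered)."""
    known = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    }
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "RECON_LAB_x.y.z.dmg"  # placeholder file name
        good.write_bytes(b"abc")
        tampered = Path(tmp) / "tampered.dmg"
        tampered.write_bytes(b"abd")  # a single byte differs
        return verify_download(good, known), verify_download(tampered, known)


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine:", ok)      # both True
    print("tampered:", bad)    # both False
```

In practice you would pass the path of the real `RECON_LAB_VersionNumber.dmg` and the digests published alongside it; a `False` for either algorithm means the file must not be opened or installed.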
Double-click on the DMG file to mount it; the RECON_LAB_INSTALLER.app will be located within the mounted DMG.
Drag the RECON_LAB_INSTALLER.app to your Desktop.
Open a terminal window with Terminal.app and run the following command:
xattr -c ~/Desktop/RECON_LAB_INSTALLER.app
Then right-click and select Open on the RECON_LAB_INSTALLER.app. A Mac Window Prompt will appear that asks “Are you sure you want to open it?” Select Open.
You will be presented with the following RECON Lab Installer Splash Screen.
Select Install if you are updating from a previous version of RECON Lab. Select Clean Install to completely overwrite the previous versions of RECON LAB. And lastly, select Uninstall to remove the latest version of RECON LAB from your Mac. Upon completion of the installation, the bottom left hand corner will state Done!!! Click on the Red X icon in the top left hand corner to close the window.
Grant RECON LAB Full Disk Access by performing the following:
Starting RECON LAB:
The main splash screen will then appear with a message regarding the privacy prompts when processing Mac data. Click OK to acknowledge the notification and continue.
Select the checkbox “Don’t show this message again” if you prefer not to see the notification again.
The registered owner information, purchase date, and expiration date will be displayed in the bottom right hand corner of the screen (see the image below).
3. Configuration
On your initial screen, select RECON Config to configure your case environment (see figure below).
In the customization wizard, select each field to customize your RECON LAB environment:
4. Overview - Interface of RECON LAB
RECON LAB allows examiners to manually navigate through the attached evidence file while the processes are running. Automated plugins will run concurrently and routinely finish prior to indexing and Apple Extended Metadata processing. See the image below for the layout of the main screen within RECON LAB.
The examiner can then drill down through the file system either on the left hand sidebar or within the center screen by double-clicking on the directory of interest. Within the center screen, the examiner can search the immediate directory, sort by filter, or view the current JPG & PNG files. Underneath the center screen is the detailed information window that displays the highlighted file in HEX view, Text view, Strings, Exif Metadata, Apple Metadata, Maps, and a media file preview (if available).
The Detailed Information Tab will display key information about the highlighted file/directory. The detailed information can consist of:
The Hex View Tab will display the content of the file in hexadecimal format. The examiner has the ability to do the following in the Hex View Tab:
The Text View Tab will display the content of the file in text format. The examiner can search through the file and toggle between ASCII and Unicode encoding. Any text values of importance can be highlighted and tagged for reporting purposes or the examiner can right-click within the Text window and click “select all”.
The Strings Tab allows an examiner to look for Strings within a particular file. Strings are identified as four or more printable (commonly ASCII) characters that are immediately followed by an unprintable character. Any String output identified can be selected and tagged for reporting, and the examiner can also “select all”.
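To make the definition above concrete, here is an added example of a string extractor written to that rule; it is not RECON LAB's code and the sample bytes in `SAMPLE` are constructed for the demonstration. It goes slightly beyond the page by also recovering UTF-16LE runs (printable byte, NUL, printable byte, NUL, …), the encoding the Text View's Unicode toggle is aimed at. Each match is reported with its file offset so a hit can be located again in the Hex View.

```python
import re

MIN_LEN = 4  # the manual's threshold: four or more printable characters


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every run of at least `min_len`
    printable ASCII characters (space 0x20 through tilde 0x7E), and for the
    same characters encoded as UTF-16LE, ordered by offset.

    The quantifier is greedy, so every match ends at the first byte that is
    not printable (or at end of data), which is exactly the terminator in the
    definition. An ASCII run and a UTF-16LE run may overlap in odd inputs;
    both are reported so the examiner can decide."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])
    return found


# Constructed sample: a fake header, two ASCII strings separated by noise,
# and one UTF-16LE string. "ELF" is only three characters, so it is dropped
# at the default threshold.
SAMPLE = (
    b"\x7fELF\x01\x00"
    + b"abcd\x00"
    + b"xy\x00"
    + b"hello world!\x00\xff"
    + "ABCD".encode("utf-16-le")
    + b"\x00\x00"
)


def demo():
    """Run the extractor over the constructed sample."""
    return extract_strings(SAMPLE)


if __name__ == "__main__":
    for offset, encoding, text in demo():
        print(f"0x{offset:08x} {encoding:9s} {text}")
```

Lowering `min_len` to 3 brings the short `ELF` run back, which illustrates why the threshold matters: short runs are mostly noise from binary data, while a higher threshold can hide genuinely short markers.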
The EXIF Metadata Tab displays the accessible EXIF information to the examiner. The EXIF data recovered within RECON LAB is predominately the author, GPS coordinates, and the Make & Model of the associated device.
The Apple Extended Metadata Tab displays all available Apple Extended Metadata for the selected file to include any third-party Apple Extended Metadata Attributes. This tab will output the recovered Apple Extended Metadata associated with the selected file.
The Maps Tab depicts the GPS location of the file’s origin and displays the off-line output to a 1:2 million scale map. In the event the examiner’s Mac is online, it will link directly to a Google Maps webpage. The latitude and longitude will also be presented in this tab.
Items of evidentiary value can be bookmarked or tagged. An item can be bookmarked by hitting the B key. Files can also be viewed using the Quicklook function which is the eye icon or by pressing the Space bar. When an examiner right-clicks on an item in the center screen a menu with multiple options will appear (see figure below). Examiners will be able to perform the following:
5. Acquire iOS Devices with RECON LAB
In the initial Splash screen, examiners have the ability to acquire an iOS image from an iPhone, iPod, or iPad that is connected to their forensic Mac. The examiner will need the login credentials for the iOS device and the ability to interact with the iOS display (i.e. a functioning screen). iTunes must be installed on the Mac and it has to be up to date.
The examiner will select Acquire iOS Device button (see image below).
The examiner can plug the iOS device into the Mac before selecting Acquire iOS Device. Once it is plugged in, ensure you select Trust on the iOS device during the “Trust This Computer?” prompt. iTunes will also prompt “Do you want to allow this computer to access information on ‘user’s iPhone’?” Select Continue.
You’ll then be instructed to enter the login credentials for the iOS device. If the iOS device is not visible, click on the Refresh button to retry accessing the iOS device.
Once the iOS device’s information is displayed, you can obtain key information such as the phone number, International Mobile Equipment Identifier (IMEI) and the International Mobile Subscriber Identity (IMSI) in the lower window.
Once the examiner confirms the attached iOS device is the intended acquisition target, click on Acquire. Then select the output directory for the iOS data acquisition. Once the extraction is complete, you can load the iOS backup into RECON LAB by navigating to the manifest.db found within the acquisition folder.
6. Start a New Case
From the initial splash screen, the examiner has five (5) options:
To begin a new investigation, select New Case (see figure below).
Enter the appropriate Case and examiner information; keep in mind that Case number (Case No.), Case Name, and Examiner are required to be completed to select Next.
Please keep in mind that your evidence must either reside on your forensic Mac or directly attached via USB, USB-C, Thunderbolt, or Firewire. The evidence should also reside on a HFS+, APFS, or a Mac-initialized ExFAT formatted drive.
In the event that the evidence file is a physical image of a Mac with FileVault, the examiner should select File Vault Image. Any other physical image should be added under Forensics Image. Keep in mind that a FileVault image can be an E01, DMG, or S01 file; it is up to the examiner to identify whether the evidence file is of a FileVault Mac image.
Keep in mind that the T2 chips in newer Macs function similarly to a Trusted Platform Module (TPM): when a full physical forensic image is obtained, you are not able to mount that forensic image. The examiner must obtain a logical data extraction from a T2 chip Mac and load the evidence as a folder.
The next screen will allow an examiner to add evidence to be analyzed (see image below).
Once an image is added, select Next. Then select the destination directory, prior to selecting Next. The next portion is to select the Date & Time format, which can be UTC, the machine time zone, or the examiner selected time zone to include the preferred date format; then click on Next.
The next process portion is to configure the Filesystem modules; the modules can either use the default configurations made within RECON Config or adjust the modules to the specific case. Once the Apple Metadata (only applies to Mac images), Mime types, Signature Analysis, Exif Metadata, Hashset, and Index Files are configured, the examiner will then click on Next. Lastly, the examiner will pick the desired plugins to parse, and select Start (see figure below).
RECON LAB will immediately start to parse through artifacts and the screen will look similar to the image below.
At this time, RECON LAB is running through the automated plugins and running the more complex actions such as indexing and extracting Apple Extended Metadata as separate threads. This ensures that RECON LAB can simultaneously allow examiners to obtain low hanging fruit evidence and still conduct a more detailed forensic examination. The examiner will also have the ability to navigate through the write-protected mounted forensic images, so the examiner can drill down to specific directories of interest.
Depending on Plugins selected, your Mac might prompt access to calendar, contacts, reminders, and photos. RECON LAB is not accessing the contents of the Forensic Mac, but the prompt will be displayed due to the nature of Mac OS and interaction with those protected files (see image below). RECON LAB might also prompt you for a volume unlock passcode if it is a FileVault image; you can select Cancel since the passcode was previously entered.
In the event that an examiner no longer desires to run a particular plugin, the examiner can select the “X” icon to the right of the Plugin name to stop that plugin. The only process in the bottom right hand corner that cannot be abruptly stopped is adding evidence items to the case. Evidence items can be removed once they have been fully added. The examiner will select the Processing Status icon in the upper toolbar to access the function of removing evidence from a case (see the image below).
7. Automated Analysis with RECON LAB
The best functionalities in RECON for Mac OS X are built into RECON LAB. The automated Mac plugins extract artifacts from known locations within the operating systems and present the findings to the examiner. The plugins run at the start of case processing and finish promptly; this allows the examiner to start working on a case right away and obtain low-hanging fruit evidence.
The Artifacts plugin initiates the automated analysis that contains 128 unique plugins across the Mac OS X, Windows, and iOS platforms. The examiner has the option to select/deselect all or filter the plugins by OS platform. The examiner can expand every artifact plugin and be selective in the elements retrieved from the highlighted artifact (see image below).
Here is the listing of all the supported plugins:
7.1. Automated Plugins
Mac OS Automated Plugins
Messaging Application
WiFi
File Sharing Application
Anti-Forensics
Anti-Forensics
Web Browser
Anti Forensics
Cloud Services
File Systems Events
Show Recent Calls
Windows Artifacts
Messaging App
Social Media App
Web Browser
Web Browser
Web Browser
Messaging Application
Cloud Storage
Web Browser
Web Browser
Email Client
Email Client
Virtualization
Windows Artifacts
Messaging
Windows Artifacts
Remote Desktop
Messaging
Email Client
Web Browser
Web Browser
Media Player
Virtualization
Messaging
Virtualization
Torrent Sharing
Messaging
Media Player
Torrent Sharing
Torrent Sharing
Torrent Sharing
Torrent Sharing
8. Load a Case
To open a previously created case, select Load Case from the initial splash screen.
The popup window instructs the examiner to navigate to the desired case folder and click Open.
The naming structure of the folder will consist of the Case Name-YYYY-MTH-DYTHH-MM-SC (i.e. Fraud_Investigation_2018-SEP-19T13-25-44)
The following screen will inquire to the examiner if they want the original forensic image mounted.
It is highly recommended that the examiners mount the forensic image(s), otherwise the exporting function might not perform correctly.
The examiner will confirm the file path to the forensic image prior to selecting OK.
9. Browsing through Evidence
Automated plugins, Apple Metadata, Hashsets, EXIF, and Apple Timestamps parsing will begin during a case’s initial processing. These actions can take place concurrently while an examiner is reviewing the content of the forensic image, but an examiner will have to wait to add an additional evidence item until the plugins are completed.
Once an evidence source is completely added to a case, the examiner can immediately begin navigating through the file structure in the Source section of the side bar and/or within the main window.
The left hand side of the main window in RECON LAB is identified as the Side Bar. Towards the top of the sidebar is the Source Section. There is a disclosure triangle to the immediate left of the artifact’s title. The examiner can click on the triangle to expand and collapse the artifact’s directory (i.e. drill down into the file system of the suspect’s forensic image).
To access a directory, the examiner simply must double-click on the directory of interest from the main window or from the sidebar. The files within the directory will be visible in the main window.
From the main window, there are functions such as:
Lastly, the Detailed Information Window resides directly underneath the main window which displays an abundance of data about any highlighted file or directory.
9.1. Main Window Functions
The Main Window provides the following functions:
Search – Allows the examiner to search through the artifacts displayed in the main window by simple keyword searches.
Sort – Allows the examiner to display the artifacts in the main window in numerical, alphabetical, or chronological order; the listing can be displayed in ascending or descending order.
Filter – Artifacts in the main window can be displayed in accordance with filtering restrictions set by the examiner. The examiner will natively have the following filter options available:
The examiner can right-click on any of the table header items above and select the column that they want to see/hide in the main window.
Export As CSV – The option allows the examiner to generate a CSV report of all the files and directories in the current view of the main window. This will be discussed in detail in the Reporting section of this manual.
View Recursively – This function will show all the contents of directories in the current window. This allows an examiner to see all the nested files and folders within a specific location. This function does not expand compound files. This feature is accessed by clicking on the black square icon to the right of the Export As CSV button on the upper right hand corner of the main window.
Gallery View – Towards the top of the main window is the Table View and Gallery View Tabs. By default, examiners will review artifacts in the Table View. The Table View displays the information about the particular files, while the Gallery View tab shows all interpretable media images within the current view. Examiners can scroll continuously through the media files and bookmark items as desired.
In the event that the examiner would like to go back to the previous view, the examiner can click on the back arrow to the left of the search window.
The Show All button returns all artifacts after keyword searches might have limited the current view of artifacts.
9.2. Detailed Information
The Detailed Information section is located at the bottom of the RECON LAB window. The information in this section will change to the information associated with the highlighted file, directory, or artifacts in the main window. The information in the Detailed Information section contains the following:
10. Bookmark & Tag Evidence
Items that are deemed important to the examiner can either be tagged or bookmarked within the case folder. Bookmarking a file is beneficial for annotating files of importance; bookmarking can be done from the main screen with the icon column to the far left. The examiner can also bookmark a file by right-clicking on the file and selecting “Bookmark”. The fastest method of bookmarking a file is to hit the “B” button. The shift button and the up/down arrows can highlight multiple files for simultaneous bookmarking. To select an entire window the examiner will need to highlight the first file, then hold down the shift button, scroll to the last file and click on the last file. All files in the window will then be selected and the examiner can right-click to bookmark, note, tag, etc.
Tagging a file allows an examiner to highlight a specific portion of a file or differentiate between evidentiary items (i.e. known bad files, possible bad files, certain good files). The examiner can tag a file by right-clicking, selecting Tag, then selecting the tag name and picking one of the 15 available colors. Values in Hex or in Plist can be tagged for inclusion in the final examination report.
Examiners can add notes to a specific file or directory. Once the intended file is highlighted, right-click and select Add Note. Type the desired annotation into the window that pops up, and click on Save.
Other key evidence review efforts include marking files as Seen, screenshots, and Quick Look. The small eye icon next to the Tagging column allows for files to be marked as “seen” so the examiner can identify files already reviewed and exclude them from continuous viewing. An examiner can also mark a file as Seen/Unseen within the right-click menu. Files marked as seen will turn the text color to the color blue. Quick Look at a file can be performed by selecting the file and clicking on the Eye icon in the top toolbar. The fastest method for accessing Quick Look is by hitting the Space Bar. Screenshots are a means of taking a picture of what is currently visible on the examiner’s screen, to include content outside of the RECON LAB software window (see the image below).
11. Advanced Analysis
RECON LAB provides examiners with the ability to perform automated forensics through the use of plugins, and the functionality to do manual analysis of the forensic images. The examiner will also have the capability to analyze artifacts with industry standard tools built into the software.
Hex Viewer
RECON LAB has a built-in Hex Viewer that breaks down large files into multiple pages. The Hex Viewer allows for direct movement to a predetermined page or offset. The examiner also has the option to search by Hex value or by ASCII for items of interest. Items deemed important can be tagged and exported within the Hex Viewer. Hex values can be interpreted as signed, unsigned, little endian, and big endian. In the event the examiner is reviewing a Plist or a SQLite file, there will be an option in the bottom right hand corner to open the file in its respective viewer (see image below).
Plist Viewer
RECON LAB has a built in Plist Viewer that will parse out data from a Plist file. Examiners can manually expand and analyze the Plist attributes, export the content, add notes, bookmark/tag content, and copy the content of a cell or row into the clipboard (see image below).
Windows Registry Viewer
RECON LAB has a built-in Windows Registry Viewer so examiners can perform manual analysis on Windows Registry Artifacts. Many registry artifacts are automatically parsed through the Automated Analysis plugins, but the Registry Viewer allows examiners to dig deeper into Windows Registry files without depending on a third-party tool. The examiner simply has to right-click on a Windows Registry file and select Open With > Registry Viewer.
Content discovered within the Registry Viewer can be tagged, bookmarked, or copied to the clipboard.
SQLite Browser
The built-in SQLite Browser allows for examiners to remain inside the tool and analyze recovered SQLite databases. Each table will open in a new tab so the examiner can review multiple SQLite tables at once. The execute SQL tab permits examiners to run SQLite commands against the database file(s). Anything discovered within the SQLite browser can be exported within the report generator for that specific viewer.
Bucket
During an investigation, an examiner might find multiple Plist, database files, or numerous other files that need to be reviewed within a Plist viewer, Hex Viewer, or SQLite Browser. RECON LAB permits examiners to mark these files for analysis at a later time. The examiner can highlight a file of importance, right-click and select Send To Bucket; this function allows examiners to review multiple Plist files all at once during a forensic exam instead of one-by-one (see image below). The Bucket can also be accessed on the left hand sidebar towards the bottom of the screen, so the examiner can see what files are currently stored in the Bucket.
External Application
Some artifacts within a forensic image might not be interpreted by RECON LAB, so the added capability to link third-party applications assists examiners in using all resources available on their Mac to finish the examination. The examiner has to add the external applications to the software either within the RECON CONFIG window on the initial splash screen or by selecting the Configuration icon in the top toolbar. When there is a file of importance, highlight the file, right-click on the file and select Open With External Application. Finally select the application that you desire to open the highlighted file (see image below).
Email Analysis
RECON LAB will parse out any email files that it identifies and place them into the Email Files section on the left sidebar. The recovered IMAP and POP email artifacts will be sorted by email accounts. The far right window will display the emails stored in the highlighted folder. Email files of importance can be bookmarked, tagged, or noted for reports. The lower window will depict the natural interpretation of the email (human readable format), the email attachments, and the raw data within the .emlx file. A search and filter bar is at the top of the window to include a Show All button (see image below).
Hashset
A key functionality within forensic examinations is the ability to hash files of importance, search the remaining image file for a specific hash value, or filter search results in accordance with a specific hash set. Hash sets can be addressed within RECON CONFIG or within the Configuration icon in the top toolbar. The examiner can select Hashset within the FileSystem Module, check the Analyze Hashes box, then click on the + icon to create a new hash set. The examiner will then add the initial MD5 hash value and file title. The file will be saved as a .sqlite file and can be edited as any standard SQLite file. Results of hash sets hits will be saved over on the left hand sidebar.
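Because the manual says a hash set is stored as an ordinary `.sqlite` file keyed on MD5, the workflow can be reproduced outside the GUI. The following is an added example, not RECON LAB's code: the table name and columns (`hashset(md5, title)`) are an assumption, not the product's real schema, and the evidence tree, file contents and hash-set entries in `demo()` are constructed. It builds a hash set, walks a directory hashing every regular file, and returns the files whose MD5 appears in the set, normalising letter case so an upper-case hash copied from a report still matches.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def md5_of(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large evidence files stay off the heap."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_hashset(db_path, entries):
    """Create (or extend) a hash-set database. `entries` is an iterable of
    (md5_hex, title). Schema is an assumption for this example; hashes are
    stored lower-case so lookups are case-insensitive."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute(
            "CREATE TABLE IF NOT EXISTS hashset ("
            "md5 TEXT PRIMARY KEY, title TEXT NOT NULL)"
        )
        con.executemany(
            "INSERT OR REPLACE INTO hashset (md5, title) VALUES (?, ?)",
            [(digest.lower(), title) for digest, title in entries],
        )
    con.close()


def scan_directory(root, db_path):
    """Hash every regular file under `root` and look each digest up in the
    hash set. Returns hits as (path relative to root, md5, title), in path order."""
    root = Path(root)
    con = sqlite3.connect(db_path)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = md5_of(path)
        row = con.execute(
            "SELECT title FROM hashset WHERE md5 = ?", (digest,)
        ).fetchone()
        if row is not None:
            hits.append((str(path.relative_to(root)), digest, row[0]))
    con.close()
    return hits


def demo():
    """Constructed evidence tree: two files whose MD5s are standard test
    vectors (contents b'abc' and the empty file) plus one unrelated file.
    One hash-set entry is deliberately upper-case to show normalisation."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        evidence = tmp / "evidence"
        (evidence / "Documents").mkdir(parents=True)
        (evidence / "Documents" / "notes.txt").write_bytes(b"abc")
        (evidence / "Documents" / "empty.dat").write_bytes(b"")
        (evidence / "readme.txt").write_bytes(b"nothing to see")
        db = tmp / "case_hashset.sqlite"
        create_hashset(db, [
            ("900150983cd24fb0d6963f7d28e17f72", "known sample (abc)"),
            ("D41D8CD98F00B204E9800998ECF8427E", "empty file"),
        ])
        return scan_directory(evidence, db)


if __name__ == "__main__":
    for rel_path, digest, title in demo():
        print(f"{rel_path}\t{digest}\t{title}")
```

The same scan with a NIST NSRL-style "known good" set is how examiners filter out operating-system and application files; the code is identical, only the meaning of a hit changes. Note that MD5 is fine for matching against a reference set but is not collision-resistant, so a match should be confirmed by content review before it carries evidentiary weight.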
Indexing
RECON LAB can perform directory specific indexing as well as the entire image file. The examiner will select the root directory of the mounted image file or folder, right-click and select Add to Text Indexing Queue (see images below).
Once the desired directories are indexed, the examiner can go to the Content Search icon to insert the desired search terms. The search terms can be words, phrases, boolean, GREP, fuzzy searching, or Regular expressions. The keywords can be added and removed individually or added en masse using the Clipboard icon. The search query can then be named at the bottom of the window prior to selecting Start. Once the search is complete, a window prompt will notify you that the search is complete and will ask if you want to review the results right away. The search results will be located underneath the content search tab on the sidebar. From those results, items can be sorted, tagged, and bookmarked for additional analysis.
Artifacts Timeline
An examiner can sort out recovered artifacts in graphical layout by specific timestamps. The artifacts timeline function is located in the top toolbar. The examiner will select the desired plugin, the time artifacts of importance, and the time frame in question. A bar or pie chart will be displayed in the main screen to provide the examiner a graphical representation of the artifacts frequency and/or time activity. The sections within the graphs can be selected to display the actual recovered artifacts that were annotated in the search.
The Super Time Line Analysis function includes every recognized timestamp on the forensic image between the defined time frames. The function is extremely detailed and includes access times of system files, not just user files. The findings can be exported into a CSV file or a SQLite file.
RAM Analysis
Examiners can perform 3 different RAM analysis functions: File Carving, Volatility plugin parsing, and Password Carving (LE Only)
Examiners can right-click on the raw RAM file and select Carve Files.
The examiner can select specific file formats between the four categories: images, office documents, miscellaneous files, and audio/video files. The examiner can then name the carving job, prior to clicking on Start.
Saved results will be accessible in the bottom left hand corner of the RECON LAB sidebar under the title Carved Files. A new window will also pop up with the chosen label name on your desktop that will contain the carved files sorted by file type.
Volatility configuration can be performed prior to a case initialization under RECON Config on the main splash screen or the Configuration icon within an active case. Ensure the profiles necessary for the RAM build you expect to analyze are stored in the volatility-master/volatility/plugins/overlays folder(s).
Click on the RAM Analysis icon to access the RAM Analysis module. Under Source, your RAM dump will automatically be loaded unless your case has multiple RAM dumps. You can select the refresh icon to the right of the Source drop-down box to refresh the available RAM dump files. Under Operating System, select the appropriate OS for the RAM dump you are analyzing (i.e. Windows/winOS, macOS). The next drop-down box titled Build Version will consist of all the accessible RAM Build Versions; select the one that matches the RAM dump currently in your case. This information is normally obtained during the RAM acquisition phase. Lastly under the Artifacts field, select the desired artifacts plugin (i.e. List Process Threads) and click on Execute. The results of the Volatility RAM query will be presented in the Command Output’s display. The results can be saved or exported from the Command Output screen.
The Carve Password function is a function that is only enabled for vetted law enforcement personnel. The Carve Password icon to the right of the Source field will run numerous proprietary algorithms to identify possible login and keychain passwords located within the RAM extraction.
12. Reporting
Examiners will have the ability to export content that is deemed relevant from forensic images or the automated plugins in the style of their choosing. RECON LAB allows examiners to generate report findings in the 3 following ways:
Clinger List
The examiner that wants to export the file listing and relevant metadata associated with the files only needs to select the Export as CSV button on the upper right hand portion of the screen (see image below). To display all the allocated files residing within folders on the main screen, the examiner must check the box that says recursive or select the black square icon to the right of the Export as CSV button.
Global Report
The second reporting option within RECON LAB is the Global Report, which most RECON for Mac OS X customers are familiar with. The Global Report function offers the examiner two output options:
The examiner can select to generate the report in any of the following formats:
The examiner can also check the Export Files box to ensure all the accessible files are exported with the report. The examiner will select the Global Report icon to initiate the automated report (see image below).
The examiner will confirm the case information and select Next. Then select either a Tags or Full report, the report type, and the export files checkbox, and confirm the report name and report path. It should be noted that the Report Name and Report Path can be edited. Once all of those items are addressed, the examiner will click on Report to complete the report generating process.
Once the report finishes generating, the software will display a notification that states the report is finished. There will be a Finder icon to the right of the Report title that will take the examiner directly to the finished report.
StoryBoard Mode Report
StoryBoard Mode contains a built-in word processor and the ability to add evidence items that were either bookmarked or tagged during the analysis portion of the forensic investigation. Artifacts from the automated plugins, from manual navigation of the image files, or from the built-in data viewers (i.e., hex viewer, plist viewer, SQLite browser) can be tagged or bookmarked. The examiner can add images to the report, save the report periodically, and insert evidence file details or the actual evidence files. The examiner can export the final report as a PDF file or an ODF file.
The examiner will need to click on the Story icon in the main toolbar. A secondary drop-down window will appear; that is where the examiner gives the report a name and then clicks on Create (see image below).
The examiner can then start writing the narrative report and injecting evidence artifacts as needed. The evidence items are displayed in the upper window along with the timeline of the bookmarked items in the event the examiner wants to add them in chronological order of discovery. When the examiner highlights the file of importance and right-clicks on the file, the following options are displayed:
To update the bookmarks/tags upon your return to Story Mode, click on the Show All icon to refresh the screen. Refer to the image below for the layout of the Story Mode functions.
After all the desired screenshots, tags, bookmarks, noted files, and written narrative are added to the StoryBoard report, save the report and export it in HTML, ODT, or PDF format. The default location of the StoryBoard report is the Story_Board folder within the case folder (case folder/Lab_Features/Story_Board). The examiner can relocate the Report folder to a directory of their choosing.
13.Shutdown RECON LAB#
To close RECON LAB you can close the window by clicking on the red X in the top left-hand corner of the application window. Another means of shutting down RECON LAB is to select the RECON LAB window, then go to the menu bar at the top of the screen and select RECON_LAB, then select Quit RECON_LAB.
In the event that the software becomes unresponsive, you can go to the Apple icon in the top left-hand corner and select Force Quit. Once you select Force Quit, a secondary window will pop up where you can select RECON LAB and Force Quit it to close it abruptly.
14.Updating RECON LAB#
RECON LAB comes with one full year of updates. After your license has expired you will be required to purchase an additional year in order to continue to receive updates. RECON LAB will not allow for continuous usage once your license expires.
You can find your license expiration date by looking in the bottom right hand corner of the initial splash screen during software startup (see image below).
RECON LAB updates can be found here:
Please follow the instructions below EXACTLY in order to properly update RECON LAB.
15.Customer Support#
For support and troubleshooting please fill out a support ticket at SUMURI’s Help Desk:
SUMURI is located in Delaware, USA, and our offices are open 0900 – 1700 EST (9 AM – 5 PM). SUMURI offices are closed on US Federal Holidays.
Help Tickets are typically handled during regularly scheduled business hours.
For comments or feature requests please email us at:
16.Training#
Training on critical Macintosh forensics best practices is available to scheduled participants through the following training courses:
SUMURI also provides professional services to corporate, government, & law enforcement entities worldwide for the following needs:
17.End User License Agreement#
RECON LAB is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This RECON LAB is licensed, not sold.
End User License Agreement
This End User License Agreement (‘EULA’) is a legal agreement between you (either an individual or a single entity) and SUMURI LLC with regard to the copyrighted software (herein referred to as RECON LAB or ‘software’) provided with this EULA. The RECON LAB includes computer software, the associated media, any printed materials, and any ‘online’ or electronic documentation. Use of any software and related documentation (‘software’) provided to you by RECON LAB in whatever form or media, will constitute your acceptance of these terms, unless separate terms are provided by the software supplier, in which case certain additional or different terms may apply. If you do not agree with the terms of this EULA, do not download, install, copy or use the software. By installing, copying or otherwise using RECON LAB, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, SUMURI LLC is unwilling to license RECON LAB to you.
Eligible License – This software is available for license solely to software owners, with no right of duplication or further distribution, licensing, or sub-licensing.
License Grant – SUMURI LLC grants to you a personal, non-transferable and non-exclusive right to use the copy of the software provided with this EULA. You agree you will not copy or duplicate the software. You agree that you may not copy the written materials accompanying the software. Modifying, translating, renting, copying, transferring or assigning all or part of the software, or any rights granted hereunder, to any other persons and removing any proprietary notices, labels or marks from the software is strictly prohibited. Furthermore, you hereby agree not to create derivative works based on the software. You may not transfer this software.
Copyright – The software is licensed, not sold. You acknowledge that no title to the intellectual property in the software is transferred to you. You further acknowledge that title and full ownership rights to the software will remain the exclusive property of SUMURI LLC and/or its suppliers, and you will not acquire any rights to the software, except as expressly set forth above. All copies of the software will contain the same proprietary notices as contained in or on the software. All title and copyrights in and to RECON LAB (including but not limited to any images, photographs, animations, video, audio, music, text and “applets” incorporated into RECON LAB), the accompanying printed materials, and any copies of RECON LAB, are owned by SUMURI LLC. RECON LAB is protected by copyright laws and international treaty provisions. You may not copy the printed materials accompanying RECON LAB.
Reverse Engineering – You agree that you will not attempt, and if you are a corporation, you will use your best efforts to prevent your employees and contractors from attempting to reverse compile, modify, translate or disassemble the software in whole or in part. Any failure to comply with the above or any other terms and conditions contained herein will result in the automatic termination of this license and the reversion of the rights granted hereunder to SUMURI LLC.
Disclaimer of Warranty – The software is provided ‘AS IS’ without warranty of any kind. SUMURI LLC and its suppliers disclaim and make no express or implied warranties and specifically disclaim the warranties of merchantability, fitness for a particular purpose, and non-infringement of third-party rights. The entire risk as to the quality and performance of the software is with you. Neither SUMURI LLC nor its suppliers warrant that the functions contained in the software will meet your requirements or that the operation of the software will be uninterrupted or error-free. SUMURI LLC is not obligated to provide any updates to the software for any user who does not have a software maintenance subscription.
Limitation of Liability – SUMURI LLC’s entire liability and your exclusive remedy under this EULA shall not exceed the price paid for the software, if any. In no event shall SUMURI LLC or its suppliers be liable to you for any consequential, special, incidental or indirect damages of any kind arising out of the use or inability to use the software, even if SUMURI LLC or its supplier has been advised of the possibility of such damages, or any claim by a third party.
Rental – You may not loan, rent, or lease the software.
Transfer – You may not transfer the software to a third party, without written consent from SUMURI LLC and written acceptance of the terms of this Agreement by the transferee. Your license is automatically terminated if you transfer the software without the written consent of SUMURI LLC. You are to ensure that the software is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 USD will be charged to transfer the software (not applicable to transfers associated with orders from distributors, or resellers or intra-company transfers).
Upgrades – If the software is an upgrade from an earlier release or previously released version, you now may use that upgraded product only in accordance with this EULA. If RECON LAB is an upgrade of a software program which you licensed as a single product, then RECON LAB may be used only as part of that single product package and may not be separated for use on more than one computer.
OEM Product Support – Product support for RECON LAB is provided by SUMURI LLC. For product support, please call SUMURI LLC. Should you have any questions concerning this, please refer to the address provided in the documentation.
No Liability for Consequential Damages – In no event shall SUMURI LLC or its suppliers be liable for any damages whatsoever (including, without limitation, incidental, direct, indirect, special and consequential damages, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use or inability to use this ‘SUMURI LLC’ product, even if SUMURI LLC has been advised of the possibility of such damages. Because some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
Indemnification By You – If you distribute the software in violation of this Agreement, you agree to indemnify, hold harmless and defend SUMURI LLC and its suppliers from and against any claims or lawsuits, including attorney’s fees that arise or result from the use or distribution of the software in violation of this Agreement.
Jurisdiction – The parties consent to the exclusive jurisdiction and venue of the federal and state courts located in the State of Delaware, USA, in any action arising out of or relating to this Agreement. The parties waive any other venue to which either party might be entitled by domicile or otherwise.
RECON for Mac OS X is a single distribution that works in the field on live systems and also back at the lab, allowing analysis of all popular forensic image formats.
Forensodigital, in association with SUMURI LLC, USA, has developed the Mac OS X based forensic tool RECON for digital triage. RECON is a tool that can be used by both novice and expert forensic examiners. It can be used for live-system and mounted-media analysis. With minimal user interaction, RECON extracts artifacts and produces hundreds of reports in different formats.
Key Features:
- Supports Mac OS X 10.7, 10.8, 10.9 and 10.10
- Reporting formats – HTML, PDF, XML and CSV
- Artifact timeline
- File timeline
- Global Search, Metadata and Media preview
- Bookmarking option
- Export files
- Identify virtual machines and export them
- Chat timeline
- Keychain password extraction
- RAM imaging
Get RECON for Mac OS X combined with 10 hours of online and on demand training. Learn to harness the power of automated Mac Forensics. Successful completion of the training course leads to certification in RECON for Mac OS X. Students receive lifetime access to the curriculum for version 1, including future updates on new features and forensic plugins.