July 10th, 2009 by ahoog

iPhone Forensics White Paper – MacLock Pick

iPhone Forensics – MacLock Pick

Andrew Hoog and Kyle Gaffaney

viaFORENSICS

June 2009


Chapter 1. MacLock Pick (1.4/5.0)

Summary (from company information)

MacLockPick II (MLP) by SubRosaSoft (makers of MacForensicLab) takes a unique approach to forensic acquisition. The goal of MLP is to provide a cross-platform forensic solution that performs a live acquisition of a suspect machine after the USB device is inserted. The information is stored on the USB device, and software is provided to analyze the results. The solution supports plug-ins for many acquisition types; however, only the iPhone plug-ins were tested.

MLP does not work directly on the iPhone; instead it targets the backup directory on the synced computer, where most of the iPhone's files are stored as MDBACKUP files. The following data is recoverable:

  • Call History (Received, Dialed, Missed)
  • Text Messages (SMS)
  • Phonebook
  • Notes
  • Photos
  • Mail Accounts setup for synchronization.
  • International Roaming Edge Status
  • Favorites – Speed dial entries
  • Safari – State, History and Bookmarks
  • Phone Details (IMEI / ESN, phone number, TMSI, IMSI)
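Because MLP acquires from the iTunes backup directory rather than from the handset, the evidentiary value of the acquisition rests on the backup files themselves, and the "File Hashes" row of the results matrix below reflects that only hashes of backup files are available. The following script is an added example (not MacLockPick code and not part of the original white paper) that builds a manifest of size and SHA-256 for every file under a backup directory and can re-verify the directory later to detect modified, missing or added files. The sample backup it creates in a temporary directory, including the placeholder device identifier used as the folder name, is constructed here; it hashes every regular file rather than only `.mdbackup` files so that other backup layouts are covered as well.

```python
"""Inventory and verify the files of an iPhone backup directory.

Added example, not part of MacLockPick or the white paper. The sample backup
below is constructed; a real iTunes backup on a Mac lives under
~/Library/Application Support/MobileSync/Backup/<device id>/.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupEntry:
    relpath: str   # path relative to the backup root
    size: int      # file size in bytes
    sha256: str    # hex digest of the file contents


def hash_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: str) -> List[BackupEntry]:
    """Walk the backup directory and record size and SHA-256 of every regular file."""
    entries: List[BackupEntry] = []
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, backup_dir)
            entries.append(BackupEntry(rel, os.path.getsize(full), hash_file(full)))
    # Deterministic order makes two manifests directly comparable.
    entries.sort(key=lambda e: e.relpath)
    return entries


def verify_manifest(backup_dir: str, expected: List[BackupEntry]) -> Dict[str, str]:
    """Re-hash the directory and report every path that changed since `expected` was taken.

    Returns relpath -> 'modified' | 'missing' | 'added'; an empty dict means intact.
    """
    current = {e.relpath: e for e in build_manifest(backup_dir)}
    wanted = {e.relpath: e for e in expected}
    problems: Dict[str, str] = {}
    for rel, entry in wanted.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel].sha256 != entry.sha256:
            problems[rel] = "modified"
    for rel in current:
        if rel not in wanted:
            problems[rel] = "added"
    return problems


def make_sample_backup() -> str:
    """Create a stand-in backup directory with constructed contents (not a real backup)."""
    root = tempfile.mkdtemp(prefix="mobilesync_sample_")
    # Placeholder device identifier; real backups use the device's own identifier here.
    device_dir = os.path.join(root, "0000000000000000000000000000000000000000")
    os.makedirs(device_dir)
    samples = {
        "Info.plist": b"<plist><dict><key>Device Name</key><string>sample</string></dict></plist>",
        "a1b2c3.mdbackup": b"constructed SMS database stand-in",
        "d4e5f6.mdbackup": b"constructed call history stand-in",
    }
    for name, content in samples.items():
        with open(os.path.join(device_dir, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    backup = make_sample_backup()
    manifest = build_manifest(backup)
    for entry in manifest:
        print(f"{entry.sha256}  {entry.size:>8}  {entry.relpath}")
    print("intact" if not verify_manifest(backup, manifest) else "CHANGED")
```

Run the manifest step immediately after the acquisition and keep its output with the case notes; running `verify_manifest` again before analysis shows whether the copy the reader is examining still matches what was taken from the suspect machine.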

Installation

After familiarizing myself with MLP’s approach to forensic acquisition, the setup was quite simple. Initially, you must license the device by running a program to generate a key file and sending it to SubRosaSoft. They will then send you an .inf file which must be placed in the root of the USB key. I had to follow this process at a later time (after I updated the MLP executables), but the device initially arrived licensed.

After you insert the device on a computer, you can explore the drive and run various programs. To configure the acquisition process, I ran MacLockPick Setup (OS X) on my Mac OS X 10.5.6 computer. The program read the device configuration and allowed me to select what type of data I wanted to acquire from the target device. I chose Apple Mobile and Apple Mobile Pictures.

Figure 1.1. MacLockPick Setup

After quitting this application (which saved the settings, although that was not initially clear from the interface), the device was ready to acquire data from target computers.

I did receive a few application updates from SubRosaSoft during the testing and, as mentioned above, I eventually had to complete the licensing process by running MacLockPick Authenticator and following the steps. This process was intuitive. However, afterwards I had trouble running the updated software on the original Windows XP target and eventually switched to a different computer. I also had several problems updating the software and finally moved the entire contents of the device to an “old” folder and extracted the contents of the updated .zip file from a Mac instead of a Windows XP computer. This resolved some of the issues and eventually I was able to proceed running the updated software.

Forensic Acquisition

With the device licensed and the software updated, the acquisition process was quite simple. After inserting the device into the target Windows XP computer and running the Autoplay, my entire screen was taken over by MLP.

Figure 1.2. MacLockPick Acquisition

The acquisition only took a few minutes; I then removed the drive and placed it into an analysis computer (Mac) to review the results.

Results and Reporting

I ran the MacLockPick Reader on my Mac where I was prompted to open a keylog file.

Figure 1.3. MacLockPick Reader

After selecting the file from the MLP device output directory, I was presented with the main MLP window which allowed me to examine the results, search and export/report on the data.

Figure 1.4. MacLockPick User Interface

The user interface is simple and allows for quick searches, but I found that I wanted access to more information, such as the raw files recovered. The reports generated quickly but were basically text-file representations of the analysis window. There was an option to export to HTML, which I could tell would contain much more data if a full computer acquisition were performed.

Figure 1.5. MacLockPick Table of Contents

Finally, the latest version extracted the pictures found in the backup directory and placed them in a subdirectory for direct review. Below is a screenshot of the folder using Apple’s Cover Flow view in Finder.

Figure 1.6. MacLockPick Picture Viewer

Matrix of Results

The following are the results from the MacLockPick tests.

Table 1.1. MacLockPick Matrix of Results

Scenario        MacLockPick Results    Ranking   Results
Call Logs       100                    3         Meet
SMS             262                    3         Meet
Contacts        1282                   3         Meet
Email           0                      0         Miss
Calendar        0                      0         Miss
Notes           1                      3         Meet
Pictures        41                     3         Meet
Songs           0                      0         Miss
Web History     0                      0         Miss
Bookmarks       0                      0         Miss
Cookies         0                      0         Miss
App Info        0                      0         Miss
Google Maps     0                      0         Miss
Voicemail       0                      0         Miss
Password        7                      3         Meet
Plists/XML      0                      0         Miss
Phone Info      Yes                    3         Meet
Video           0                      0         Miss
Podcasts        0                      0         Miss
Speed Dials     0                      0         Miss
VPN             Some                   2         Below
Bluetooth       Some                   2         Below
GPS             0                      0         Miss
File Hashes     From backup files      1         Below
YouTube         0                      0         Miss
HTML            0                      0         Miss
Office Docs     0                      0         Miss


Conclusions

MacLockPick is a “triage” forensic tool targeted at first responders on-site at the scene of a crime or incident. It performs a fast, efficient acquisition of the target computer and is packaged as an easy-to-transport USB key device. However, without support for direct acquisition of the iPhone, much of the data is missing. The reporting interface is also designed for a fast analysis of the data and as such does not contain the sophistication found in other tools.

The following ranking establishes MacLockPick’s overall rating of 1.4 on the four criteria established at the beginning of this white paper.

Table 1.2. MacLockPick Rankings

Area            Weight   Rank
Installation    0.1      3.0
Acquisition     0.2      3.0
Reporting       0.3      1.0
Accuracy        0.4      1.0
TOTAL                    1.4


Chapter 2. About this white paper

About the Authors

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and e-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone Forensics that has gained recognition throughout the industry.

Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.

Why Outsource?

One key strategy for minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. But the reality is that there are significant burdens, including:

  • Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
  • Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
  • Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.