This entry was posted on Friday, April 27th, 2007 at 11:32 and is filed under Accessories, Hardware.
Friday, April 27, 2007

I can’t even begin to tell you how many people I tell that just because you dragged something to the Trash can on your Mac and emptied it, it’s not gone. Or how you deleted a bunch of e-mail in Mail.app. It’s not gone. How ’bout all your Internet History that you “cleared”? Not gone. Only the index marker is gone. The actual data is still there. Ask former CEO Kenneth Lay of Enron how that works. Worse yet, even your Keychain really isn’t safe from prying eyes.
SubRosaSoft.com Inc. of Union City, California, has just released a tool that will help forensic specialists get some interesting stuff off of any OS X computer. With the simple insertion of the MacLockPick to any USB port on a Mac, the MacLockPick starts digging into the operating system looking for gems and jewels. MacLockPick knows where to go for finding the large vein and thus starts cracking your Keychain for the real goodies. “Once the MacLockPick software is run it will extract data from the Apple Keychain and system settings to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible,” so says SubRosaSoft’s press release. Wow! This is some heavy stuff. For the mind-blowing specifics, check out the list after the jump.
Now, don’t worry. SubRosaSoft is only selling this to “Licensed Investigators, State and Local law enforcement professionals, (as well as to) Federal law enforcement professionals.” Though, I just added one into my cart under PI and it hasn’t yet asked me for my license (though I suspect it does further into the purchase phase.) Pricing starts at $499.95 for PIs and the Feds get the best deal at $399.95. eBay buyers will most likely pay double.
Apple Keychain Passwords
- System - The user password of the logged in user. Often this is shared for root access and FileVault encryption.
- General - Includes (but is not limited to) passwords for encrypted disk images, Wi-Fi base stations, iTunes Music Store, iChat login, Apple Remote Desktop.
- Internet - Includes (but is not limited to) login and password details for web sites, email accounts, some peer-to-peer networks, online services and stores, auction sites, and .Mac accounts.
- AppleShare - A list of login and password details for AppleShare servers this Mac has connected to.
Files and Folder details
- Folder Dates - A list of all the key user folders along with their creation date, date of last modification, date of first access, and date of the most recent access.
- Disk Images - Paths to the most recent disk images that have been mounted on this Mac.
- Preview - Full paths to recent files that have been viewed in the Preview program.
- QuickTime - File names for recently viewed movies for the QuickTime player applications.
- Recent Applications, Documents, and Servers - Program names for the most recently used items on this Macintosh computer.
Instant Messaging
- Default Login - for iChat instant messenger system.
- Complete buddy list - including buddies who have since been deleted.
- Account Details - login names and server addresses used.
- Address Book - Address details for entries in the address book including contacts that have been deleted. This address book is used by most communication programs on the Mac and is used to synchronize with the iPod and other portable devices.
- Opened Attachments - Paths to files that have been received as an attachment then saved or opened including the date and time of opening.
Web History and Preferences
- Search Strings - The most recent items that the user has searched for using the Google toolbar in Safari.
- Cached Bookmarks - Sites that have been bookmarked in Safari including items that have been deleted.
- Current Bookmarks - Sites that are currently bookmarked in Safari.
- Cookies - A full list of cookies including the server address, the cookie value, and the date and time of assignment.
- History - Complete details of browsing history including the number of times visited and the date and time of the most recent visit.
Hardware Preferences
- iPod - Serial numbers of any iPods that have been connected to this Mac along with the date and time they were first used.
- Bluetooth Devices - Hardware address of any Bluetooth devices that have been paired with this Mac along with the most recent time these devices have been paired.
- Wi-Fi Connections - Listings for Wi-Fi base stations that have been used on this computer including the base address and the date and time of the first connection.
- Network Interfaces - MAC address for each integrated network interface on the suspect’s machine.





