Part 3: Analyzing Evidence from Mac OS X Scenario


Two weeks ago, D&B Investigations was hired to conduct an incident response for a major oil company in North Dakota. The company’s senior management had reason to suspect that one or more company employees were looking to commit corporate espionage. The incident response team went on-site, began monitoring the network, and isolated several suspects. They captured forensic images from the machines the suspects used. Now, your team leader has asked you to examine a forensic image captured from a suspect’s computer, which runs the Mac OS X operating system. The suspect’s name is John Smith, and he is one of the company’s research engineers.



· Review the information on the Mac OS X file structure provided in the chapter titled “Macintosh Forensics” in the course textbook.

· Using Paraben P2 Commander, create a case file and add the image the incident response team captured (filename: Mac OS JSmith.img).

· Sort and review the various directories within the Mac OS X image. Look for evidence or indicators that John Smith was or was not committing corporate espionage. This may include direct evidence that John Smith took corporate property, as well as indirect evidence or indicators about who the suspect is and what his activities were during work hours. You can use the software features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting files.

· Write a report in which you:

o Document your investigation methods.

o Document your findings. Explain what you found that may be relevant to the case, and provide your rationale for each item you have identified as an indicator or evidence that John Smith was or was not committing corporate espionage.

o Analyze the potential implications of these findings for the company and for a legal case.


Required Resources

▪ Course textbook

▪ Mac OS JSmith.img

▪ Internet access


Submission Requirements

▪ Format: Microsoft Word (or compatible)

▪ Font: Arial, 12-point, double-space

▪ Citation Style: Follow your school’s preferred style guide

▪ Length: 2–4 pages


Self-Assessment Checklist

▪  I applied appropriate evidence collection and handling methods.

▪  I correctly identified and analyzed evidence that is relevant to the investigation.

▪  I analyzed business considerations associated with the scenario.

▪  I analyzed legal considerations associated with the scenario.

▪  I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
