ATC-NY has just released two new versions of Mac Marshal ( to fight cyber crime. Mac Marshal 2.0 automates the forensics process for a cyber investigator.

It scans a Macintosh disk, automatically detects and displays Mac and Windows operating systems and virtual machine images, then runs a number of analysis tools to extract Mac OS X-specific forensic evidence written by the OS and common applications.

Mac Marshal Forensic Edition runs on an investigator’s Mac workstation to analyze a disk image. Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM. The Field Edition also analyzes disk-based data, with the same capabilities as the Forensic Edition.

Highlights of the new features available in Mac Marshal 2.0 include:

° Streamlined analysis, including Spotlight searches, on E01-format disk images.

° New analysis tools including system configuration analysis and swap file/hibernation file acquisition. Investigators can now see, for instance, any prior Wi-Fi access points the computer was associated with and whether there is a Time Machine backup drive to be examined for evidence.

° New Live State and Physical Memory acquisition tools that let the user examine the volatile state of a live machine before seizing it. (This is for the Field Edition only).

° An integrated thumbnail browser for previewing large numbers of image files.

° Improved analysis of data from Apple’s Safari Web browser, including graphical previews of pages from Safari 4 and 5.
° Analysis of information from iPhone/iPad/iPod devices and support for creating or extracting backups of those devices.

Contact ATC-NY for pricing options.