Mac Marshal (http://www.macmarshal.com), a tool for Mac OS X evidence acquisition and analysis, has been upgraded to version 3.0. The upgrade adds full support for Mac OS X 10.7 (“Lion”), iCloud configuration analysis and improved Bluetooth device history
Mac Marshal now runs on Microsoft Windows as well as Mac OS X, so you can analyze Macs from a Windows forensic workstation. Mac Marshal Forensic Edition is the standard version of Mac Marshal, installable on Mac OS X 10.4 or newer and Microsoft Windows XP or newer. (Spotlight and FileVault analysis require Mac OS X.) The Forensic Edition is sold commercially but is free to US law enforcement.
Mac Marshal Field Edition 3.0 runs directly on a Mac target machine from a USB drive for live analysis, extracting volatile system state data including a snapshot of physical RAM. The drive contains both Mac and Windows versions of Mac Marshal for use back at the lab as well. U.S. law enforcement may order the Field Edition USB drive directly from ATC-NY for US$199.