There’s a growing legion of users who know that Mac Marshal is a great tool for Mac OS X evidence acquisition and analysis. Now, ATC-NY’s Mac Marshal 3.0, just released, adds important new features including:
Full support for Mac OS X 10.7 (“Lion”)
iCloud configuration analysis
Improved Bluetooth device history
Runs on Microsoft Windows
Mac Marshal now runs on Microsoft Windows as well as Mac OS X, so you can analyze Macs from a Windows forensic workstation.
Mac Marshal Forensic Edition v3.0 is the standard version of Mac Marshal, installable on Mac OS X 10.4 or newer and Microsoft Windows XP or newer. (Spotlight and FileVault analysis require Mac OS X.) The Forensic Edition is sold commercially but is free to U.S. law enforcement.
Mac Marshal Field Edition v3.0 runs directly on a Mac target machine from a USB drive for live analysis, extracting volatile system state data including a snapshot of physical RAM. The drive contains both Mac and Windows versions of Mac Marshal for use back at the lab as well. U.S. law enforcement may order the Field Edition USB drive directly from ATC-NY for $199.
Mac Marshal is one of ATC-NY’s Cyber Marshal forensics products, which also include P2P Marshal and Live Marshal and are currently used by local, state, federal and international law enforcement to investigate cyber crimes. Without automated tools, a forensic investigator’s job of finding evidence of illegal distribution of contraband and other crimes is manually intensive and time-consuming. These forensic tools greatly reduce the time investigators need for the analysis process. They are also useful to private corporations for compliance checking. For example, a company that prohibits peer-to-peer software on its corporate systems could use P2P Marshal to confirm such compliance.