Time Machine Backup: Importing and Parsing in Oxygen Forensic® Detective

With the recent update, Oxygen Forensic® Detective v.14.4 now supports the import and analysis of macOS Time Machine backups.

What is Time Machine Backup?

The Time Machine is the built-in backup feature on macOS that allows users to automatically back up their data. This includes apps, music, photos, email, and documents.

The first Time Machine backup contains all the data, while later Time Machine backups have only the files that changed since the previous backup. The detailed instructions on how to create a Time Machine backup are available on the official Apple website.

Time Machine Backup Import and Parsing

In Oxygen Forensic® Detective v.14.4, we’ve added the ability to import and parse data from macOS Time Machine backups. This backup can be either found on external drives or created by digital forensic experts from macOS machine that they need to analyze.

To create a backup, you need to connect an external drive to a macOS machine and start a backup process. A backup is by default non-encrypted, but a password can optionally be set to encrypt backup data.

There are two options when choosing how to analyze the Time Machine backup  in Oxygen Forensic® Detective v.14.4.

  1. Desktop Extraction
  2. Analyze External Drive

 

Desktop Extraction

With third-party tools, investigators can create an image in a RAW or E01 format from a Time Machine backup. Once it is created, click the Desktop extractions option on the Home screen of Oxygen Forensic® Detective v.14.4 and then browse for an image:

Desktop Extraction option in Oxygen Forensic® Detective to analyze Time Machine backup

The selected image will be opened in Oxygen Forensic® KeyScout.

Searching for an image from Time Machine backup in Oxygen Forensic® KeyScout

Analyze External Drive

Another option is to analyze an entire external drive that contains a Time Machine backup. To do this, investigators need to connect this drive to a computer where Oxygen Forensic® Detective is installed and click the Acquire the external drive option on the software Home screen.

Home screen of Oxygen Forensic® Detective and the Oxygen Forensic® KeyScout tool to acquire the external drive of Time Machine backup

No matter which option is chosen, if a backup is protected with a password, users will be offered to enter it before a backup import. The password will be shown in the backup details.

In Oxygen Forensic® KeyScout choosing to parse all the data or particular artifacts from Time Machine backup

In the KeyScout settings, investigators can choose to parse all the data (user and system files) or particular artifacts using various filters. Once data is collected, it will be imported in Oxygen Forensic® Detective for analysis.

Data from Time Machine backup collected in Oxygen Forensic® Detective

Conclusion

Now that Oxygen Forensic® Detective v.14.4 has the ability to import and parse Time Machine backup data, investigators have two options when choosing how to analyze the data: desktop extraction and analyzing the external drive.

Interested in trying this feature? Contact us for more information or a free trial.

 

 

Leave a Reply

Your email address will not be published.