Daily Blog #49: Sunday Funday 8/11/13 - OSX/Timemachine Challenge

Sunday Funday time by David Cowen - HECF Blog

Hello Reader,
           It's that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the winner pick their choice of prizes!

The Prize:

·         Winner's Choice A year license of Accessdata Triage or a Advanced Training Track ticket to PFIC

The Rules:


1.     You must post your answer before Midnight PST (GMT -7)

2.     The most complete answer wins

3.     You are allowed to edit your answer after posting

4.     If two answers are too similar for one to win, the one with the earlier posting time wins

5.     Be specific and be thoughtful 

6.     Anonymous entries are allowed, please email them to dcowen@g-cpartners.com

7.     In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post


The Challenge:


This week on the forensic lunch we have been talking about OSX and timemachine forensics. So let's have a OSX/Timemachine Challenge!

You have been given a timemachine drive that had multiple systems backing up to it over the network. After imaging it you need to determine what has been done, answer the following questions:

1. What are the different types of backups you could find on a timemachine drive.


2. How can you distinguish which hosts backup you are looking at.


3. How would you extract a single backup for a specific date.


4. What is the difference between a timemachine backup and a .mobilebackup.


There, thats not too bad now is it? I look forward to your answers!

Also Read: Daily Blog #48

Post a Comment