Monday, August 12, 2013

Daily Blog #50: Sunday Funday 8/11/13 Winner!

Hello Reader,
        Wow, there are a lot of OSX and Time Machine loving DFIR people out there! I received a lot of submissions and they are all very good. I had to read over and compare the submissions, but one was a clear standout. Congratulations to Sarah Edwards (@iamevltwin), who brought an answer so well written it had to be in a PDF to include the figures she referenced!

Here was the Challenge:
This week on the Forensic Lunch we have been talking about OSX and Time Machine forensics. So let's have an OSX/Time Machine challenge!

You have been given a Time Machine drive that had multiple systems backing up to it over the network. After imaging it, you need to determine what has been done. Answer the following questions:

1. What are the different types of backups you could find on a Time Machine drive?
2. How can you distinguish which host's backup you are looking at?
3. How would you extract a single backup for a specific date?
4. What is the difference between a Time Machine backup and a .mobilebackup?

Here is Sarah's winning answer.
PDF link to read offline here:

So it would appear that the bar has been raised this week! Sarah, let me know which prize you prefer; you earned it.