Hello Reader,
Wow, there are a lot of OSX and Timemachine loving DFIR people out there! I received a lot of submissions and they are all very good. I had to read over and compare the submissions, but one was a clear standout. Congratulations to Sarah Edwards (@iamevltwin), who brought an answer so well written it had to be in a PDF to include the figures she referenced!
Here was the Challenge:
This week on the forensic lunch we have been talking about OSX and timemachine forensics. So let's have an OSX/Timemachine Challenge!
You have been given a timemachine drive that had multiple systems backing up to it over the network. After imaging it you need to determine what has been done. Answer the following questions:
1. What are the different types of backups you could find on a timemachine drive?
2. How can you distinguish which host's backup you are looking at?
3. How would you extract a single backup for a specific date?
4. What is the difference between a timemachine backup and a .mobilebackup?
Here is Sarah's winning answer,
Pdf link to read offline here: https://www.dropbox.com/s/lnlz9r6eerxlmhy/SundayFunday_TimeMachine.pdf
So it would appear the bar has been raised this week! Sarah, let me know which prize you prefer; you earned it.