RECON for Mac OS X Manual
- The second reporting option within RECON LAB is the Global Report, which most RECON for Mac OS X customers are familiar with. The Global Report function allows an examiner to select between two output options: Tags – artifacts that were bookmarked and/or tagged; Full.
1.Introduction#
RECON for Mac OS X is a single distribution that works in the field on live systems and also back at the lab, allowing analysis of all popular forensic image formats. Forensodigital, in association with SUMURI LLC, USA, developed the Mac OS X based forensic tool RECON for digital triage. Jan 24, 2018: RECON for Mac OS X combined with PALADIN Forensic Suite on a Samsung T3 250GB SSD USB 3.1 external micro drive with 450 MB/s read/write speeds. Designed for both the novice and the advanced forensic examiner and/or investigator, RECON for Mac OS X contains powerful features in a simplistic interface.
RECON Lab was developed for forensic examiners to have full control over their forensic examinations on a Mac platform that truly harnesses the power of the Mac. For decades, examiners have had to perform Mac analyses on a Windows machine that did not fully interpret the unique system artifacts associated with HFS+, CoreStorage, Fusion, FileVault, and APFS Macs. RECON Lab resolves these issues for the forensic community. RECON Lab will interpret Mac OS artifacts in its native environment, and present its findings in a user-friendly interface that simplifies the examination process for the forensic investigator.
RECON Lab is dongle-based software: the dongle must be plugged into your forensic Mac to run the software. RECON Lab provides the functionality to obtain an iOS backup from an attached iOS device, and it can analyze forensic images of RAM, Mac forensic images, iOS forensic images, and Windows forensic images. To date, most forensic tools either do not parse Apple Extended Metadata or they display string-based output that compels the forensic examiner to decipher the tool’s interpretation of the data. RECON Lab parses all Apple Extended Metadata and allows examiners to filter and sort artifacts based upon it; no other forensic tool on the market supports Apple Extended Metadata to the depth that RECON Lab does.
Report creation within RECON Lab can use the standard template or the more advanced Story Mode function, which allows for report customization as an examiner bookmarks key artifacts. RECON Lab was designed by former law enforcement forensic examiners for forensic examiners in corporate and law enforcement environments.
2.Installation#
RECON LAB can only be installed on an Intel-based Mac (e.g. iMac, MacBook Pro).
Although RECON LAB will run on any Intel Mac, we recommend the following minimum requirements when using RECON LAB:
- Intel i7 Quad-Core Processor
- 16 GB of RAM
- macOS Operating System – macOS High Sierra (macOS Version 10.13) or newer
- Current version of Xcode with Command Line Tools installed
- Current version of FUSE for macOS installed (Go to System Preferences > Security > General and allow FUSE for macOS)
You can find information about your Mac’s specifications from the Apple Menu in the upper left hand corner:
Apple Menu -> About this Mac
Go to the following link to ensure you have the latest version of RECON LAB: //goo.gl/wWm2qi
The downloaded file will be in your Downloads folder.
The downloaded file will be labeled RECON_LAB_VersionNumber.dmg (e.g. RECON_LAB_1.0.9.dmg). Please confirm the downloaded file by verifying the MD5 and/or SHA1 of the downloaded DMG file against the published value.
Double-click the DMG file to mount it; RECON_LAB_INSTALLER.app is located within the mounted DMG.
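The verification step above is worth doing before the quarantine attribute is cleared in the next steps, since once it is cleared macOS will no longer warn about the file. The following script is an added example (not part of the manual and not SUMURI's code) that hashes a DMG in chunks and compares it with a published MD5 or SHA-1 digest, picking the algorithm from the digest length. The sample file and the "published" digests are constructed for demonstration; substitute the real DMG path and the digest from the vendor.

```python
"""Verify a downloaded RECON LAB DMG against a published MD5 or SHA-1 digest.

Added example, not part of the RECON LAB manual or SUMURI's software.
The sample content and digests below are constructed for demonstration.
"""
import hashlib
import hmac
import os
import tempfile

# The length of the published hex digest tells us which algorithm was used.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}

# Constructed sample content standing in for the DMG bytes (not a real image).
SAMPLE_CONTENT = b"abc"
# Well-known digests of b"abc", used as the "published" values in the demo.
EXPECTED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def detect_algorithm(expected_hex: str) -> str:
    """Map a published hex digest to the hashlib algorithm name (MD5 or SHA-1)."""
    length = len(expected_hex.strip())
    try:
        return _ALGO_BY_HEX_LEN[length]
    except KeyError:
        raise ValueError(
            f"unrecognised digest length {length}; expected 32 hex chars (MD5) or 40 (SHA-1)"
        ) from None


def digest_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte DMG never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """Return True only if the file's digest matches the published one.

    The comparison is case-insensitive (vendors publish either case) and uses
    a constant-time compare.
    """
    algorithm = detect_algorithm(expected_hex)
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def write_sample_dmg() -> str:
    """Write the constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="RECON_LAB_sample_", suffix=".dmg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


if __name__ == "__main__":
    sample = write_sample_dmg()
    for algo, published in EXPECTED.items():
        status = "OK" if verify_file(sample, published) else "MISMATCH"
        print(f"{algo}: {status}")
    os.unlink(sample)
```

Run it as `python3 verify_dmg.py` after pointing `verify_file` at the real download; a `MISMATCH` means the DMG should be discarded and re-downloaded rather than opened.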
Drag the RECON_LAB_INSTALLER.app to your Desktop.
Open a terminal window with Terminal.app and run the following command:
xattr -c ~/Desktop/RECON_LAB_INSTALLER.app
Then right-click and select Open on the RECON_LAB_INSTALLER.app. A Mac Window Prompt will appear that asks “Are you sure you want to open it?” Select Open.
You will be presented with the following RECON Lab Installer splash screen.
Select Install if you are updating from a previous version of RECON Lab. Select Clean Install to completely overwrite the previous versions of RECON LAB. And lastly, select Uninstall to remove the latest version of RECON LAB from your Mac. Upon completion of the installation, the bottom left hand corner will state Done!!! Click on the Red X icon in the top left hand corner to close the window.
Grant RECON LAB Full Disk Access by performing the following:
- Go to the Apple icon in the top left hand corner of the screen, and select System Preferences…
- Then click on Security & Privacy. To make any changes on your Mac, you must click on the Lock icon and enter your administrator password.
- On the following screen select Full Disk Access. Click the + icon, then navigate to the newly installed RECON_LAB.app located in the /Applications folder.
Starting RECON LAB:
- Plug in the RECON LAB USB to your Mac.
- Click on the LaunchPad icon within your Apple Dock.
- Navigate to the RECON LAB icon, then double-click on the RECON_LAB application icon to start the software.
- A message will appear asking for the location of your RECON LAB license file. The file will be on the RECON LAB USB or may have been emailed to you if you have upgraded or requested a demo license. Select your license file.
The main splash screen will then appear with a message regarding the privacy prompts when processing Mac data. Click OK to acknowledge the notification and continue.
Select the checkbox “Don’t show this message again” if you prefer not to see the notification again.
The registered owner information, purchase date, and expiration date will be displayed in the bottom right hand corner of the screen (see the image below).
3.Configuration#
On your initial screen, select RECON Config to configure your case environment (see figure below).
In the customization wizard, select each field to customize your RECON LAB environment:
- Examiner Details – Change name, agency, address, etc. To change the image, click on the “…” button where you’ll navigate to your agency icon that is either a JPG or PNG file.
- Artifacts – Identify & select automated plugins that you prefer to have as default or custom selections; click on Save Template, create a name for the list, and click Add to add a custom artifacts template.
- User Defined Extensions – Create custom file extensions that can be parsed within a case.
- User Defined File Signatures – Create custom file headers/signatures that can be parsed within a case.
- Hashset – Add a custom hashset to a case; the hashset must be in .sqlite format.
- Keyword List – Add custom keyword(s) to a case; RECON LAB can accept GREP and Regex entries as keywords.
- Apple Metadata Filters – Select your default Apple Metadata filters for searching and sorting through recovered Mac and iOS artifacts. There are 95 different Apple Extended Metadata Attributes that RECON LAB offers here for display, searching, and filtering of evidence files. This function does not impact RECON Lab’s ability to parse third-party Apple Extended Metadata Attributes; that data will be displayed under the Apple Extended Metadata tab for the highlighted evidence file. The examiner checks the box under the D column to have the metadata displayed on the left sidebar, and checks the R column to have the desired Apple Extended Metadata included in the final report.
- Exif Metadata Filters – Select your default Exif metadata filters for searching through recovered Windows, Mac, and iOS artifacts.
- Volatility Path – Navigate to the location of the vol.py file so Volatility can be used within RECON LAB to parse through RAM artifacts. Volatility is an open source tool used for RAM analysis. RECON LAB has created a GUI wrapper for this command-line tool. If you would like to use Volatility with RECON LAB, you can download the Volatility Source Code (Volatility-Master) folder from www.volatilityfoundation.org.
- System Password – Enter your Mac password in the event that a particular RECON LAB process or script requires admin privileges. Once entered RECON LAB will remember the password. If you change your password, you will need to re-enter the password in this tab.
- Text View – Configure the maximum file size for the Text View section; the default size is 20 MB.
- External Applications – Select preferred third-party applications (e.g. VLC, File Juicer) for continued analysis of evidence (see figure below). Most .app files can be found in your Applications folder.
4.Overview - Interface of RECON LAB#
RECON LAB allows examiners to manually navigate through the attached evidence file while the processes are running. Automated plugins will run concurrently and routinely finish prior to indexing and Apple Extended Metadata processing. See the image below for the layout of the main screen within RECON LAB.
The examiner can then drill down through the file system either on the left hand sidebar or within the center screen by double-clicking on the directory of interest. Within the center screen, the examiner can search the immediate directory, sort by filter, or view the current JPG & PNG files. Underneath the center screen is the detailed information window that displays the highlighted file in HEX view, Text view, Strings, Exif Metadata, Apple Metadata, Maps, and a media file preview (if available).
The Detailed Information Tab will display key information about the highlighted file/directory. The detailed information can consist of:
- File Name
- File Size
- File Path
- File Inode number
- File MIME type
- Tag and notes produced by the examiner
- File Modified, Accessed, Created timestamps
The Hex View Tab will display the content of the file in hexadecimal format. The examiner has the ability to do the following in the Hex View Tab:
- Copy Hex values to the clipboard
- Display the bytes in four different layouts (8, 16, 32, or 48 bytes per row) across their screen
- Navigate to a specific page of the file
- Toggle the byte address area between decimal and Hex
- Select All Hex values present
- Tag highlighted bytes
The Text View Tab will display the content of the file in text format. The examiner can search through the file and toggle between ASCII and Unicode encoding. Any text values of importance can be highlighted and tagged for reporting purposes or the examiner can right-click within the Text window and click “select all”.
The Strings Tab allows an examiner to look for strings within a particular file. A string is identified as four or more printable (commonly ASCII) characters that are immediately followed by an unprintable character. Any string output identified can be selected and tagged for reporting, and the examiner can also “select all”.
The EXIF Metadata Tab displays the accessible EXIF information to the examiner. The EXIF data recovered within RECON LAB is predominantly the author, GPS coordinates, and the make and model of the associated device.
The Apple Extended Metadata Tab displays all available Apple Extended Metadata for the selected file to include any third-party Apple Extended Metadata Attributes. This tab will output the recovered Apple Extended Metadata associated with the selected file.
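Because Apple Extended Metadata is stored as extended attributes on the file, an examiner can cross-check what the tab (and the Apple Metadata Filters in RECON Config) shows by decoding those attributes directly. The script below is an added example, not RECON LAB's code. It decodes three common attributes: `com.apple.quarantine` (a plain string of semicolon-separated fields: flags, download time as hex epoch seconds, agent name, UUID) and `com.apple.metadata:kMDItemWhereFroms` / `kMDItemDownloadedDate`, which are binary plists. The `SAMPLE_XATTRS` values are constructed; `read_file_xattrs` assumes macOS's `xattr` command-line tool is on the PATH and so returns nothing useful on other platforms.

```python
"""Decode the Apple Extended Metadata attributes RECON LAB surfaces.

Added example, not RECON LAB's own code. SAMPLE_XATTRS is constructed to
look like what a downloaded file carries; read_file_xattrs() shells out to
macOS's xattr tool (assumed to be on PATH) to read real files.
"""
import datetime as dt
import plistlib
import subprocess
from typing import Any, Dict

QUARANTINE = "com.apple.quarantine"
WHEREFROMS = "com.apple.metadata:kMDItemWhereFroms"
DOWNLOADED = "com.apple.metadata:kMDItemDownloadedDate"

# Constructed sample values standing in for real attribute bytes.
SAMPLE_XATTRS: Dict[str, bytes] = {
    QUARANTINE: b"0083;5f8c2b7a;Safari;11111111-2222-3333-4444-555555555555",
    WHEREFROMS: plistlib.dumps(
        ["https://example.invalid/RECON_LAB_sample.dmg", "https://example.invalid/downloads"],
        fmt=plistlib.FMT_BINARY,
    ),
    # plistlib needs a naive datetime here; it is interpreted as UTC.
    DOWNLOADED: plistlib.dumps([dt.datetime(2020, 10, 18, 11, 48, 10)], fmt=plistlib.FMT_BINARY),
}


def decode_quarantine(value: bytes) -> Dict[str, Any]:
    """Parse 'flags;hex_epoch;agent;uuid'; agent and uuid may be absent."""
    fields = value.decode("utf-8", "replace").split(";")
    flags = int(fields[0], 16)
    epoch = int(fields[1], 16)
    return {
        "flags": flags,
        "timestamp": epoch,
        "downloaded_at": dt.datetime.fromtimestamp(epoch, tz=dt.timezone.utc),
        "agent": fields[2] if len(fields) > 2 else None,
        "uuid": fields[3] if len(fields) > 3 else None,
    }


def decode_xattr(name: str, value: bytes) -> Any:
    """Decode one attribute by name; unknown attributes come back as raw bytes."""
    if name == QUARANTINE:
        return decode_quarantine(value)
    if name.startswith("com.apple.metadata:"):
        parsed = plistlib.loads(value)
        if name == DOWNLOADED:
            # plistlib returns naive datetimes that are UTC; make that explicit
            # so the examiner can render them in a chosen zone later.
            return [d.replace(tzinfo=dt.timezone.utc) for d in parsed]
        return parsed
    return value


def decode_all(xattrs: Dict[str, bytes]) -> Dict[str, Any]:
    """Decode every attribute in a name -> raw bytes mapping."""
    return {name: decode_xattr(name, value) for name, value in xattrs.items()}


def read_file_xattrs(path: str) -> Dict[str, Any]:
    """Read and decode the xattrs of a real file via macOS's xattr tool (assumption)."""
    names = subprocess.run(["xattr", path], capture_output=True, text=True, check=True)
    raw: Dict[str, bytes] = {}
    for name in names.stdout.split():
        # -p prints one attribute, -x forces hex output so binary plists survive.
        out = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True, check=True)
        raw[name] = bytes.fromhex("".join(out.stdout.split()))
    return decode_all(raw)


if __name__ == "__main__":
    for name, decoded in decode_all(SAMPLE_XATTRS).items():
        print(f"{name}: {decoded}")
```

The quarantine timestamp and `kMDItemDownloadedDate` are returned as timezone-aware UTC values, which is the safest form to keep before applying the case's chosen Date & Time format.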
The Maps Tab depicts the GPS location of the file’s origin and displays it on an offline map at 1:2,000,000 scale. In the event the examiner’s Mac is online, it will link directly to a Google Maps webpage. The latitude and longitude will also be presented in this tab.
Items of evidentiary value can be bookmarked or tagged. An item can be bookmarked by hitting the B key. Files can also be viewed using the Quicklook function which is the eye icon or by pressing the Space bar. When an examiner right-clicks on an item in the center screen a menu with multiple options will appear (see figure below). Examiners will be able to perform the following:
- Add/remove bookmark
- Add/remove note
- Send to bucket
- Tag
- Search for files with the same hash
- Export
- Quick look
- Open with Hex viewer/Plist viewer/Sqlite browser
- Open with external application
- Add to text indexing queue
- Add file to hashset database
- Search file with same hash
- Copy to Clipboard
- Carve Files
- Mark as Seen/Unseen
- Show/Hide Seen Files
- Open Detailed Information (in a detached window)
5.Acquire iOS Devices with RECON LAB#
In the initial Splash screen, examiners have the ability to acquire an iOS image from an iPhone, iPod, or iPad that is connected to their forensic Mac. The examiner will need the login credentials for the iOS device and the ability to interact with the iOS display (i.e. a functioning screen). iTunes must be installed on the Mac and it has to be up to date.
The examiner will select Acquire iOS Device button (see image below).
The examiner can plug the iOS device into the Mac before selecting Acquire iOS Device. Once it is plugged in, ensure you select Trust on the iOS device during the “Trust This Computer?” prompt. iTunes will also prompt “Do you want to allow this computer to access information on “user’s iPhone”? Select Continue.
You’ll then be instructed to enter the login credentials for the iOS device. If the iOS device is not visible, click on the Refresh button to retry accessing the iOS device.
Once the iOS device’s information is displayed, you can obtain key information such as the phone number, International Mobile Equipment Identifier (IMEI) and the International Mobile Subscriber Identity (IMSI) in the lower window.
Once the examiner confirms the attached iOS device is the intended acquisition target, click on Acquire. Then select the output directory for the iOS data acquisition. Once the extraction is complete, you can load the iOS backup into RECON LAB by navigating to the manifest.db found within the acquisition folder.
6.Start a New Case#
From the initial splash screen, the examiner has five (5) options:
- About RECON – Display the End-User Agreement, software licensing, change logs, known issues, and license expiration date.
- RECON Config – Displays configuration settings for RECON LAB.
- Acquire iOS Device – Obtain an iOS backup image of an attached iPhone, iPod, or iPad device.
- New Case – Initiate a new case within RECON LAB.
- Load Case – Open a previously generated RECON LAB case by navigating to the RECON folder, not the result.recon file.
To begin a new investigation, select New Case (see figure below).
Enter the appropriate Case and examiner information; keep in mind that Case number (Case No.), Case Name, and Examiner are required to be completed to select Next.
Please keep in mind that your evidence must either reside on your forensic Mac or be directly attached via USB, USB-C, Thunderbolt, or FireWire. The evidence should also reside on an HFS+, APFS, or Mac-initialized ExFAT formatted drive.
In the event that the evidence file is a physical image of a Mac FileVault volume, the examiner should select File Vault Image. Any other physical image should be added under Forensics Image. Keep in mind that a FileVault image can be an E01, DMG, or S01 file; it is up to the examiner to identify whether the evidence file is a FileVault Mac image.
Keep in mind that the T2 chip in newer Macs functions similarly to a Trusted Platform Module (TPM): when a full physical forensic image is obtained from such a Mac, you are not able to mount that forensic image. The examiner must instead obtain a logical data extraction from a T2 Mac and load the evidence as a folder.
The next screen will allow an examiner to add evidence to be analyzed (see image below).
Once an image is added, select Next. Then select the destination directory before selecting Next. The next step is to select the Date & Time format, which can be UTC, the machine time zone, or an examiner-selected time zone, as well as the preferred date format; then click on Next.
The next step is to configure the Filesystem modules; the modules can either use the default configurations made within RECON Config or be adjusted to the specific case. Once the Apple Metadata (only applies to Mac images), Mime types, Signature Analysis, Exif Metadata, Hashset, and Index Files are configured, the examiner will then click on Next. Lastly, the examiner will pick the desired plugins to parse, and select Start (see figure below).
RECON LAB will immediately start to parse through artifacts and the screen will look similar to the image below.
At this time, RECON LAB is running through the automated plugins and running the more complex actions, such as indexing and extracting Apple Extended Metadata, as separate threads. This ensures that RECON LAB can simultaneously allow examiners to obtain low-hanging-fruit evidence and still conduct a more detailed forensic examination. The examiner will also have the ability to navigate through the write-protected mounted forensic images, so the examiner can drill down to specific directories of interest.
Depending on Plugins selected, your Mac might prompt access to calendar, contacts, reminders, and photos. RECON LAB is not accessing the contents of the Forensic Mac, but the prompt will be displayed due to the nature of Mac OS and interaction with those protected files (see image below). RECON LAB might also prompt you for a volume unlock passcode if it is a FileVault image; you can select Cancel since the passcode was previously entered.
In the event that an examiner no longer desires to run a particular plugin, the examiner can select the “X” icon to the right of the plugin name to stop that plugin. The only process in the bottom right hand corner that cannot be abruptly stopped is adding evidence items to the case. Evidence items can be removed once they have been fully added. The examiner will select the Processing Status icon in the upper toolbar to access the function of removing evidence from a case (see the image below).
7.Automated Analysis with RECON LAB#
The best functionalities in RECON for Mac OS X are built into RECON LAB. The automated Mac plugins extract artifacts from known locations within the operating systems and present the findings to the examiner. The plugins run at the start of case processing and finish promptly; this allows the examiner to start working on a case right away and obtain low-hanging fruit evidence.
The Artifacts plugin initiates the automated analysis that contains 128 unique plugins across the Mac OS X, Windows, and iOS platforms. The examiner has the option to select/deselect all or filter the plugins by OS platform. The examiner can expand every artifact plugin and be selective in the elements retrieved from the highlighted artifact (see image below).
Here is the listing of all the supported plugins:
7.1.Automated Plugins#
Mac OS Automated Plugins
- Displays IPv4 addresses
- Displays IPv6 addresses
- Inet Socket
- Unix Socket
- Event Socket
- Control Socket
- Statistics
Messaging Application
- Display User Account Info
- Display User Account Preferences
- Display User Contacts
- Display Adium Messages
- Display File Transfers
- Display Status
WiFi
- Display wireless networks
- Display Preferences
- Display Network List
- Display Wireless Network Information
- Display Apple Dock items
- Display Applications
- Display User Applications
- Display Installer History
- Display App Store Downloads
- Display App Store Software Updates
- Displays Wake Reasons
- Display USB Attached List
- Displays HFS Device List
- Display Apple Mail Accounts
- Extract Apple Mail Accounts
- Display command line history
File Sharing Application
- Display torrent downloads
- Display current torrents
- Display all Torrent Files
Anti-Forensics
- Display Activity Logs
- Display Applications
- Display Dictionary
- Display File Rules
- Display Recent files
- Display Volumes
- Display software status
- Display preferences
- Display Bluetooth devices
Anti-Forensics
- Display Status
- Display Preferences
- Display Calendar
- Display Database Events
- Display ICS Events
- Display Attachments
- Display User subscriptions
- Display calendar publish
- Display Calendar accounts
- Show Calendar Preferences
Web Browser
- Show Web History
- Show Web Bookmarks
- Show Web Downloads
- Show Web Search Items
- Show Website Logins
- Show Website Shortcuts
- Show Website Topsites
- Show Website Cookies
- Show Website Autofill
- Show Autofill Profiles
- Show Browser Extensions
- Display Browser sessions
- Show browser cached data
- Show browser cache files
Anti-Forensics
- Display Application Status
- Display software preferences
- Show Ignore List
- Display clipboard content
- Displays iOS Devices that were connected to the system
- Show DB Contacts
- Show vCard Contacts
- Show vCard Contacts Files
- Show Contact Groups
- Show Contacts Last Import
- Show My Cards
- Display Contacts’ Accounts
- Display Smart Groups
- Display Preferences
- Display Bookmarks
- Display History
- Display Transfers
- Display Preferences
- Show Cleaner Applications
- Display executed command line
- Display Recent Applications
- Show Secure Erase
- Show Deleted Users
- Show Devices
- Show Disk Images
- Display Device Information
- Show all partitions
- Identify usage of Secure Erase
- Locate Secure Erase Free Space
- Display Miscellaneous information
- Disk Utility Saved List
- Display list of disk images used in disk utility
Cloud Services
- Show Dropbox Folder Files
- Display Uploaded Files
- Display Dropbox Preferences
- Display System Logs
- Display Bash History
File Systems Events
- Display File System (FS) events
- Show Recent Calls
- Show Video Recent Calls
- Show Audio Recent Calls
- Show Favorite Contacts
- Show Last Used FaceTime activity
- Show FaceTime account
- Display Blocked Addresses
- Display known contacts
- Show NAT Cache
- Show FaceTime Preferences
- Display Recent Open Folder
- Display Open Tabs
- Show Finder Preferences
- Display Folder
- Display Attached Internal HDD/SSD
- Display Attached External HDD/SSD
- Display Attached USB Flash Drives
- Display Special Access Devices
- Display Connected Servers
- Display Disk Images and DVDs
- Display Downloads
- Display All Files
- Display Torrents
- Show Torrents Data
- Show Transfers
- Show Preferences
- Show Shared Folders
- Show Downloads
- Display Preferences
- Display History
- Display Downloads
- Display Topsites
- Show Search Items
- Show Logins
- Show Shortcuts
- Display Autofill
- List Autofill Profiles
- Display Credit Cards
- Show Favicons
- List Search Engines
- Shows Extensions
- Display Synced Data
- Show Cookies
- List Chrome Settings
- Display Bookmarks
- Display Persons
- Show Sessions
- List Bookmark Folders
- Show Local Storage
- Display Synced Accounts
- Show Preferences
- Display Network Predictor
- Display Cached Data
- Show sync configurations
- Show Uploaded Files
- Show Google Doc Files
- Display Preferences
- Display hardware
- Display History
- Display Downloads
- Display Bookmarks
- Show Typed URLs
- Show Cookies
- Show Homepage
- List Application Information
- Display RSS feeds
- Show DOMStore data
- Display Cache
Windows Artifacts
- Show Automatic Destinations
- Show Custom Destinations
- Display Words List
- List Keychain Items
Messaging App
- Show Line Messages
- Show Attachments
- Show Group Messages
- Display Line Calls
- Display Group Calls
- Display Group Attachments
- Show Groups
- Show Chat Snippets
- Display Line Contacts
- Show Account
- Show Contacts List
- List Preferences
- Display Applications
- Display Widgets
Social Media App
- Show LinkedIn Messages
- Display Attachments
- Show Contact List
- Display Sticker Events
- Show Sticker Packs
- List Preferences
- Show Account Information
- Show Login history
- Display Banner Information
- Show Accounts
- Display Contacts List
- List VIP Contacts
- Display Messages
- Show All Attachments
- Show Open Attachments
- View Signatures
- List Smart Mailboxes
- Display Rules
- Show Received Attachments
- Display Recent emails
- Display Mail Data
- List Appointments
- Reveal Call History
- List Preferences
- Display Locations Bookmarked
- Discover Recent Searches
- Reveal Recent Directions
- Display Bookmarked Directions
- Show Last Closed Window
- Show Devices
- Reveal User Connected Devices
- List Portable Devices
- Display Printers
Web Browser
- Exhibit Internet History
- Show Bookmarks
- List Downloads
- Show Cookies
- Display Reading List
- Display Blocked Advertisements
- Produce Shared History
- List Speed Dials
- Show Search Engines
- List Themes
- Display Preferences
- Show Accounts
- Display Contact List
- List DB Messages
- Reveal Archived Chats
- Reveal Recent Chats
- Reveal Group Chats
- Show Attachments
- Display Blocked Address
- Show Preferences
Web Browser
- Display History
- Show Downloads
- List Bookmarks
- Reveal Pinned URLs
- Display Reading List
- Show Cookies
- Show DOMStore data
- Display Typed URLs
- List Application Information
- Display Cache
- Display SONY PC Companion
- Show Samsung Kies
- List Volumes
Web Browser
- List History
- List Bookmarks
- Display Downloads
- Show Topsites
- Display Form History
- Show Logins
- Show Reading List
- Display Opened Tabs
- View Last Closed Tabs
- Display Last Closed Tabs with Windows
- View Saved Pages Locations
- Display Saved Snapshots
- Show Saved Sessions
- Display Local Storage
- List Favicons
- List Extensions
- List Addons
- Show Hosts
- Display Web Apps Store
- Show Allowed Sites-Pop-Ups
- Display Cookies
- Show Cache
- Display Thumbnail List
- Show Preferences
- Display Network Information
- List Last Connected Networks
- View Wireless Network Information
- List Network Devices
- Show Other Connected Networks
- List Connected Bluetooth Devices
- Display Network Interfaces
- Display Bluetooth Network Interfaces
- Show Ethernet Interfaces
- Show FireWire Interfaces
- Show ThunderBolt Bridge Interfaces
- Display WiFi Interfaces
- Display Mapped Network
- Display Network Mapped History
- Display Preferences
- List SMB Server
Messaging Application
- Display Nimbuzz Messages
- Show Account
- Display Nimbuzz Calls
- Display Nimbuzz Contacts
- See Attachments
- Group Messages
- List Groups
- Display Preferences
- Show Group Attachments
- View Sticker Packs
- Display Chat Rooms
- Display Suggested Contacts
- Show Notes
- Show Folders
- Show Attachments
- Display Active Attachments
- Show Documents
- Display Photos and Videos
- Display Audios
- List Maps
- Show Orphan Attachments
- Show Previews
- Show Websites
- Display Preferences
Cloud Storage
- Display DB Files
- Show Logs
- Show Preferences
- Display OneDrive Folder Files
- Display Accounts
Web Browser
- Show History
- Display Bookmarks
- Display Speed Dial
- Show Downloads
- View Search Items
- Display Cookies
- Show Logins
- Display Autofill
- List Autofill Profiles
- List Credit Cards
- Reveal Extensions
- Display Extensions
- Show Session
- List Cached Files
- Exhibit Topsites
Web Browser
- Reveal History
- Display Cookies
- Show Bookmarks
- Show saved offline pages
- Reveal synchronisation
- Display Bookmarks Folders
- List Preferences
Email Client
- Display emails
- Show attachments
Email Client
- Display emails
- Show attachments
- List Outlook contacts
- Show tasks
- List notes
- Exhibit accounts
- Show exchange account
Virtualization
- List Virtual Machines
- Display Timestamp Log
- Exhibit Recent VM
- Display Recent Images
- Show All Images
- List Recent Movies
- Show All Movies
- Annotate Preferences
- Show All photos
- Exhibit Faces
- List Projects
- Display SlideShow
- List People
- Display Audio-Video
- Show Albums
- Display Folders
- Reveal Camera Captures
- Annotate Preferences
- Display Moments
- Show Shared Albums
- List Memories
- Display Thumbnails List
Windows Artifacts
- Display Prefetch Information
- Reveal Parameters
- List Quarantine Events
- Display Recent Files
- Display Recent Hosts
- Show Recent Login Apps
- Show Recent Windows Files
- Display Last Logout Reason
- Show Search Recents
- Reveal Regedit Last Key
- List Registry Recents
- Show Recent MRU
- Exhibit Run Recents
- List DB Reminders
- List ICS Reminders
- Display Reminders List
- Show Shared Lists
- Display Accounts
- Show Preferences
- Exhibit Remote Connections
- Show Remote Servers
- Display SSH connections
- Show history
- Show Bookmarks
- Display downloads
- Exhibit local storage
- Show recent items
- Display Last Session
- Show Topsites
- List Cookies
- Display Reading List
- Show Opened Tabs
- List Extensions
- Reveal Push Notifications
- List RSS Feeds
- Show Cache
- List Webpage
- Show URLs
- Display Preferences
- List scheduled jobs
- Show tasks logs
Messaging
- List messages
- Show file transfers
- Display contacts
- Exhibit blocked accounts
- Show SMS
- Reveal pending request
- Show Call Members
- Display Search Results Category
- Display shortcuts
- Show Saved Searches
Windows Artifacts
- List Start Menu Programs
- Display User Start Menu Programs
- Exhibit Auto Start Programs
- List Startup Applications
- Show Users Startup Applications
- Reveal Stocks Data
- Display System Information
- List System Timezone Information
Remote Desktop
- Show Outgoing Connections
- Show Incoming Connections
- Display Recent History
- Show Last File Transfer Path
- Show last check in
- Display logs
- Show Recorded session
Messaging
- Display TextMe Messages
- Show Account
- Show TextMe Contacts
- Show TextMe Calls
- Display Attachments
- Display chat snippets
- Show sticker packs
- List shared locations
- Exhibit preferences
- Display wallpaper and voicemail announce
- List shared audios
- List shared videos
- Show Thumb Cache
- Show deleted file thumbs
Email Client
- Show Accounts
- Display contacts
- Show chats
- Display attachments
- List emails
- Show events
- List tasks
- Display blocklist
- Show Folder locations
- Display preferences
- List preference tree
- List Time Machine Info
- Display Time Machine Disks
Web Browser
- Display history
- Display bookmarks
- Display downloads
- Show cookies
- List form history
- Show extensions
- Show favicons
- List saved pages locations
- List saved sessions
- Exhibit hosts
- List cached files
- Show thumbnails list
- Display preferences
- List Trash items
- Show Words list
Web Browser
- Display history
- List cookies
- Show synced Tabs
- Display Preferences
- List USB Attached List
- Display HFS Device list
- Show local users
- Show domain users
- Display account information
- List UserAssist programs
Media Player
- List Media Library
- Display playlists
- Exhibit Album art
- Show Recent
- Display Podcasts
- Show Recently Played
Virtualization
- Display Virtual Machines
Messaging
- Show Viber Messages
- Show contacts synced
- List media messages
- Show Viber contacts
- Show Viber calls
- Display location messages
- List Account
- Display preferences
- Show groups
- Display contacts list
- List chat snippets
Virtualization
- Display Box Configuration
- Show Machines
- Display Preferences
- Display Memos
Torrent Sharing
- List downloads
- List torrents
- Show all files
- List wake reasons
- Display locations
- List local weather
- Display preferences
Messaging
- Display account
- List contacts
- Show WhatsApp Messages
- Display media messages
- Show groups
- List favorites
- Show Chat statistics
- List preferences
Media Player
- Show last played
- Display playlists
- Show recents
- Display shared folders
- Exhibit proxy settings
- List preferences
- Show Installed Applications 64-Bit
- Show Installed Applications 32-Bit
- Show Uninstall Applications
- List Registered Applications
- Display Metro Applications
- Show Previously Executed Applications
- Display third party applications
- Show Hidden Desktop applications
Torrent Sharing
- Display properties
- Show incomplete downloads
- Show complete downloads
- List shared files
- Display offline saved videos
- List uploaded videos
- Show cookies
- Reveal preferences
Torrent Sharing
- List Servers
- Display Shared Files
- Display Message
- Show Clients
- Show Downloads
- Exhibit Preferences
- Show logs
- Display incomplete downloads
Torrent Sharing
- List servers
- Show Search items
- Display complete downloads
- Display incomplete downloads
- Show messages
- Display Services
- Show documents
- Exhibit bundle contents
- Show previews
- List clients
- Display miscellaneous content
- List account
- List devices
- Show backup detail
- Show backup status
- List applications
- Show list view
- Show devices
- List recent searches
- Reveal preferences
- Show accounts
- Display media lists
- Show Audio tracks
- Show Video tracks
- Display playlists
- Display stores purchased media
- Show incomplete downloads
- List podcasts
- Display iTunes U content
Torrent Sharing
- Display downloads
- Display torrents
- Show all files
8.Load a Case#
To open a previously created case, select Load Case from the initial splash screen.
The popup window instructs the examiner to navigate to the desired case folder and click Open.
The folder name consists of the case name followed by a timestamp in the form YYYY-MTH-DDTHH-MM-SS (e.g. Fraud_Investigation_2018-SEP-19T13-25-44).
The following screen asks the examiner whether the original forensic image should be mounted.
It is highly recommended that the examiner mount the forensic image(s); otherwise the export function might not perform correctly.
The examiner will confirm the file path to the forensic image prior to selecting OK.
9.Browsing through Evidence#
Automated plugins, Apple Metadata, Hashsets, EXIF, and Apple Timestamps parsing will begin during a case’s initial processing. These actions can take place concurrently while an examiner is reviewing the content of the forensic image, but an examiner will have to wait to add an additional evidence item until the plugins are completed.
Once an evidence source is completely added to a case, the examiner can immediately begin navigating through the file structure in the Source section of the side bar and/or within the main window.
The left hand side of the main window in RECON LAB is identified as the Side Bar. Towards the top of the sidebar is the Source Section. There is a triangle to the immediate left of each artifact's title; clicking it expands or collapses the artifact's directory tree (i.e. drills down into the file system of the suspect's forensic image).
To access a directory, the examiner simply must double-click on the directory of interest from the main window or from the sidebar. The files within the directory will be visible in the main window.
From the main window, there are functions such as:
- Search
- Sort
- Filter
- Export As CSV
- View Recursively
- Gallery View
Lastly, the Detailed Information Window resides directly underneath the main window which displays an abundance of data about any highlighted file or directory.
9.1.Main Window Functions#
The Main Window provides the following functions:
- Search
- Sort
- Filter
- Export As CSV
- View Recursively
- Gallery View
Search – Allows the examiner to search through the artifacts displayed in the main window by simple keyword searches.
Sort – Allows the examiner to display the artifacts in the main window in numerical, alphabetical, or chronological order; the listing can be shown in ascending or descending order.
Filter – Artifacts in the main window can be displayed in accordance with filtering restrictions set by the examiner. The examiner will natively have the following filter options available:
- Record No.
- Inode No./File ID
- File Name
- Extension
- File Path
- File Size
- Mime Type
- Hashset Name
- MD5
- SHA1
- Date Modified
- Date Change
- Date Accessed
- Date Added
- Content Creating Date
- Content Modification Date
- Last Used Date
- Use Count
The examiner can right-click on any of the table header items above and select the column that they want to see/hide in the main window.
Export As CSV – The option allows the examiner to generate a CSV report of all the files and directories in the current view of the main window. This will be discussed in detail in the Reporting section of this manual.
View Recursively – This function will show all the contents of directories in the current window. This allows an examiner to see all the nested files and folders within a specific location. This function does not expand compound files. This feature is accessed by clicking on the black square icon to the right of the Export As CSV button on the upper right hand corner of the main window.
Gallery View – Towards the top of the main window is the Table View and Gallery View Tabs. By default, examiners will review artifacts in the Table View. The Table View displays the information about the particular files, while the Gallery View tab shows all interpretable media images within the current view. Examiners can scroll continuously through the media files and bookmark items as desired.
In the event that the examiner would like to go back to the previous view, the examiner can click on the back arrow to the left of the search window.
The Show All button returns all artifacts after keyword searches might have limited the current view of artifacts.
9.2.Detailed Information #
The Detailed Information section is located at the bottom of the RECON LAB window. The information in this section will change to the information associated with the highlighted file, directory, or artifacts in the main window. The information in the Detailed Information section contains the following:
- Detailed Information – Displays the file name, size, path, record number, MIME type, tags, notes, and file timestamps, and possible use count.
- Hex View – Shows the content of the file in hexadecimal. The hex content can be displayed across multiple pages as well as tagged & copied.
- Text View – View the content of the file in text; the examiner can select either ASCII or Unicode encoding. Areas of importance can be highlighted and tagged.
- Strings – Identifies runs of four or more printable characters that are immediately followed by a non-printable character. Evidentiary items can then be tagged.
- EXIF Metadata – Present Exchangeable image file information that is specific to digital cameras, scanners, etc.; EXIF metadata is extremely beneficial for timestamps, make & model of devices taking the images, and possible GPS coordinates for the time the picture or video was captured.
- Apple Extended Metadata – Uncovers all Apple Extended Metadata for a particular file. An examiner can check the box to the left of an attribute to ensure that attribute is included in the final examination report.
- Maps – Reveal the GPS location of the file’s origin in both offline and online maps. If the examiner is offline, then OpenStreetMaps will present the GPS coordinates. When RECON LAB is connected to the internet, the examiner can display online maps by selecting “Open with Google” or checking the “Use Online Maps” checkbox.
- Preview – To the far right, there is a preview window for media files, primarily images, audio, and video files. Towards the bottom of the preview window is a slider that will allow an examiner to zoom in on the selected file.
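The Strings rule above (runs of four or more printable characters followed by a non-printable character) and the Text View's ASCII/Unicode choice, shown as an added example that is not RECON LAB code; the sample blob and its offsets are constructed:

```python
"""Added example (not RECON LAB code): a strings extractor that follows the
rule the manual gives for the Strings tab, i.e. runs of at least four
printable characters that are immediately followed by a non-printable
character, for both ASCII and UTF-16LE ("Unicode") text."""
import string

# Printable bytes: letters, digits, punctuation and the space character.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 4  # minimum run length stated in the manual


def ascii_strings(data, min_len=MIN_LEN, require_terminator=True):
    """Return (offset, text) for ASCII runs of >= min_len printable bytes."""
    hits, start = [], None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        # Non-printable byte: it terminates any run that was in progress.
        if start is not None and i - start >= min_len:
            hits.append((start, data[start:i].decode("ascii")))
        start = None
    # A run that reaches end-of-file has no terminator after it; the manual's
    # rule excludes it unless the caller relaxes the requirement.
    if start is not None and len(data) - start >= min_len and not require_terminator:
        hits.append((start, data[start:].decode("ascii")))
    return hits


def utf16le_strings(data, min_len=MIN_LEN, require_terminator=True):
    """Return (offset, text) for UTF-16LE runs: printable byte followed by 0x00.
    The scan steps one byte at a time so unaligned strings are found too."""
    hits, n, i = [], len(data), 0
    while i < n:
        start, count = i, 0
        while i + 1 < n and data[i] in PRINTABLE and data[i + 1] == 0:
            i, count = i + 2, count + 1
        # i + 1 < n means a full (non-printable) code unit follows the run.
        if count >= min_len and (i + 1 < n or not require_terminator):
            hits.append((start, data[start:i].decode("utf-16-le")))
        if count == 0:
            i += 1  # no run at this offset; re-test from the next byte
    return hits


def strings_report(data, min_len=MIN_LEN, require_terminator=True):
    """Merge both scans into one offset-sorted list of (offset, encoding, text)."""
    rows = [(off, "ascii", s) for off, s in ascii_strings(data, min_len, require_terminator)]
    rows += [(off, "utf-16le", s) for off, s in utf16le_strings(data, min_len, require_terminator)]
    return sorted(rows)


# Constructed sample blob: a fake header, an ASCII name, a run that is too
# short to count, a UTF-16LE case name and an unterminated ASCII tail.
SAMPLE = (b"\x00\x01MZ\x90\x00RECON_LAB\x00ab\xff"
          + "Fraud_Investigation".encode("utf-16-le")
          + b"\x00\x00tail")

if __name__ == "__main__":
    for off, enc, text in strings_report(SAMPLE):
        print(f"{off:#08x}  {enc:<8}  {text}")
```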
10.Bookmark & Tag Evidence#
Tagging & Bookmarking Evidence
Items that are deemed important to the examiner can either be tagged or bookmarked within the case folder. Bookmarking a file is beneficial for annotating files of importance; bookmarking can be done from the main screen with the icon column to the far left. The examiner can also bookmark a file by right-clicking on the file and selecting “Bookmark”. The fastest method of bookmarking a file is to hit the “B” button. The shift button and the up/down arrows can highlight multiple files for simultaneous bookmarking. To select an entire window the examiner will need to highlight the first file, then hold down the shift button, scroll to the last file and click on the last file. All files in the window will then be selected and the examiner can right-click to bookmark, note, tag, etc.
Tagging a file allows an examiner to highlight a specific portion of a file or to differentiate between evidentiary items (i.e. known bad files, possible bad files, certain good files). The examiner can tag a file by right-clicking it, selecting Tag, then selecting the tag name and picking one of the 15 available colors. Values in Hex or in a Plist can be tagged for inclusion in the final examination report.
Examiners can add notes to a specific file or directory. Once the intended file is highlighted, right-click and select Add Note. Type the desired annotation into the window that pops up, and click on Save.
Other key evidence review efforts include marking files as Seen, screenshots, and Quick Look. The small eye icon next to the Tagging column allows for files to be marked as “seen” so the examiner can identify files already reviewed and exclude them from continuous viewing. An examiner can also mark a file as Seen/Unseen within the right-click menu. The text of files marked as seen turns blue. Quick Look at a file can be performed by selecting the file and clicking on the Eye icon in the top toolbar. The fastest method for accessing Quick Look is by hitting the Space Bar. Screenshots are a means of taking a picture of what is currently visible on the examiner’s screen, including content outside of the RECON LAB software window (see the image below).
11.Advanced Analysis#
RECON LAB provides examiners with the ability to perform automated forensics through the use of plugins, and the functionality to do manual analysis of the forensic images. The examiner will also have the capability to analyze artifacts with industry standard tools built into the software.
Hex Viewer
RECON LAB has a built-in Hex Viewer that breaks down large files into multiple pages. The Hex Viewer allows for direct movement to a predetermined page or offset. The examiner also has the option to search by Hex value or by ASCII for items of interest. Items deemed important can be tagged and exported within the Hex Viewer. Hex values can be interpreted as signed, unsigned, little endian, and big endian. In the event the examiner is reviewing a Plist or a SQLite file, there will be an option in the bottom right hand corner to open the file in its respective viewer (see image below).
Plist Viewer
RECON LAB has a built in Plist Viewer that will parse out data from a Plist file. Examiners can manually expand and analyze the Plist attributes, export the content, add notes, bookmark/tag content, and copy the content of a cell or row into the clipboard (see image below).
Windows Registry Viewer
RECON LAB has a built-in Windows Registry Viewer so examiners can perform manual analysis on Windows Registry Artifacts. Many registry artifacts are automatically parsed through the Automated Analysis plugins, but the Registry Viewer allows examiners to dig deeper into Windows Registry files without depending on a third-party tool. The examiner simply has to right-click on a Windows Registry file and select Open With > Registry Viewer.
Content discovered within the Registry Viewer can be tagged, bookmarked, or copied to the clipboard.
SQLite Browser
The built-in SQLite Browser allows for examiners to remain inside the tool and analyze recovered SQLite databases. Each table will open in a new tab so the examiner can review multiple SQLite tables at once. The execute SQL tab permits examiners to run SQLite commands against the database file(s). Anything discovered within the SQLite browser can be exported within the report generator for that specific viewer.
Bucket
During an investigation, an examiner might find multiple Plist files, database files, or numerous other files that need to be reviewed within the Plist Viewer, Hex Viewer, or SQLite Browser. RECON LAB permits examiners to mark these files for analysis at a later time. The examiner can highlight a file of importance, right-click and select Send To Bucket; this function allows examiners to review multiple Plist files all at once during a forensic exam instead of one-by-one (see image below). The Bucket can also be accessed on the left hand sidebar towards the bottom of the screen, so the examiner can see what files are currently stored in the Bucket.
External Application
Some artifacts within a forensic image might not be interpreted by RECON LAB, so the added capability to link third-party applications assists examiners in using all resources available on their Mac to finish the examination. The examiner has to add the external applications to the software either within the RECON CONFIG window on the initial splash screen or by selecting the Configuration icon in the top toolbar. When there is a file of importance, highlight the file, right-click on the file and select Open With External Application. Finally, select the application that you desire to open the highlighted file (see image below).
Email Analysis
RECON LAB will parse out any email files that it identifies and place them into the Email Files section on the left sidebar. The recovered IMAP and POP email artifacts will be sorted by email accounts. The far right window will display the emails stored in the highlighted folder. Email files of importance can be bookmarked, tagged, or noted for reports. The lower window will depict the natural interpretation of the email (human readable format), the email attachments, and the raw data within the .emlx file. A search and filter bar is at the top of the window to include a Show All button (see image below).
Hashset
A key functionality within forensic examinations is the ability to hash files of importance, search the remaining image file for a specific hash value, or filter search results in accordance with a specific hash set. Hash sets can be managed within RECON CONFIG or via the Configuration icon in the top toolbar. The examiner can select Hashset within the FileSystem Module, check the Analyze Hashes box, then click on the + icon to create a new hash set. The examiner will then add the initial MD5 hash value and file title. The hash set is saved as a .sqlite file and can be edited like any standard SQLite file. Hash set hits are listed in the left hand sidebar.
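A minimal hash set kept in a SQLite file and a scan against it, written as an added example for this manual (not RECON LAB's own code); the table layout, the set name case_known_bad and the sample evidence files are assumptions:

```python
"""Added example (not RECON LAB code): a hash set stored in a .sqlite file,
as the manual describes, plus a scan that hashes files with MD5 and reports
which hash set (and which file title) each file matches. The table layout
is an assumption; RECON LAB's own schema is not documented here."""
import hashlib
import io
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS hashset (
    md5          TEXT NOT NULL,   -- lowercase hex digest
    title        TEXT NOT NULL,   -- file title supplied when the entry was added
    hashset_name TEXT NOT NULL,
    PRIMARY KEY (md5, hashset_name)
)"""


def open_hashset(path=":memory:"):
    """Open (or create) the .sqlite hash set file and make sure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def add_entries(conn, hashset_name, entries):
    """Add (md5, title) pairs; digests are normalised to lowercase so that
    sets typed or pasted in uppercase still match."""
    rows = [(md5.strip().lower(), title, hashset_name) for md5, title in entries]
    conn.executemany("INSERT OR IGNORE INTO hashset VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def md5_file(fp, chunk_size=1 << 20):
    """Stream a file object through MD5 so large evidence files are not read at once."""
    h = hashlib.md5()
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def md5_bytes(data):
    return md5_file(io.BytesIO(data))


def scan(conn, files, hashset_name=None):
    """Hash every (path, file object) pair and return the hash set hits.
    hashset_name restricts results to one set, like the manual's filter."""
    query = "SELECT hashset_name, title FROM hashset WHERE md5 = ?"
    tail = ()
    if hashset_name:
        query += " AND hashset_name = ?"
        tail = (hashset_name,)
    hits = []
    for path, fp in files:
        digest = md5_file(fp)
        for name, title in conn.execute(query, (digest,) + tail):
            hits.append({"path": path, "md5": digest, "hashset": name, "title": title})
    return hits


# Constructed demo data. The two digests are the well-known MD5 values of
# the empty file and of the bytes b"abc"; one is deliberately uppercase.
KNOWN_BAD = [
    ("d41d8cd98f00b204e9800998ecf8427e", "empty.dat"),
    ("900150983CD24FB0D6963F7D28E17F72", "abc.txt"),
]


def build_demo_hashset():
    conn = open_hashset()
    add_entries(conn, "case_known_bad", KNOWN_BAD)
    return conn


def sample_files():
    """Constructed 'evidence' files as in-memory streams: (path, file object)."""
    return [
        ("/Users/suspect/Documents/abc.txt", io.BytesIO(b"abc")),
        ("/Users/suspect/Downloads/empty.dat", io.BytesIO(b"")),
        ("/Users/suspect/Documents/notes.txt", io.BytesIO(b"hello")),
    ]


if __name__ == "__main__":
    for hit in scan(build_demo_hashset(), sample_files()):
        print(hit)
```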
Indexing
RECON LAB can perform directory specific indexing as well as the entire image file. The examiner will select the root directory of the mounted image file or folder, right-click and select Add to Text Indexing Queue (see images below).
Once the desired directories are indexed, the examiner can go to the Content Search icon to enter the desired search terms. The search terms can be words, phrases, boolean expressions, GREP, fuzzy searches, or regular expressions. The keywords can be added and removed individually or added in bulk using the Clipboard icon. The search query can then be named at the bottom of the window prior to selecting Start. Once the search is complete, a window prompt will notify you that the search is complete and will ask if you want to review the results right away. The search results will be located underneath the Content Search tab on the sidebar. From those results, items can be sorted, tagged, and bookmarked for additional analysis.
Artifacts Timeline
An examiner can sort recovered artifacts in a graphical layout by specific timestamps. The artifacts timeline function is located in the top toolbar. The examiner will select the desired plugin, the time artifacts of importance, and the time frame in question. A bar or pie chart will be displayed in the main screen to provide the examiner a graphical representation of the artifacts’ frequency and/or time activity. The sections within the graphs can be selected to display the actual recovered artifacts that were annotated in the search.
The Super Time Line Analysis function includes every recognized timestamp on the forensic image between the defined time frames. The function is extremely detailed and includes access times to system files, not just user files. The findings can be exported into a CSV file or a SQLite file.
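The super timeline idea above (one row per recognised timestamp, system files included, limited to a time frame, exported to CSV or SQLite), as an added example that is not RECON LAB code; the file records, inodes and timestamps are constructed and the timestamp field names follow the main window's filter list:

```python
"""Added example (not RECON LAB code): a super timeline built the way the
manual describes it. Every recognised timestamp of every file record becomes
one row, rows are restricted to a defined time frame and sorted, and the
result is exported to CSV or SQLite. All records below are constructed."""
import csv
import io
import sqlite3
from datetime import datetime

# Timestamp columns taken from RECON LAB's filter options.
TIMESTAMP_FIELDS = ("date_modified", "date_changed", "date_accessed", "date_added",
                    "content_creation_date", "content_modification_date", "last_used_date")

RECORDS = [  # constructed file records; timestamps are ISO 8601, UTC assumed
    {"path": "/Users/suspect/Documents/ledger.xlsx", "inode": 1001,
     "date_modified": "2018-09-19T13:25:44", "date_changed": "2018-09-19T13:25:44",
     "date_accessed": "2018-09-20T08:02:10", "date_added": "2018-09-01T09:00:00",
     "last_used_date": "2018-09-20T08:02:10"},
    {"path": "/private/var/log/system.log", "inode": 77,  # system file, not user data
     "date_modified": "2018-09-20T07:59:59", "date_accessed": "2018-09-20T08:00:01"},
    {"path": "/Users/suspect/Pictures/IMG_0001.jpg", "inode": 2048,
     "date_modified": "2018-08-15T17:40:12", "content_creation_date": "2018-08-15T17:40:12",
     "date_added": "2018-09-19T13:30:00"},
]

COLUMNS = ("timestamp", "field", "path", "inode")


def build_super_timeline(records, start=None, end=None):
    """One row per (file, timestamp) pair, sorted chronologically and limited
    to start <= timestamp <= end (ISO strings; None means unbounded)."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    rows = []
    for rec in records:
        for field in TIMESTAMP_FIELDS:
            value = rec.get(field)
            if not value:
                continue  # this record has no such timestamp
            ts = datetime.fromisoformat(value)
            if (lo and ts < lo) or (hi and ts > hi):
                continue  # outside the examiner's time frame
            rows.append({"timestamp": ts.isoformat(), "field": field,
                         "path": rec["path"], "inode": rec["inode"]})
    rows.sort(key=lambda r: (r["timestamp"], r["path"], r["field"]))
    return rows


def to_csv(rows):
    """Render the timeline as CSV text (header row first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_sqlite(rows, path=":memory:"):
    """Write the timeline into a SQLite database and return the connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE timeline (timestamp TEXT, field TEXT, path TEXT, inode INTEGER)")
    conn.executemany("INSERT INTO timeline VALUES (:timestamp, :field, :path, :inode)", rows)
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM timeline").fetchone()[0]


if __name__ == "__main__":
    window = build_super_timeline(RECORDS, "2018-09-19T00:00:00", "2018-09-20T08:01:00")
    print(to_csv(window))
```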
RAM Analysis
Examiners can perform three different RAM analysis functions: File Carving, Volatility plugin parsing, and Password Carving (LE Only).
Examiners can right-click on the raw RAM file and select Carve Files.
The examiner can select specific file formats from four categories: images, office documents, miscellaneous files, and audio/video files. The examiner then names the carving job before clicking on Start.
Saved results will be accessible in the bottom left hand corner of the RECON LAB sidebar under the title Carved Files. A new Finder window carrying the chosen label name will also open on the desktop; it contains the carved files sorted by file type.
Volatility configuration can be performed prior to a case initialization under RECON Config on the main splash screen or the Configuration icon within an active case. Ensure the profiles necessary for the RAM build you expect to analyze are stored in the volatility-master/volatility/plugins/overlays folder(s).
Click on the RAM Analysis icon to access the RAM Analysis module. Under Source, your RAM dump will automatically be loaded unless your case has multiple RAM dumps. You can select the refresh icon to the right of the Source drop-down box to refresh the available RAM dump files. Under Operating System, select the appropriate OS for the RAM dump you are analyzing (i.e. Windows/winOS, macOS). The next drop-down box titled Build Version will consist of all the accessible RAM Build Versions; select the one that matches the RAM dump currently in your case. This information is normally obtained during the RAM acquisition phase. Lastly, under the Artifacts field, select the desired artifacts plugin (i.e. List Process Threads) and click on Execute. The results of the Volatility RAM query will be presented in the Command Output display. The results can be saved or exported from the Command Output screen.
The Carve Password function is a function that is only enabled for vetted law enforcement personnel. The Carve Password icon to the right of the Source field will run numerous proprietary algorithms to identify possible login and keychain passwords located within the RAM extraction.
12.Reporting#
Examiners will have the ability to export content that is deemed relevant from forensic images or the automated plugins in the style of their choosing. RECON LAB allows examiners to generate report findings in the 3 following ways:
- The file content of an image or a directory can be exported into a CSV file, commonly known as the Clinger List report.
- Files that are bookmarked or tagged can be added into Story Mode for a custom report.
- The Global Report option creates a report from the automated plugins that is similar to reports created in RECON for Mac OS X.
Clinger List
The examiner that wants to export the file listing and relevant metadata associated with the files only needs to select the Export as CSV button on the upper right hand portion of the screen (see image below). To display all the allocated files residing within folders on the main screen, the examiner must check the box that says recursive or select the black square icon to the right of the Export as CSV button.
Global Report
The second reporting option within RECON LAB is the Global Report, which most RECON for Mac OS X customers are familiar with. The Global Report function allows an examiner to choose between two output options:
- Tags – Artifacts that were bookmarked and/or tagged
- Full – Particular automated plugin artifacts
The examiner can select to generate the report in any of the following formats:
- Advance HTML
- Standard HTML
- CSV
- XML
The examiner can also check the Export Files box to ensure all the accessible files are exported with the report. The examiner will select the Global Report icon to initiate the automated report (see image below).
The examiner will confirm the case information and select Next, then select either a Tags or Full report, the report type and the Export Files checkbox, and confirm the report name and report path. It should be noted that the Report Name and Report Path can be edited. Once all of those items are addressed, the examiner will click on Report to complete the report generating process.
Once the report has been generated, the software will display a notification that states the report is finished. There will be a Finder icon to the right of the report title that will take the examiner directly to the finished report.
StoryBoard Mode Report
StoryBoard Mode contains a built-in Word Processor and the ability to add evidence items that were either bookmarked or tagged during the analysis portion of the forensic investigation. Artifacts from the automated plugins, manual navigation of the image files, or from the built-in data viewers (i.e. hex viewer, plist viewer, sqlite browser) can be tagged or bookmarked. The examiner can add images to the report, save the report periodically, and insert evidence file details or the actual evidence files. The examiner can export the final report as a PDF file or an ODF file.
The examiner will need to click on the Story icon in the main toolbar. A secondary drop-down window will appear; that is where the examiner will give the report a name and then click on Create (see image below).
The examiner can then start writing the narrative report and injecting evidence artifacts as needed. The evidence items are displayed in the upper window along with the timeline of the bookmarked items in the event the examiner wants to add them in chronological order of discovery. When the examiner highlights the file of importance and right-clicks on the file, the following options are displayed:
- Add Record to Story – Inserting the details of the evidence file into the report.
- Add File to Story – Inserting the actual evidence file into the report as a hyperlinked item.
- Copy to clipboard – Copies the contents of the selected evidence item to your Mac’s clipboard; designed for highlighted text, hex, and strings artifacts.
- Go to Record – Takes the examiner directly to the location of the specific bookmarked/tagged item.
- Quick Look – Utilizes Mac’s native Quick Look feature to open/review the selected file.
To update the bookmarks/tags upon your return to Story Mode, click on Show All icon to refresh the screen. Refer to the image below for the layout of the Story Mode’s functions.
After all the desired screenshots, tags, bookmarks, noted files, and written narrative are added to the StoryBoard report, you save the report and export it in HTML, ODT, or PDF format. The default location of the StoryBoard report is the Story_Board folder located within the case folder/Lab_Features/Story_Board. The examiner can relocate the Report folder to the directory of their choosing.
13.Shutdown RECON LAB#
To close RECON LAB you can close the window by clicking on the red X in the top left hand corner of the application window. Another means of shutting down RECON LAB is to select the RECON LAB window, then go to the top Finder toolbar and select RECON_LAB; then select Quit RECON_LAB.
In the event that the software becomes unresponsive, you can go to the Apple icon in the top left hand corner and select Force Quit. Once you select Force Quit, a secondary window will pop up where you can select RECON LAB to Force Quit to close it abruptly.
14.Updating RECON LAB#
RECON LAB comes with one full year of updates. After your license has expired you will be required to purchase an additional year in order to continue to receive updates. RECON LAB will not allow for continuous usage once your license expires.
You can find your license expiration date by looking in the bottom right hand corner of the initial splash screen during software startup (see image below).
RECON LAB updates can be found here:
Please follow the instructions below EXACTLY in order to properly update RECON LAB.
- For best results, we recommend your forensic Mac is up to date with the latest version of macOS (10.13.x) and has an i7 Quad Core Processor (or greater) with 16GB (or greater) of RAM
- Install the current version of Xcode with Command-Line Tools (Download from the Mac App Store)
- Download and install the latest version of FUSE for macOS
- Move the old RECON_LAB.app to the Trash and empty your Trash
- Download the latest version of RECON LAB from //goo.gl/wWm2qi
- Copy the new RECON_LAB.app to your Desktop; copy the license folder to the USB drive
- Double-click on the RECON_LAB.app; you’ll be prompted to enter your license file. Navigate to the license file stored in your license folder on the USB drive
- If you prefer to start RECON LAB from the LaunchPad, then you’ll need to move the RECON_LAB.app to the Applications folder; then run xattr -c /Applications/RECON_LAB.app in your Mac Terminal
- Ensure your license file is still present on your RECON LAB USB and inserted into your Mac when starting RECON LAB
15.Customer Support#
For support and troubleshooting please fill out a support ticket at SUMURI’s Help Desk:
SUMURI is located in Delaware, USA and our offices are open 0900 – 1700 EST (9AM – 5 PM). SUMURI offices are closed during US Federal Holidays.
Help Tickets are typically handled during regularly scheduled business hours.
For comments or feature requests please email us at:
16.Training#
Training on critical Macintosh Forensics best practices can be available to scheduled participants for the following training courses:
SUMURI also provides professional services to corporate, government, & law enforcement entities worldwide for the following needs:
- eDiscovery
- Data Preservation
- Data Recovery
- Password Recovery
- Mobile Device Forensics
- Mac Forensics
- Computer Forensics
- Remote Services
17.End User License Agreement#
RECON LAB is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This RECON LAB is licensed, not sold.
End User License Agreement
This End User License Agreement (‘EULA’) is a legal agreement between you (either an individual or a single entity) and SUMURI LLC with regard to the copyrighted software (herein referred to as RECON LAB or ‘software’) provided with this EULA. The RECON LAB includes computer software, the associated media, any printed materials, and any ‘online’ or electronic documentation. Use of any software and related documentation (‘software’) provided to you by RECON LAB in whatever form or media, will constitute your acceptance of these terms, unless separate terms are provided by the software supplier, in which case certain additional or different terms may apply. If you do not agree with the terms of this EULA, do not download, install, copy or use the software. By installing, copying or otherwise using RECON LAB, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, SUMURI LLC is unwilling to license RECON LAB to you.
Eligible License – This software is available for license solely to software owners, with no right of duplication or further distribution, licensing, or sub-licensing.
License Grant – SUMURI LLC grants to you a personal, non-transferable and non-exclusive right to use the copy of the software provided with this EULA. You agree you will not copy or duplicate the software. You agree that you may not copy the written materials accompanying the software. Modifying, translating, renting, copying, transferring or assigning all or part of the software, or any rights granted hereunder, to any other persons and removing any proprietary notices, labels or marks from the software is strictly prohibited. Furthermore, you hereby agree not to create derivative works based on the software. You may not transfer this software.
Copyright – The software is licensed, not sold. You acknowledge that no title to the intellectual property in the software is transferred to you. You further acknowledge that title and full ownership rights to the software will remain the exclusive property of SUMURI LLC and/or its suppliers, and you will not acquire any rights to the software, except as expressly set forth above. All copies of the software will contain the same proprietary notices as contained in or on the software. All title and copyrights in and to RECON LAB (including but not limited to any images, photographs, animations, video, audio, music, text and ”applets,” incorporated into RECON LAB), the accompanying printed materials, and any copies of RECON LAB, are owned by SUMURI LLC. RECON LAB is protected by copyright laws and international treaty provisions. You may not copy the printed materials accompanying RECON LAB.
Reverse Engineering – You agree that you will not attempt, and if you are a corporation, you will use your best efforts to prevent your employees and contractors from attempting to reverse compile, modify, translate or disassemble the software in whole or in part. Any failure to comply with the above or any other terms and conditions contained herein will result in the automatic termination of this license and the reversion of the rights granted hereunder to SUMURI LLC.
Disclaimer of Warranty – The software is provided ‘AS IS’ without warranty of any kind. SUMURI LLC and its suppliers disclaim and make no express or implied warranties and specifically disclaim the warranties of merchantability, fitness for a particular purpose, and non-infringement of third-party rights. The entire risk as to the quality and performance of the software is with you. Neither SUMURI LLC nor its suppliers warrant that the functions contained in the software will meet your requirements or that the operation of the software will be uninterrupted or error-free. SUMURI LLC is not obligated to provide any updates to the software for any user who does not have a software maintenance subscription.
Limitation of Liability – SUMURI LLC’s entire liability and your exclusive remedy under this EULA shall not exceed the price paid for the software, if any. In no event shall SUMURI LLC or its suppliers be liable to you for any consequential, special, incidental or indirect damages of any kind arising out of the use or inability to use the software, even if SUMURI LLC or its supplier has been advised of the possibility of such damages, or any claim by a third party.
Rental – You may not loan, rent, or lease the software.
Transfer – You may not transfer the software to a third party, without written consent from SUMURI LLC and written acceptance of the terms of this Agreement by the transferee. Your license is automatically terminated if you transfer the software without the written consent of SUMURI LLC. You are to ensure that the software is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 USD will be charged to transfer the software (not applicable to transfers associated with orders from distributors, or resellers or intra-company transfers).
Upgrades – If the software is an upgrade from an earlier release or previously released version, you now may use that upgraded product only in accordance with this EULA. If RECON LAB is an upgrade of a software program which you licensed as a single product, then RECON LAB may be used only as part of that single product package and may not be separated for use on more than one computer.
OEM Product Support – Product support for RECON LAB is provided by SUMURI LLC. For product support, please call SUMURI LLC. Should you have any questions concerning this, please refer to the address provided in the documentation.
No Liability for Consequential Damages – In no event shall SUMURI LLC or its suppliers be liable for any damages whatsoever (including, without limitation, incidental, direct, indirect, special and consequential damages, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use or inability to use this ‘SUMURI LLC’ product, even if SUMURI LLC has been advised of the possibility of such damages. Because some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
Indemnification By You – If you distribute the software in violation of this Agreement, you agree to indemnify, hold harmless and defend SUMURI LLC and its suppliers from and against any claims or lawsuits, including attorney’s fees that arise or result from the use or distribution of the software in violation of this Agreement.
Jurisdiction – The parties consent to the exclusive jurisdiction and venue of the federal and state courts located in the State of Delaware, USA, in any action arising out of or relating to this Agreement. The parties waive any other venue to which either party might be entitled by domicile or otherwise.
RECON for Mac OS X is a single distribution that works in the field on live systems and also back at the lab to allow analysis of all popular forensic image formats.
Forensodigital, in association with SUMURI LLC, USA, has developed the Mac OS X based forensic tool RECON for digital triage. RECON is a tool which can be used by both novice and expert forensic examiners. It can be used for live systems and mounted media analysis. With minimal user interaction, RECON extracts artifacts and produces hundreds of reports in different formats.
Key Features:
- Supports Mac OS X 10.7, 10.8, 10.9 and 10.10
- Reporting formats – HTML, PDF, XML and CSV
- Artifact timeline
- File timeline
- Global Search, Metadata and Media preview
- Bookmarking option
- Export files
- Identify virtual machines and export them
- Chat timeline
- Keychain password extraction
- RAM imaging
Get RECON for Mac OS X combined with 10 hours of online, on-demand training. Learn to harness the power of automated Mac forensics. Successful completion of the training course leads to certification in RECON for Mac OS X. Students receive lifetime access to the curriculum for version 1, including future updates on new features and forensic plugins.