Mac Marshal is a tool to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications.
Mac Marshal Forensic Edition runs on an investigator's workstation to analyze a Mac disk image.
Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM.
Mac Marshal follows forensic best practices, maintains a detailed log file of all activities it performs, and produces reports in RTF, PDF, and HTML formats.
Version 1.0 was released in January 2009, available at no cost to US law enforcement, with a commercial version available to non-law enforcement. Version 2.0 was released in November 2010, adding live analysis in the Field Edition and the ability to take a snapshot of the target machine's physical RAM. Version 3.0 was released in November 2011 and can run on both Mac OS X and Windows XP and later.
Authors
Mac Marshal was developed by ATC-NY, supported in part by the US National Institute of Justice (NIJ). The project was originally named MEGA.