OS X Forensic Tools and Utilities

Posted on Apr 25, 2011

At some point, you may find yourself in a position where you need to do some heavy data recovery or other forensic-related tasks. With the exception of tools limited to those in law enforcement, I have found that there are a number of great forensic tools available for the OS X platform.

In this article, I will be highlighting some fantastic forensic utilities that I think will yield the kind of results you might be looking for. As a reminder, however, I don’t believe that these are applications that would be considered anything above enterprise grade. The law enforcement stuff is just for law enforcement, so please do not ask for links to those items. Wherever possible, free or open source solutions will be listed.

Disk Arbitrator – designed to act as a user interface to the Disk Arbitration framework, Disk Arbitrator gives its users the ability to keep data intact on the target disk. While not really a software write blocker in the truest sense, it’s been compared to one more often than not.

AD Triage – I like to call AD Triage forensic software for newbies. If you have no idea what you’re doing, this would be a good place to start. Built on FTK technology, AD Triage allows its user to preserve evidence immediately without struggling with the normal learning curve associated with this sort of thing.


Mac Marshal Forensic Edition – A very nice OS X solution for analyzing OS X partitions and log files, and it will poke holes right through FileVault-protected directories. Best suited for newer Macs, this will run on OS X going back more than a few releases.

Who needs forensic tools?

Most of us don’t need forensic utilities, to be honest. And in most regions, there are strict laws forbidding you from using this software on anyone’s computer without express permission. So common sense applies. If, however, you own a small business and suspect that something has been going on with a PC you own, then one of these tools might be a good idea to put into play.