Mac Marshal Field Edition™

Examine running machines "live" with the Mac Marshal Field Edition™!  The Field Edition is available on a USB drive and requires no installation to run. With all of the features of the Forensic Edition, the Field Edition can also be used on an investigator's workstation in the lab to examine disk images.

Additional Features

  • Physical Memory acquisition gathers a snapshot of RAM before you shut the computer down
  • Live State acquisition tools allow you to examine the volatile state of a live machine, such as running processes, current screenshot, and list of active network connections, before seizing it


  • Live investigation: suspect machine running Mac OS X 10.4 through 10.7 (PowerPC G4 or newer, or any Intel processor)
  • In-lab investigation: Mac OS X 10.4 through 10.7, or Microsoft Windows XP or newer.  (Spotlight searches and FileVault home directory analysis require Mac OS X.)
  • A separate USB disk for acquired data storage is recommended


The sections below show Mac Marshal Field Edition in action. It offers all features of the Forensic Edition and can examine live system state.

Mac OS X Application Analysis

Mac Marshal analyzes files written by the operating system and many common Mac OS X applications; in this screenshot, the investigator examines recently-opened applications and documents.

Partition Analysis

Shows detailed information for an HFS+ partition and offers instant access to Spotlight search and Spotlight Images search.

Selecting a Target Disk to Analyze

Mac Marshal can analyze attached disks or partitions directly, or can operate on dd, Guidance Software EnCase, AccessData FTK, and AFF format images.

Spotlight Images

Example Spotlight Images analysis, which shows all images on the target drive, including EXIF metadata such as camera make and model.

Running Processes Listing

Mac Marshal Field Edition shows live system state information, such as running processes, network connections, and open files.