Mac Marshal Field Edition™
Examine running machines "live" with the Mac Marshal Field Edition™! The Field Edition is available on a USB drive and requires no installation to run. With all of the features of the Forensic Edition, the Field Edition can also be used on an investigator's workstation in the lab to examine disk images.
- Physical Memory acquisition gathers a snapshot of RAM before you shut the computer down
- Live State acquisition tools allow you to examine the volatile state of a live machine, such as running processes, current screenshot, and list of active network connections, before seizing it
- Live investigation: suspect machine running Mac OS X 10.4 through 10.7 (PowerPC G4 or newer, or any Intel processor)
- In-lab investigation: Mac OS X 10.4 through 10.7, or Microsoft Windows XP or newer. (Spotlight searches and FileVault home directory analysis require Mac OS X.)
- A separate USB disk for acquired data storage is recommended
Click on the headings and images below to view Mac Marshal Field Edition in action. It offers all features of the Forensic Edition and can examine live system state.
Mac Marshal Field Edition shows live system state information, such as running processes, network connections, open files, etc.