The MacLockPick, Live Forensics for Your Mac
This is one cool little USB drive, and I am currently looking for a Windows version, drop a comment if you know of one. The MacLockPick is a USB device that will allow you to perform live computer forensics on a suspects Mac OS X system, once the software is run, the drive will extract data from the Apple Keychain and system settings to give the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.
MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers. Source: MacLockPick, live forensics for OS X via MacUser
Here is some of the data you will have after the software runs:
Files that have been viewed in the preview program.
Recent QuickTime file names.
Recent Applications, Documents, and Servers.
IM default login and buddy list.
Email account details, address book and opened attachments.
Complete web history, including search strings in the Google toolbar, cached bookmarks, current bookmarks, cookies, and browsing history, including the number of times visited and the date and time of the most recent visit!
Serial numbers of attached iPods.
Unfortunately, this device if for law enforcement only, you must provide proof that you are a licensed law enforcement professional and that the use of this technology is legal on federal, state and local levels.