Mac Forensics Part 2 (Acquisition)

Method 1: Remove the hard disk and image it using forensic equipment/software.

  • Advantage: This is the generally accepted method for all systems. Imaging this way can be done with all common forensic equipment/software.
  • Drawback: Requires disassembling the system. Apple uses custom screws on some of its models. On top of that, Apple uses a different SSD connector in its MacBook Air model [Link].

Method 2: Forensic Linux Boot CD.

  • Advantage: Many options are available (e.g. Sumuri’s Paladin). Typically, read-only mode is enabled on boot for all storage media.
  • Drawback: Remember to test (and retest) before using one. Some Linux CDs are not updated frequently or lack driver support. One limitation is that some Linux CDs cannot write the image to an NTFS or HFS partition.

Method 3: Target Disk Mode

  • Advantage: Allows a Mac to be turned into an external hard disk. Quick and easy way to image the hard disk without opening the system. Allows a ‘field mode’: artifacts can be viewed instantly on a Mac before imaging.
  • Drawback: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus; it will not connect to Slave ATA, ATAPI, or SCSI drives [Link]. Remember to put the device into write-block mode!!

Method 4: Commercial Mac Imaging Tool

  • Advantage: Most tools generally work well on most models. Support and bug fixes are usually prompt.
  • Drawback: Remember to test these tools on the latest Mac you can lay your hands on. It usually takes a while before upgrades are available.

As a rule of thumb, a good forensic examiner must be armed with more than one method to image a system, especially when in the field. It is also important to monitor upgrades, test (and retest), and keep an open mind about trying out new methods/tools. Do let me know if you have new methods. Thanks!!
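Methods 2 and 3 both end in the same step: read the disk behind a write blocker, write it out as a raw image, and prove the copy is faithful. As an added example (not part of the original post), here is that step as a small POSIX shell function for a Linux boot CD or a host with the Mac attached in Target Disk Mode; the device path, image path and block size are assumptions, and the source is assumed to already sit behind a write blocker.

```shell
#!/bin/sh
# Added example, not from the original post: raw-image a source device with
# dd and verify the image against the source by SHA-256.

sha256() {
  # sha256sum on Linux boot CDs, shasum on Mac OS X.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_image SOURCE IMAGE
# Returns 0 when the image hashes identically to the source, 1 otherwise.
# The image hash is written to IMAGE.sha256 so it travels with the evidence.
verify_image() {
  src_hash=$(sha256 "$1")
  img_hash=$(sha256 "$2")
  printf '%s  %s\n' "$img_hash" "$2" > "$2.sha256"
  [ "$src_hash" = "$img_hash" ]
}

# image_and_verify SOURCE IMAGE [BLOCKSIZE]
# SOURCE is e.g. /dev/sdb (assumed path) for a Mac in Target Disk Mode.
image_and_verify() {
  src=$1; img=$2; bs=${3:-512}
  # conv=noerror,sync keeps reading past bad sectors and zero-fills the
  # unreadable block so offsets stay aligned with the source. Caveat: sync
  # pads a short final block, so BLOCKSIZE must divide the source size
  # exactly or the hashes will never match; 512 is safe for any disk.
  # dd's stderr (read errors, block counts) is kept beside the image.
  dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.log" || return 1
  verify_image "$src" "$img"
}
```

Run as `image_and_verify /dev/sdb /mnt/evidence/mac.dd` (paths are placeholders); a non-zero exit means the image does not match the source and must not be relied on.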

Mac OS X Startup Commands

  • Available Startup Option: (Hold) Option
  • Boot from CD: (Hold) C
  • Target Disk Mode: (Hold) T
  • Start in Hardware Test Mode: (Hold) D
  • Force Mac to startup: (Hold) X
  • Safe Boot Mode: (Hold) Shift
  • Network Boot: (Hold) N
  • Bypass primary startup volume: Option + Command + Shift + Delete
  • Reset PRAM and NVRAM: Option + Command + P + R
  • Verbose Boot: (Hold) Command + V
  • Single User Mode: (Hold) Command + S
  • Start in Recovery: (Hold) Command + R
  • Eject CD: Hold mouse button, or Fn + F12, Eject button

Common Shortcuts in Mac OS X

  • Right Click: Control + Mouse Click
  • Switch applications: Command + Tab
  • Screen Capture (Full): Command + Shift + 3
  • Screen Capture (Selective): Command + Shift + 4
  • Screen Capture (Window): Command + Shift + 4 + spacebar
  • Close Window: Command + W
  • Hide Finder: Command + H
  • Save: Command + S
  • Print: Command + P
  • Show Info: Command + I
  • Connect to Server: Command + K
  • Copy: Command + C
  • Paste: Command + V
  • Quit Application: Command + Q
