Last week, I wrote about how to forensically image the internal hard drive on a Mac laptop without needing to physically remove the drive. If your workspace doesn’t have the necessary tools to follow that tutorial (a firewire cable, a firewire port on the Mac you’re imaging, and a firewire port on a PC partitioned with BitCurator), we offer an alternative in this post.

The Mac laptop we wanted to forensically image.

We recognize that you might not have the correct devices on hand to follow the instructions in the previous post. In that case, you may want to open the laptop to temporarily remove the hard drive for forensic imaging within the BitCurator environment, which means you’ll need a cable that connects a hard drive to your imaging computer (probably a SATA cable). You can also opt to make a forensics image outside BitCurator and then import the image into BitCurator for exploration.

Note that the issue complicating this imaging process is specific to Mac laptops; Linux and Windows laptops wouldn’t require target disk mode and the trouble that causes. Target disk mode works with other Macs (perhaps obviously) and Linux machines; I wasn’t able to get a Windows machine to recognize the Mac laptop in target disk mode. I’ve read that commercial software called MacDrive (currently about $50 for use on one PC) will let you connect a Mac in target disk mode to a PC, but this would not make the Mac drive also available in the Windows computer’s BitCurator VM; unfortunately, VirtualBox is unable to take firewire input. It’s possible you could get around this issue by using other virtualization software, but VirtualBox is the best free/open-source option. That leaves us with using either a Mac or Linux machine to create our backup of the Mac laptop; in our example, I used a Mac to create the backups.

We’ll walk you through how to first lessen the risk of tampering with a laptop’s insides by securing a forensic image outside of BitCurator. Opening up the laptop, removing the drive, and later trying to put everything back risks the laptop refusing to start or otherwise being damaged: maybe you break something, or can’t get things to fit back together. If you don’t have another way to gather a forensics disk image packaged with metadata about the imaging, though, opening the laptop up can be an acceptable risk. All computers fail eventually, and we’d rather have a good forensics disk image of the laptop now than more years with the laptop working but no forensics image preserved. We thus recommend you forensically image the laptop’s hard drive before opening it, or choose to create a forensics image with one of the non-BitCurator options discussed below and import the image into BitCurator. Opening up the computer is only necessary if none of these forensics imaging programs are right for you, your Mac laptop doesn’t have a firewire port, or if you prefer to do all your forensic work inside the BitCurator environment. For either method, you’ll need a firewire cable and another Mac (with a firewire port) on which to image the laptop.

First, we need to protect the laptop from having the connected machine write back to it during the imaging process. This wasn’t a major concern in our example, as Larsen’s laptop has already been explored by researchers at MITH, but it’s good practice nonetheless, especially if you use a command-line imaging method, where a simple mis-typing could accidentally erase your device. Our WiebeTech Forensic ComboDock works well for most write-blocking purposes, but it doesn’t have the firewire input and output needed to work with a Mac in target disk mode. The Tableau T9 Firewire Forensic Bridge is a hardware option that does accept both firewire input and output, but we didn’t have one on hand. We thus used software write-blocking instead, installing Aaron Burghardt’s Disk Arbitrator to protect the laptop.

Imaging time!

Leaving the computers alone during imaging.

Begin by putting the Mac laptop you want to image into target disk mode: Hold down the t key and turn the laptop to be imaged on. Continue to hold down the t key until the target disk mode image appears on the screen (see photo below).