New iMac (A1418) Imaging Issues


Posted: Mon Oct 14, 2013 7:15 am

Anyone having any luck imaging these without disassembly or imaging live? Having no joy with Paladin v4 or v5 or MacQuisition.

Thanks.  

garybrevans
Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Mon Oct 14, 2013 8:03 pm

When you say no joy... do you mean that none of those boot CDs work or they work and image but you get nothing?

Are you able to boot the imac with those CDs?
Are you pressing the OPTION key to get the boot menu and do you see the boot CD as a bootable option?

-=Art=-  

4n6art
Senior Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Tue Oct 15, 2013 12:18 am

Try Kali-Linux. It has a forensic mode. Very easy to work with.  

clownboy
Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Tue Oct 15, 2013 7:12 am

I mean that all boot CDs we have tried thus far hang at some point during the boot process.

I'm not that keen to take a heat gun to the screen and start taking them to bits. Last time I did that I had enough parts left over to make an iPhone 5.

The plan for today is to boot the suspect iMac in TDM.

Boot a second Mac (with Thunderbolt) with Paladin v5. Attach a target disk to this for the image files to go on.

Then, attach the suspect iMac to the second Mac via Thunderbolt. With any luck the suspect Mac will be seen as an external attached device in the second Mac and can then be imaged.  

garybrevans
Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Tue Oct 15, 2013 10:01 am

Above did not work as the Thunderbolt connected suspect iMac was not recognised as an external storage device on the host Mac.

garybrevans
Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Tue Oct 15, 2013 6:38 pm

The last one we did had the Fusion drive in it, which is a separate SSD linked to the hard drive, installed in very separate locations.

We found this out after disassembly and trying to image the hard drive alone. The image from the hard drive alone was unrecognized by EnCase, FTK and BlackBag.

BlackBag's MacQuisition worked when we put it together, imaging from thumbdrive. It would not see the external HDD until we formatted it properly.

John_Smith
Member
 
 
  

Re: New iMac (A1418) Imaging Issues

Posted: Tue Oct 15, 2013 8:18 pm

Having read through the post here I did some playing around and a bit of research. Did you try the TDM with FireWire?

Forgive me if I offer advice that you already know. You could do this.

1. Analysis machine is the same Mac, but not booted from a forensic disk.
2. In Terminal, disable disk arbitration on the analysis machine using: sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
After disabling disk arbitration you will not be able to mount or eject a disk.
3. In Terminal, type mount and note the results, then type ls -l /dev/disk*, noting the result.
4. Next, connect the FireWire cable to the target device and the analysis FireWire port.
5. Boot the target device while holding the "T" on the keyboard.
6. With the device booted, verify that it didn't mount on the analysis machine by repeating step 3. You should see the same mount information as before connecting the target device. However, when listing /dev/disk* you will see the target device, /dev/diskn.
7. You can then acquire the target disk using dd or a similar utility to a forensically sterile device attached to the analysis machine.

I tested this to make sure it worked.

To make it forensically sound, you run a FireWire write-block inline to the target. And, using dcfldd or a similar command, include hash verification of the target and image to ensure they match.

One more thing. I found this in an Apple support blog, "...Note: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives..."

I didn't see where TDM supports Thunderbolt and I haven't tested it yet. So, if you have the fusion HD configuration and/or Thunderbolt connection for the TDM, I am not sure if you will be successful.

Good Luck,

Scott
_________________
Scott Ware
MSDF, CFCE 

sgware
Member
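The before/after comparison from steps 3 and 6 and the hashed acquisition from step 7, as an added example that is not part of the original post. The function names are hypothetical, SHA-256 is an assumed choice of hash, and the snapshot files are assumed to hold saved output of mount and ls /dev/disk*.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the Target Disk Mode
# acquisition procedure described above. All function names are hypothetical.

# Portable SHA-256 of a file or device node (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Steps 3 and 6: print device nodes that appear only in the second listing.
# Each argument is a file with one device path per line.
new_devices() {
    sort "$1" > "$1.sorted"
    sort "$2" > "$2.sorted"
    comm -13 "$1.sorted" "$2.sorted"
    rm -f "$1.sorted" "$2.sorted"
}

# Step 6: succeed only if the saved mount output is identical before and after.
mounts_unchanged() {
    cmp -s "$1" "$2"
}

# Step 7: image src to dst, hash both, record the hashes, succeed only on a match.
# No conv=sync is used, so a read error aborts instead of padding the image.
acquire_and_verify() {
    src=$1; dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2; return 2
    fi
    dd if="$src" of="$dst" bs=1048576 2>/dev/null || return 3
    src_hash=$(sha256_of "$src") || return 3
    dst_hash=$(sha256_of "$dst") || return 3
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Typical use (paths are placeholders):
#   mount > mounts.before; ls /dev/disk* > disks.before
#   ...connect the target and boot it holding T...
#   mount > mounts.after;  ls /dev/disk* > disks.after
#   mounts_unchanged mounts.before mounts.after && new_devices disks.before disks.after
#   acquire_and_verify /dev/diskN /Volumes/EVIDENCE/target.dd
```
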
 
 
