
Taking forensic image of a live (open) MAC computer

ttcobadan
(@ttcobadan)
Posts: 12
Active Member
Topic starter
 

Hello,

I am searching for a way to take an image of an open (live) MAC computer (hard disk). But this job needs the root password. Is there a way to bypass the root password or learn the root password? Is there a way to take an image of a MAC computer? Any source or advice will be good.

Thanks for any reply.

 
Posted : 30/10/2012 6:13 pm
(@sgware)
Posts: 42
Eminent Member
 

What is the goal in this exercise? Are you conducting an investigation? Are you helping a friend with password recovery?

About the machine. What type of MAC is it? What OS version? Is there a reason it has to remain running in the current state? (assumed running but password protected). If you were able to power it off and boot in target disk mode, more options are available to you.

In reference to the password, you have to be able to access the password hash before using a tool like jtr to crack it. So, you need access to the file system for that.

Disabling disk arbitration, mounting the device in target disk mode, acquiring an image, verifying the image (hash the media and image file), making a copy of the image to play with is the best option I have.

Note: connecting the two machines with a FireWire cable, disk arbitration disabled, will not provide you with a target drive to mount. You will have to shut down the "other" machine and boot in target disk mode. Then, you will be able to see the /dev/rdisk and /dev/disk block devices to manually mount.

Scott

 
Posted : 30/10/2012 10:10 pm
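The acquire, verify and working-copy steps listed in the post above, as added Python that is not from any poster in this thread. It assumes a static source (a drive in target disk mode with disk arbitration disabled), so a second read of the media hashes the same; `acquire`, `sha256_of`, `demo` and all file names are hypothetical, and the demo runs on a constructed file rather than a real `/dev/rdiskN`.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read size in bytes (assumption; tune per device)


def sha256_of(path):
    """Stream a file or raw device through SHA-256."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, working_copy):
    """Image source, verify by hash, then make a working copy."""
    acquired = hashlib.sha256()
    # "xb" refuses to overwrite an existing evidence file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acquired.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    media_hash = sha256_of(source)  # independent second read of the media
    image_hash = sha256_of(image)   # what actually landed on disk
    os.chmod(image, 0o444)          # master image becomes read-only
    shutil.copyfile(image, working_copy)
    copy_hash = sha256_of(working_copy)
    verified = acquired.hexdigest() == media_hash == image_hash == copy_hash
    return {"media": media_hash, "image": image_hash,
            "copy": copy_hash, "verified": verified}


def demo():
    """Run on a constructed file standing in for /dev/rdiskN."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "fake_rdisk.bin")  # constructed sample
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))  # not a multiple of CHUNK
    return acquire(source, os.path.join(work, "evidence.dd"),
                   os.path.join(work, "working.dd"))


if __name__ == "__main__":
    print(demo())
```

On a machine that is still running, the media changes between reads, so the media hash and image hash will not match; in that case only the image and its copies can be compared with each other.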
ttcobadan
(@ttcobadan)
Posts: 12
Active Member
Topic starter
 

Sorry, my mistake. I had to clarify the subject. This is for a project and I am searching for a way or method for any kind of Mac machine. The problem is the Mac machine is open and I want to take an image without shutting down. That's the main goal of the project.
There are some programs, or just using the dd command, but for the imaging job the MAC system wants the root password.

Unfortunately I have no deep Mac knowledge to find a way for this project. But target disk mode needs a shutdown or restart.
I will search for jtr.

Thanks.

 
Posted : 31/10/2012 11:37 am
(@sgware)
Posts: 42
Eminent Member
 

It appears my assumption that the screen is locked isn't so. Then, you have many options. Here is a link to get you started.

About the password, there are lots of articles on the web. Some are good reads. My advice is to just do a lot of reading and experimenting.

Good luck,

This one is a bit out of date, but, directionally correct:

http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf

 
Posted : 31/10/2012 3:18 pm
ttcobadan
(@ttcobadan)
Posts: 12
Active Member
Topic starter
 

Thank you

I think there is a lot of work to do.

Let's read something.

 
Posted : 31/10/2012 4:17 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Can you not just use FTK Imager CLI for Mac?

Unless you need root password to run programs as well…

 
Posted : 02/11/2012 4:31 am
ttcobadan
(@ttcobadan)
Posts: 12
Active Member
Topic starter
 

FTK Imager is OK for imaging a Mac, but when I try to take an image of the whole hard drive it needs the root password.

There are a few more programs like FTK, but I think the main focus of my problem must be learning the root password.

The direction might be this way. Disk-level processes or commands need the root password???

Sorry for my English. It is weak.

 
Posted : 02/11/2012 4:24 pm
(@sgware)
Posts: 42
Eminent Member
 

Have you done the basic research to understand how user account ID/passwords work on a MAC, or, a BSD variant? Once you have, I think the path will be apparent.

I could come straight out with the answer, but, knowing the answer without knowing how isn't of much value.

 
Posted : 02/11/2012 4:35 pm
ttcobadan
(@ttcobadan)
Posts: 12
Active Member
Topic starter
 

Thanks sgware, I will search the user account ID and password subject first. Also the file system, too.

I am googling.

 
Posted : 02/11/2012 5:39 pm
pmow
(@pmow)
Posts: 12
Active Member
 

Most Macs have a DMA-capable FireWire or Thunderbolt port. Although there are exceptions, I would think this resource would work for the cost of a cable and maybe the adapter:

http://www.breaknenter.org/projects/inception/

 
Posted : 13/11/2012 12:08 am