Need Mac recovery advice

8 Posts
4 Users
0 Likes
483 Views
(@kelash108)
Posts: 18
Active Member
Topic starter
 

Hi All,

Yesterday I recovered 92 files from a MacBook Pro SSD (via Thunderbolt and TDM); I'm now viewing them in EnCase.

I have no Mac experience whatsoever and I've not been in Forensics for long.

The files I found were:

- a folder called .fseventsd
- a folder called .Spotlight-V100 which contained two folders (Store-V1 and Store-V2) which both contained files.

I've read online about these files but I still don't feel as though I have a 100% understanding at the moment. Apart from these files, there was nothing else recovered at all.

Could someone please explain my findings a bit better to me?

I am definitely planning to do some reading on Macs as I'm sure this won't be the last time I encounter one!!!

Thanks in advance!

 
Posted : 09/04/2015 3:36 pm
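The .fseventsd folder recovered above is where macOS keeps its FSEvents change log: gzip-compressed files, each named after a hexadecimal event ID, recording which paths on the volume were created, modified, renamed or removed. The parser below is an added example for illustration, not code from this thread or from EnCase. It assumes the page and record layout documented by public open-source FSEvents parsers (a 12-byte page header of magic "1SLD" or "2SLD", an unknown 32-bit field and a 32-bit page length; then, per record, a NUL-terminated path, a 64-bit event ID and 32-bit flags, with "2SLD" pages adding a 64-bit node ID), and the flag-bit names are taken from the same sources. The sample log it parses is constructed here and gzip-compressed in the script; it is not real evidence.

```python
import gzip
import struct

# Flag bits as documented by public FSEvents parsers (assumption; not from the thread).
FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

PAGE_HEADER = "<4sII"   # magic, unknown, page length (includes the header)
PAGE_HEADER_LEN = 12


def decode_flags(flags):
    """Return the flag names set in a record's 32-bit flags word, lowest bit first."""
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return names or ["(none)"]


def parse_fsevents(blob):
    """Parse one .fseventsd log file (gzip-compressed or already inflated) into records."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic: inflate first
        blob = gzip.decompress(blob)
    records = []
    off = 0
    while off + PAGE_HEADER_LEN <= len(blob):
        magic, _unknown, page_len = struct.unpack_from(PAGE_HEADER, blob, off)
        if magic == b"1SLD":
            tail_fmt, tail_len = "<QI", 12        # event ID, flags
        elif magic == b"2SLD":
            tail_fmt, tail_len = "<QIQ", 20       # event ID, flags, node ID
        else:
            raise ValueError(f"unknown page magic {magic!r} at offset {off}")
        page_end = off + page_len
        if page_len < PAGE_HEADER_LEN or page_end > len(blob):
            raise ValueError(f"page at offset {off} runs past end of data")
        pos = off + PAGE_HEADER_LEN
        while pos < page_end:
            nul = blob.index(b"\x00", pos, page_end)       # ValueError if path is unterminated
            path = blob[pos:nul].decode("utf-8", "replace")
            pos = nul + 1
            if pos + tail_len > page_end:
                raise ValueError(f"truncated record at offset {pos}")
            fields = struct.unpack_from(tail_fmt, blob, pos)
            pos += tail_len
            rec = {"path": path, "event_id": fields[0],
                   "flags": fields[1], "flag_names": decode_flags(fields[1])}
            if magic == b"2SLD":
                rec["node_id"] = fields[2]
            records.append(rec)
        off = page_end
    return records


def build_sample_page(records, version=1):
    """Build a synthetic DLS1/DLS2 page from (path, event_id, flags[, node_id]) tuples.
    Constructed test data only."""
    magic = b"1SLD" if version == 1 else b"2SLD"
    body = b""
    for path, event_id, flags, *node in records:
        body += path.encode("utf-8") + b"\x00" + struct.pack("<QI", event_id, flags)
        if version == 2:
            body += struct.pack("<Q", node[0] if node else 0)
    return struct.pack(PAGE_HEADER, magic, 0, PAGE_HEADER_LEN + len(body)) + body


# Constructed sample: paths are volume-relative, as FSEvents stores them (hypothetical user "alice").
SAMPLE_RECORDS = [
    ("Users/alice/Documents/report.docx", 0x1A2B3C, 0x01008000),  # FileEvent | Created
    ("Users/alice/Documents",             0x1A2B3D, 0x10000001),  # FolderEvent | Modified
    ("Users/alice/.Trash/report.docx",    0x1A2B3E, 0x02008000),  # FileEvent | Removed
]
SAMPLE_LOG = gzip.compress(build_sample_page(SAMPLE_RECORDS))   # what a file under .fseventsd looks like

if __name__ == "__main__":
    for rec in parse_fsevents(SAMPLE_LOG):
        print(f"{rec['event_id']:#010x}  {rec['path']:<40}  {'|'.join(rec['flag_names'])}")
```

Event IDs increase monotonically, so the order of records across files gives a timeline of activity on the volume even though FSEvents records carry no timestamps of their own; a practitioner pairs them with the file-system metadata for each path. Note that simply mounting a Mac volume read-write (for example by attaching it over Target Disk Mode without a write blocker) causes the OS to append new FSEvents records, so these logs are among the first things altered by non-forensic handling.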
(@subujoseph)
Posts: 51
Trusted Member
 

Why did you decide to do the recovery? Was the hard disk formatted? More info please.

 
Posted : 09/04/2015 4:07 pm
(@kelash108)
Posts: 18
Active Member
Topic starter
 

Why did you decide to do the recovery? Was the hard disk formatted? More info please.

Hi,

The Mac came to my work place as part of a case, the person paying for the work wanted some evidence.

When I switched it on there was a flashing folder with a question mark on it. I couldn't get it to boot; I tried a CD (using an external drive) and a USB boot with no joy. This is all I know about it.

Thanks

 
Posted : 09/04/2015 4:15 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

The flashing folder with a ? usually means the internal HDD can't be detected or there is no OS installed on the internal HD.

What model is the Mac? Can you open it up to get to the HDD and try a traditional physical acquisition?

When you say you recovered these files via TDM what software did you use to recover and how did you recover? By that I mean did you perform a disc image of the HD via TDM or did you simply copy out visible files?

If you could give us a breakdown of the software you used and exactly what you saw it would assist.

 
Posted : 10/04/2015 6:03 am
(@kelash108)
Posts: 18
Active Member
Topic starter
 

The flashing folder with a ? usually means the internal HDD can't be detected or there is no OS installed on the internal HD.

What model is the Mac? Can you open it up to get to the HDD and try a traditional physical acquisition?

When you say you recovered these files via TDM what software did you use to recover and how did you recover? By that I mean did you perform a disc image of the HD via TDM or did you simply copy out visible files?

If you could give us a breakdown of the software you used and exactly what you saw it would assist.

Morning,

Thanks for your reply, i really appreciate it.

I realised I said MacBook Pro; my mistake, it's a MacBook Air A1466.

If all else fails, I think I will have to open it up, providing our client agrees.

I used no software; I followed a video I saw online and, using Disk Utility, I restored the drive to an external drive.

Thanks again for your reply, and any advice you may have for me.

 
Posted : 10/04/2015 12:54 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

You don't need to open it up. You can use Raptor, or use it with Kali; I acquired a MacBook Air.
Or try a bootable Windows USB and use FTK Imager to acquire and perform raw recovery, or something, to image.

 
Posted : 10/04/2015 1:03 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

As nightworker suggested you can use Raptor, or Paladin is a favourite of mine, or even DEFT is quite good.

DVD or USB boot and image drive with one of them will likely be the go.

 
Posted : 13/04/2015 5:27 am
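Booting a forensic live distribution from DVD or USB and imaging the drive, as suggested in the replies above, comes down to a read-only, bit-for-bit block copy plus hashes for verification. The function below is an added example, not code from this thread or from Raptor, Paladin or DEFT. It assumes a Linux forensic boot with GNU coreutils (dd, sha256sum) and util-linux (blockdev), and that the caller passes the device the Mac's SSD appears as (for example /dev/sdb, a hypothetical name; check with lsblk before imaging) and an output path on a separate evidence drive.

```bash
#!/bin/sh
# Added example (not from the thread): image a block device exposed over
# Target Disk Mode from a Linux forensic boot, hashing source and image.
# Assumes GNU dd/sha256sum and util-linux blockdev; device names are hypothetical.

image_device() {
    src="$1"        # e.g. /dev/sdb, the Mac's SSD as seen by the live distro (hypothetical)
    dst="$2"        # e.g. /mnt/evidence/macbook_air.dd on a separate evidence drive
    log="${dst}.log"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Mark the source read-only at the block layer when it is a real device.
    # This is a software guard, not a hardware write blocker, and it is skipped
    # for a regular file (which lets the function be tested without root).
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$src" || return 1
    fi

    # Hash the source before and after imaging to show it was not altered.
    pre=$(sha256sum "$src" | cut -d' ' -f1)

    # Sector-sized blocks with noerror,sync: unreadable sectors are zero-padded
    # one at a time, so no padding is added to a readable drive. dc3dd or dcfldd
    # are faster alternatives that hash inline.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1

    post=$(sha256sum "$src" | cut -d' ' -f1)
    img=$(sha256sum "$dst" | cut -d' ' -f1)

    {
        echo "source:               $src"
        echo "image:                $dst"
        echo "acquired (UTC):       $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256 source (pre):  $pre"
        echo "sha256 source (post): $post"
        echo "sha256 image:         $img"
    } > "$log"

    # The acquisition verifies only if the source was unchanged by the copy
    # and the image hash matches the source hash.
    [ "$pre" = "$post" ] && [ "$pre" = "$img" ]
}

# Stand-alone use: ./image.sh /dev/sdX /mnt/evidence/case.dd
if [ "$#" -eq 2 ]; then
    image_device "$1" "$2" && echo "image verified, see ${2}.log" || { echo "verification FAILED" >&2; exit 1; }
fi
```

A failed verification (the hashes in the log disagree) means either the source changed while being read or the copy was incomplete; the image should not be relied on until the cause is known. Whatever distribution is used, confirm the device is not auto-mounted read-write before running anything against it.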
(@kelash108)
Posts: 18
Active Member
Topic starter
 

Thanks for the help guys, I appreciate it!

Looks like our client changed their mind though and the work isn't going ahead which is a shame, I was looking forward to learning something new.

Never mind, I'm sure there will be others :)

 
Posted : 13/04/2015 8:48 pm