Taking forensic image of a live (open) MAC computer


Posted: Tue Oct 30, 2012 8:13 am

Hello,

I am searching for a way to take an image of an open (live) MAC computer (hard disk). But this job needs the root password. Is there a way to bypass the root password or learn the root password? Is there a way to take an image of a MAC computer? Any source or advice will be good.

Thanks for any reply.

ttcobadan
Member
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Tue Oct 30, 2012 12:10 pm

What is the goal in this exercise? Are you conducting an investigation? Are you helping a friend with password recovery?

About the machine. What type of MAC is it? What OS version? Is there a reason it has to remain running in the current state? (assumed running but password protected). If you were able to power it off and boot in target disk mode, more options are available to you.

In reference to the password, you have to be able to access the password hash before using a tool like jtr to crack it. So, you need access to the file system for that.

Disabling disk arbitration, mounting the device in target disk mode, acquiring an image, verifying the image (hash the media and image file), making a copy of the image to play with is the best option I have.

Note: connecting the two machines with a FireWire cable, disk arbitration disabled, will not provide you with a target drive to mount. You will have to shut down the "other" machine and boot in target disk mode. Then, you will be able to see the /dev/rdisk and /dev/disk block devices to manually mount.

Scott  

sgware
Member
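The acquire-then-verify step from the post above ("hash the media and image file"), as an added example that is not part of the original thread. The function names and the constructed sample file standing in for the source device are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size in bytes (1 MiB)


def sha256_of(path, chunk=CHUNK):
    """Stream a file or device node through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_and_verify(source, image_path, chunk=CHUNK):
    """Copy source to image_path, then hash the media and the image file."""
    running = hashlib.sha256()
    # Source is opened read-only; mode "xb" refuses to overwrite an image.
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            running.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    result = {
        "acquired": running.hexdigest(),        # bytes as read during the copy
        "image": sha256_of(image_path, chunk),  # bytes that landed on disk
        "media": sha256_of(source, chunk),      # second pass over the source
    }
    result["verified"] = result["acquired"] == result["image"] == result["media"]
    return result


def demo():
    """Run against a constructed file standing in for the source device."""
    workdir = tempfile.mkdtemp()
    media = os.path.join(workdir, "media.bin")  # constructed sample "disk"
    with open(media, "wb") as handle:
        handle.write(os.urandom(3 * CHUNK + 123))
    report = acquire_and_verify(media, os.path.join(workdir, "image.dd"))
    # Simulate a source that keeps changing, as a mounted live volume does.
    with open(media, "ab") as handle:
        handle.write(b"later write")
    return report["verified"], sha256_of(media) == report["image"]


if __name__ == "__main__":
    print(demo())
```

The second value from `demo()` shows why the static, unmounted source matters: once the source changes after acquisition, re-hashing the media no longer matches the image, so the acquisition-time hash is the one to record.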
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Wed Oct 31, 2012 1:37 am

Sorry, my mistake. I should have made the subject clear. This is for a project, and I am searching for a way or method for any kind of Mac machine. The problem is that the Mac machine is open and I want to take an image without shutting down. That's the main goal of the project.
There are some programs, or just the dd command, but for the imaging job the Mac system wants the root password.

Unfortunately I have no deep Mac knowledge to find a way for this project. But target disk mode needs a shutdown or restart.
I will search for jtr.

Thanks.  

ttcobadan
Member
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Wed Oct 31, 2012 5:18 am

It appears my assumption that the screen is locked isn't so. Then, you have many options. Here is a link to get you started.

About the password, there are lots of articles on the web. Some are good reads. My advice is to just do a lot of reading and experimenting.

Good luck,

This one is a bit out of date, but directionally correct:

www2.tech.purdue.edu/c...raiger.pdf  

sgware
Member
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Wed Oct 31, 2012 6:17 am

Thank you.

I think there is a lot of work to do.

Let's read something.

ttcobadan
Member
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Thu Nov 01, 2012 6:31 pm

Can you not just use FTK Imager CLI for Mac?

Unless you need root password to run programs as well...  

Adam10541
Senior Member
 
 
  

Re: Taking forensic image of a live (open) MAC computer

Posted: Fri Nov 02, 2012 6:24 am

FTK Imager is OK for imaging a Mac, but when I try to take an image of the whole hard drive it needs the root password.

There are a few more programs like FTK, but I think the main focus of my problem must be learning the root password.

The direction might be this way. Do disk-level processes or commands need the root password?

Sorry for my English. It is weak.

ttcobadan
Member
 
 