Hi,

Any advice on how to acquire a mac machine?

Is it the same procedure as acquring a Windows machine?

BlueDragon,
Is it a laptop, Imac or desktop?

Laptop and Imac, you will have trouble pulling the drive, Apple does not make it easy for you. You could try, but you run the risk of breaking the machine. Connect the MAC via a firewire cable to your acquisition machine. When you turn the MAC on, hold down the "T" key, wait until you see the firewire symbol on the screen. From there you can connect to it as you would a normal drive and image it that way via the firewire cable, takes longer but works.

Desktop, you should be able to pull the drive out, if not, same thing.

You can also use a boot disk like helix.

Hope this helps.

blueDragon,

You will follow your forensic procedure for acquisition. Depending upon the target (specific model) you may need to adjust your approach. For example, not all Linux boot CDs boot all Macs. THE FARMER'S BOOT CD boots iMacs, Macbooks, and Macbook Pros with no problems.

You also may use the target disk mode as noted already.

You could pull the drive and attack to your acquisition system.

Without knowing more, the specific model and your acquisition system and process, we can really only speculate.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com

Lots of solid advice thus far.

Honestly I've had the best results with the "T" target disk mode mentioned above, in fact I'm of the mindset it (and farmer's CD) are the only way to go with Apple Laptops. Taking them apart is often way too difficult/dangerous.

"Wait a minute.. why do I have a few screws left over?"

Is there no danger of writing to the drive if you are in Target Disk mode but aquiring to a Windows computer ?

Is there a registry edit for 1394 write blocking ?

Gotta say im more of an in for a penny in for a pound kinda guy and usually just whip the drive out.

I generally take out the HDD where I can or use Target Mode via Firewire. My words of experience for both methods are:

Removing HDD
The problem with taking out the HDD is that it isn't always an option. Not sure if the conditions of warranty are the same worldwide, but in Australia you always void the warranty when you open an Apple unless you are an approved technician which you can't get unless you are or work for an approved Apple dealer. The second thing problem is the latest iMacs are vaccuum sealed to prevent dust getting in behind the screen so they can only be opened in a clean room. I have in the past taken the iMac to a dealer and asked them to remove the HDD for me and then imaged it.

Target Mode
This method is slow since it only runs at Firewire 400 speed and the added difficulty is that most drives that ship with Apples are 150GB +. The other problem, as mentioned in a previous post, if there is a windows partition on the Apple and you are acquiring using a Windows system your PC will recognise it as an external USB device and start mounting it. This will modify the system but as far as I can tell it only results in modification to the System Volume information folder. This is generally okay as long you take notes to this effect and can explain why the modifications to the Apple hard drive occurred.

my two cents, hope it helps.

Regarding Firewire Target Disk Mode (FWTDM), I'd be hesitant to simply boot a mac while holding 'T' until you know a few things about the device.

One problem is that, if there's a open firmware/EFI password set, then it'll ignore your request for FWTDM and start to boot into the OS. Your best bet is to hold down the 'option' key first, as this will take you to a firmware screen that'll show you the bootable partitions available, and if there's a password set.

Your second problem comes if there's a FAT or NTFS partition on the hard drive, as when you connect that drive in FWTDM to a Windows machine, Windows will write to it. Windows can't natively write to an HFS or HFS+ partition though.

Myself, I'd rather remove the drive and hook it up to a tried and tested hardware write-blocker.

Hi blueDragon

Come imac, ibook or anyother type of mac, i've just taken out the disk and imaged it as usual. (through a write-blocker to either a DD or EO1 file set)

However i know quiet a few people who would use the Target Disk Mode, i think at the end of the day its usually down to the personal prefernce of the person doing the imaging. (i.e. what he/she feels most conforatble with).

I would usually prefer fighting with the mac to get the hard disk out, i get some sort of sad sense of acheivement out of it

Good morning to you all btw!

Hi blueDragon,

In my experience, if you can afford to spend the extra half an hour or an hour extracting the physical disk, do so. The first time you have to do this is a daunting experience but thereafter less so.
Booting Mac's to boot media is not always successfull and having had this method fail once, I think the time spent learning how to remove the physical disk is time well spent.
TDM is a great shortcut but if you find the firmware on the exhibit is password protected and you may be forced to perform a physical extraction of the disk in any case.
Intel based Macs may have an NTFS partition and TDM acquisition using a Windows workstation is then out of the question.
In this event if you normally use Windows based workstations, cant spare the time to extract the physical disk or do not wish to risk damaging the exhibit in the process, I have found the following method to be of use.
I have imaged the internal disk of an Intel based iMac (which had Boot Camp and WinXP installed on an NTFS partition) in TDM whilst connected via Firewire to a workstation booted to the Helix Live CD v1.89. Helix had been loaded into the workstations RAM and started in console mode. Using dcfldd an image of the disk was acquired that reported the correct number of sectors and was successfully reacquired as an E01 afterwards.

If its a Macbook or PowerMac laptop, you may be able to pull the Hard drive easily. Just needs a small screwdriver, and it comes out very simply. Most of the time you need to remove the battery, and a few screws to get to the hard drive. It all depends on the model.

iMacs & older units are a pain, so target disk mode is the best.