±Forensic Focus Partners
±Your Account
Site Members:
 New Today: 2
|
 Overall: 36290
|
 New Yesterday: 4
|
 Visitors: 149
|
±Latest Articles
±Latest Videos
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Remote wipe of Mac Airbook
Page 1, 2 Next
-
mscotgrove - Senior Member
Remote wipe of Mac Airbook
Posted: Feb 28, 13 21:18
I think I can answer my own question, but am not sure.
When a Mac Airbook is remotely wiped (after possible theft etc) are files wiped or deleted?
The airbook is all SSD so I presume it has some kind of trim process that will erase any deleted sectors.
The laptop will have been turned on for several hours since the event.
My question is, 'Is there any point trying to see if old files still exist?'
This is a general user inquiry, and not an investigation so ignore any data that might be in wear leveling locations etc. I think the answer is that all the data has gone, and will not return. Am I correct?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk
When a Mac Airbook is remotely wiped (after possible theft etc) are files wiped or deleted?
The airbook is all SSD so I presume it has some kind of trim process that will erase any deleted sectors.
The laptop will have been turned on for several hours since the event.
My question is, 'Is there any point trying to see if old files still exist?'
This is a general user inquiry, and not an investigation so ignore any data that might be in wear leveling locations etc. I think the answer is that all the data has gone, and will not return. Am I correct?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk
-
lars - Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 01:25
After this happened to the writer Mat Honan, he documented how professional data recovery got him most of his data back - www.wired.com/gadgetla...data-back/
Cheers,
Lars
Cheers,
Lars
-
Bulldawg - Senior Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 01:41
If I read between the lines in that article, it looks like he was able to stop the wipe before it was done. If he had booted the computer or allowed it to keep running, the wipe would have continued. His data still existed because of the interrupted wipe process.
So, it looks like it does attempt to wipe it, but if you interrupt the process and remove the drive, you may still get data.
Why he took it to Apple to re-install the OS before sending it to data recovery, I do not understand...
So, it looks like it does attempt to wipe it, but if you interrupt the process and remove the drive, you may still get data.
Why he took it to Apple to re-install the OS before sending it to data recovery, I do not understand...
-
zekituredi - Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 02:53
I have a feeling I read somewhere that trim is not enabled on all models of the MacBook Air, only the newest models.
Anyway is it not best to always check, just in case?
Anyway is it not best to always check, just in case?
-
mscotgrove - Senior Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 04:32
Bulldawg - on a Airbook, I think the 'disk drive' is soldered in
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk
-
Bulldawg - Senior Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 05:43
You're thinking of recent MacBook Pro Retina models. Those have the SSD soldered on the board. Even the most recent MacBook Air models have a removable SSD module which can be seen here:
www.ifixit.com/Guide/I...ve/12351/1
They use proprietary connectors and adapters are difficult or impossible to find, so it's best to use alternative methods to image them rather than cracking the case open, but the drive can be removed.
www.ifixit.com/Guide/I...ve/12351/1
They use proprietary connectors and adapters are difficult or impossible to find, so it's best to use alternative methods to image them rather than cracking the case open, but the drive can be removed.
-
trewmte - Senior Member
Re: Remote wipe of Mac Airbook
Posted: Mar 01, 13 06:58
Michael,
Not sure if this helps; and you may have already been down this path.
Do you know if the locate my device found the device and that the "remote wipe" command actually reached the mac airbook?
I am thinking along the lines
(a) 'what if' the mac airbook gives an outward appearance of being wiped
or, alternatively,
(b) I know for a fact that remote wipe was used but a copy / back up may remain in the environment:
- Enterprise
- iCloud
I know (a) vaguely seeks to address your original question and (b) doesn't deal with your original question but sometimes these question I find have a habit of providing clues or answers that hadn't yet been considered.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
Not sure if this helps; and you may have already been down this path.
Do you know if the locate my device found the device and that the "remote wipe" command actually reached the mac airbook?
I am thinking along the lines
(a) 'what if' the mac airbook gives an outward appearance of being wiped
or, alternatively,
(b) I know for a fact that remote wipe was used but a copy / back up may remain in the environment:
- Enterprise
- iCloud
I know (a) vaguely seeks to address your original question and (b) doesn't deal with your original question but sometimes these question I find have a habit of providing clues or answers that hadn't yet been considered.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com