Can anyone help me understand this? (Mac Forensics)

(@sizzy)
Posts: 2
New Member
Topic starter
 

Hi, I don't usually ask for help on my first post but anyway, I'm new to Mac forensics and this bit of evidence was on the DiskUtility.log, though I don't actually understand what it's telling me:

2011-12-02 221002 +0000 Disk Utility started.

2011-12-02 221103 +0000 Attach Image originals.dmg
2011-12-02 221104 +0000 Initializing
2011-12-02 221106 +0000 Attaching
2011-12-02 221107 +0000 Mounting
2011-12-02 221107 +0000 Attaching
2011-12-02 221107 +0000 Finishing
2011-12-02 221108 +0000 Unable to attach originals.dmg. (no mountable file systems)
2011-12-02 221108 +0000
2011-12-02 221143 +0000 Preparing to erase banknotes
2011-12-02 221143 +0000 Partition Scheme GUID Partition Table
2011-12-02 221143 +0000 1 volume will be created
2011-12-02 221143 +0000 Name banknotes
2011-12-02 221143 +0000 Size 104.9 MB
2011-12-02 221143 +0000 Filesystem Mac OS Extended (Journaled)

2011-12-02 221143 +0000 Unmounting disk
2011-12-02 221143 +0000 Creating partition map
2011-12-02 221144 +0000 Waiting for disks to reappear
2011-12-02 221144 +0000 Formatting disk1s1 as Mac OS Extended (Journaled) with name banknotes
2011-12-02 221144 +0000 Erase complete.
2011-12-02 221144 +0000

originals.dmg was made in Terminal with a predetermined size of 100 MB (-size 100), if this helps.

Thank you for any advice given!

 
Posted : 13/11/2014 12:16 am
(@redman)
Posts: 4
New Member
 

Hi, the first thing I am noticing is the dates are reporting 3 years ago. Is that the timeframe for which you are investigating?

The DMG file is a disk image file. It appears the person had an image called Originals.dmg that s/he tried to mount but did not successfully mount because it had no file system. This would make me wonder if it was instead a .rar or .zip type of archive that was renamed as DMG. Do you have Originals.dmg on the drive?

I believe the 104.9 MB disk1s5 partition is just a standard partition created by Microsoft. It would have the name of the hard drive. So if the drive named Banknotes was a 2 TB drive it would show these other partitions under Mac OS. While there's normally nothing there, I'd still look.

So what I would determine from that is someone took a hard drive (possibly an external drive) originally formatted for Windows and plugged it into the Mac. They then formatted the drive so it could be used as an additional drive on the Mac.

 
Posted : 23/11/2014 2:14 am
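An added example, not from either poster: a small parser that turns DiskUtility.log lines like the ones quoted above into a timeline and pulls out the two facts an examiner cares about here, the failed attach of originals.dmg (with its reason) and the erase of disk1s1 as "banknotes", plus how many seconds separate them. The sample log is constructed in the shape of the quoted excerpt; real entries carry HH:MM:SS timestamps, and the regex also accepts the colon-less form the forum copy shows.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the DiskUtility.log excerpt quoted in the question.
SAMPLE_LOG = """\
2011-12-02 22:10:02 +0000 Disk Utility started.
2011-12-02 22:11:03 +0000 Attach Image originals.dmg
2011-12-02 22:11:08 +0000 Unable to attach originals.dmg. (no mountable file systems)
2011-12-02 22:11:43 +0000 Preparing to erase banknotes
2011-12-02 22:11:43 +0000 Size 104.9 MB
2011-12-02 22:11:44 +0000 Formatting disk1s1 as Mac OS Extended (Journaled) with name banknotes
2011-12-02 22:11:44 +0000 Erase complete.
"""

# Timestamp with or without colons (the forum paste lost them), then a UTC offset and message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):?(\d{2}):?(\d{2}) ([+-]\d{4})\s*(.*)$")
FORMAT_RE = re.compile(r"^Formatting (\S+) as (.+) with name (.+)$")
FAIL_RE = re.compile(r"^Unable to attach (\S+)\. \((.*)\)")


def parse_lines(text):
    """Return a list of (timestamp, message) tuples; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, hh, mm, ss, tz, msg = m.groups()
        ts = datetime.strptime(f"{date} {hh}:{mm}:{ss} {tz}", "%Y-%m-%d %H:%M:%S %z")
        events.append((ts, msg.strip()))
    return events


def summarize(events):
    """Collect failed image attaches and volume erases, with the gap from the last failure."""
    out = {"failed_attach": [], "erases": []}
    last_fail = None
    for ts, msg in events:
        if (m := FAIL_RE.match(msg)):
            out["failed_attach"].append({"when": ts, "image": m.group(1), "reason": m.group(2)})
            last_fail = ts
        elif (m := FORMAT_RE.match(msg)):
            erase = {"when": ts, "device": m.group(1), "filesystem": m.group(2), "volume": m.group(3)}
            # None when no failed attach preceded this erase in the log.
            erase["secs_after_failed_attach"] = (
                None if last_fail is None else int((ts - last_fail).total_seconds()))
            out["erases"].append(erase)
    return out


if __name__ == "__main__":
    for e in summarize(parse_lines(SAMPLE_LOG))["erases"]:
        print(f"{e['when']:%H:%M:%S} erased {e['device']} -> '{e['volume']}' ({e['filesystem']}), "
              f"{e['secs_after_failed_attach']} s after a failed attach")
```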