Time Capsule forensics

(@parabuser)
Posts: 9
Active Member
Topic starter
 

I have a case where I've already imaged the MacBook Pro hard drive and conducted the examination as requested by my client. Now he has given me a Time Capsule which will probably hold older and/or deleted emails/documents that could be of interest.

I have read some of the threads here, and have some ideas but would like to put this out here as those threads are somewhat dated.

Can I image the drive by removing it from the enclosure or should I use something like Lantern Imager in read-only mode and attach my Mac to it to create a .dmg image?

Once imaged can I process the drive in one of the modern tools (FTK, Encase, X-Ways, IEF) and recover documents and emails?

Or is it pretty much clone the drive and see what I can extract using Time Machine or a 3rd party solution?

Any advice or commentary on your experience with this topic would be appreciated.

 
Posted : 06/09/2016 12:02 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

According to AirPort Utility, which firmware is running on the Time Capsule? As the internal design changed over time with different HDD manufacturers and overheating problems (there was an Apple exchange for older models, as the power supply is integrated and there is poor active cooling/fan inside), the model Axxx would help to advise.

 
Posted : 06/09/2016 12:55 am
(@parabuser)
Posts: 9
Active Member
Topic starter
 

According to AirPort Utility, which firmware is running on the Time Capsule? As the internal design changed over time with different HDD manufacturers and overheating problems (there was an Apple exchange for older models, as the power supply is integrated and there is poor active cooling/fan inside), the model Axxx would help to advise.

Thank you for your prompt reply. I have not powered it up, mostly because I'd hoped to simply image the drive, but partly because a power cord was not provided. So I don't have a firmware version.

The Time Capsule model is A1355 and it is 1TB.

 
Posted : 06/09/2016 4:31 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Seems to be a 3rd gen TC, still with the flat design (the new ones are towers). If you have NUIX, you can pull out the HDD and index for emails, contacts, etc. The guys from BlackBagTech - ex-Apple guys - for sure can help too.

https://www.youtube.com/watch?v=ATjKELezw9s

 
Posted : 06/09/2016 8:51 pm
(@parabuser)
Posts: 9
Active Member
Topic starter
 

Thank you Rolf. NUIX is well beyond my budget and I don't have the BlackBag tools. I can't spend the $3400 for a one-time case at this point.

But at least it seems that I can directly image the drive so that's a start.

 
Posted : 06/09/2016 9:04 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

No problem. I did get in touch with BlackBag and am waiting for a response. They provide you with a free trial version (time-limited), so there is a way 😉

 
Posted : 06/09/2016 9:17 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

As Time Machine uses algorithms for the incremental backup/compression and space optimization, it for sure depends on the running OS X version and the firmware on the TC, as Apple optimized and changed the process over time.

 
Posted : 06/09/2016 9:23 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Stuart Hutchinson
stuart@blackbagtech.com

told me that BlackLight can handle this perfectly for you. So you can email him and request the trial version of BlackLight.

 
Posted : 07/09/2016 6:47 pm