New Macbook Air


Beetle
Senior Member
 

New Macbook Air

Post Posted: Oct 21, 10 01:14

Looks like a new technique for imaging Macbook Airs may be warranted. They are now using flash memory directly attached to the MB for storage.  
 
  

Xennith
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 01:47

One of the standard techniques we use is a Linux boot and network acquisition. Unless Mac OS boot-time interrupt keys have changed, that should be just as applicable.
 
  

Beetle
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 01:59

No optical drive, no ethernet...
And there is no hard disk to take out.  
 
  

Xennith
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 02:03

USB boot?
edit: Or removable optical device.
unetbootin.sourceforge.net/ allows you to burn an ISO to a USB device as a bootable device. Could then use a local HDD connected via a USB bridge to take the image.

Unless of course it's not got USBs either ;P
 
  

Beetle
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 02:11

Xennith wrote:
> USB boot?
> edit: Or removable optical device.
> unetbootin.sourceforge.net/ allows you to burn an ISO to a USB device as a bootable device. Could then use a local HDD connected via a USB bridge to take the image.
>
> Unless of course it's not got USBs either ;P


We had tried USB boots using Helix (Pro) last year around this time and found that it was crushing the custom firmware that Apple used for its USB port that could only be reset by removing the battery (diagnosed and confirmed by Apple engineering). Other boot disks work (Raptor comes to mind) but I am wondering what Apple may have done to the USB firmware this time. BTW there are now two USB ports on the Airs.
 
  

Xennith
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 02:25

Backtrack springs to mind as a possible alternative to Helix as it has a forensic boot option which loads everything into RAM. I think Ubuntu has the same capacity out of the box as well, and IIRC both have DD as standard.

Backtrack of course is more fun (and has some forensic tools integrated). :)

If USB presents problems you could try a compact flash boot (if the MacBook has such a magical device). I've not heard of this particular USB issue until now but I'm glad you've brought it up. Linux-based bootable USB devices are becoming almost standard issue in my place and I'd hate to be caught out on that.

(wonder if that's exploitable....)

edit: Interwebs shows that the MacBook Air is massively overexpensive even for a Mac, but does come with an SD card slot, so that is an option. Unetbootin can be used to create a bootable SD card in the same way that you create a bootable USB.
 
  

96hz
Senior Member
 

Re: New Macbook Air

Post Posted: Oct 21, 10 02:42

I've had similar experiences to Beetle.
My understanding is that it is 'pseudo-USB', meaning that I would be surprised if there actually is a Linux boot disk that supports it (off the bat). Perhaps Raptor has a specific Mac-centric driver that understands it is dealing with a super port (or whatever it is dubbed), not a bog-standard USB.
 
