Taking forensic image of a live (open) MAC computer  

ttcobadan
(@ttcobadan)
New Member

Hello,

I am searching for a way to take an image of an open (live) Mac computer (hard disk). But this job needs the root password. Is there a way to bypass the root password or to learn the root password? Is there a way to take an image of a Mac computer? Any source or advice would be good.

Thanks for any reply.

Quote
Posted : 30/10/2012 6:13 pm
sgware
(@sgware)
Junior Member

What is the goal in this exercise? Are you conducting an investigation? Are you helping a friend with password recovery?

About the machine: What type of Mac is it? What OS version? Is there a reason it has to remain running in the current state? (Assumed running but password protected.) If you were able to power it off and boot in target disk mode, more options are available to you.

In reference to the password, you have to be able to access the password hash before using a tool like jtr to crack it. So, you need access to the file system for that.

Disabling disk arbitration, mounting the device in target disk mode, acquiring an image, verifying the image (hash the media and image file), making a copy of the image to play with is the best option I have.

Note that connecting the two machines with a FireWire cable, with disk arbitration disabled, will not provide you with a target drive to mount. You will have to shut down the "other" machine and boot it in target disk mode. Then you will be able to see the /dev/rdisk and /dev/disk block devices to manually mount.

Scott

ReplyQuote
Posted : 30/10/2012 10:10 pm
ttcobadan
(@ttcobadan)
New Member

Sorry, my mistake. I should have made the subject clearer. This is for a project and I am searching for a way or method that works for any kind of Mac machine. The problem is that the Mac machine is open (running) and I want to take an image without shutting it down. That's the main goal of the project.
There are some programs, or just using the dd command for the imaging job, but the Mac system wants the root password.

Unfortunately I have no deep Mac knowledge to find a way for this project. But target disk mode needs a shutdown or restart.
I will search for jtr.

Thanks.

ReplyQuote
Posted : 31/10/2012 11:37 am
sgware
(@sgware)
Junior Member

It appears my assumption that the screen is locked isn't so. Then, you have many options. Here is a link to get you started.

About the password, there are lots of articles on the web. Some are good reads. My advice is to just do a lot of reading and experimenting.

Good luck,

This one is a bit out of date, but directionally correct:

http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf

ReplyQuote
Posted : 31/10/2012 3:18 pm
ttcobadan
(@ttcobadan)
New Member

Thank you

I think there is a lot of work to do.

Let's read something.

ReplyQuote
Posted : 31/10/2012 4:17 pm
Adam10541
(@adam10541)
Senior Member

Can you not just use FTK imager CLI for Mac?

Unless you need root password to run programs as well…

ReplyQuote
Posted : 02/11/2012 4:31 am
ttcobadan
(@ttcobadan)
New Member

FTK Imager is OK for imaging a Mac, but when I try to take an image of the whole hard drive it needs the root password.

There are a few more programs like FTK, but I think the main focus of my problem must be learning the root password.

The direction might be this way: do disk-level processes or commands need the root password???

Sorry for my English; it is weak.

ReplyQuote
Posted : 02/11/2012 4:24 pm
sgware
(@sgware)
Junior Member

Have you done the basic research to understand how user account IDs/passwords work on a Mac, or on a BSD variant? Once you have, I think the path will be apparent.

I could come straight out with the answer, but, knowing the answer without knowing how isn't of much value.

ReplyQuote
Posted : 02/11/2012 4:35 pm
ttcobadan
(@ttcobadan)
New Member

Thanks sgware, I will search the user account ID and password subject first. Also the file system, too.

I am googling.

ReplyQuote
Posted : 02/11/2012 5:39 pm
pmow
(@pmow)
New Member

Most Macs have a DMA-capable FireWire or Thunderbolt port. Although there are exceptions, I would think this resource would work for the cost of a cable and maybe the adapter.

http://www.breaknenter.org/projects/inception/

ReplyQuote
Posted : 13/11/2012 12:08 am
ttcobadan
(@ttcobadan)
New Member

Wow, this is a great thing.

I like it. Thank you very much. That is the way I follow.

ReplyQuote
Posted : 13/11/2012 2:56 pm