Taking a forensic image of a live (open) Mac computer
I am searching for a way to take an image of an open (live) Mac computer (hard disk), but this job needs the root password. Is there a way to bypass the root password or to learn the root password? Is there a way to take an image of a Mac computer? Any source or advice will be good.
Thanks for any reply.
What is the goal in this exercise? Are you conducting an investigation? Are you helping a friend with password recovery?
About the machine: what type of Mac is it? What OS version? Is there a reason it has to remain running in the current state? (Assumed running but password protected.) If you were able to power it off and boot in target disk mode, more options are available to you.
In reference to the password, you have to be able to access the password hash before using a tool like jtr to crack it. So, you need access to the file system for that.
Disabling disk arbitration, mounting the device in target disk mode, acquiring an image, verifying the image (hash the media and image file), making a copy of the image to play with is the best option I have.
Note that connecting the two machines with a FireWire cable, with disk arbitration disabled, will not provide you with a target drive to mount. You will have to shut down the "other" machine and boot it in target disk mode. Then you will be able to see the /dev/rdisk and /dev/disk block devices to manually mount.
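The acquire-then-verify step from the reply above (hash the media and the image file), as an added example that is not part of the original thread. The function names and file names are hypothetical, and the input is a constructed file standing in for the source media.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; media is never held in memory


def hash_file(path, algo="sha256"):
    """Hash a file or raw device node by streaming it in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(source, image, algo="sha256"):
    """Copy source to image while hashing the source stream, then re-read
    the written image and compare the two digests."""
    src_hash = hashlib.new(algo)
    copied = 0
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-read
    image_hash = hash_file(image, algo)
    return {"bytes": copied, "source_hash": src_hash.hexdigest(),
            "image_hash": image_hash,
            "verified": src_hash.hexdigest() == image_hash}


def demo():
    """Image a constructed file that stands in for the media, then show
    that a one-byte change to a working copy no longer matches."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "fake_media.bin")  # constructed, not a real disk
        image = os.path.join(d, "evidence.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        result = acquire_and_verify(source, image)
        with open(image, "r+b") as f:  # simulate accidental modification
            f.seek(CHUNK)
            flipped = bytes([f.read(1)[0] ^ 0xFF])
            f.seek(CHUNK)
            f.write(flipped)
        result["altered_copy_matches"] = hash_file(image) == result["source_hash"]
        return result
```

Recording the source hash at acquisition time is what lets every later working copy be checked against the original media.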
Sorry, my mistake. I had to clarify the subject. This is for a project and I am searching for a way or method for any kind of Mac machine. The problem is that the Mac machine is open and I want to take an image without shutting it down. That's the main goal of the project.
There are some programs, or just the dd command, but for the imaging job the Mac system wants the root password.
Unfortunately I have no deep Mac knowledge to find a way for this project. But target disk mode needs a shutdown or restart.
I will search for jtr.
It appears my assumption that the screen is locked isn't so. Then, you have many options. Here is a link to get you started.
About the password, there are lots of articles on the web. Some are good reads. My advice is to just do a lot of reading and experimenting.
This one is a bit out of date, but, directionally correct
I think there is a lot of work to do.
Let's read something.
Can you not just use FTK Imager CLI for Mac?
Unless you need root password to run programs as well…
FTK Imager is OK for imaging a Mac, but when I try to take an image of the whole hard drive it needs the root password.
There are a few more programs like FTK, but I think the main focus of my problem must be learning the root password.
The direction might be this way. Do disk-level processes or commands need the root password?
Sorry for my English. It is weak.
Have you done the basic research to understand how user account IDs/passwords work on a Mac, or a BSD variant? Once you have, I think the path will be apparent.
I could come straight out with the answer, but, knowing the answer without knowing how isn't of much value.
Thanks sgware, I will research the user account ID and password subject first. Also the file system, too.
I am googling.
Most Macs have a DMA-capable FireWire or Thunderbolt port. Although there are exceptions, I would think this resource would work for the cost of a cable and maybe the adapter.
Wow, this is a great thing.
I like it. Thank you very much. That is the way I follow.