Hello, I have acquired an image of a Mac using Guymager live. Now I have to see the files, but I have a Windows machine with FTK. I tried to use VirtualBox to start a Yosemite machine, but it crashes. What can I do?
Why do you need to run the machine? Why not analyze it as a dead box?
Thank you, what do you mean by 'dead box'?
I mean investigation of a machine without switching it on.
Never did it. But in this particular case I don't have the machine anymore. I just have the image obtained with FTK in E01.
You can perfectly analyze e01 in many tools including FTK itself. We at Belkasoft can also mount and analyze such images.
You could just examine it in FTK.
Some good articles on mac forensic http//
Some OS X artifacts
https://
Also, you could restore the image to disk, allowing a live investigation on another Mac machine if you want a hands-on.
You could also just mount the image in Linux, and I think log2timeline may work.
Just ideas, sorry.
I think it would be a good question as to what utilities and programs you currently have access to. EnCase does a reasonably good job of analyzing Mac data, though for some aspects a good workflow and knowledge of Mac file types and locations are necessary. The mentions of AppleExaminer.com above are really helpful. I would ask though, when you created your Mac in VirtualBox, did you use these directions? (http//
Running a Mac VM on a Windows machine (past 10.6 I think) is a bit flaky.
When I need to do it I would either restore the image to disc and boot from it using a Mac of the same type if you have one.