Hello everyone,
I'm dealing with an iMac, and since disassembling it to extract the hard drive for acquisition is pretty complex, I was thinking of using a live CD or live USB forensic distro like Helix or DEFT to boot the system and image the internal drive using dd.
My lack of in-depth knowledge of EFI and Apple systems, though, raises some questions that I need answered before proceeding.
One of these is the boot sequence modifier.
I've read that by holding the C key while powering on the Mac, you are presented with a boot device selection screen from which you can choose which device to boot from.
The problem is: is this boot sequence managed by the EFI, or by the bootloader on the internal hard drive?
Because if the bootloader is triggered, I'm actually modifying the evidence, and I don't want that to happen.
Can someone in this forum with more experience than me on Macs (everyone, I suppose) give me some advice on how to proceed?
Thank you very much.
One way you could acquire the iMac would be to put it into Target Disk Mode (TDM).
TDM is accessed by holding down the T key on the keyboard when the unit is powered on.
You need to be careful with this (and when trying to boot off a CD), as there may be an Open Firmware password in place on the system that would prevent you from booting from a CD or putting the system into TDM.
You can check whether this is active by holding down the ALT key on the keyboard when you power on the system. If no password is in place, you should see a disk icon appear on the screen. This might also give you an idea of whether a Boot Camp (Windows) partition is present.
Assuming you see the available boot disks on the system, you can either put the machine into TDM and acquire directly, or insert a boot CD and hold down C at startup to boot from this disk. If you get the machine into TDM, you can then connect it to your forensic workstation using a FireWire cable, and the iMac hard disk will be available to image. You will want to have some kind of write protection in place before doing this, though.
If you want to go down the boot CD route, then Raptor from Forward Discovery would be a good option here.
I don't have a FireWire write blocker, so I think I'll boot from a forensic CD or a forensic USB thumb drive and then acquire the internal disk using dd, AIR, Adepto, or any sort of GUI for dcfldd.
dhash from DEFT appears to be pretty good.
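As an added example (not from any poster in this thread), here is the dd-and-hash acquisition the posts above describe, written as a POSIX shell script. It assumes a Linux live environment with GNU coreutils (dd, sha256sum; shasum is used as a fallback) and demonstrates the step practitioners most often get wrong: `conv=noerror,sync` pads to the block size, so `bs=512` (the sector size) is used so that only a genuinely unreadable sector is zero-filled and the image hash can still be compared with the source hash. The source and image paths, the log file name, and the sample data are constructed for illustration; on a real system the source would be the iMac's block device.

```shell
#!/bin/sh
# Added example: forensic-style image of a source device with dd, followed
# by hash verification of source and image. Assumptions (not from the
# thread): Linux live CD/USB with GNU coreutils; the source is read-only.

set -u

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE sector by sector into IMAGE, hashes both, appends the
# result to LOG. Returns 0 when the hashes match, 1 otherwise.
acquire_image() {
    src=$1; img=$2; log=$3
    # bs=512 matches the sector size: conv=sync then pads only an
    # unreadable sector with zeros. With a large bs (e.g. 4M) the final
    # partial block would also be padded, the image would be larger than
    # the source, and the hash comparison below would fail for a clean read.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    {
        echo "date:           $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:         $src"
        echo "image:          $img"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed sample "device": 1 MiB (2048 sectors) of random bytes in a
# temp file, standing in for /dev/sdX on a real acquisition.
make_sample_device() {
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=512 count=2048 2>/dev/null
    echo "$f"
}

# Real-world usage (hypothetical device name, not run here): first apply a
# software write block with `blockdev --setro /dev/sdb`, then
#   acquire_image /dev/sdb /mnt/evidence/imac.dd /mnt/evidence/imac.log
```

The log records the dd statistics (including any read errors reported on stderr) alongside both hashes, which is the minimum a practitioner would want to keep with the image. If the return code is non-zero, either dd hit unreadable sectors (zero-filled in the image) or the source changed during the read; either way the image should not be treated as verified.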
Use
If you don't have a FireWire write blocker, you could use a software write blocker? Just a thought.
This is a good guide for acquiring a Mac
Thank you all very much for the help.