Join Us!

Disabling USB, Fire...
 
Notifications
Clear all

Disabling USB, Firewire ports and CD/DVD drive at boot time  

  RSS
ttcobadan
(@ttcobadan)
New Member

Hello,

Yesterday I was doing some forensic job stuf. A mac machine, macbook pro(2009) for imaging.

I tried to image by both usb and firewire of blackbag maquision. It did not work. After that I tried CAINE live bootable cd and it did not work again.

I wonder, is it possible to disable firewire, USB ports and CD/DVD drive at boot time. is it possible to disable these ports at the time pressing option key.

is there a way for doing this?

Thanks

Quote
Posted : 14/02/2013 1:39 pm
lars
 lars
(@lars)
Junior Member

You can block the use of other bootable devices by setting a firmware password

http//support.apple.com/kb/HT1352

You may be able to remove the password by adding or removing a DIMM and then following the rest of the procedure explained here under the 'Force Removing Password Protection' heading

http//www.securemac.com/openfirmwarepasswordprotection.php

ReplyQuote
Posted : 15/02/2013 3:58 am
ttcobadan
(@ttcobadan)
New Member

Hello

Thank you for your reply but I didn't mean that.

I am trying to image that macbook pro(not my macboot pro it is). I will do some forensic examination.

Lots of way I tried to take image but I did not remove harddisk yet.

is it possible to disable USB/Firewire ports or CD drive by firmware like bios.

OR is there a way disabling these ports.

When I press the opion key there is only Machintosh harddisk. Macbook pro does not see blackbak or other live forensic tools.

In the future I may come across this kind of mac computer. May be I haven't got much time to remove hardisk.

roll ?

ReplyQuote
Posted : 15/02/2013 12:42 pm
TuckerHST
(@tuckerhst)
Active Member

Thank you for your reply but I didn't mean that.

Lars described a scenario that could result in what you're experiencing. He also described a way it could be circumvented so you can boot a forensic OS. It seems to me that Lars's response was a direct answer to your questions.

If that's not what you meant, then what do you mean?

ReplyQuote
Posted : 15/02/2013 8:23 pm
jaclaz
(@jaclaz)
Community Legend

@ttcobadan
Maybe you asked the question the other way round.

From your second reply I guess that you don't want to disable anything, you have this thingy which already has these ports/devices disabled and you want to re-enable them.

Is this correct?

If yes, it may mean that someone before you most probably disabled them by applying a setting in the firmware, as lars posted.

According to the given resource, when you press the option key, you should be prompted for a password.

As well if you try to access the firmware Option+O+F, you should be asked a password.

If this doesn't happen, then *something else* has been done to that Mac.

The procedure to reset the password is a bit more complex than described on the mentioned page, however
http//tinyapps.org/blog/mac/200605110700_open_firmware_password_hack.html

jaclaz

ReplyQuote
Posted : 15/02/2013 10:56 pm
ttcobadan
(@ttcobadan)
New Member

Thanks for all replay,

And yes I want to enable the ports again(My terrible english, so sorry)

Macbook pro did not ask any firmware password when I tried from starting USB/Firewire ports. Firstly I was searching the way that the suspicious person take an extra precoution on his macbook pro. May be I missed something. In the future I may come across these kind of stuations (can't take image via usb/firewire or something else)

As I understand so far there is no way like bios architecture that we can enable or disable the ports in mac systems. We can not disable or enable the ports from firmware. so than I can reach a result, my tools for imaging does not support this macbook pro.

ReplyQuote
Posted : 18/02/2013 1:31 pm
jaclaz
(@jaclaz)
Community Legend

As I understand so far there is no way like bios architecture that we can enable or disable the ports in mac systems. We can not disable or enable the ports from firmware. so than I can reach a result, my tools for imaging does not support this macbook pro.

NO.
It is possible. (otherwise you wouldn't have the situation you describe wink ).
It is done by a setting in the firmware.
The known way (cited) is through a proprietary Apple program that modifies these settings in the firmware AND sets a password to change them.
It is possible that OTHER ways exist (provided that you actually tried to access the frimware and you were not prompted to enter a password).
Since the (known) way to reset this password is to change the physical amount of memory (which implies opening the thingy) it is useless, as if you open up the device you can then get the hard disk and image it attached to a write blocker "normally".
So, unfortunately, you are stuck anyway. (

jaclaz

ReplyQuote
Posted : 18/02/2013 3:40 pm
ttcobadan
(@ttcobadan)
New Member

Thank you jaclaz,

yes, unfortunately as you said I am stuck.

it is better way to image by getting harddisk.

Thanks again everybody.

ReplyQuote
Posted : 18/02/2013 7:23 pm
Bulldawg
(@bulldawg)
Active Member

Since the (known) way to reset this password is to change the physical amount of memory (which implies opening the thingy) it is useless, as if you open up the device you can then get the hard disk and image it attached to a write blocker "normally".
So, unfortunately, you are stuck anyway. (

True, except in the case of the newest MacBook Pro and Air computers with the SSD and RAM both soldered onto the motherboard. I wonder how to reset the firmware password on such a computer. Time for some testing.

Even some older model Macs use proprietary connectors for the SSD or HDD that are difficult or even impossible to find adapters for. My default for Macs if they're not easy to open is to boot into target disk mode or single user mode and image from there.

ReplyQuote
Posted : 18/02/2013 9:36 pm
Share: