Hello All,
I am trying to verify a process for acquiring a forensically sound image of a MacBook Pro hard drive. I was looking for an open source solution. Here is what I have done:
1. Found a copy of Ubuntu that has been modified to boot on an Intel Mac. The ISO can be found at http//
2. After booting this distribution on a test machine (20" iMac), I discovered that the distribution only had dd. So I added a copy of dcfldd from my Helix disk to my USB drive, which will be used as the destination drive for the image files.
3. I power on the Mac, insert the Ubuntu CD and hold down the option key on the Mac.
4. In a few seconds the Mac will show a list of the bootable devices. I select the CD and boot Ubuntu.
5. I mount the destination drive r/w. Leave the internal source drive un-mounted and image the internal HD using dcfldd.
Is this process forensically sound? Does this process in any way alter the internal HD?
Know of any better distro or methods? Taking the HD out of a MacBook Pro is darn near impossible for the average bear.
Thanks for your help.
–
Mark Hallman, CHFI, GCFA | Digital Works, LLC
Digital Forensic Analyst | 12860 Hillcrest
mhallman@digital-works.net | Suite G123
mobile 830.255.1551 | Dallas, TX 75230
office 972.774-1500
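Steps 2 to 5 above as a checkable script, added here as an example and not code from Mark or anyone else in the thread. It assumes the internal disk is /dev/sda, the destination is a directory on the r/w mounted USB drive, and dcfldd, awk and sha256sum are on the CD; the blockdev read-only step is an extra belt-and-braces measure the post itself does not mention.

```shell
#!/bin/sh
# Added example, not code from any poster in the thread: helper functions
# around a dcfldd acquisition on the modified Ubuntu live CD. Assumed
# names: SRC is the internal disk (e.g. /dev/sda), DEST is a directory on
# the r/w mounted USB drive; dcfldd, awk and sha256sum are assumed present.

# Succeed (exit 0) if DEV or one of its partitions appears in a mounts
# listing (default /proc/mounts); imaging a mounted source is not sound.
is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 }
                     END { exit (found ? 0 : 1) }' "$mounts"
}

# Print the dcfldd command that reads SRC once, writes DEST/NAME.dd and
# hashes the stream as it is read (the hashlog holds the totals).
dcfldd_cmd() {
    printf 'dcfldd if=%s of=%s/%s.dd bs=4k conv=noerror,sync hash=md5,sha256 hashlog=%s/%s.hash\n' \
        "$1" "$2" "$3" "$2" "$3"
}

# Independent check: the SHA-256 dcfldd logged for the source stream
# ("Total (sha256): <hex>") must equal a fresh hash of the image file.
verify_image() {
    img=$1; log=$2
    logged=$(awk -F': ' '/^Total \(sha256\)/ { print $2 }' "$log")
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    [ -n "$logged" ] && [ "$logged" = "$actual" ]
}

# Full run: refuse a mounted source, pin it read-only at block level,
# acquire, then verify. Usage: acquire /dev/sda /media/usb case001
acquire() {
    src=$1; dest=$2; name=$3
    if is_mounted "$src"; then
        echo "refusing: $src is mounted" >&2
        return 1
    fi
    blockdev --setro "$src" || return 1        # kernel-level read-only
    sh -c "$(dcfldd_cmd "$src" "$dest" "$name")" || return 1
    verify_image "$dest/$name.dd" "$dest/$name.hash"
}
```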
This should be sound. You can also get Mac imaging tools from BlackBag software. MacQuisition I believe …
With regard to removing the disk, I think that the guidance for that is available from the Apple website. If not, I know of a source book that I can point you at.
You could also start up the MBP in target disk mode by booting it while holding down the 't' key. Then attach the MBP to your acquisition workstation, mount it r/o and image it that way.
Target disk is wonderful, isn't it? (to those not in the know, it boots a mac into an external firewire drive with direct access)
The issue I had with target mode on an intel mac was getting the resulting image recognised by older forensic apps - has anyone else had the same issue? It works fine on Encase 6, but Encase 4 wouldn't interpret it as anything but raw for me.
Oh, and if you're copying the file system, rather than making an image, use the -H switch in cp. I didn't once, and it just kept copying itself and the workstation over and over until it filled the disk.
sudo cp -R -P -H /Volumes/MacDisk /Volumes/blasko/osxdisk
> The issue I had with target mode on an intel mac was getting the resulting image recognised by older forensic apps - has anyone else had the same issue? It works fine on Encase 6, but Encase 4 wouldn't interpret it as anything but raw for me.
In EnCase 4 and 5 you have to manually add the partitions. EnCase 6 automatically reads the GPT.
Thanks. Sorry to bug you, but how do I go about doing that? I've never needed to yet, but you never know…
Copied from Bill Siebert's post over at Encase
Use the Disk view in EnCase to manually add the partition information. Both the EFI partition and the HFS+ partition will be visible from within EnCase if you do the following:
1) Search the Disk for "HFS"
2) Wait a few minutes and Refresh the "Search Hits"
3) In the Search Hits, find the HFS at the top of the "Search Hits" and click on it
4) Move to the Disk View, where the HFS keyword was found
5) Move back 2 sectors, right-click and choose Add Partition (HFS+)
6) Let the file systems rebuild.
Regards, Richard