
What software do "you" use for Computer Forensics?

32 Posts
18 Users
0 Reactions
2,792 Views
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

it is also nice to find these 'discrepancies' once in a while because it reduces complacency

I agree entirely, I use all sorts of forensic software including EnCase, FTK, TSK and X-Ways and I have found them all interpreting data wrongly to one degree or another. Some of the errors have been breathtaking in their incompetence.

Paul


(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Hi guys,

I'm a newbie to forensics, so apologies in advance for asking what might seem a silly question.

I've got a friend's Mac Powerbook G4 which I'm trying to image. I've used Raptor PowerCD to boot into a live state but had no joy. Raptor just keeps freezing.

Which tools would you guys recommend I use to capture a clone onto an external USB drive?

Thanks

Nathan


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

"I've used Raptor PowerCD to boot into a live state but had no joy. Raptor just keeps freezing."

How did you burn the CD/DVD? Try to re-burn the ISO at the slowest speed possible, a different writer, different burn software, a different brand of CD/DVD, or all of the above.

You can also try Helix 3 - search around there are download locations out there.

LinEn with x-over and EnCase in acquisition mode.

BlackBag makes MacQuisition - it works well, pretty GUI and therefore no fun for hacking/playing.

The http://www.appleexaminer.com/ site has a bunch of links too.

There is always the dismantle vs. boot 'n image methods. If your friend doesn't mind you taking apart his expensive equipment and enjoys extra screws after you put it together, then that is an option as well.

I am making the assumption that you are learning/playing and this is not actual case work where you could be damaging evidence, correct?


(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Hi Douglas,

Yes, I'm definitely doing all this to increase my own knowledge. I did explore the option of just removing the hard drive. I found a helpful website providing a guide:

http://www.ifixit.com/Guide/Repair/Installing-PowerBook-G4-Aluminum-17-Inch-1-1-67-GHz-Hard-Drive/245/5

However I thought this was the easy option and me being me, very stubborn, decided to pursue the Live CD option. I discovered Raptor is based on an old Linux distribution, 7.10 I believe, and the "black screen" is a common problem with the PowerPC Mac. Many people have complained and most have been unable to solve the issue.

http://mac.linux.be/content/black-screen-or-missing-gui

I did come across MacQuisition but only commercial versions. I'll try the other Live CDs you recommended.

Thanks for your help Douglas. Really appreciated.

Nathan


Welshie
(@welshie)
Eminent Member
Joined: 16 years ago
Posts: 21
 

Nathan,

re: Mac Powerbook G4 (PPC)

As you are not working on real evidence.

Sounds like you're having difficulties… one simple option is to try using a PowerPC Linux CD distro to boot the laptop, there's a few around… SE them.

Burn one onto a CD/DVD/… boot the laptop from it, then image the drive/partition to your external using shell commands (for this purpose DD is your best place to start).

Good luck and be careful to read the DD parameters so you don't overwrite anything.


ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

However I thought this was the easy option and me being me, very stubborn, decided to pursue the Live CD option.

As you learn more about doing digital forensics on laptops, you'll get a pretty good sense about which laptops you will be able to easily remove a hard drive from to examine (Dell) and which ones you'll want to just go with a CD/DVD based option (Apple).

Using a CD/DVD based imaging method is a good way to avoid the dreaded "Bag O' Laptop" at the end of the process.


(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Thank you all for your responses. It's a learning curve, one which can be very frustrating but even more satisfying when you get it! )

Thanks again all!

Nathan


(@dc1743)
Eminent Member
Joined: 21 years ago
Posts: 48
 

Nathan,

Probably the easiest approach in your scenario is to boot the laptop up holding down the T key thus booting it into target disc mode. Then attach it to another computer via a firewire cable. The other computer should be booted with a forensics linux distro which you can then use to image the attached computer as if it is an attached hard drive.

Regards Richard
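Both Welshie's dd-from-a-live-CD route and Richard's target disk mode route end at the same step: raw-copying a block device to a file on the external drive and checking nothing was overwritten. The script below is an added example written for this thread, not code from any poster; it assumes a Linux live environment with dd, sha256sum, df and awk, and /dev/sdX stands in for whatever the imaged PowerBook's disk (or its FireWire target disk) shows up as.

```sh
#!/bin/sh
# Raw acquisition with dd plus the guard rails the thread warns about:
# check the target before writing, never overwrite, never write onto the
# disk being imaged, and hash source and image so the copy can be verified.
# Added example; device and paths are placeholders.

# Usage: image_disk /dev/sdX /mnt/external/case001.dd
# Returns 0 only when the image was written and its hash matches the source.
image_disk() {
    src="$1"
    out="$2"
    log="${out}.log"

    # 1. Refuse early rather than discover a mistake after the first write.
    if [ -z "$src" ] || [ -z "$out" ]; then
        echo "usage: image_disk SOURCE IMAGE" >&2; return 2
    fi
    [ -r "$src" ] || { echo "source $src is not readable" >&2; return 2; }
    # The classic dd accident is swapping if= and of=; the image must be a file.
    if [ -b "$out" ] || [ -c "$out" ]; then
        echo "refusing: output $out is a device node" >&2; return 3
    fi
    [ -e "$out" ] && { echo "refusing to overwrite existing $out" >&2; return 3; }
    # Do not write the image onto a partition of the disk being imaged.
    out_dev=$(df -P "$(dirname "$out")" 2>/dev/null | awk 'NR==2 {print $1}')
    case "$out_dev" in
        "$src"*) echo "refusing: $out lives on $src" >&2; return 3 ;;
    esac

    # 2. Acquire. conv=noerror keeps going past unreadable sectors and sync
    #    pads them with zeros so offsets still line up. bs=512 is deliberate:
    #    a larger block size with conv=sync pads the tail and the hashes would
    #    never match.
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>"$log" || return 4

    # 3. Verify: hash both sides and keep the result with the dd output.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    printf 'source sha256 %s\nimage  sha256 %s\n' "$src_hash" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

Run it from the live CD as root with the source device and a path on the already-mounted external drive; the .log file beside the image records dd's block counts and both hashes.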


ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

Thank you all for your responses. It's a learning curve, one which can be very frustrating but even more satisfying when you get it! )

When I started learning digital evidence acquisition back in the day, it was easier than it is today. We live in a time of some very exciting advances in technology especially in the mobile device space. This means that there is more complexity for digital forensic examiners to deal with when it comes to obtaining evidence.

It's a great time to be in digital forensics, but it's not for the faint hearted or unmotivated.


(@nathan_84)
Eminent Member
Joined: 16 years ago
Posts: 31
 

dc1743 - That's a very interesting method. I definitely will give that a go. Thx again.

ehuber - You're spot on, times are changing and it is becoming more and more challenging. I used to do IT Support, but after 18 months realised I needed to be in a job where I was making a difference and which offered great satisfaction.

