This post will cover another option, creating an image by booting a Mac into single-user mode. My first post was on how to image a Mac with a bootable Linux distro. Make a forensic image of physical memory (32 and 64 bit) Determine if disk level encryption is turned on.This is the second post in my series on different ways to image a Mac. Make forensic images of all internal devices. A multi-platform LIVE side for three environments Mac OS X, Windows and Linux with one simple to use interface. Get the only tool with a Live and Bootable side for your investigation needs.Once in single-user mode, a USB drive can be attached and dd can be used to create an image.Forensic copies in the Encase format can significantly save disk space on the computer of an incident investigation specialist or a computer forensics expert.Virtual Live Boot. In single-user mode, the internal hard drive is mounted read only and a limited set of commands are available. Single-user mode is a limited shell that a Mac can boot into before fully loading the operating system. Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual. FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted. Provide any additional storage devices with individual.Features & Capabilities.
Boot Cd For Forenisc Image Mac Into SingleWhile not as forensically sound as using a write blocker or booting into a Linux distro, less changes are made than fully booting the operating system to take a live image. Mention that you need a Mac-compatible forensic boot CD to make an image.8.Explain that BlackBag Technologies sells acquisition products specifically.In order to mount the USB drive, the internal drive needs to be changed to read/write to create a mount point. It is both an effective investigations tool as well as a means by which. Live Boot gives the investigator a unique perspective into a suspects computer use. Boot both Windows (all versions) and Macintosh computers. For each step I will cover both scenarios. Three partitionsWere created by default during the initial setup: an EFI partition, a MacOSX partition, and a recovery partition.I tested two scenarios, one without encryption and one with encryption (FileVault 2). Another benefit is that if there is FileVault encryption, the encrypted drive is decrypted after a username and password are supplied.The system I used for testing was a Mac Mini, OS X Version 10.8.5 with one hard drive. At this time, I do not to have the USB drive that will hold the image plugged in.If the system is not encrypted a bunch of white text will scroll and finally present a shell with root:Here I can see "MacEncryptedImage" and "MacImage", the folders I created on the USB drive. I usually hold down this key combo before I even power on the system so I don't accidentally "miss" it. While the system is booting, select COMMAND-S to enter single-user mode. I have had some people in the community provide some great tips and suggestions since this was posted!The first step is to boot into single-user mode. if=/dev/disk0: this stands for input file. The syntax looks something like this:Dd if=/dev/disk0 bs=4k conv=sync,noerror of=/tmp/usb/mac_image.dd For dd, I use the options recommend on the Forensic Wiki page. Since FAT32 has a 4GB file size limit, dd will need to be piped through the split command to keep the file size under 4GB:So, in summary, here are the steps and commands covered above: Rdisk provides access to the raw disk which is supposed to be faster then /dev/disk which uses buffering.For the unencrypted system the image will be of /dev/disk0 to a FAT32 USB mounted drive. conv=sync,noerror: if there is an error, null fill the rest of the block do not error outIf /dev/rdisk is available this can be used instead of /dev/disk. The Forensic Wiki recommends 4K bs=4K : this is the block size used when creating an image. Pokemon crystal emulator macUse mkdir /tmp/USB to create a mount point Use mount -uw / to change internal drive to read/write Use ls /dev/disk* to determine USB drive device Use ls /dev/disk* to determine the disk(s) to image ![]() Boot using Option key, see if there is no Lock Icon, shutdown and reboot from Single User Mode.If a Firmware password is set, I have seen times when it it would bypass single user mode boot up directly the system and change a lot of time stamps at boot timeYou can also try to boot from the recovery partition then from Single User Mode from the recovery partition. I wanted to pass them on as they are really helpful!A few things I thought I would pass on about your post:It is always good to boot a Mac first holding down the Option key to make sure the system does not have a Firmware Password before trying to boot into Single User Mode. Remember - Trust but Verify! :)These are some comments sent to me by Derrick Donnelly. Single user-mode logs in as root, and this can be very dangerous. I know you talked about the raw disk in your blog but I can tell you for sure that the risk will be faster when using dd.Dd if=/dev/rdisk0 bs=65536 conv=noerror,sync of=/dev/rdisk2Output = /dev/rdisk1 (going directly to a device instead of a file)I also tend to use a big block size of bs=65536 but if you run into media errors, you can lose more data if you have the media errors.If you do image to a single file, you could use the. You might also want to wipe the destination drive before imaging.When you do the mount -uw you will change the last modified date and time for the volume at a minimum.Suppose you have disk0 (internal drive) and disk2 (external usb drive)When using a disk in Mac OS X as a source or destination, you should always you the rdisk entry for that disk entry (it will make for faster imaging). The destination device has to be the same size or larger (usually easier to just have a larger drive). Later you could image from that clone drive to files or a single. Dmg files.If you image to a device (or clone to it), once the imaging is complete you have to put the clone drive on a Write-Blocker or time stamps again will change.
0 Comments
Leave a Reply. |
AuthorKevin ArchivesCategories |