What we did was to take a previous e01 image of a Mac, restore it to an external USB drive, configure it as our own forensic version and then use that drive to boot the computer by holding down the option key. Have your forensic tools like FTK Imager for Mac (GUI version) preloaded on it and create your e01 directly to it. FTK Imager for Mac defaults to imaging the internal drive. FYI, be careful, there are MacBook Pros out there that have M2 type SSDs and ALSO a 500 GB or 1 TB SATA data drive. If you are not careful you can open it up and only see the data drive.
If a hard drive is encrypted, a live image will allow you to create a logical image of the partition in an unencrypted state. In my previous posts I covered how to image a Mac using and a disk. I've put off doing this blog post because there is a very detailed and well written by Matt at 505Forensics that covers this topic. In his blog post, Matt walks through, step by step, how to image a Mac using the tool for Mac OS X operating systems. As such, I wanted to cover how to do a live image using the as another option. Out in the field, I've found that imaging seems to take longer when using FTK Imager.
I finally had a chance to do some testing and found that it took FTK Imager almost 2 hours to image a drive to a raw image (no compression). It took just 15 minutes using dd with an MD5. My test system was a MacBook Air, Early 2015, running OS X El Capitan, with a 75 GB partition being imaged. Using the FTK command line has some distinct advantages over dd: there are options to compress the image, choose the e01 format and supply case information. However, if time and speed are an issue, dd may be a better option. For example, I've been onsite when 10 Macs needed to be imaged; dd was nice to use so we could finish up in time for dinner. If you can leave an image running overnight, it's probably not as critical.
In the 34th episode of the Digital Forensic Survival Podcast, Michael Leclair talks about his favourite tools for OS X forensics. He presents a wide list of forensic tools which can be used for solving common problems, such as imaging, file analysis, data carving, decryption, email analysis, etc.
See below for the test data:
FTK Imager: total image time 1 hour, 49 min and 04 sec.

diskutil list (no FileVault2 / no encryption)
My system has both OS X and Windows (Bootcamp) installed.
As you can see, /dev/disk0 is my physical drive. Partition 2 is the Macintosh HD and partition 4 is the Windows (aka Bootcamp) partition. The logical, active device I want to image is /dev/disk1.
As you can see in the screenshot above, it is listed as the logical, unencrypted volume and refers back to disk0s2. (If you do run across a system with Bootcamp you will probably want to grab that partition as well, but for the purpose of this blog post I am focusing on the Mac partition.)

Below is a screenshot of what the same system looks like with FileVault2 turned on. Note that it says 'Unlocked Encrypted'.
In this scenario, /dev/disk1 is the logical volume I want to image.

sudo dd if=/dev/rdisk1 bs=4k conv=sync,noerror of=/Volumes/MAC-Images/myimage.dd

Let's break down this command:
sudo: run as super user.
if=/dev/rdisk1: this stands for input file. This will be the disk that requires imaging.
bs=4k: this is the block size used when creating an image. The Forensic Wiki recommends 4k.
conv=sync,noerror: if there is an error, null fill the rest of the block; do not error out.
of=/Volumes/MAC-Images/myimage.dd: this stands for output file. This is the raw image written to the external drive.

Better yet, let's add in an MD5 so we can have a hash of the image to make it more 'forensicky'. In order to do this.

Thanks for the great questions. I have not done any speed tests on Macquisition as I don't have access to the software.
You are correct: when a user/examiner logs into the system, the partition is unencrypted and presented (in this example) as /dev/disk1. The link I presented earlier to 505forensics explains this really well. The external hard drive was a Western Digital My Passport Ultra formatted with HFS+, and the USB interface according to the specs is 'USB 3 ports (up to 5 Gbps)'. Also, you mentioned single user mode; this terminology actually refers to a special mode that I have covered in another blog post (but the concept is the same). When you boot into single user mode using COMMAND-S and supply the username and password, the partition is mounted in an unencrypted state.
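The dd command from the post with an MD5 computed in the same pass, plus a second-pass check of the written image, as an added example that is not part of the original post. It assumes a POSIX shell with dd, tee and awk, and either md5sum (Linux) or md5 (macOS); the sample invocation in the comments reuses the post's /dev/rdisk1 and /Volumes/MAC-Images paths.

```shell
#!/bin/sh
# Added example (not from the original post): image with dd while hashing the
# stream, then verify the finished image against the stored digest.
# Assumed tools: dd, tee, awk and either md5sum (Linux) or md5 (macOS).
set -eu

# Hash standard input and print only the hex digest. md5sum prints "hash  -"
# and md5 prints the bare hash, so the first field is the digest in both cases.
md5_stream() {
  if command -v md5sum >/dev/null 2>&1; then md5sum; else md5; fi | awk '{print $1}'
}

# Image SRC to OUT while hashing the stream. Same options as the post: 4k
# blocks, and on a read error pad the block with NULs and keep going instead
# of aborting. tee splits the stream so the hash covers exactly the bytes
# written to the image. dd's record counts go to OUT.dd.log for the notes.
# Prints the digest and stores it in OUT.md5.
image_with_hash() {
  src=$1; out=$2
  dd if="$src" bs=4k conv=sync,noerror 2>"$out.dd.log" \
    | tee "$out" | md5_stream > "$out.md5"
  cat "$out.md5"
}

# Re-hash the finished image and compare with the stored digest. Returns 0
# when they match, 1 otherwise; run it before sealing the drive and again
# whenever the image is copied or restored.
verify_image() {
  out=$1
  expected=$(cat "$out.md5")
  actual=$(md5_stream < "$out")
  if [ "$expected" = "$actual" ]; then
    echo "OK $out $actual"
  else
    echo "MISMATCH $out expected $expected got $actual" >&2
    return 1
  fi
}

# On the examiner's Mac this would be run as in the post, e.g.
#   sudo sh image.sh /dev/rdisk1 /Volumes/MAC-Images/myimage.dd
# (rdisk is the raw, unbuffered device node, which is why it is the faster choice).
if [ $# -eq 2 ]; then
  image_with_hash "$1" "$2"
  verify_image "$2"
fi
```

Because conv=sync pads a short or unreadable block to the full 4k, the digest is a hash of the image as written, not of the source device; keep the dd.log record counts alongside it so any padded blocks are accounted for.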