Mac OS X Forensics
Never give up, the answer is right in front of you...
-
Our Sponsors
-
Custom Search
Acquisition
Once you have decided that an image of a Macintosh is necessary, there are many valid and forensically sound methods for acquiring a complete physical image of a Macintosh computer. This page will serve as an outline of the methods available.
Target Disk Mode
Apple has built-in to all late model Macintosh computers, a technology found in no other personal computer, Target Disk Mode. This technology allows the Macintosh to become an external Firewire hard drive providing access to the contents contained within. This technology is available on the following Macintosh models according to Apple’s Support website, Article HT1661:
What this note means to us: The Power Mac, Mac Pro and XServe all support multiple internal hard drives. If you have multiple ATA drives inside of these models, Target Disk Mode will only make the “master” drive available. The Power Mac shipped with IDE as a standard and SCSI as an option. Mac Pros and XServes ship with SATA or SAS drives and they will all appear in Target Disk Mode. If the person has installed additional drives that use SCSI or IDE, you may not get the whole picture presented in Target Disk Mode.
Once you have determined that Target Disk Mode is for you, here is how to use it:
Windows Tip for Target Disk Mode Acquisitions
Windows users have long been plagued with the problem of Macs in Target Disk Mode not showing up as a device. There is a fix for this. Using Regedit, we need to remove the 1394 (Firewire) entry. Here is how:
In Windows (of course)
Changes to the Registry are live and there should be no need to reboot your system. The entry for 1394 will be recreated as new Firewire devices are connected.
What should your Acquisition computer be?
A Mac
A PC
What file format should you acquire to?
Of course this is a personal choice but consider this:
What do I do if Target Disk Mode is not an Option?
Your next best option is using a Live CD to boot the target Macintosh, and perform the acquisition to an external hard drive. Using this method, you will use a CD that contains an operating system to boot the Macintosh. This CD should contain an operating system that has been modified to be forensically sound such that is won’t modify the contents of the Mac in any way.
Your choices for this include:
You will need an external hard drive that is larger than the internal disk of the target Mac to guarantee adequate space for acquisition to complete. To use a Live CD as a boot disc, use the following steps:
Note: Your external hard drive should be formatted such that your destination analysis machine can read the contents! If you plan to acquire the Mac using a Live CD such as Raptor, you will be able to use an external drive that is formatted Mac OS Extended (No Journaling Enabled), NTFS and FAT32. If you acquire to a Mac OS Extended file system and then connect to a Windows system, your Windows system will not be able to read the contents of the drive! (MacDrive 7 for Windows fixes this but it costs money)
What if a Live CD is not an option?
Here, you are probably stuck taking the Mac apart to gain access to the physical hard drive. A fabulous website to assist you in taking apart Macs is the iFixit website (http://www.ifixit.com) where their step-by-step guides will show you, down to the last screw, how to get hard drives out of every Macintosh model made! With the hard drive removed, you are free to acquire using any write-blocked method you have traditionally used for any hard drive.
Once you have decided that an image of a Macintosh is necessary, there are many valid and forensically sound methods for acquiring a complete physical image of a Macintosh computer. This page will serve as an outline of the methods available.
Target Disk Mode
Apple has built-in to all late model Macintosh computers, a technology found in no other personal computer, Target Disk Mode. This technology allows the Macintosh to become an external Firewire hard drive providing access to the contents contained within. This technology is available on the following Macintosh models according to Apple’s Support website, Article HT1661:
- iMac (Slot Loading) with Firmware version 2.4 or later
- iMac (Summer 2000) and all models introduced after July 2000
- eMac (all models)
- Mac mini (all models)
- Power Mac G4 (AGP Graphics) with ATA drive
- Power Mac G4 Cube
- Power Mac G4 (Gigabit Ethernet) and all models introduced after July 2000
- Power Mac G5 (all models)
- iBook (FireWire) and all models introduced after September 2000
- MacBook (all models)
- PowerBook G3 (FireWire)
- PowerBook G4 (all models)
- MacBook Pro (all models)
- In addition, the Mac Pro and the XServe support Target Disk Mode.
Tip: FireWire Target Disk Mode works on internal ATA drives only. Target Disk Mode only connects to the master ATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI or SCSI drives.
What this note means to us: The Power Mac, Mac Pro and XServe all support multiple internal hard drives. If you have multiple ATA drives inside of these models, Target Disk Mode will only make the “master” drive available. The Power Mac shipped with IDE as a standard and SCSI as an option. Mac Pros and XServes ship with SATA or SAS drives and they will all appear in Target Disk Mode. If the person has installed additional drives that use SCSI or IDE, you may not get the whole picture presented in Target Disk Mode.
Once you have determined that Target Disk Mode is for you, here is how to use it:
- Power on the Macintosh and IMMEDIATELY hold down the Option key.
- This will cause the Macintosh to boot to either the “Startup Manager” or “Open Firmware Password”
- If you are presented with the bootable partitions, you successfully booted to the Startup Manager. Power Off the Mac by holding down the Power button until shut down.
- If you are presented with a Lock with password dialog box, you have booted to Open Firmware Password. You cannot boot to Target Disk Mode until you remove this password. This is done by changing the amount of physical RAM in the Mac and reseting the PRAM. This also resets the clock so weigh the consequences carefully to your own case.
- Once you have shut down the Mac and determined Target Disk Mode will be available, Power it back on and this time, immediately hold down the “T” key.
- You should now see the Firewire symbol floating around the screen. This indicates the Macintosh is in Target Disk Mode. You can now insert a Firewire cable into the target Mac and connect it to your acquisition computer.
Windows Tip for Target Disk Mode Acquisitions
Windows users have long been plagued with the problem of Macs in Target Disk Mode not showing up as a device. There is a fix for this. Using Regedit, we need to remove the 1394 (Firewire) entry. Here is how:
In Windows (of course)
- Click on Start -> Run and type “regedit” and click on Ok.
- In Regedit, navigate to the key, “My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum” and delete the entry for “1394”
- Exit Regedit.
Changes to the Registry are live and there should be no need to reboot your system. The entry for 1394 will be recreated as new Firewire devices are connected.
What should your Acquisition computer be?
A Mac
- If you choose a Mac, then it should be a Mac that you have successfully disabled DiskArbitration. Once you have disabled DiskArbitration, you can use DD (or any of its derivatives). You can also use MacForensicsLab or BlackBag Mac Forensic Suite to perform an acquisition.
A PC
- If you choose a PC, and it is running Windows, you will need to consider a hardware write blocking device. Windows, all versions, will write to a Mac in Target Disk Mode if the Mac has a FAT32 partition. Windows versions that support NTFS will write to a Mac that has an NTFS partition. Once you have write-blocked the TDM Macintosh, you can acquire using your favorite acquisition method, including the freely available FTK Imager.
- If you choose a PC and it’s running Linux, you will need to consider your auto-mounts. You need to insure that your Linux box is not auto-mounting the Mac. You can use freely available Live CD distributions of Linux that have been modified to be forensically sound to insure against such detrimental actions. One such available distribution is Raptor from Forward Discovery and it is based upon Ubuntu. Live CD distributions typically allow for the installation to your hard drive so you can make an acquisition PC based on Linux.
What file format should you acquire to?
Of course this is a personal choice but consider this:
- A raw image, such as the one produced from DD, is the most widely accepted file format of all analysis tools. Although it is uncompressed, the resulting file can be compressed and split to fit whatever archival media you use.
- A raw image can be directly mounted on a Macintosh as a virtual disk. Any other media format is not directly supported until other support files are installed to your Macintosh (an example is the Encase Expert Witness File Format and the “libewf” project to support it directly on your Macintosh)
What do I do if Target Disk Mode is not an Option?
Your next best option is using a Live CD to boot the target Macintosh, and perform the acquisition to an external hard drive. Using this method, you will use a CD that contains an operating system to boot the Macintosh. This CD should contain an operating system that has been modified to be forensically sound such that is won’t modify the contents of the Mac in any way.
Your choices for this include:
- Raptor from Forward Discovery (Intel and PPC versions available) - Ubuntu Linux based
- ASR Data’s SMART - Ubuntu and Slackware Linux based
- E-Fense Helix v2 - Ubuntu based
- Subrosasoft’s MacForensicsLab which will give you a bootable DVD containing a bootable Mac OS X with the proper modifications - Mac OS X based
- BlackBag MacQuisition. It is a bootable DVD and a bootable Compact Flash card! The speed reported on the Compact Flash card is said to be faster than any of the other available media. - Mac OS X based
You will need an external hard drive that is larger than the internal disk of the target Mac to guarantee adequate space for acquisition to complete. To use a Live CD as a boot disc, use the following steps:
- Power on the Macintosh and IMMEDIATELY hold down the Option key.
- This will cause the Macintosh to boot to either the “Startup Manager” or “Open Firmware Password”
- If you are presented with the bootable partitions, you successfully booted to the Startup Manager. Insert your Live CD. If it does not automatically show, click the rescan arrow.
- If you are presented with a Lock with password dialog box, you have booted to Open Firmware Password. You cannot boot to a Live CD until you remove this password. This is done by changing the amount of physical RAM in the Mac and reseting the PRAM. This also resets the clock so weigh the consequences carefully to your own case.
- If you have determined that you can boot from a Live CD, connect you external drive here, prior to booting from the Live CD.
- Select your Live CD to boot from.
Note: Your external hard drive should be formatted such that your destination analysis machine can read the contents! If you plan to acquire the Mac using a Live CD such as Raptor, you will be able to use an external drive that is formatted Mac OS Extended (No Journaling Enabled), NTFS and FAT32. If you acquire to a Mac OS Extended file system and then connect to a Windows system, your Windows system will not be able to read the contents of the drive! (MacDrive 7 for Windows fixes this but it costs money)
What if a Live CD is not an option?
Here, you are probably stuck taking the Mac apart to gain access to the physical hard drive. A fabulous website to assist you in taking apart Macs is the iFixit website (http://www.ifixit.com) where their step-by-step guides will show you, down to the last screw, how to get hard drives out of every Macintosh model made! With the hard drive removed, you are free to acquire using any write-blocked method you have traditionally used for any hard drive.