iPod Acquisition
For this section, iPod covers the iPod, iPod Mini and iPod Nano. The iPod Touch is similar to an iPhone and has very different functionality.
Acquiring an iPod is similar to acquiring an external USB storage device. Care needs to be taken to preserve the data and maintain an unaltered state. This is easily accomplished using a Macintosh with OS X 10.5 installed. We can take control of the Disk Arbitration daemon and image the device. Here are the steps for a basic successful image:
- Make certain you do NOT have the iPod connected to your Macintosh.
- Open Terminal.
- Type the following command: ls /dev/disk?
- The output of that command is the set of ‘disk’ entries for all disks currently connected to your Macintosh. If you have more than 10 disks, re-run the command with the following syntax: ls /dev/disk??
- Make note of the current ‘disk’ entries for your Macintosh.
- Turn off Disk Arbitration (download the tools from our Files section to make this easy, or use the Terminal command line method found here).
- Validate that Disk Arbitration is off using test media. Verify that it did not mount automatically.
- Connect the iPod to be imaged. It should not mount on the Desktop in this step, nor should it show in iTunes. Disk Arbitration would need to be running for that to happen.
- In Terminal, re-run the command: ls /dev/disk?
- Make note of the new ‘disk’ entry. This is the iPod you just connected and the device which needs to be imaged.
- In Terminal, begin imaging the iPod using the following command: sudo dd if=/dev/disk# of=~/Desktop/iPodImage.dmg where the ‘#’ represents the device number of the iPod you wish to image.
- Once the imaging has completed, you will have your command prompt back with no error messages. You now need a hash value for the iPod.
- In Terminal, run the following command: sudo openssl dgst -md5 /dev/disk# > ~/Desktop/iPodImage.dmg.md5.txt
- The previous command will calculate an MD5 hash of the physical device and save a text file to the Desktop with the results.
- Once the hash has completed, you will have your command prompt back with no error messages. Remove the iPod by unplugging it from your Macintosh.
- Verify your image with the following Terminal command: sudo openssl dgst -md5 ~/Desktop/iPodImage.dmg >> ~/Desktop/iPodImage.dmg.md5.txt NOTICE the “>>” in this command. If you use a single ‘>’ you will overwrite your original file!
Figure: Results of MD5 hash of physical device and DMG
- In Terminal, you need to take ownership of this image. Do this with the following command: sudo chown ‘username’ ~/Desktop/iPodImage.dmg where ‘username’ represents your username on the Macintosh. This step allows you to own the file in order to take the next step of placing an HFS+ Lock on it.
- In the Finder, Control-click or right-click on the iPod image you just made and select “Get Info”.
Figure: Get Info window for iPod image file
- In the General section, click on the Locked box.
The above figure shows how the image looks without a lock and with a lock placed on it.
You are now able to turn Disk Arbitration back on. Examining a Locked iPod image on a Mac is as simple as double-clicking it in the Finder and it will mount. You can also look at it from Terminal. If you need to simulate read/write ability (for Spotlight indexing, for instance), consider mounting the image using a shadow file.
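As an added example that is not part of the original page, the following POSIX shell script wraps the procedure above and the shadow-file mount just mentioned: it compares the two ‘ls /dev/disk?’ listings to find the newly attached device, chains the page's dd, openssl and chown commands, and checks that the two digests in the .md5.txt file agree before the image is relied upon. The function names, the sample disk listings and hash lines, and the use of ‘chflags uchg’ (as the Terminal equivalent of the Finder Locked box) and ‘hdiutil attach -shadow’ are my assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the iPod imaging
# procedure. Function names, the constructed disk listings and hash lines,
# and the chflags/hdiutil calls are assumptions; dd/openssl/chown are the
# commands the page itself gives.

# list_disks: the page's `ls /dev/disk?` plus `ls /dev/disk??`, so that
# Macs with ten or more disks are covered in one call.
list_disks() {
    ls /dev/disk? /dev/disk?? 2>/dev/null
}

# new_disk_entries BEFORE AFTER: print the /dev/disk entries present in the
# AFTER listing but not in BEFORE. Whole-line matching (grep -x) is used so
# that /dev/disk1 is not mistaken for a prefix of /dev/disk10.
new_disk_entries() {
    before=$1
    after=$2
    printf '%s\n' "$after" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if ! printf '%s\n' "$before" | grep -qxF -- "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# digest_from_line: extract the hex digest from one line of
# `openssl dgst -md5` output, e.g. "MD5(/dev/disk2)= 0cc1..." -> "0cc1..."
digest_from_line() {
    printf '%s\n' "$1" | sed 's/^.*= *//'
}

# verify_hash_file FILE: the page's .md5.txt holds two lines, the device
# digest first and the image digest second (hence the ">>" append).
# Returns 0 only when exactly two digests are present and they are identical.
verify_hash_file() {
    lines=$(grep '^MD5(' "$1" || true)
    [ "$(printf '%s\n' "$lines" | grep -c .)" -eq 2 ] || return 1
    dev_digest=$(printf '%s\n' "$lines" | sed -n '1s/^.*= *//p')
    img_digest=$(printf '%s\n' "$lines" | sed -n '2s/^.*= *//p')
    [ -n "$dev_digest" ] && [ "$dev_digest" = "$img_digest" ]
}

# image_ipod N NAME: the page's imaging, hashing, ownership and lock steps
# for /dev/diskN, producing NAME.dmg and NAME.dmg.md5.txt on the Desktop.
# Needs sudo and a Mac with Disk Arbitration turned off; not run in the demo.
image_ipod() {
    dev=/dev/disk$1
    img=$HOME/Desktop/$2.dmg
    sudo dd if="$dev" of="$img"
    sudo openssl dgst -md5 "$dev" > "$img.md5.txt"
    # ">>" appends; a single ">" would overwrite the device digest.
    sudo openssl dgst -md5 "$img" >> "$img.md5.txt"
    sudo chown "$(id -un)" "$img"
    chflags uchg "$img"   # assumed Terminal equivalent of the Finder Locked box
    verify_hash_file "$img.md5.txt"
}

# mount_with_shadow IMAGE: attach the locked image with a separate shadow
# file so that any writes (Spotlight indexing, for instance) land in the
# shadow file and the evidence image stays untouched. Assumed hdiutil usage.
mount_with_shadow() {
    hdiutil attach -shadow "$1.shadow" "$1"
}

# Constructed sample data standing in for the two `ls /dev/disk?` runs.
BEFORE_LISTING='/dev/disk0
/dev/disk1'
AFTER_LISTING='/dev/disk0
/dev/disk1
/dev/disk2'

# Stand-alone demo: the entry that appeared after connecting the device.
printf 'New device entry: %s\n' "$(new_disk_entries "$BEFORE_LISTING" "$AFTER_LISTING")"
```

In practice you would run list_disks before and after connecting the iPod, feed the two listings to new_disk_entries, and only then call image_ipod with the device number it reports; the final verify_hash_file check is what tells you the image on the Desktop matches the physical device.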
Lastly, if you need to examine this image from other tools, such as Access Data’s Forensic Toolkit, you may need to add the “.dd” extension to the image for everything to work properly. Some applications do not understand the “.dmg” extension used by Disk Utility in the Macintosh world.
Notes on this process:
- As you can see in the above process, I named my image “iPodNano.dmg”. I recommend that you use descriptive file names for your images as well, likely containing case numbers and item numbers.
- The imaging command ‘dd’ has many options that can be used. I recommend you familiarize yourself with these options; I have given you the very basic command here. There are also some excellent builds of ‘dd’ that have much more functionality, such as ‘dcfldd’. I encourage you to take a look.
- Last, the Lock that we placed on the image can be easily overridden by the owner of the file, as you can see. Simply opening the Get Info window and unchecking the box is enough, for instance. Incorporate into your processes safeguards that ensure this file cannot be manipulated after imaging.