Acquiring a MacOS System with Target Disk Mode

From ForensicsWiki
Revision as of 10:29, 26 September 2007 by Simsong (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

First, Disable the disk arbitration daemon on the machine where you will do the acquisition.

Prepare a clean firewire drive in HFS+ using Mac Disk Utility; name the volume “Target”. This process relies on being able to identify which drive is the suspect's drive by knowing its size. Many new Macs are shipping with 250GB drives. Having a unique firewire target drive size will help you identify it later, as you will see below.

Note the sizes of all drives on your forensic Mac, if you don't already know. (Go to the Apple menu>About This Mac>More info>ATA.)