Difference between pages "Disabling Macintosh Disk Arbitration Daemon" and "GRR"

From Forensics Wiki
= Disabling Macintosh Disk Arbitration Daemon =

#Start Terminal (in the Utilities folder).
#Type:
  cd /etc/mach_init.d
  ls
#Look for the file called diskarbitrationd.plist. If this file is in this directory, then disk arbitration is turned on. The disk arbitration daemon will attempt to mount any device it sees connected to the Mac, so one way you can stop disk arbitration from mounting the suspect's drive is by hiding this file. Simply renaming the file may not work. To do this, store a backup copy of diskarbitrationd.plist under the root directory and then delete the original.
#Type:
  sudo cp diskarbitrationd.plist /
#Confirm that the copy is there:
  ls /
#Remove the original file from the '''mach_init.d''' directory by typing:
  sudo rm diskarbitrationd.plist
#You can restore disk arbitration when you're done by typing:
  sudo cp /diskarbitrationd.plist /etc/mach_init.d

You can leave the copy in root for the next time, as it will have no effect on your system if it is left in that directory.

= GRR =

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.

The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.

= See also =
* [[rekall]]

= External Links =
* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]], Digital Investigation, 2013.

== Presentations ==
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]

Revision as of 14:36, 12 January 2014

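The disk arbitration procedure from the "Disabling Macintosh Disk Arbitration Daemon" page, scripted as an added example (not the wiki's own content) with a status check, a byte-for-byte verification of the backup before the original is deleted, and a restore step. It assumes the /etc/mach_init.d location the page describes; MACH_INIT_DIR and BACKUP_DIR are hypothetical overrides so the logic can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the Forensics Wiki page. Backs up, removes and
# restores diskarbitrationd.plist so a connected evidence drive is not
# auto-mounted. Assumes the /etc/mach_init.d location the page gives;
# MACH_INIT_DIR and BACKUP_DIR are hypothetical overrides for testing.
# Run as root, e.g.: sudo sh disable_diskarb.sh disable

MACH_INIT_DIR="${MACH_INIT_DIR:-/etc/mach_init.d}"
BACKUP_DIR="${BACKUP_DIR:-/}"
PLIST="diskarbitrationd.plist"

# Returns 0 when disk arbitration is enabled (plist still present in
# mach_init.d) and 1 otherwise: the check from step 3 of the page.
disk_arbitration_enabled() {
    [ -f "$MACH_INIT_DIR/$PLIST" ]
}

# Copy the plist to the backup location, verify the copy, and only then
# delete the original (steps 4 to 6). The page notes that renaming in
# place may not work, so the file is copied out and removed instead.
disable_disk_arbitration() {
    if ! disk_arbitration_enabled; then
        echo "disk arbitration already disabled: no $MACH_INIT_DIR/$PLIST" >&2
        return 0
    fi
    cp "$MACH_INIT_DIR/$PLIST" "$BACKUP_DIR/$PLIST" || return 1
    if ! cmp -s "$MACH_INIT_DIR/$PLIST" "$BACKUP_DIR/$PLIST"; then
        echo "backup verification failed; original left in place" >&2
        return 1
    fi
    rm "$MACH_INIT_DIR/$PLIST"
}

# Put the saved plist back (step 7); the copy stays in BACKUP_DIR for next time.
restore_disk_arbitration() {
    if [ ! -f "$BACKUP_DIR/$PLIST" ]; then
        echo "no backup at $BACKUP_DIR/$PLIST; nothing to restore" >&2
        return 1
    fi
    cp "$BACKUP_DIR/$PLIST" "$MACH_INIT_DIR/$PLIST"
}

case "${1:-}" in
    status)  if disk_arbitration_enabled; then echo enabled; else echo disabled; fi ;;
    disable) disable_disk_arbitration ;;
    restore) restore_disk_arbitration ;;
esac
```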