Difference between pages "Training Courses and Providers" and "Disabling Macintosh Disk Arbitration Daemon"

From ForensicsWiki
(Difference between pages)
(NON-COMMERCIAL TRAINING)
 
m
 
Line 1: Line 1:
This is the list of Training Course Providers, who offer training courses at specific dates/times and locations (referred to by [[Upcoming_events]]).
+
#Start Terminal (in the Utilities folder).  
 
+
#Type:
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
+
  cd /etc/mach_init.d
Providers of scheduled training course should be listed in alphabetical order, and should be listed in only one section. Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
+
  ls
 
+
#Look for the file called diskarbitrationd.plist. If this file is in this directory, then disk arbitration is turned on. The disk arbitration file will attempt to mount any device it sees connected to the Mac, so one way you can stop disk arbitration from mounting the suspect's drive is by hiding this file. Simply renaming the file may not work. To do this, store a backup copy of diskarbitrationd.plist under the root directory and then delete the original.  
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
#Type
 
+
  sudo cp diskarbitrationd.plist /
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
+
#Confirm that the copy is there.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
  ls /
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
#Remove the original file from the '''mach-int.d''' directory by typing:
 
+
  sudo rm diskarbitrationd.plist.
==NON-COMMERCIAL TRAINING==
+
#You can restore disk arbitration when your done by typing:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
    sudo cp /diskarbitrationd.plist /etc/mach_init.d.
|- style="background:#bfbfbf; font-weight: bold"
+
You can leave the copy in root for the next time, as it will have no effect on your system if it is left in that directory.
! width="40%"|Title
+
! Website
+
! Limitation
+
|-
+
|Federal Law Enforcement Training Center
+
|http://www.fletc.gov/training/programs/computer-financial-intelligence/technical-operations
+
|Limited To Law Enforcement
+
|-
+
|IACIS
+
|http://www.cops.org/training
+
|Limited To Law Enforcement and Affiliate Members of IACIS
+
|-
+
|SEARCH
+
|http://www.search.org/programs/hightech/calendar.asp
+
|Limited To Law Enforcement
+
|-
+
|National White Collar Crime Center
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited To Law Enforcement
+
|-
+
|}
+
 
+
==TOOL VENDOR TRAINING==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Website
+
! Limitation
+
|-
+
|AccessData (Forensic Tool Kit FTK)
+
|http://www.accessdata.com/courses.html
+
|-
+
|ASR Data (SMART)
+
|http://www.asrdata.com/training/
+
|-
+
|BlackBag Technologies (Macintosh Forensic Suite and MacQuisition Boot Disk)
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|CPR Tools (Data Recovery)
+
|http://www.cprtools.net/training.php
+
|-
+
|Guidance Software (EnCase)
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|Nuix (eDiscovery)
+
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
+
|-
+
|Paraben (Paraben Suite)
+
|http://www.paraben-training.com/training.html
+
|-
+
|Technology Pathways(ProDiscover)
+
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
+
|-
+
|SubRosaSoft (MacForensicsLab)
+
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
+
|-
+
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|}
+
 
+
==COMMERCIAL TRAINING==
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Website
+
! Limitation
+
|-
+
|Computer Forensic Training Center Online (CFTCO)
+
|http://www.cftco.com/
+
|-
+
|CCE Bootcamp
+
|http://www.cce-bootcamp.com/
+
|-
+
|e-fense Training
+
|http://www.e-fense.com/training.php
+
|-
+
|Infosec Institute
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
+
|-
+
|ManTech Computer Security Training
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|Mobile Forensics, Inc
+
|http://mobileforensicsinc.com/
+
|-
+
|NTI (an Armor Forensics Company)
+
|http://www.forensics-intl.com/training.html
+
|-
+
|Security University
+
|http://www.securityuniversity.net/classes.php
+
|-
+
|Steganography Analysis and Research Center (SARC)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|SysAdmin, Audit, Network, Security Institute (SANS)
+
|http://www.sans.org/training/courses.php
+
|-
+
|Vigilar
+
|http://www.vigilar.com/training/
+
|-
+
|}
+
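Review bot: the added commands in the remove and restore steps end with a full stop (`sudo rm diskarbitrationd.plist.` and `sudo cp /diskarbitrationd.plist /etc/mach_init.d.`), and the shell takes that period as part of the argument: the remove looks for a file that does not exist, and the restore copies to a new file named `mach_init.d.` under /etc instead of into the directory. Drop the trailing periods from both commands. The remove step also names the directory '''mach-int.d''' while the commands use /etc/mach_init.d, and "your done" in the restore step should read "you're done".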

Revision as of 10:28, 26 September 2007

  1. Start Terminal (in the Utilities folder).
  2. Type:
       cd /etc/mach_init.d
       ls
  3. Look for the file called diskarbitrationd.plist. If this file is in this directory, then disk arbitration is turned on. The disk arbitration daemon will attempt to mount any device it sees connected to the Mac, so one way to stop it from mounting the suspect's drive is to hide this file. Simply renaming the file may not work. Instead, store a backup copy of diskarbitrationd.plist under the root directory and then delete the original.
  4. Type:
       sudo cp diskarbitrationd.plist /
  5. Confirm that the copy is there:
       ls /
  6. Remove the original file from the mach_init.d directory by typing:
       sudo rm diskarbitrationd.plist
  7. You can restore disk arbitration when you're done by typing:
       sudo cp /diskarbitrationd.plist /etc/mach_init.d

You can leave the copy in root for the next time, as it will have no effect on your system if it is left in that directory.
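
The same procedure as shell functions, given here as an added example that is not part of the original wiki page. It compares the backup with the original byte for byte before deleting anything. The function names and the INIT_DIR and BACKUP_DIR variables are assumptions; their defaults are the paths used in the steps above.

```shell
#!/bin/sh
# Added example, not from the original page. Source this file, then call the
# functions as root (for example from a sudo shell) on the real paths.
# INIT_DIR / BACKUP_DIR are assumed names; defaults match the steps above.
INIT_DIR="${INIT_DIR:-/etc/mach_init.d}"
BACKUP_DIR="${BACKUP_DIR:-/}"
PLIST="diskarbitrationd.plist"

# Prints "on" if the plist is present in INIT_DIR, otherwise "off".
arbitration_state() {
    if [ -f "$INIT_DIR/$PLIST" ]; then echo on; else echo off; fi
}

# Copy the plist to BACKUP_DIR, verify the copy, then remove the original.
disable_arbitration() {
    src="$INIT_DIR/$PLIST"
    dst="${BACKUP_DIR%/}/$PLIST"
    if [ ! -f "$src" ]; then
        # Already removed: acceptable only if a backup exists to restore from.
        [ -f "$dst" ] && return 0
        echo "no $PLIST in $INIT_DIR and no backup in $BACKUP_DIR" >&2
        return 1
    fi
    cp -p "$src" "$dst" || return 1
    # Never delete the original unless the backup is identical to it.
    cmp -s "$src" "$dst" || { echo "backup differs from original" >&2; return 1; }
    rm "$src"
}

# Copy the backup back into INIT_DIR; the backup itself is left in place.
restore_arbitration() {
    dst="${BACKUP_DIR%/}/$PLIST"
    if [ ! -f "$dst" ]; then
        echo "no backup at $dst" >&2
        return 1
    fi
    cp -p "$dst" "$INIT_DIR/$PLIST" && cmp -s "$dst" "$INIT_DIR/$PLIST"
}
```
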