Difference between pages "Training Courses and Providers" and "Acquiring a MacOS System with Target Disk Mode"

From ForensicsWiki
(Imported with permission by John Muller)
Training Courses and Providers

This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics.  Conferences which may include training are located on the [[Upcoming_events]] page.

<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month. Others have recurring training but are scheduled at various times throughout the year. Providers' training courses should be listed in alphabetical order, and should be listed in the appropriate section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement.  Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite). Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.

<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>

== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|- style="background:pink;align:left"
! DISTANCE LEARNING
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
|Distance Learning Format
|http://www.cftco.com
|-
|Linux Data Forensics Training
|Distance Learning Format
|http://www.crazytrain.com/training.html
|-
|SANS On-Demand Training
|Distance Learning Format
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
|-
|Champlain College - CCE Course
|Online / Distance Learning Format
|http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
|-
|Las Positas College
|Online Computer Forensics Courses
|http://www.laspositascollege.edu
|-
|- style="background:pink;align:left"
!RECURRING TRAINING
|-
|MaresWare Suite Training
|First full week every month<br>Atlanta, GA
|http://www.maresware.com/maresware/training/maresware.htm
|-
|Evidence Recovery for Windows Vista&trade;
|First full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for Windows Server&reg; 2003 R2
|Second full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for the Windows XP&trade; operating system
|Third full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
|http://www.md5group.com
|-
|}

==NON-COMMERCIAL TRAINING==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="40%"|Website
! width="20%"|Limitation
|-
|Defense Cyber Investigations Training Academy (DCITA)
|http://www.dc3.mil/dcita/dcitaAbout.php
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
|-
|Federal Law Enforcement Training Center
|http://www.fletc.gov/training/programs/technical-operations-division
|Limited To Law Enforcement
|-
|MSU National Forensics Training Center
|http://www.security.cse.msstate.edu/ftc
|Limited To Law Enforcement
|-
|IACIS
|http://www.iacis.com/training/course_listings
|Limited To Law Enforcement and Affiliate Members of IACIS
|-
|SEARCH
|http://www.search.org/programs/hightech/courses/
|Limited To Law Enforcement
|-
|National White Collar Crime Center
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited To Law Enforcement
|-
|}

==TOOL VENDOR TRAINING==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="40%"|Website
! width="20%"|Limitation
|-
|AccessData (Forensic Tool Kit FTK)
|http://www.accessdata.com/courses.html
|-
|ASR Data (SMART)
|http://www.asrdata.com/training/
|-
|ATC-NY (P2P Marshal, Mac Marshal)
|http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
|-
|BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock)
|https://www.blackbagtech.com/training.html
|-
|Cellebrite (UFED)
|http://www.forwarddiscovery.com
|-
|CPR Tools (Data Recovery)
|http://www.cprtools.net/training.php
|-
|Digital Intelligence (FRED Forensics Platform)
|http://www.digitalintelligence.com/forensictraining.php
|-
|e-fense, Inc. (Helix3 Pro)
|http://www.e-fense.com/training/index.php
|-
|Guidance Software (EnCase)
|http://www.guidancesoftware.com/computer-forensics-training-courses.htm
|-
|Micro Systemation (XRY)
|http://www.msab.com/training/
|-
|Nuix (eDiscovery)
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
|-
|Paraben (Paraben Suite)
|http://www.paraben-training.com/training.html
|-
|Software Analysis & Forensic Engineering (CodeSuite)
|http://www.safe-corp.biz/training.htm
|-
|Technology Pathways(ProDiscover)
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
|-
|SubRosaSoft (MacForensicsLab)
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
|-
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
|https://www.wetstonetech.com/trainings.html
|-
|X-Ways Forensics (X-Ways Forensics)
|http://www.x-ways.net/training/
|-
|}

==COMMERCIAL TRAINING==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="40%"|Website
! width="20%"|Limitation
|-
|BerlaCorp iOS and GPS Forensics Training
|http://www.berlacorp.com/training.html
|-
|Computer Forensic Training Center Online (CFTCO)
|http://www.cftco.com/
|-
|CCE Bootcamp
|http://www.cce-bootcamp.com/
|-
|Dera Forensics Group
|http://www.deraforensicgroup.com/courses.htm
|-
|e-fense Training
|http://www.e-fense.com/training/index.php
|-
|Forward Discovery, Inc.
|http://www.forwarddiscovery.com
|-
|H-11 Digital Forensics
|http://www.h11-digital-forensics.com/training/viewclasses.php
|-
|High Tech Crime Institute
|http://www.gohtci.com
|-
|Infosec Institute
|http://www.infosecinstitute.com/courses/security_training_courses.html
|-
|Intense School (a subsidiary of Infosec Institute)
|http://www.intenseschool.com/schedules
|-
|ManTech Computer Security Training
|http://www.mantech.com/capabilities/comptraining.asp
|-
|Mobile Forensics, Inc
|http://mobileforensicsinc.com/
|-
|NetSecurity
|http://www.netsecurity.com/training/registration_schedule.html
|-
|NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program)
|http://www.nidforensics.com.br/
|-
|NTI (an Armor Forensics Company)
|http://www.forensics-intl.com/training.html
|-
|Security University
|http://www.securityuniversity.net/classes.php
|-
|Steganography Analysis and Research Center (SARC)
|http://www.sarc-wv.com/training.aspx
|-
|Sumuri - Forensics Simplified
|http://sumuri.com/
|-
|SysAdmin, Audit, Network, Security Institute (SANS)
|http://computer-forensics.sans.org/course/
|-
|Teel Technologies Mobile Device Forensics Training
|http://www.teeltech.com/tt3/training.asp
|-
|Zeidman Consulting (MCLE)
|http://www.zeidmanconsulting.com/speaking.htm
|-
|}

Acquiring a MacOS System with Target Disk Mode
Revision as of 10:32, 26 September 2007

First, disable the disk arbitration daemon on the forensic Mac, the machine on which you will do the acquisition (see the ForensicsWiki page Disabling_Macintosh_Disk_Arbitration_Daemon). With the daemon running, Mac OS X would automatically mount every volume that appears over FireWire, the suspect's included, and mounting a volume read-write can alter it.

Prepare a clean FireWire drive, formatted HFS+ with Disk Utility, and name the volume "Target". The procedure below tells the suspect's drive apart from the others by its size, so choose a target drive whose capacity differs from both the forensic Mac's internal drive and the suspect's drive. Many new Macs ship with 250GB drives; a target drive of a different size will stand out when you query the disks later.

Note the sizes of all drives in your forensic Mac, if you don't already know them (Apple menu > About This Mac > More Info > ATA).

Connecting
 
  1. Without turning anything on, chain the forensic Mac to the FireWire drive, and the FireWire drive to the suspect's computer, using FireWire cables.
  2. Hold down the "Option" key on the suspect's computer and turn it on.
  3. Whether or not the suspect's computer asks for a password, turn it off again. If no password was requested, you can proceed. If it did ask for one (an Open Firmware password), you cannot do a simple TDM acquisition, because the firmware password blocks the startup key combinations, Target Disk Mode included. You will have to either: 1) remove the drive and do a direct acquisition; or 2) change the installed memory (add or remove a module) and zap the PRAM, which clears the firmware password. The second option alters the suspect's machine, so document it if you take it.

To zap the PRAM, start up the computer and, as soon as you hear the startup chime, hold down these four keys: Command-Option-P-R. It will chime again, and again. Keep holding the four keys until you have heard the chime a total of three times (the initial startup chime and two more while the keys are held).

  4. Assuming that no password was needed, hold down the "T" key and turn the suspect's computer back on. The computer will eventually display the FireWire logo on the screen; it is then in Target Disk Mode (TDM) and its internal drive is presented to the forensic Mac as an external FireWire disk.
Acquisition
 
  1. Turn on the forensic Mac.
  2. Start the Terminal.
  3. At the command prompt, type ls /dev/disk? (or cd /dev followed by ls disk?). This lists the whole-disk device nodes the system can see. You should see at least three: disk0, disk1 and disk2. One of them is the suspect's drive; the other two are the forensic Mac's own drive and the Target drive. You won't necessarily know which is which, so query each one for its size.
  4. Type sudo pdisk /dev/disk1 -dump (pdisk reads the Apple Partition Map used by PowerPC Macs; on a GPT-partitioned Intel Mac use diskutil list instead). Your return will look something like this:

    /dev/disk1 map block size=512
       #:                type name               length   base      ( size )
       1: Apple_partition_map Apple                  63 @ 1
       2:      Apple_Driver43*Macintosh              56 @ 64
       3:      Apple_Driver43*Macintosh              56 @ 120
       4:    Apple_Driver_ATA*Macintosh              56 @ 176
       5:    Apple_Driver_ATA*Macintosh              56 @ 232
       6:      Apple_FWDriver Macintosh             512 @ 288
       7:  Apple_Driver_IOKit Macintosh             512 @ 800
       8:       Apple_Patches Patch Partition       512 @ 1312
       9:           Apple_HFS OS X             72600384 @ 1824     ( 34.6G)
      10:           Apple_HFS OS 8.6            5537944 @ 72602208 (  2.6G)
      11:          Apple_Free                        0+@ 78140152

 
  5. In BSD device naming, the partitions of a disk are called "slices": /dev/disk1s9 is slice 9 of disk1, and the slice numbers are the entry numbers in the pdisk map. This dump shows a 34.6G Apple_HFS slice at entry 9 and a 2.6G one at entry 10. Add them up (the small driver partitions contribute almost nothing) and you're looking at a nominal "40G" drive. If the total is the wrong size, you are looking at the wrong disk. Repeat step 4 for disk0 and disk2 to identify all the disks.
  6. Let's assume that your Target volume is disk2 and is a 120GB drive. If it is formatted as HFS, the query in step 4 should return something like this:

    /dev/disk2 map block size=512
       #:                type name               length   base      ( size )
       1: Apple_partition_map Apple                  63 @ 1
       2:          Apple_Free                        0+@ 64
       3:           Apple_HFS Apple_HFS_Untitled_2 239859504 @ 262208 (114.4G)
       4:          Apple_Free                        0+@ 240121712

Notice that slice 3 is 114.4 GB in size. Slice 3 is the "working area" on this 120G drive and is the slice that you will make available for receiving your evidence, using the mount command in step 8 below.
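The size check in steps 3 to 6 can be scripted against the text pdisk prints. The shell script below is an added example and not part of the original page: it parses the two dumps quoted above (embedded here as constructed sample input), computes each disk's capacity from the partition map, reports which map entries are Apple_HFS slices (the sN you would mount on the Target drive or image on the suspect's), and checks a disk against a nominal capacity. The function names and the 10% tolerance are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: identify which /dev/diskN is which
# from "pdisk -dump" text, the size check that steps 3 to 6 do by eye.
# The two dumps quoted on the page are embedded below as constructed sample input.

DUMP_DISK1='/dev/disk1 map block size=512
   #:                type name               length   base      ( size )
   1: Apple_partition_map Apple                  63 @ 1
   2:      Apple_Driver43*Macintosh              56 @ 64
   3:      Apple_Driver43*Macintosh              56 @ 120
   4:    Apple_Driver_ATA*Macintosh              56 @ 176
   5:    Apple_Driver_ATA*Macintosh              56 @ 232
   6:      Apple_FWDriver Macintosh             512 @ 288
   7:  Apple_Driver_IOKit Macintosh             512 @ 800
   8:       Apple_Patches Patch Partition       512 @ 1312
   9:           Apple_HFS OS X             72600384 @ 1824     ( 34.6G)
  10:           Apple_HFS OS 8.6            5537944 @ 72602208 (  2.6G)
  11:          Apple_Free                        0+@ 78140152'

DUMP_DISK2='/dev/disk2 map block size=512
   #:                type name               length   base      ( size )
   1: Apple_partition_map Apple                  63 @ 1
   2:          Apple_Free                        0+@ 64
   3:           Apple_HFS Apple_HFS_Untitled_2 239859504 @ 262208 (114.4G)
   4:          Apple_Free                        0+@ 240121712'

# pdisk_block_size DUMP: the map block size from the first line (512 here).
pdisk_block_size() {
  printf '%s\n' "$1" | sed -n '1s/.*block size=\([0-9][0-9]*\).*/\1/p'
}

# pdisk_total_sectors DUMP: capacity in blocks, i.e. the highest base+length
# over all map entries. pdisk prints the length before "@" and the base after
# it; the trailing Apple_Free entry uses the "0+@ base" form, which has no
# space before "@", and its "0+" length is treated as 0.
pdisk_total_sectors() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+:/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "@") { len = $(i - 1); base = $(i + 1) }
        else if ($i ~ /@$/) { len = $i; sub(/@$/, "", len); base = $(i + 1) }
        else continue
        sub(/\+$/, "", len)
        end = base + len
        if (end > max) max = end
        break
      }
    }
    END { print max + 0 }'
}

# pdisk_size_gb DUMP: capacity in decimal gigabytes (the "40G" on the label),
# to one decimal place.
pdisk_size_gb() {
  awk -v s="$(pdisk_total_sectors "$1")" -v b="$(pdisk_block_size "$1")" \
    'BEGIN { printf "%.1f\n", s * b / 1e9 }'
}

# pdisk_hfs_slices DUMP: entry numbers of the Apple_HFS partitions; entry N
# is /dev/diskXsN, the node you would mount (Target) or image (suspect).
pdisk_hfs_slices() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+: *Apple_HFS/ { n = $1; sub(/:$/, "", n); printf "%s%s", sep, n; sep = " " }
    END { print "" }'
}

# pdisk_matches_nominal_gb DUMP GB: succeeds when the computed size is within
# 10% of the nominal capacity (a tolerance chosen for this example).
pdisk_matches_nominal_gb() {
  awk -v g="$(pdisk_size_gb "$1")" -v n="$2" \
    'BEGIN { d = g - n; if (d < 0) d = -d; exit !(d <= n * 0.10) }'
}

# Demo: report both disks, then test the page's assumption that disk2 is the
# 120GB Target drive.
for d in "$DUMP_DISK1" "$DUMP_DISK2"; do
  name=$(printf '%s\n' "$d" | sed -n '1s/ .*//p')
  printf '%s: %s GB, Apple_HFS slices: %s\n' "$name" "$(pdisk_size_gb "$d")" "$(pdisk_hfs_slices "$d")"
done
if pdisk_matches_nominal_gb "$DUMP_DISK2" 120; then
  echo "disk2 matches the 120GB Target drive"
else
  echo "disk2 is not the 120GB drive; check the other disks"
fi
```

On the forensic Mac you would feed the script real output, for example pdisk_size_gb "$(sudo pdisk /dev/disk1 -dump)"; the capacity comes out in decimal gigabytes so it can be compared directly with the figure printed on the drive label, while the sizes pdisk itself prints in parentheses are in binary gigabytes.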

 
  7. Once you have confirmed which drive is which, you are ready to go. Let's assume that your forensic drive is disk0, the suspect's drive is disk1, and the Target drive is disk2.
  8. Because disk arbitration is turned off, the Target drive has not been mounted and so cannot yet receive the image. Mount it by hand; specifically slice 3 of disk2 (create the mount point directory first if /Volumes/Target does not exist):

    sudo mount -t hfs /dev/disk2s3 /Volumes/Target

  Mount only the Target drive. The suspect's disk1 stays unmounted throughout, so nothing is written to it.

If you are still unsure which drive is which, you can check now that Target has been mounted. Clear the Terminal screen with Command-K, then type

    ioreg -l

Buried in the resulting display is information about the connected drives. Use Terminal's Edit > Find and search for disk1; scroll through the hits and you should see the make and model of disk1. Repeat for disk2: the make and model listed against each BSD name lets you match disk1 to the suspect's machine and disk2 to the Target drive you just mounted.

At this point you have the choice of imaging the suspect's entire drive (recommended) or only the slice that you want. To image the entire drive, type:

    sudo dd if=/dev/disk1 bs=1024 conv=notrunc,noerror,sync of=/Volumes/Target/Evidence.dmg

This writes a raw dd image to the root of Target and names it Evidence.dmg. The conv=noerror,sync options keep dd reading past unreadable blocks and pad each one with zeros, so that offsets in the image stay aligned with the source. Be aware that sync also pads a final short read out to bs: if the device size is not a multiple of bs, the image will be slightly larger than the device and its hash will not match the device's (bs=512, the sector size, avoids this). When dd finishes, hash the image with md5 (or openssl dgst) and record the value in your notes; hashing /dev/disk1 the same way lets you show that the image matches the source.

If you only want to image particular slices, add the slice to the command, i.e.

    sudo dd if=/dev/disk1s9 bs=1024 conv=notrunc,noerror,sync of=/Volumes/Target/Evidence.dmg

A separate acquisition can be done for each slice you want to examine, by changing the slice number and giving each image a different file name, e.g. EvidOS8.dmg.

The advantage of imaging the whole disk is that you can later bring it into EnCase as a single evidence file.
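To see the dd options above at work without a suspect drive attached, the shell script below runs them against a constructed stand-in for /dev/disk1 (a plain file) and verifies the copy by checksum. It is an added example, not part of the original page or its author's procedure: the file size, the function names and the use of cksum (the only checksum tool POSIX guarantees, where the forensic Mac would use md5) are this example's own choices. It also demonstrates the padding caveat noted above, where conv=sync with bs=1024 makes the image of a source that is not a multiple of 1024 bytes come out larger than the source.

```shell
#!/bin/sh
# Added example, not from the original page: run the page's dd options against
# a constructed stand-in for /dev/disk1 (a plain file, since no suspect drive
# is attached here) and verify the copy by checksum. It also shows the padding
# that conv=sync adds when the block size does not divide the source size.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_fake_device PATH SECTORS: a deterministic "disk" of SECTORS 512-byte
# sectors, every byte the letter A (constructed test data).
make_fake_device() {
  dd if=/dev/zero bs=512 count="$2" 2>/dev/null | tr '\000' 'A' > "$1"
}

# image_device SRC IMAGE BS: the acquisition command from the page with a
# chosen block size. noerror keeps dd reading after a failed read; sync pads
# each short or failed input block with zeros to BS so offsets in the image
# line up with the source.
image_device() {
  dd if="$1" of="$2" bs="$3" conv=notrunc,noerror,sync 2>/dev/null
}

file_size() { wc -c < "$1" | tr -d ' '; }

# cksum is the checksum tool POSIX guarantees; on the forensic Mac you would
# hash with md5 (or openssl dgst) and record the value in your notes.
checksum_of() { cksum < "$1" | awk '{ print $1 }'; }

# verify_image SRC IMAGE: succeeds when the image checksum equals the source's.
verify_image() {
  [ "$(checksum_of "$1")" = "$(checksum_of "$2")" ]
}

# padded_tail_bytes SRC IMAGE: bytes dd appended beyond the end of the source.
padded_tail_bytes() {
  echo $(( $(file_size "$2") - $(file_size "$1") ))
}

# Demo: a 7-sector (3584-byte) device is not a multiple of bs=1024, so the
# page's bs=1024 command pads the image by 512 bytes and the checksums
# disagree; bs=512 (the sector size) copies it exactly.
DEV="$WORK/disk1"
make_fake_device "$DEV" 7
image_device "$DEV" "$WORK/padded.dmg" 1024
image_device "$DEV" "$WORK/exact.dmg" 512
echo "bs=1024: $(padded_tail_bytes "$DEV" "$WORK/padded.dmg") bytes of padding"
if verify_image "$DEV" "$WORK/padded.dmg"; then echo "bs=1024 image verifies"; else echo "bs=1024 image does not verify"; fi
if verify_image "$DEV" "$WORK/exact.dmg"; then echo "bs=512 image verifies"; else echo "bs=512 image does not verify"; fi
```

Real disks are always a whole number of 512-byte sectors, so with bs=1024 the problem only arises for a drive with an odd sector count; the examiner's defence is the same either way, which is to hash the source device and the image independently and record both values rather than assume the copy is exact.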

 
  9. You're done. Unmount the Target drive by typing

    sudo umount /Volumes/Target

Shut down your forensic Mac and then shut down the suspect’s Mac. Disconnect the firewire connection to the suspect’s Mac.

Examination

 
  1. Reboot your forensic Mac and restore the diskarbitrationd.plist file to the /etc/mach_init.d directory (the disabling procedure left it at /). Type

    cd /

    sudo cp diskarbitrationd.plist /etc/mach_init.d

Turn the forensic Mac off and back on so that disk arbitration starts again. Power up the Target drive. It should mount and appear on your desktop. Open it.

  2. The Evidence.dmg file should appear. Select it with a single click and lock it via Get Info (Command-I) so that it is write protected.

You can now double-click Evidence.dmg to mount it and explore it within the native Mac OS environment.

If the image won't mount, go into the Terminal and type the following:

    sudo hdiutil attach /Volumes/Target/Evidence.dmg -shadow

The -shadow option sends any writes to a separate shadow file rather than to Evidence.dmg, so the image itself stays unchanged; -readonly is an alternative when you do not need the mounted filesystem to be writable at all.

If you want to move the evidence file into EnCase, change the .dmg extension to .001 and add it as a raw image.

Jon Muller
San Jose PD
(With guidance from Derrick Donnally)
July-05