The instructions below are designed to create a forensic image of a Mac computer with a Fusion drive via the command line and Target Disk Mode, so that you don't have to spend piles of money on acquisition programs.

This has NOT been tested on every Apple OS, but I have tested it on Mountain Lion, Mavericks, Yosemite, and El Capitan. Instructions and screen shots are from El Capitan. Read all instructions FIRST, before attempting. This tutorial is about as simple and “step-by-step” as it gets. If, after reading this, there are still things you don’t understand, STOP before you START. If this is your first time dealing with acquisition of Mac computers, now is not the time to practice on a real case.

This tutorial does not get into evidence intake procedures. It is assumed that you are already aware of them and will follow them in every case. This tutorial also assumes that you have the necessary credentials to access the device. With FileVault enabled, you cannot extract a usable image without them.

Without going into great detail, Fusion drive is a technology used by Apple in its iMac line of computers, as well as its Mac line. The Fusion drive actually consists of two hard drives: one solid state drive and one traditional rotating media drive. The SSD gives the system its speed, while the HDD gives it ample storage space. This is not to be confused with two separate drives, or with a RAID system. In a Fusion drive system, the user only sees one hard drive. This is a virtual drive created by the system that incorporates both drives. No data ever actually gets to the HDD until the SSD fills up. It then starts prioritizing data to keep on the SSD. That being said, if the SSD is 128 GB, it will reserve a portion for working space, and this portion does NOT get imaged when imaging the Fusion drive. That is why, when faced with a Fusion drive scenario, you should absolutely image the virtual Fusion drive, and it is recommended that you also image each of the physical drives separately. There are commands to rejoin the two drives into a single Fusion drive after the fact, but they have mixed reviews as to the success rate. This tutorial assumes that you already know how to image the drives individually, and you can see a tutorial of this HERE.

There are some necessary steps to perform prior to actually starting your collection. First and foremost, we must determine if the computer is on or not. This is not a tutorial on seizure practices, but it is assumed that if the computer is on at time of seizure, it will be handled as such, with imaging of RAM, and potential imaging of a live system, being the way to proceed. For instructions on acquiring RAM, click HERE. For instructions on doing a live acquisition on a machine that is running, click HERE. The decision to image live or not is a judgment call based on the situation and goals of the investigation. You will need to prepare destination media to receive the forensic image you are creating. A tutorial for how to format media for use in a Mac environment can be read HERE.

Press the spacebar a couple of times, and if the computer was simply asleep, it will come on. Since this tutorial is based on a computer that is off, we will proceed as such. You must first determine if imaging the drive via this method is even possible. You must check for a number of things in a particular order: a) is there a Firmware Password, b) is FileVault enabled, c) is there a Fusion drive, and d) what is the Block Size. The first two will be determined in early steps below, and the last two will be determined as the imaging process progresses. There are a number of special keystrokes that will cause a Mac to boot in various different ways, some of which are integral to performing forensic acquisitions.

PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
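To illustrate checks (b), (c) and (d) from that list, here is an added shell example, not code from the original tutorial: it parses constructed text that imitates the CoreStorage-era output of `diskutil cs list` and `diskutil info` (the field names Physical Volume, Encryption Type and Device Block Size are assumed from that era's diskutil), so it runs offline; on a real examiner Mac you would substitute the live command output. It also lists the Physical Volume device nodes, since the tutorial recommends imaging those separately in addition to the virtual drive.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: triage of checks
# (b) FileVault, (c) Fusion drive and (d) block size, run over CONSTRUCTED
# text imitating CoreStorage-era "diskutil cs list" / "diskutil info" output
# (field names assumed). Check (a), the firmware password, is not visible
# here. On the examiner Mac, feed the live command output to these functions.

# Constructed: one Logical Volume Group with two Physical Volumes (SSD + HDD),
# i.e. a Fusion drive, and an unencrypted Logical Volume Family.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    Name:         Macintosh HD
    |
    +-< Physical Volume 00000000-0000-0000-0000-000000000002
    |   Disk:     disk0s2
    |
    +-< Physical Volume 00000000-0000-0000-0000-000000000003
    |   Disk:     disk1s2
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000004
        Encryption Type:         None
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000005
            Disk:                  disk2'

# Constructed: the relevant line of "diskutil info disk0".
SAMPLE_INFO='   Device Block Size:        512 Bytes'

# (c) A Fusion drive is a CoreStorage group with more than one Physical Volume.
count_physical_volumes() { printf '%s\n' "$1" | grep -c 'Physical Volume '; }
is_fusion_drive() { [ "$(count_physical_volumes "$1")" -gt 1 ]; }
# Physical Volume device nodes: the disks the tutorial says to image separately.
physical_volume_disks() { printf '%s\n' "$1" | sed -n 's/^ *|  *Disk: *\(disk[0-9s]*\).*/\1/p'; }
# (b) FileVault 2 appears as a Logical Volume Family whose Encryption Type is not None.
is_filevault_enabled() { printf '%s\n' "$1" | grep 'Encryption Type:' | grep -qv 'None'; }
# (d) Device block size in bytes, needed when the imaging block size is chosen.
block_size_bytes() { printf '%s\n' "$1" | sed -n 's/.*Device Block Size: *\([0-9][0-9]*\) Bytes.*/\1/p'; }

preflight_report() {
    if is_fusion_drive "$1"; then
        echo "Fusion drive: yes, physical volumes: $(physical_volume_disks "$1" | tr '\n' ' ')"
    else
        echo "Fusion drive: no"
    fi
    if is_filevault_enabled "$1"; then echo "FileVault: enabled"; else echo "FileVault: not enabled"; fi
    echo "Block size: $(block_size_bytes "$2") bytes"
}
preflight_report "$SAMPLE_CS_LIST" "$SAMPLE_INFO"
```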