Mac OSX Forensics Part 3

mac_osx8

Mac Imaging

In order to preserve the physical integrity of the machine, we chose to image the Mac non-invasively.  We forced the target Mac to enter “Target disk mode” during the boot process and attached a thunderbolt cable.  After attaching the other end of the cable to our “Analysis Mac,” we were able to fully image the “Target Mac” using MacOSX Forensic Imager.

Before the acquisition could be started, we employed Disk Arbitrator. We were not able to use a physical write blocker, due to the nature of Macs so instead we used Disk Arbitrator to keep the integrity of the process. Disk Arbitrator is a software-based write-blocker that also facilitates the mounting and reading of the “Target Mac.” This enabled us to successfully point the imaging software to it while verifying digital integrity of the “Target Mac” by not allowing it to change any potentially sensitive files.  After Disk Arbitrator was up and running and actively write-blocking, we began imaging using the Mac OS X Forensics Imager as stated above.

Mac OS X Forensics Imager is a program found on www.macosxforensics.com that makes an identical copy of the hard drive and saves it in a file that we can then analyze using another program. Mac OS X Forensics Imager saves it in a file that is both EnCase and FTK compatible. After the acquisition was complete, we were able to successfully analyze the collected data.

We will continue the researching this project after the Holiday season, starting on January 12th.