New iMac (A1418) Imaging Issues


Posted: Mon Oct 14, 2013 7:15 am

Anyone having any luck imaging these without disassembly or imaging live? Having no joy with Paladin v4 or v5 or MacQuisition.

Thanks.

garybrevans
Member

Re: New iMac (A1418) Imaging Issues

Posted: Mon Oct 14, 2013 8:03 pm

When you say no joy... do you mean that none of those boot CDs work or they work and image but you get nothing?

Are you able to boot the iMac with those CDs?
Are you pressing the OPTION key to get the boot menu and do you see the boot CD as a bootable option?

-=Art=-

4n6art
Senior Member

    Re: New iMac (A1418) Imaging Issues

    Posted: Tue Oct 15, 2013 12:18 am

    Try Kali-Linux. It has a forensic mode. Very easy to work with.

    clownboy
    Member

      Re: New iMac (A1418) Imaging Issues

      Posted: Tue Oct 15, 2013 7:12 am

      I mean that all boot CDs we have tried thus far hang at some point during the boot process.

      I'm not that keen to take a heat gun to the screen and start taking them to bits. Last time I did that I had enough parts left over to make an iPhone 5.

      The plan for today is to boot the suspect iMac in TDM.

      Boot a second Mac (with Thunderbolt) with Paladin v5. Attach a target disk to this for the image files to go on.

      Then, attach the suspect iMac to the second Mac via Thunderbolt. With any luck the suspect Mac will be seen as an external attached device in the second Mac and can then be imaged.

      garybrevans
      Member

      Re: New iMac (A1418) Imaging Issues

      Posted: Tue Oct 15, 2013 10:01 am

      Above did not work as the Thunderbolt connected suspect iMac was not recognised as an external storage device on the host Mac.

      garybrevans
      Member

      Re: New iMac (A1418) Imaging Issues

      Posted: Tue Oct 15, 2013 6:38 pm

      The last one we did had the Fusion drive in it, which is a separate SSD linked to the hard drive, installed in very separate locations.

      We found this out after disassembly and trying to image the hard drive alone. The image from the hard drive alone was unrecognized by EnCase, FTK and Blackbag.

      BlackBag's MacQuisition worked when we put it together, imaging from thumbdrive. It would not see the external hdd until we formatted it properly.

      John_Smith
      Member

        Re: New iMac (A1418) Imaging Issues

        Posted: Tue Oct 15, 2013 8:18 pm

        Having read through the post here I did some playing around and a bit of research. Did you try the TDM with firewire?

        Forgive me if I offer advice that you already know. You could do this.

        1. Analysis machine is the same Mac, but not booted from a forensic disk
        2. In Terminal, disable disk arbitration on the analysis machine using: sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
        After disabling disk arbitration you will not be able to mount or eject a disk.
        3. In Terminal, type mount and note the results, then type ls -l /dev/disk* noting the result
        4. Next, connect the firewire cable to the target device and the analysis firewire port
        5. Boot the target device while holding the "T" on the keyboard.
        6. With the device booted, verify that it didn't mount on the analysis machine by repeating step 3. You should see the same mount information as before connecting the target device. However, when listing /dev/disk* you will see the target device, /dev/disk n
        7. You can then acquire the target disk using dd or similar utility to a forensically sterile device attached to the analysis machine.

        I tested this to make sure it worked.

        To make it forensically sound, you run a firewire write-block inline to the target. And, using the dcfldd or similar command include hash verification of the target and image to ensure they match.

        One more thing. I found this in an Apple support blog, "...Note: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives..."

        I didn't see where TDM supports Thunderbolt and I haven't tested it yet. So, if you have the fusion HD configuration and/or Thunderbolt connection for the TDM, I am not sure if you will be successful.

        Good Luck,

        Scott


        Scott Ware
        MSDF, CFCE 

        sgware
        Member
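Steps 3, 6 and 7 of the procedure in the post above, together with the hash comparison it recommends, as an added shell example (not part of the original post or of any tool named in the thread). The function names are hypothetical, and the target's device node is an assumption the examiner supplies after inspecting the node list.

```shell
#!/bin/sh
# Added example. Typical sequence on the analysis machine:
#   snapshot before; (connect target in TDM); snapshot after
#   new_nodes before after          -> lists the target's /dev/diskN nodes
#   acquire_and_verify /dev/diskN /Volumes/evidence/case.dd   (paths assumed)

# Use whichever SHA-256 tool exists (shasum on macOS, sha256sum on Linux).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Steps 3 and 6: record the mount table and the disk device nodes.
snapshot() {    # snapshot PREFIX
    mount > "$1.mount"
    ls /dev/disk* 2>/dev/null | sort > "$1.nodes"
}

# Step 6: refuse to continue if anything was mounted or unmounted between
# the two snapshots; otherwise print the device nodes that newly appeared.
new_nodes() {   # new_nodes BEFORE_PREFIX AFTER_PREFIX
    if ! cmp -s "$1.mount" "$2.mount"; then
        echo "mount table changed after connecting target" >&2
        return 1
    fi
    comm -13 "$1.nodes" "$2.nodes"
}

# Step 7: image the source, then hash source and image and compare.
# No conv=sync here: padding a short final block would change the image hash.
acquire_and_verify() {  # acquire_and_verify SOURCE IMAGE
    av_src=$1
    av_img=$2
    dd if="$av_src" of="$av_img" bs=1048576 2>/dev/null || return 1
    av_h_src=$(sha256_of "$av_src")
    av_h_img=$(sha256_of "$av_img")
    # Keep both digests beside the image for the case notes.
    printf '%s  %s\n%s  %s\n' "$av_h_src" "$av_src" "$av_h_img" "$av_img" \
        > "$av_img.sha256"
    [ "$av_h_src" = "$av_h_img" ]
}
```

Run it as root against the raw device node, with the write blocker inline as the post describes.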