Posted: Tue Oct 15, 2013 8:18 pm
Having read through the post here I did some playing around and a bit of research. Did you try the TDM with firewire?
Forgive me if I offer advice that you already know. You could do this.
1. Analysis machine is the same Mac, but, not booted from a forensic disk
2. In Terminal disable disk arbitration on the analysis machine using .. sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
After disabling disk arbitration you will not be able to mount or eject a disk.
3. in Terminal, type mount and note the results, then, type ls -l /dev/disk* noting the result
4. Next, connect the firewire cable to the target device and the analysis firewire port
5. Boot the target device while holding the "T" on the keyboard.
6. With the device booted, verify that it didn't mount on the analysis machine by repeating step 3. You should see the same mount information as before connecting the target device. However, when listing /dev/disk* you will see the target device, /dev/disk n
7. You can then acquire the target disk using dd or similar utility to a forensically sterile device attached to the analysis machine.
I tested this to make sure it worked.
To make it forensically sound, you run a firewire write-block inline to the target. And, using the dcfldd or similar command include hash verification of the target and image to ensure they match.
One more thing. I found this in an Apple support blog, "...Note: FireWire Target Disk Mode works on internal PATA or SATA drives only. Target Disk Mode only connects to the master PATA drive on the Ultra ATA bus. It will not connect to Slave ATA, ATAPI, or SCSI drives..."
I didn't see where TDM supports Thunderbolt and I haven't tested it yet. So, if you have the fusion HD configuration and/or Thunderbolt connection for the TDM, I am not sure if you will be successful.