Mac Imaging
In order to preserve the physical integrity of the machine, we chose to image the Mac non-invasively. We forced the target Mac to enter “Target disk mode” during the boot process and attached a thunderbolt cable. After attaching the other end of the cable to our “Analysis Mac,” we were able to fully image the “Target Mac” using MacOSX Forensic Imager.
Before the acquisition could be started, we employed Disk Arbitrator. We were not able to use a physical write blocker, due to the nature of Macs so instead we used Disk Arbitrator to keep the integrity of the process. Disk Arbitrator is a software-based write-blocker that also facilitates the mounting and reading of the “Target Mac.” This enabled us to successfully point the imaging software to it while verifying digital integrity of the “Target Mac” by not allowing it to change any potentially sensitive files. After Disk Arbitrator was up and running and actively write-blocking, we began imaging using the Mac OS X Forensics Imager as stated above.
Mac OS X Forensics Imager is a program found on www.macosxforensics.com that makes an identical copy of the hard drive and saves it in a file that we can then analyze using another program. Mac OS X Forensics Imager saves it in a file that is both EnCase and FTK compatible. After the acquisition was complete, we were able to successfully analyze the collected data.
We will continue researching this project after the holiday season, starting on January 12th.
Forensic imaging of Mac OS is always a challenge for forensic investigators. Physical access to the Mac HDD by taking off its back lid is always a challenging task and may lead to warranty issues; as per my experience, very few people would choose this option. So now a tool like the ftkimager command line for Mac or the Unix dd command is the only solution.
Until now, forensic imaging of Mac OS version 10.6 was a doable task using tools like the FTK command line, but nowadays the security features of the latest Mac OS version 10.13 High Sierra have made it a complicated task. An investigator may end up with an error like “Operation Not Permitted”, or the error may differ.
A) One of the reasons behind this error is that forensic tools have not provided support for this version as of today.
B) Mac OS 10.13 (High Sierra) has a built-in “System Integrity Protection” feature. This feature is designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.
In OS X (previous versions of Mac OS), the “root” user account had no permission restrictions and could access any system folder or application on your Mac. Software gained root-level access when you entered your administrator name and password to install it, and could then modify or overwrite any system file or application.
System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.
To solve this issue, we have to follow the steps below:
1. Disable System Integrity Protection:
The steps to disable it are below:
** In some cases you may require root or sudo permission to use the above commands.
2. Run the ftkimager command-line version:
Use the command below:
./ftkimager [source] [dest_file] [options]
a. source can specify a block device, a supported image file, or '-' for stdin.
b. If dest_file is specified, the proper extension for the image type will be appended. If dest_file is '-' or not specified, raw data will be written to stdout.
For a better understanding of this command, kindly click on this link.
3. Enable System Integrity Protection:
This is a very crucial step: once imaging has been accomplished, an investigator is supposed to re-enable System Integrity Protection. If this option remains disabled, the system may become vulnerable.
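As an added example (not code from the original post or from AccessData), here is a small POSIX sh wrapper around the three steps above: it reads the SIP state from `csrutil status` before imaging, builds the ftkimager command with case metadata and post-acquisition verification, and checks SIP again afterwards so a disabled SIP is never left behind. It assumes ftkimager sits in the current directory as in the post, and that the option names match the ftkimager command-line help (`--e01`, `--frag`, `--compress`, `--verify`, `--case-number`, `--evidence-number`, `--examiner`); the device path, case numbers and examiner name are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post. Option names are taken from the
# ftkimager command-line help and are an assumption of this wrapper.

# Map the text printed by `csrutil status` to "enabled", "disabled" or "unknown".
# Real output looks like: "System Integrity Protection status: enabled."
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Build the acquisition command as one string so it can be copied into the case notes.
# $1 = source block device, $2 = destination base name (extension is appended by ftkimager),
# $3 = case number, $4 = evidence number, $5 = examiner name.
build_ftkimager_cmd() {
    printf './ftkimager %s %s --e01 --frag 2G --compress 6 --verify --case-number "%s" --evidence-number "%s" --examiner "%s"' \
        "$1" "$2" "$3" "$4" "$5"
}

# Whole workflow. Exit codes: 0 ok, 2 SIP state could not be read, 3 imaging failed,
# 4 image written but SIP is still disabled (re-enable it before returning the machine).
acquire() {
    src="$1"; dest="$2"; case_no="$3"; ev_no="$4"; examiner="$5"
    before=$(sip_state "$(csrutil status 2>/dev/null)")
    if [ "$before" = unknown ]; then
        echo "cannot read SIP status; stopping" >&2; return 2
    fi
    echo "SIP before imaging: $before"
    [ "$before" = enabled ] && echo "note: with SIP enabled, imaging may fail with 'Operation Not Permitted' (see step 1)" >&2
    cmd=$(build_ftkimager_cmd "$src" "$dest" "$case_no" "$ev_no" "$examiner")
    echo "running: $cmd"
    eval "$cmd" || return 3
    after=$(sip_state "$(csrutil status 2>/dev/null)")
    if [ "$after" != enabled ]; then
        echo "WARNING: SIP is $after after imaging; re-enable it (step 3) before returning the machine" >&2
        return 4
    fi
    return 0
}

# Sample invocation with constructed values (only runs on a Mac with ftkimager present):
# acquire /dev/disk2 /Volumes/Evidence/target 2024-001 E01 "J. Doe"
```

The exit code 4 is the point of the wrapper: a clean image is not a finished job until SIP is back on.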
Note: here we have tried our best to give a solution to the given challenge. If any reader still sees a possibility for improvement or has any confusion regarding the above-mentioned steps, kindly let us know.