Macintosh Imaging Tools and Techniques or How to Image Macs Without Macs

Nicole Donnelly, Director, EEC-Technology, FTI Consulting
October 29, 2007

Target Audience

This presentation was designed for people who need to image Macintosh computers but who have not adopted or do not have access to Macintosh based imaging tools.


· A very brief overview of Macintosh hardware and some clues on whether it is Intel or PPC.
· Provide an overview of Macintosh based forensic imaging tools (BlackBag, SubRosaSoft).
· Acknowledge restricted release tools for Macintosh imaging (SPADA/MACDA).
· Provide imaging solutions for practitioners more familiar with tools that operate in a Windows based environment (EnCase, FTK Imager).
· The free options: OS installation disks and Helix.

About Me

· Currently a Director at FTI Consulting in the Electronic Evidence Consulting - Technology group. Working at FTI since May 2005.
· Previously worked in a contract position at the U.S. Securities and Exchange Commission.
· Spent one year at Safe Harbor Systems.
· Employed for 12 years by the Central Intelligence Agency, where I began working in computer forensics.
· 12 years experience in computer forensics.
· CCE, EnCE, and GCFE certified.


Macintosh Laptops and Hard Drive Removal

In some situations, hard drive removal from a Macintosh laptop can require disassembly of the entire laptop, and any attempt to physically access the drive will void any warranties. In other situations, Apple has made the hard drive fairly accessible. iBooks have hard drives that are notoriously difficult to access. Newer MacBooks are more straightforward in most cases. Even with some all-in-ones, such as the first iMac, hard drive removal is not recommended due to placement of the monitor power cabling and the possibility of electrical shock even with the system unplugged.

Macintosh Laptops and Hard Drive Removal (cont'd)

Resources for documents on hard drive removal:
· Apple Support
· iFixIt

Macintosh Hardware Platforms

Two Mac hardware platforms are currently in use-- the PowerPC (PPC) platform and the Intel platform which was introduced January 10, 2006. Both platforms run OS X and use the HFS+ file system. However, there are slight differences in HFS+ based on the hardware platform that impact imaging as will be noted later.

Is it Intel or is it PPC?

For laptop systems:
· MacBooks and MacBook Pros are Intel
· iBooks and PowerBooks are PPC

Distinguishing desktops is harder:
· For the tower systems, PowerMacs are PPC and MacPros are Intel
· MacMinis and iMacs kept the same name, but changed processors
  · Their official nomenclature changed (i.e. G4 Mac Mini became the Intel Core Duo Mac Mini) but their popular names did not.

Further Hardware Information

Web site that catalogs Apple hardware releases. Contains pictures, tech specs, and release year. There is a link to download the site.

Is it Intel or is it PPC? (cont'd)

If you preview the drive, is there a way to distinguish if an OS X system is Intel or PPC absent supporting documentation? Yes! There is a file you can look for on each system. On a PPC system it is the supporting file for Open Firmware. On an Intel system it is the supporting file for Extensible Firmware Interface. In the world of Apple, these would be the equivalents of BIOS.

PPC Open Firmware File


Intel Extensible Firmware Interface File

/System/Library/CoreServices/boot.efi

BootX exists here, but boot.efi will not exist on a PPC system.

Is it OS X or something else?

Unfortunately, I was not able to get my hands on an earlier OS to show you. However, OS X is derived from BSD, a UNIX derivative, so it will have a directory structure that resembles UNIX.

Macintosh Based Tools

BlackBag Technologies-MacQuisition Boot Disk

BlackBag Technologies is a company owned by Derrick Donnelly (no relation) that specializes in Macintosh forensics. (Derrick is presenting at 11 am Tuesday on Apple File Systems.) MacQuisition is a forensic acquisition tool that allows you to image a Macintosh using the source system. Images are produced using dd. Two versions are available: v1.0 is a CD based release, v2.0 is available on DVD/Compact Flash.

MacQuisition Boot Disk (cont'd)

MacQuisition provides GUI and command line options for acquisition. MacQuisition provides support for PPC and Intel based Macs. The web site provides a list of all systems MacQuisition has been tested with.

SubRosaSoft- MacForensicsLab

SubRosaSoft's MacForensicsLab is a full forensic suite with an acquisition option. Acquisitions can be performed by using either the bootable DVD on the suspect system or by attaching a drive to a Macintosh system with the software installed. The bootable DVD option supports PPC and Intel systems. Linux and Windows subversions of MacForensicsLab are currently available as public beta versions.

Restricted Release Tools


SPADA (System Preview And Data Acquisition) is a live Linux distribution from Peter Kingsley and Darren Freestone. It is my understanding that SPADA is still restricted use (Law Enforcement) based on one of the tools included on the distribution. I do not know what the plans are to add Mac support to SPADA or if it has already been done. One of the SPADA creators has worked on making the CD bootable on Intel based Macintoshes: MACDA. A distribution of MACDA is available to all attendees of the Macintosh Forensic Survival Course offered by Phoenix Data Group.

Windows Based Tools and the Infamous Target Disk Mode

Target Disk Mode (TDM)

From Apple Document 58583: FireWire target disk mode allows a Macintosh computer with a FireWire port (the target computer) to be used as an external hard disk connected to another computer (the host). Once a target computer is started up as a FireWire hard disk and is available to the host computer, you can copy files to or from that volume.

Target Disk Mode (cont'd)

Requirements for Target Disk Mode:
· A power-on password cannot be enabled on the target Mac.
· The target Mac must be one of the supported models:
  · iMac (Slot Loading) with Firmware version 2.4 or later
  · iMac (Summer 2000) and all models introduced after July 2000
  · eMac (all models)
  · Mac mini (all models)
  · Power Mac G4 (AGP Graphics) with ATA drive
  · Power Mac G4 Cube
  · Power Mac G4 (Gigabit Ethernet) and all models introduced after July 2000
  · Power Mac G5 (all models)
  · iBook (FireWire) and all models introduced after September 2000
  · MacBook (all models)
  · PowerBook G3 (FireWire)
  · PowerBook G4 (all models)
  · MacBook Pro (all models)

Why TDM?

TDM is highly useful when working with Macintosh laptops that have hard drives which are difficult to remove. I really do not recommend removing an iBook hard drive if you do not have to.

How to Enable TDM

To enable TDM, boot the Mac and hold down the "T" key while the system boots. Be patient and keep holding it down until a blue screen with the FireWire logo appears.

But! To Be Safe...

Always check first to make sure a power-on password is not enabled on the system. In order to do this, hold the "option" key when booting. When the absence of a password is confirmed, power the system down and then boot in target disk mode.

Connecting the Computers

There are several approaches outlined for connecting a Mac in TDM to a Windows system:
· Start with both systems off. Connect the systems via a FireWire cable. Boot the Mac to TDM then boot the Windows system.
· With the Windows system on, connect the Mac in a powered off state via the FireWire cable, then boot the Mac to TDM.
· Boot the Mac to TDM and connect to a powered on Windows system.

In my experience, all methods work equally well. If you are having issues, experiment to see if one works better.

What happens now?

The Mac is now connected to the Windows system as an external FireWire hard drive. Natively, the Windows system does not know how to interpret any HFS or HFS+ partitions and they are write protected without additional measures. A third party application is required to work with the TDM drive. As long as the Mac has no FAT 32 or NTFS partitions and the Windows system is not running a third party application that enables it to write to HFS and HFS+ file systems, the Windows system cannot write to it.

In what situations could Windows write to the drive?

Apple has a program called Boot Camp which allows Intel based Macs to dual boot OS X and Windows XP or Vista. If a user has this setup, there would be partitions Windows could write to on the TDM drive. (This program was a beta release until 10/26/2007. As of Leopard, it is distributed with the OS and fully supported by Apple.) Additionally, someone could have put a FAT 32 partition on the drive because they wanted to. This would be a highly atypical setup but is possible.

Working with the TDM Drive

As noted, Windows cannot work with a drive with only HFS and HFS+ partitions. Third party applications are required. What are they? MacDrive is one. It allows HFS and HFS+ drives to be read and written through the Windows Explorer interface. You should avoid installing this to the system you perform acquisitions with to avoid potential problems. EnCase and FTK Imager can both acquire HFS and HFS+ drives attached to a Windows system.

EnCase and TDM Drives

As mentioned earlier, current PPC and Intel Macs can run OS X and both use the HFS+ file system. However, Apple made some slight changes in HFS+ when it introduced the Intel platform. As a result, only EnCase 6 can interpret the file system on Intel based Macs.

EnCase 5

When adding a TDM device to EnCase 5, the label will usually readily identify which device the drive is.

EnCase 5 (cont'd)

EnCase 5 will interpret the HFS+ file system utilized on PPC Macs. By default, the partitioning scheme utilizes 4 partitions. User data will be located on the partition identified as partition 3 unless a user deliberately edits one of the other partitions with special utilities.

EnCase 5 (cont'd)

EnCase 5 cannot interpret the HFS+ file system utilized on the Intel platform because of changes Apple made to the file system when the platform was introduced. As a result, a Mac Intel drive will only be seen as unallocated space.

EnCase 6

EnCase 6 also identifies drives with the label "AAPL" but unlike EnCase 5 does not label it as a FireWire drive.

EnCase 6 (cont'd)

EnCase 6 recognizes a PPC system the same way EnCase 5 does.

EnCase 6 (cont'd)

EnCase 6 recognizes the file system on an Intel platform. The default installation on an Intel system is 2 partitions. The user data will be in the second partition unless extraordinary measures are utilized to place data in the first partition.

FTK Imager

FTK Imager can read the file system on both PPC and Intel Macs and operates as it would against a Windows based file system.

View of FTK Imager Drive Selection where Drive 1 is an Intel Mac in TDM

High level overview of an Intel Mac drive in TDM

Folder Structure of an Intel Mac in TDM

Troubleshooting in Windows

A drive with the "AAPL" notation is recognized, but it is too small to be the hard drive and it does not look like an OS X hard drive.
· Check to make sure there are no CDs/DVDs in the optical drive. If there are, remove them by holding down the eject key (F12). Disconnect the Mac from the Windows machine, restart it in TDM and reconnect it to the Windows machine.

Troubleshooting (cont'd)

What if the drive does not show up?
· First, check Disk Management.
  · Even though Windows can't interpret the drive, it will recognize the drive in Disk Management.

PPC TDM drive in Disk Management

Intel TDM Drive in Disk Management

Troubleshooting (cont'd)

If the drive is not in Disk Management, you are likely encountering a common issue linked to the registry and will have to edit the registry.
· Leave the Mac in TDM. Disconnect the FireWire cable from the Windows system.
· Open the registry editor (regedit) and navigate to "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\1394". This is the location of FireWire devices in the registry.

Troubleshooting (cont'd)

Verify that you have correct permission to edit the registry key.
· Right click on "1394" and select "Permissions".

Troubleshooting (cont'd)

Change the permissions to allow editing if necessary.

Troubleshooting (cont'd)

Once permissions are correctly set, delete all registry keys listed under "1394".

Troubleshooting (cont'd)

Reconnect the Mac to the Windows system. If the TDM drive is still not visible, attempt the different connection methods outlined earlier.

Free Acquisition Options

OS X Install Disks

While not technically free, you may be able to gain access to these disks for the computer you are acquiring, if appropriate.
· Each Mac comes with a set of install disks which actually provides a number of ways to acquire the system (this will also work with a non-system specific OS X disk):
  · Since OS X is derived from BSD (Berkeley Software Distribution), a UNIX derivative from University of California, Berkeley, you have access to UNIX commands.
  · The OS installation disk gives you access to a terminal from the install screen. You can attach an external drive* to the system and it will be accessible when booting from the install disk.
    · dd can be used for a physical disk acquisition
    · cpio, cp, and tar can be used for logical file acquisition

*Macs cannot write to NTFS!
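
The dd physical acquisition mentioned above, wrapped with a hash check, as an added example that is not part of the original presentation. The helper names, the constructed demo file and the use of SHA-256 are assumptions, and the hashing tool available on a given install disk may differ.

```shell
#!/bin/sh
# Added example: dd physical acquisition with hash verification.
# hash_of/acquire are hypothetical helper names; SHA-256 is an assumed choice.

# Print the SHA-256 of a file or device using whichever tool is present.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire SRC DEST [BS]: image SRC to DEST, then hash both and compare.
# Returns 0 on match, 1 on mismatch, 2 on refusal or dd failure.
acquire() {
    src=$1; dest=$2; bs=${3:-512}
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 2; fi
    # noerror: continue past unreadable sectors.
    # sync: pad short reads with zeros so image offsets match the source.
    # bs must divide the source size, or sync pads the last block and the
    # hashes differ; 512 (one sector) is the safe default.
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>"$dest.dd.log" || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    # Keep both hashes beside the image as part of the acquisition record.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" >"$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed demo: a 64 KiB file (1024 lines of 64 bytes) stands in for the disk.
demo_dir=$(mktemp -d)
awk 'BEGIN { for (i = 0; i < 1024; i++)
    printf "constructed sample sector data %032d\n", i }' >"$demo_dir/fake_disk"
if acquire "$demo_dir/fake_disk" "$demo_dir/image.dd"; then
    echo "acquisition verified: $(head -n 1 "$demo_dir/image.dd.sha256")"
else
    echo "hash mismatch or acquisition failure" >&2
fi
```

On a Mac booted from the install disk, the source would be the raw disk device (for example /dev/rdisk0) and the destination a file on the attached external drive; both paths are illustrative. A mismatch together with read errors in the .dd.log file means sectors were padded and should be documented.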

OS X Install Disks (cont'd)

· Macintosh Disk Utility
  · Apple has a program called Disk Utility accessible from the install disks.
  · This program can be used to create Mac specific image files of files, folders, and volumes.
  · This program does logical acquisition and has some metadata preservation limitations.
  · Options include creating password protected image files, read/write image files, compressed image files, and read-only image files.

Live Linux CDs

· Linux distributions exist for PPC Macintoshes
  · Yellow Dog Linux is a PPC Linux distro that has expanded into PlayStation 3 recently
    · No official Live CD, though with the right knowledge you could possibly create one.
  · Ubuntu supports the PPC architecture
    · Live CD development may have been discontinued.

Live Linux CDs (cont'd)

· Any Forensic Live Linux CD (i.e. Helix, etc.)
  · Attach a Mac in TDM to an Intel system supported by the distribution you are using.
  · Boot the Intel system with the Live Linux CD.
  · Use one of the imaging options on the live disk to image the FireWire device.

OS X Acquisition Considerations

OS X and Encryption

OS X has a built in feature called File Vault which allows users to encrypt their home directories.
· In lieu of or in addition to custodian interviews, previewing the drive can verify which users have File Vault enabled.
· When File Vault is not enabled, you will see directories and files under the /Users/<name>/ directory.
· If File Vault is enabled, /Users/<name> will contain two files: <name>.sparseimage and <name>.sparseimage Resource
· The first user with administrator rights to enable File Vault has the ability to set a master File Vault password on a system to override the user set File Vault passwords.

User Directory without File Vault Enabled

User Directory with File Vault Enabled
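
The two preview checks described in this presentation (boot.efi to tell Intel from PPC, and <name>.sparseimage to spot File Vault users) combined into one script, as an added example that is not part of the original slides. The function names and the constructed sample tree are assumptions; point it at a volume mounted read-only.

```shell
#!/bin/sh
# Added example: preview checks against a volume mounted read-only.
# detect_platform/user_report are hypothetical helper names.

# detect_platform ROOT: prints intel, ppc or unknown.
# boot.efi is present only on Intel installs; BootX without it means PPC.
detect_platform() {
    cs="$1/System/Library/CoreServices"
    if [ -f "$cs/boot.efi" ]; then echo intel
    elif [ -f "$cs/BootX" ]; then echo ppc
    else echo unknown
    fi
}

# user_report ROOT: prints "<name><TAB>filevault" when the home directory
# holds <name>.sparseimage, otherwise "<name><TAB>plain".
user_report() {
    for home in "$1"/Users/*/; do
        [ -d "$home" ] || continue
        name=$(basename "$home")
        if [ -f "$home$name.sparseimage" ]; then
            printf '%s\tfilevault\n' "$name"
        else
            printf '%s\tplain\n' "$name"
        fi
    done
}

# Constructed sample tree standing in for a mounted Intel Mac volume.
root=$(mktemp -d)
mkdir -p "$root/System/Library/CoreServices" "$root/Users/alice" "$root/Users/bob/Documents"
: >"$root/System/Library/CoreServices/BootX"
: >"$root/System/Library/CoreServices/boot.efi"
: >"$root/Users/alice/alice.sparseimage"
echo "platform: $(detect_platform "$root")"
user_report "$root"
```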



