Posted on

MacForensicsLab Tips and Tutorials – Part Three

Spread the love

Part One

Part Two

Part Three

Imaging a Drive via Target Disk Mode Tips - Imaging a Drive via Target Disk ModeSometimes an investigator may not have access to a hardware write blocker or may not be able to remove the suspect drive from their Mac (we do not recommend investigators attempt to image a drive without a hardware write blocker but at times situations may necessitate it). In this case the investigator can connect the suspect Mac to their forensic workstation to process the investigation using a process called Target Disk Mode. Target Disk Mode causes the suspect Mac to act like an external drive at which point it can then be connected to a forensic workstation running MacForensicsLab for imaging and examination.

  1. The first and MOST important step in this process is making sure that Disk Arbitration is disabled. You can do this by following the process for disabling Disk Arbitration found here. Make you verify that it is disabled using Disk Utility once you have completed this. This will ensure that the suspect drive stays forensically sound.
  2. Boot the suspect Mac and hold down the “T” key until a diak icon appears on screen. The suspect machine is now in Target Disk Mode.
  3. Connect the suspect machine to your examination workstation. Target Disk Mode supports FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3 (USB-C) ports. Once the suspect drive appears in MacForensicsLab’s Device area, you can proceed with acquiring an image of it (note: the suspect drive will not appear on the desktop as Disk Arbitration is disabled).
  4. Once the image has been created, you can hold down the power button on the suspect machine until it powers itself off. Then disconnect it from the examination machine.
MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.


Starting Points For A Mac OS X Investigation Tips - Starting Points For A Mac OS X InvestigationWhen processing an investigation of a suspect’s Mac OS X hard drive using MacForensicsLab there are several places that you may want to start your search. These folders are present on all versions of Mac OS X and contain a great deal of information that will help the investigator to show intent and may also give them a better idea of where they should look next.

A good place to start forensic discovery on any Mac OS X machine is inside the ~Users/“USERNAME”/ folder. Within this folder you can find sub-folders containing large amounts of user data. Many peer-to-peer applications create folders here and many times there are other user-created folders found here.

The ~/Users/“USERNAME”/Library folder and it’s sub-folders have a vast amount of usable forensic material. Some sub-folders of interest in here are; Caches, Calendars, Cookies, Keychains, Logs, Mail, Preferences, Recent Servers, and Safari. Any of these can be examined with MacForensicsLab’s Analyze function or the Salvage function depending on the kind of data discovery you are after.

The ~/Users/“USERNAME”/Documents is the default save-to folder for many applications and many users use this folder to store everything from text documents to pictures and movies.

The ~/Users/“USERNAME”/Pictures folder if the default storage location for Apple’s iPhoto. Photos loaded into iPhoto are stored here in the iPhoto Library folder in iPhoto version before ’08. In iPhoto ’08 the iPhoto Library folder is replaced by a package with the same title. Many users use this folder to store images from other applications also.

The ~/Users/“USERNAME”/Movies folder is the default storage location for many video editing applications including Apple’s iMovie. Many users use this folder to store video files on their system.

Turning On Software Write Blocking Tips - Turning On Software Write BlockingWhen creating a forensically sound image of a suspect drive, care must be taken to insure that the suspect evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but will not allow the acquisition computer to write data to the drive, thus preventing the information from being compromised.

MacForensicsLab’s Software Write Blocking function will not work on El Capitan and Sierra. If you are running OS X 10.11 or OS X 10.12, please use a hardware write blocker instead.

If you do not have access to a hardware write blocker and need to image a suspect drive, you can use MacForensicsLab’s Disable Disk Arbitration option to disabled writing to the drive.

The process to use MacForensicsLab to disable Disk Arbitration is as follows.

  1. Turn off Disk Arbitration from File menu. You can verify that it is disabled by attempting to launch Disk Utility. If Disk Arbitration is disabled, Disk Utility will not launch.
  2. Plug drive in/power-up or insert media card.
  3. Go back to File Menu and select “Rescan Bus”.
  4. Drive/media will now be visible within MacForensicsLab.
  5. Image drive with the Acquire function.
  6. Disconnect drive BEFORE turning Disk Arbitration back on the same way you turned it off.

MacForensicsLab highly recommends that a hardware write blocker be used when acquiring an image of a suspect drive.

Why Won’t My Acquired Disk Image Mount on The Desktop Tips - Why Won't My Acquired Disk Image Mount on The DesktopDoes your acquired disk image refuse to mount on the desktop? If you have selected the option to turn off Disk Arbitration when MacForensicsLab launches or disabled Disk Arbitration by selecting the option from the Window menu, Disk Utility will not be able to mount any images until Disk Arbitration is turned back on. This issue can be resolved using either of these options.

Re-enabling Disk Arbitration can be done either by selecting the Disk Arbitration option from the Window menu within MacForensicsLab again and enabling it or by rebooting your Mac. Many times Disk Arbitration can be turned off and forgtten about because of MacForensicsLab’s ability to see drives at the device level. This means you can still work with disk images within MacForensicsLab even without mounting them on the desktop as you normally would. If you’re still having problems mounting disk images after re-enabling Disk Arbitration in MacForensicsLab restart your computer.