- Basic Forensic Methodology
- Before You Begin Investigation
- Acquiring a Forensic Disk Image
- What to Look for and How to Look for It
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
Acquiring a Forensic Disk Image
In the vast majority of investigations, you’ll be looking for evidence on a hard drive, which can be the hard drive of a workstation of a server. In both cases, you’ll need to preserve the original drive as evidence if at all possible, so you’ll need to create one or more forensic copies. Several tools exist that enable you to create forensic disk copies (using another physical disk) and disk images.
You need to create your forensic copy without booting the suspect computer or mounting the physical disk on your investigative machine. You should also use an investigative machine that is secured from your network. To be able to copy the disk without mounting it, your forensic Mac has to have disk arbitration disabled. Disk arbitration is the method used in Mac OS X Panther (10.3) and later to mount disks automatically at startup and when they are detected. You can disable it by copying the diskarbitrationd.plist file in the /etc/mach_init.d directory to an alternate location and then deleting the original. After this process is complete, your forensic Mac will only mount its boot disk, although it can recognize other connect disks, and you can mount or work with them manually.
You can then connect the suspect computer’s hard drive by using one of two methods. You can start the computer up by using Target Disk Mode and connecting it to your forensic machine, or you can physically remove the hard drive and use an external enclosure to connect it. If someone has accessed the suspect computer’s Open Firmware settings, the intruder might have established an Open Firmware password, which would prevent Target Disk Mode from operating and result in the computer booting into Mac OS X (which will modify its contents).
You can boot into Open Firmware before attempting to image the machine to determine whether there is a password in place or not. By booting into Open Firmware, you can also identify the system time (typically in GMT) for the computer, which can help to accurately identify time stamps for files on the suspect system (you should ensure that you shut down the system from Open Firmware and do not boot the system from it).
After the forensic Mac has booted and the suspect hard drive is connected but not mounted, you can use the dd command from the terminal or another forensic tool to create a copy or image of the disk (we’ll cover dd along with other tools more in part 2 of this series). You should then disconnect the hard drive and place it in a secure location, in which only a limited number of people will have access to it.
If you are using a disk image, you should take two further actions to ensure that write access is not permitted to it. First, in the Finder’s Get Info window, lock the image for editing. Second, use a non-administrator user account to mount the image during the course of investigation. Both actions will ensure that you have read-only access to the image.
During the course of your investigation, you should limit access to your forensic Mac because the logs of your forensic computer can also become part of your supporting evidence as they provide documentation of your activities. To ensure no data on your forensic drive contaminates your investigation, you should reformat its hard drive prior to use and use one of the secure erase disk functions to ensure that the computer is completely clean. Likewise, you should do a disk-based install of Mac OS X, albeit with only the minimally needed packages installed instead of an existing disk image.