Comments on Another Forensics Blog: How to image a Mac using Single User Mode
(comment feed, last updated 2024-03-03)

Mari DeGrazia, 2016-08-01 23:07

Thanks for the great tip! What a great way to avoid mounting rw.

Mari DeGrazia, 2016-08-01 22:41

These are some comments sent to me by Derrick Donnelly. I wanted to pass them on as they are really helpful!

A few things I thought I would pass on about your post:

It is always good to boot a Mac first holding down the Option key to make sure the system does not have a Firmware Password before trying to boot into Single User Mode. Boot using the Option key, see if there is no Lock Icon, shut down and reboot into Single User Mode.

If a Firmware password is set, I have seen times when it would bypass Single User Mode, boot the system directly and change a lot of time stamps at boot time.

You can also try to boot from the recovery partition, then into Single User Mode from the recovery partition. It can be tricky to get it right, but there is less chance of the user trying to do something to disable single user mode in the recovery partition.

To be more forensically sound, you could avoid doing the mount -uw and, instead of imaging to a file, image directly to another device (basically clone the internal drive to an external drive, because you do not mount anything). The destination device has to be the same size or larger (usually easier to just have a larger drive). You might also want to wipe the destination drive before imaging.

When you do the mount -uw you will change the last modified date and time for the volume at a minimum.

Suppose you have disk0 (internal drive) and disk2 (external USB drive).

When using a disk in Mac OS X as a source or destination, you should always use the rdisk entry for that disk (it will make for faster imaging). I know you talked about the raw disk in your blog, but I can tell you for sure that rdisk will be faster when using dd.

dd if=/dev/rdisk0 bs=65536 conv=noerror,sync of=/dev/rdisk2

Input = /dev/rdisk0
Output = /dev/rdisk1 (going directly to a device instead of a file)

I also tend to use a big block size of bs=65536, but if you run into media errors you can lose more data.

If you do image to a single file, you could use the .dmg extension instead of .dd if you plan to mount it as an image file in Mac OS X using hdiutil later.

If you do split the image into segments, you can use this naming convention for Mac OS X hdiutil:

Mac_rdisk1.dmg
Mac_rdisk1.001.dmgpart
Mac_rdisk1.002.dmgpart
Mac_rdisk1.003.dmgpart
Mac_rdisk1.004.dmgpart
...
Mac_rdisk1.xxx.dmgpart

Always make sure the image or all the segments are locked before attempting to mount .dmg files.

If you image to a device (or clone to it), once the imaging is complete you have to put the clone drive on a write-blocker or time stamps will change again. Later you could image from that clone drive to files or a single .dmg file.

Hope this helps.

Jarle Thorsen, 2016-07-31 10:18

Creating a mount point without altering data on the system disk: this trick can be used on any Linux-like system, including OSX and Android. As /dev/ is a virtual directory, you are free to add a directory anywhere under /dev/ for a temporary mount point. This way there is no need to mount / rw or make any changes to the system disk. I use this trick all the time. Keep up your good work Mari!

Anonymous (B.), 2016-07-08 01:14

Loved it :) very nicely explained. Thank You!
B.
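The segment naming convention and the "lock before mounting" advice in the relayed Derrick Donnelly comment above, as an added example that is not from the post or its commenters: a POSIX shell function that checks a split image set for gaps in the numbering, writes a SHA-256 manifest, and marks every piece read-only (adding the macOS locked flag where chflags exists) before hdiutil ever sees it. The function name lock_image_set, its <dir> <base> arguments and the <base>.sha256 manifest name are assumptions.

```shell
#!/bin/sh
# Added example: verify and lock a split image set that follows the
#   <base>.dmg, <base>.001.dmgpart, <base>.002.dmgpart, ... convention
# before handing it to hdiutil. Function name and arguments are assumed here.

hash_file() {
    # sha256sum on Linux, shasum on macOS; both print "<hash>  <path>"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

lock_one() {
    chmod a-w "$1"
    # macOS "Locked" flag (the Finder lock checkbox); not available elsewhere
    if command -v chflags >/dev/null 2>&1; then chflags uchg "$1"; fi
}

# usage: lock_image_set <dir> <base>; writes <dir>/<base>.sha256 and returns 1
# on a missing head segment or a gap in the segment numbering
lock_image_set() {
    dir=$1; base=$2
    head="$dir/$base.dmg"; manifest="$dir/$base.sha256"
    [ -f "$head" ] || { echo "missing head segment $head" >&2; return 1; }
    : > "$manifest"
    hash_file "$head" >> "$manifest"
    expected=1
    # the glob expands in sorted order because the index is zero-padded
    for seg in "$dir/$base".[0-9][0-9][0-9].dmgpart; do
        [ -e "$seg" ] || continue                   # no segments at all
        idx=${seg##*"$base".}; idx=${idx%.dmgpart}  # e.g. "001"
        n=$((1$idx - 1000))                         # "001" -> 1, avoids octal parsing
        if [ "$n" -ne "$expected" ]; then
            echo "gap in segments: expected $(printf '%03d' "$expected"), found $idx" >&2
            return 1
        fi
        hash_file "$seg" >> "$manifest"
        expected=$((expected + 1))
    done
    # lock only once the set is known to be complete, so a gap can still be fixed
    lock_one "$head"
    for seg in "$dir/$base".[0-9][0-9][0-9].dmgpart; do
        if [ -e "$seg" ]; then lock_one "$seg"; fi
    done
    lock_one "$manifest"
    echo "$expected file(s) hashed and locked, manifest in $manifest"
}
```

Re-running hash_file over the manifest entries later (sha256sum -c or shasum -c) confirms the set was not altered between acquisition and mounting.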