Blog: SANS Digital Forensics and Incident Response Blog

How To: Forensically Sound Mac Acquisition In Target Mode

Can a Mac hard drive be easily removed for imaging with a forensic hardware imager?

It is really a matter of personal opinion. Macs are an engineering marvel; just ask anyone who has had to remove a hard drive from a Mac for forensic imaging and then tried to put it back together properly. Depending on the model of the desktop, with a set of Torx screwdrivers, a scissor clamp and tweezers (Figure 1) in hand, it could be as simple as removing a few screws to open the case and gain access to the hard drive. However, some of the desktops require removing the glass panel with a heavy-duty suction cup (Figure 2) and then removing the LCD assembly before the hard drive can be accessed.

Figure 1


Figure 2


Older Mac laptops permitted access to the hard drive by first removing the battery and then a few screws in the battery compartment. Today's Unibody laptops like the MacBook and MacBook Pro have a removable rear panel that allows access to both the battery and the hard drive. There are several step-by-step guides for removing the hard drive from both Mac desktops and laptops available on the Internet. In my practice, with most Mac imaging jobs it takes as little as 15 minutes to half an hour to gain access to the hard drive and another 15 minutes to half an hour to put it back together.

So yes, it can be done as long as you have the tools and are patient, careful, slow and methodical, carefully organizing each screw you remove so it goes back in the right place, since the screws can be of different specific lengths. However, there is an easier and, in my view, perhaps lower-risk alternative to opening the case and removing the hard drive on a Mac: use a Firewire write block in Target Mode.

Tableau T9 Firewire Write Block

I regularly use the Tableau T9 Firewire write block (Figure 3) for my Mac imaging jobs, with either a Windows or Mac host running the respective forensic imaging software to create the image. When imaging with a Windows machine as the host I use the free Tableau TIM imaging software (Figure 4); simply put, no other imaging software can match its speed, as it is optimized to work with Tableau's write block product family. When using a Mac as the host for imaging I use Mac OSX Forensic Imager (Figure 5).

Figure 3

Figure 4

Figure 5


What is Target Mode?

A Mac booted in Target Mode (by holding down the "T" key at power on) can be attached to the Firewire port of any other host computer (Mac or PC), where it simply appears as an external FireWire device. The hard drive within the target Mac can be imaged, formatted, partitioned, etc., exactly like any other external FireWire drive. One caveat: only the master drive (no slave drives) is made available when operating in Target Mode.

Which Macs support Target Mode:

  • iMac (Slot Loading) with Firmware version 2.4 or later
  • iMac (Summer 2000) and all models introduced after July 2000
  • eMac (all models)
  • Mac mini (all models)
  • Power Mac G4 (AGP Graphics) with ATA drive
  • Power Mac G4 Cube
  • Power Mac G4 (Gigabit Ethernet) and all models introduced after July 2000
  • Power Mac G5 (all models)
  • Mac Pro (all models)
  • iBook (FireWire) and all models introduced after September 2000
  • PowerBook G3 (FireWire)
  • PowerBook G4 (all models)
  • MacBook Pro (all models)
  • MacBook models introduced before October 2008

Firmware Password considerations

Before booting into Target Mode, first verify that there is no Firmware Password by holding down the Option key and turning the power on. If you get the Startup Manager (Figure 6), there is no Firmware Password. If you get the Open Firmware Password dialog (Figure 7), the Mac is protected with a Firmware Password and it will have to be removed before you can boot into Target Mode. You can clear the Firmware Password by restarting the Mac while holding down the Command-Option-P-R keys. If no Firmware Password was required, simply turn the power back off, then hold down the "T" key and turn the power back on to boot into Target Mode (Figure 8).

Figure 6

Figure 7

Figure 8


Using a Mac as the host - Mac Disk Arbitration considerations

If you plan to use a Mac to make the acquisition, be sure to disable Disk Arbitration first. Mac disk arbitration automatically mounts any disk connected to the host. Since there is no write protection inherent to Target Mode, if you connect a Mac to a Mac in Target Mode without first turning off disk arbitration, your host Mac will mount the file system, which can result in the undesired alteration of data. Mac OSX Forensic Imager has Disk Arbitration control built in; just make sure you enable it before connecting the Firewire cable to the target computer. There is also free Disk Arbitration software called Disk Arbitrator (Figure 9) that you may want to consider if you're not using Mac OSX Forensic Imager.

Figure 9


If you plan to use a Mac to make the acquisition and want to be certain that you will not make changes to the disk simply by mounting it, be sure to disable Disk Arbitration first, before you connect to the target (this is what I use on the command line with my OSX 10.6 Mac):

To turn off Disk Arbitration:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

To verify Disk Arbitration is turned off (the grep process will usually match its own command line and show up in the output; Disk Arbitration is off when no line for the diskarbitrationd daemon itself is listed):

ps auxw | grep diskarbitrationd

To turn on Disk Arbitration

sudo launchctl load /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
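The two checks above (is diskarbitrationd still running, and has the host already mounted anything from the target) are easy to get wrong by eye, especially since the grep in the verification pipeline matches itself. The following is an added example, not code from the post or from Tableau: a small Python pre-acquisition check for a Mac host. The functions take the text of `ps auxw` and `mount` output so they can be exercised offline against constructed samples; the `main()` at the bottom runs the real commands and assumes the device node of the Target Mode Mac is passed on the command line (e.g. `/dev/disk2`, an assumed value). The sample ps and mount output is constructed, not captured from a real system.

```python
"""Pre-acquisition checks for a Mac host imaging a Target Mode Mac.

Added example (not from the original post). It automates the two checks
the post makes by hand: (1) diskarbitrationd is not running, and (2) no
volume from the target device node is mounted on the host.
"""
import re
import subprocess
import sys

DISKARB = "diskarbitrationd"


def diskarb_running(ps_output: str) -> bool:
    """True if a diskarbitrationd process appears in `ps auxw` output.

    `ps auxw | grep diskarbitrationd` lists the grep itself, so a naive
    'any line contains the name' check reports the daemon as running even
    when it has been unloaded. Lines whose command is grep are skipped.
    """
    for line in ps_output.splitlines():
        # ps auxw columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        cmd = fields[10]
        if cmd.split()[0].endswith("grep"):
            continue
        if DISKARB in cmd:
            return True
    return False


def mounted_from_device(mount_output: str, device: str) -> list:
    """Return `mount` lines whose source is the device node or one of its
    slices (e.g. /dev/disk2 -> /dev/disk2s2). `mount` prints lines of the
    form '<source> on <mountpoint> (<options>)'; mount points may contain
    spaces, so the regex is not anchored on a single token for them."""
    hits = []
    for line in mount_output.splitlines():
        m = re.match(r"^(\S+) on (.+) \((.*)\)$", line)
        if not m:
            continue
        src = m.group(1)
        if src == device or src.startswith(device + "s"):
            hits.append(line)
    return hits


def ready_to_image(ps_output: str, mount_output: str, device: str):
    """Combine both checks. Returns (ok, list_of_problems)."""
    problems = []
    if diskarb_running(ps_output):
        problems.append("diskarbitrationd is running; unload it before connecting the target")
    for line in mounted_from_device(mount_output, device):
        problems.append("target volume is mounted: " + line)
    return (not problems, problems)


# Constructed sample output (not captured from a real system; the daemon
# path /usr/sbin/diskarbitrationd is assumed).
SAMPLE_PS_DAEMON_OFF = (
    "USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND\n"
    "root 1 0.0 0.1 2456 1234 ?? Ss 9:00AM 0:01.00 /sbin/launchd\n"
    "examiner 512 0.0 0.0 2434 600 s000 R+ 9:05AM 0:00.00 grep diskarbitrationd\n"
)
SAMPLE_PS_DAEMON_ON = SAMPLE_PS_DAEMON_OFF + (
    "root 30 0.0 0.1 2600 900 ?? Ss 9:00AM 0:00.10 /usr/sbin/diskarbitrationd\n"
)
SAMPLE_MOUNT_CLEAN = (
    "/dev/disk0s2 on / (hfs, local, journaled)\n"
    "devfs on /dev (devfs, local, nobrowse)\n"
)
SAMPLE_MOUNT_DIRTY = SAMPLE_MOUNT_CLEAN + (
    "/dev/disk2s2 on /Volumes/Macintosh HD (hfs, local, journaled)\n"
)


def main(argv):
    if len(argv) != 2:
        print("usage: precheck.py /dev/diskN  (device node of the Target Mode Mac)")
        return 2
    ps_out = subprocess.run(["ps", "auxw"], capture_output=True, text=True).stdout
    mount_out = subprocess.run(["mount"], capture_output=True, text=True).stdout
    ok, problems = ready_to_image(ps_out, mount_out, argv[1])
    for p in problems:
        print("NOT READY:", p)
    print("ready to image" if ok else "fix the above before connecting the Firewire cable")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it before plugging in the Firewire cable, and again after, with the device node the target appears as; a non-zero exit means the host is not in a safe state to image without a hardware write block.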

Because of the risk of accidentally connecting in Target Mode before turning off disk arbitration, the author highly recommends using a Firewire write blocker.

Using Windows as the host - Boot Camp considerations

If Windows was installed on the Mac in a Boot Camp partition that you will be imaging, when you connect the Windows PC to the Mac it will automatically make changes as it mounts the partition, altering data. Unlike on a Mac, there is no Disk Arbitration that can simply be turned off at the command line. A software or hardware write block is a necessity if using a Windows PC to image a Mac in Target Mode because of this potential issue with Boot Camp Windows partitions.

Example: Imaging A 500 GB Hard Drive in a Macbook Pro using Target Mode, a T9 and a Windows host

  1. Hold down the Option key when powering on the laptop to see if a firmware password is required (Figure 7). If there is a password, remove it as noted earlier; if the Startup Manager screen (Figure 6) comes up you have no firmware password, so simply power the laptop back off.
  2. Hold down the T key when powering on the laptop to enter Target Mode (Figure 8).
  3. With the laptop started in Target Mode you can now connect the Tableau T9 to the host computer (Figure 10) and to the Firewire 800 port on the Mac laptop (Figure 11). Note: Firewire 400 is also supported, and the host can also connect via USB 2.
  4. Power on the Tableau T9 and on the T9 LCD display select the LUN to be imaged on the Mac (LUN 0).
  5. Start the TIM imaging software on the Windows host, right-click on the Firewire-connected drive (Figure 4), then enter a destination path for the image, select the file format (DD / E01), file size and any format-specific options, enter your examiner details, select the required error recovery mode, select hashing (MD5 or SHA1) and the desired scheduling, and select submit (Figure 12). You can monitor the status of imaging within the TIM GUI (Figure 13).

Figure 10

Figure 11

Figure 12

Figure 13

The imaging of the 500 GB hard drive (Figure 14) over Firewire with the T9 write block took exactly 3 hours and 56 minutes. This works out to roughly 2.1 GB/min, which in the author's opinion is an acceptable amount of time for the forensically sound imaging of a 500 GB HD on a Mac over Firewire 800. Had I removed the hard drive and used a hardware imager (e.g. TD1 or Voom III) I could have imaged the drive at 4 GB/min or better, depending on the underlying speed of the drive itself, possibly resulting in a little more than just 2 hours of acquisition time. However, you still have to account for the time to remove and then replace the hard drive, and the risk that you could break something on the Mac in the process.

Figure 14

The report created when imaging the MacBook Pro 500 GB hard drive in Target Mode over Firewire 800 using the Tableau T9 write block and the Tableau TIM imaging software (Figure 15) provides the typical information you would expect from a forensic imaging solution: start and end time, case ID and notes, source hard drive data including HPA / DCO / ATA status, T9 write block information, and completed image data including MD5 / SHA1 hashes. To validate the integrity of the image, I ran a second acquisition using FTK Imager and verified that the hash of the image produced by FTK Imager matched the hash of the image created with TIM (Figure 16).
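The validation step above, hashing the acquired data and comparing it with the digests in the imaging report and with an independent second acquisition, is worth scripting so it is repeatable and leaves a record. The following is an added example, not code from the post, from Tableau or from AccessData: it hashes an image in chunks (so a 500 GB file is never read into memory), compares it with the MD5 / SHA1 values transcribed from the report, compares two acquisitions with each other, and handles an image that TIM's file-size option split into segments by hashing the segments as one stream. It assumes raw (dd) images: hashing an E01 container file hashes the container, not the acquired data, so that value would match neither a dd image of the same drive nor the hash recorded inside the E01. The stand-in image files it creates for the demonstration are constructed temporary files, not real evidence.

```python
"""Verify an acquired dd image against the imaging report and a second
acquisition. Added example, not from the original post or any vendor."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time; never load the whole image


def _digests_over(paths):
    """Hash the concatenation of the given files, in the order given."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(path):
    """MD5 and SHA1 of a single raw image file."""
    return _digests_over([path])


def hash_segments(segment_paths):
    """MD5 and SHA1 of a segmented raw image (image.001, image.002, ...).

    The report hashes the acquired data as one stream, so the segments must
    be hashed as a whole and in order; per-segment digests cannot be combined
    to obtain the stream digest.
    """
    return _digests_over(list(segment_paths))


def verify_against_report(path, report_md5=None, report_sha1=None):
    """Compare computed digests with the values typed in from the report.

    Comparison is case-insensitive because reports and tools print hex in
    either case. Returns (ok, list_of_mismatch_descriptions).
    """
    got = hash_image(path)
    mismatches = []
    for name, expected in (("md5", report_md5), ("sha1", report_sha1)):
        if expected is None:
            continue
        if got[name].lower() != expected.strip().lower():
            mismatches.append(f"{name}: report {expected} != computed {got[name]}")
    return (not mismatches, mismatches)


def images_match(path_a, path_b):
    """Two independent acquisitions of the same drive must hash identically
    (e.g. the TIM image and the FTK Imager image of the same MacBook Pro)."""
    return hash_image(path_a) == hash_image(path_b)


def write_temp(data: bytes) -> str:
    """Write constructed bytes to a temporary file standing in for an image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-in images; the "report" value is the known MD5 of b"abc".
    tim_image = write_temp(b"abc")
    ftk_image = write_temp(b"abc")
    segments = [write_temp(b"a"), write_temp(b"bc")]
    print("report check:", verify_against_report(tim_image, "900150983cd24fb0d6963f7d28e17f72"))
    print("TIM == FTK Imager:", images_match(tim_image, ftk_image))
    print("segments == whole:", hash_segments(segments) == hash_image(tim_image))
    for p in [tim_image, ftk_image] + segments:
        os.remove(p)
```

In practice you would pass the path of the image TIM wrote, the MD5 / SHA1 strings from its report, and the path of the FTK Imager image; a mismatch in either comparison is a reason to stop and re-acquire rather than proceed with analysis.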

Figure 15

Figure 16

In Conclusion:

In the author's opinion, the trade-off for the little time that could perhaps be saved by removing the hard drive and using a hardware imager versus imaging in Target Mode over Firewire with the Tableau T9 write block is negligible at best, and I typically will always go with not removing the hard drive.

  • Yes, of course you can image in Target Mode over Firewire using a Linux platform and mounting the drive read-only without a hardware write block. However, using a hardware write block eliminates the possibility of inadvertently connecting in read / write mode and possibly altering evidence.
  • Yes, you can safely image in Target Mode using a Mac if you turn off Disk Arbitration and only then mount the drive read-only without a hardware write block. However, using a hardware write block eliminates the possibility of inadvertently not disabling Disk Arbitration, or mounting in read / write mode, and possibly altering evidence.
  • Unfortunately, if you're using Windows as the host and the Mac hard drive contains a Boot Camp partition with Windows on it, unless you have some form of write block enabled on the Windows host you are likely to write to the Windows partition, as Windows mounts it when you connect the host to the target. Again, using a hardware write block mitigates the potential for data being written to the disk when Windows tries to mount the Boot Camp partition.

The bottom line for me in my forensics practice is to always try to minimize the risk that evidence will be unintentionally altered. I choose to use a hardware write block device such as the T9, as shown in this example, whenever possible, to eliminate any question that a mistake may or could have been made with the configuration of Disk Arbitration and read-only mounting on a Mac host, with read-only mounting on a Linux host, or, when using a Windows host, with the inevitable risk of Windows mounting the Boot Camp partition and with write-blocking in Windows while imaging.

Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFA, VCP, is a Certified SANS Instructor and teaches FOR408 Computer Forensic Essentials, FOR508 Computer Forensic Investigations and Incident Response, FOR 558 Network Forensics, SEC 553 Metasploit for Penetration Testers, SEC 577 Virtualization Security and SEC540 VoIP Security for SANS (phenry@sans.org). He has spent over 20 years in network security and computer forensics and is the Lead Security & Forensic Analyst at vNet Security, LLC (www.vnetsecurity.com). Find him on Twitter @phenrycissp.

13 Comments

Posted February 02, 2011 at 6:47 PM

Joe Garcia

Paul,
Excellent article. Picked up a few things. After reading this, I'm going to give TIM

Posted February 03, 2011 at 2:04 AM

Paul Henry

Joe;

Thanks - Nothing can match the capability for imaging and mounting found today within the current version of FTK Imager, but I have really been impressed with the sheer speed of TIM; with its support for SMP and its optimization for the block size of the Tableau write blocks, the performance it provides vs. other imaging software is clearly evident. When I just need raw speed and simply don't need the features of FTK I go with TIM - this is not to say TIM is a lightweight on features either, as it does support both E01 (yes, even compressed) and dd, as well as handling both HPA and DCO.

Best;

Paul

Posted February 02, 2011 at 7:43 PM

Peter Theobald

Nice article, thanks! It covers many useful details about imaging Macs. I recently imaged an iMac in a different way; I booted it with a forensic Linux distro and used FTK Imager for Linux to write the image out to an external hard drive. I wrote it up here: http://petertheobald.blogspot.com/2010/10/tricky-forensic-hard-drive-acquisition.html .
I hope you find my notes useful.

Posted February 03, 2011 at 1:43 AM

Paul Henry

Peter

Read your post, nice work! I have been down the same road with boot CDs on Macs, and while yes, I was successful with Raptor, I moved to Target mode to both eliminate the "potential" issue and to take advantage of the speed of Firewire vs. USB when writing the image. In my practice I try to first go with the process that affords the least chance of altering data, then second the method that works fastest. Target mode with a write block like the T9 eliminates the risk of any fat finger issues and works reasonably fast.

Best;

Paul

Posted February 02, 2011 at 9:51 PM

DekkaR

Cmd-Opt-P-R on my MB Pro 2006 does NOT erase the EFI password.

Posted February 03, 2011 at 1:37 AM

Paul Henry

DekkaR

Apple has an alternate procedure, for when resetting either PRAM or NVRAM will not work, that is referred to as resetting the PMU; see: http://support.apple.com/kb/HT1431?viewlocale=en_US

Best;

Paul

Posted February 02, 2011 at 10:38 PM

Matt

Do you have an opinion on booting the Mac with a live CD such as Raptor and imaging to an external drive?

Posted February 03, 2011 at 1:33 AM

Paul Henry

Matt;

Imaging with a boot CD such as Helix has not always worked for me on Apple products - it seems to be a roll of the dice. I have been successful with the Raptor boot CD imaging to a USB drive. That being said, I have not had a single acquisition that I started with Target mode that I could not complete successfully in a reasonable time, so for now that is my first choice. BTW - I also like F-Response when working with products like the MacBook Air, as there is no Firewire port available.

Best;

Paul

Posted February 08, 2011 at 9:10 AM

Greg M

Paul:

Nice article.

I know you mention it in your "conclusion", but I would add a photo earlier in the article showing what happens if the user's computer is "boot camped", and if so, you must shut down and use a hardware write block.

My two cents.......

Posted February 10, 2011 at 2:38 AM

Paul Henry

Greg;

About midway through the article I do have a paragraph on it - unfortunately the MacBook Pro in the example is my personal laptop and I run Fusion, not Boot Camp, so no picture of anything Boot Camp related was possible for this post - from the blog post:

Using Windows as the host - Boot Camp considerations

If Windows was installed on the Mac in a Bootcamp partition that you will be imaging, when you connect the Windows PC to the Mac it will automatically make changes as it mounts it altering data. Unlike on a Mac there is no Disk Arbitration that can simply be turned off at the command line. A software or hardware Write Block is a necessity if using a Windows PC to image a Mac in Target mode because of the potential issue with Boot Camp Windows partitions.

Best;

Paul

Posted February 08, 2011 at 12:09 PM

Marc Flores

Great article, thanks for sharing your insights. I've not tried out TIM, despite frequently using Tableau write blockers. May test it out and compare against other imaging tools.

Posted February 10, 2011 at 2:41 AM

Paul Henry

Marc;

I have seen a measurable performance benefit using TIM in every configuration I have used it in - it would be interesting to see a blog post that provides a comparison of FTK Imager and TIM using USB, Firewire and eSATA.

Best;

Paul

Posted February 27, 2011 at 6:29 PM

Hard Drive Recovery

Very, very comprehensive article. I have to say that I've seen a few articles on imaging kicking around, but nothing quite this comprehensive. Great images, as well.

Tableau does remain the imaging winner, as far as we're concerned. Still haven't found a better product.

Maureen
