
BlackBag Technologies, Inc. FireWire Target Disk Mode Guidelines

Copyright © 2008 BlackBag Technologies, Inc. All rights reserved. www.blackbagtech.com

Overview

This document is a guide for using the FireWire Target Disk Mode (TDM) in a forensically sound manner on Macintosh systems. For clarification purposes, the system we are copying data from is the Suspect System and the system we are copying the data to is the Acquisition System. Please read this entire set of guidelines before beginning.

The Suspect System must be started from the powered-off state; if the system you encounter is powered on, make sure you consider the implications of shutting down before completing the operation. When a Suspect System is booted into TDM, the firmware boot parameters are changed to make the internal drive on the Suspect System appear as an external drive to the Acquisition System via a FireWire bus connection. These changes take place at the firmware level before the Suspect System’s operating system starts up. TDM is not a permanent change and will not persist the next time the Suspect System is booted under normal conditions. If the Acquisition System is configured in a forensically sound manner, it will be able to see and read from the Suspect System drive over the FireWire connection without attempting to mount partitions, thus avoiding any writes or changes to the Suspect System.

Warning

It should be noted that setting up a forensically sound Acquisition System and using TDM does not guarantee that attempts to write to a Suspect System will be stopped, as a physical write-blocking device would do. The user must not attempt any commands that may change data on the Suspect System. By setting up a forensically sound Mac OS X Acquisition System, the automatic behavior of Mac OS X to mount partitions is disabled. Carelessness or confusion about the Systems can result in data changes on the Suspect System. Make sure you understand these distinctions and practice on non-evidence systems before attempting data transfer on a real Suspect System.


Guideline 1

1. Confirm the Acquisition System is correctly configured as a forensically sound system.

Indicators of sound configuration:
• DiskArbitration is set to “off” (10.3 – Panther)
• AutoDiskMounting is set to “off” (10.2 – Jaguar)

1. Confirm you have power connected to both systems, especially if they are Notebooks.

Guideline 2

1. Boot (power on) the Suspect System while holding down the “Option” key. Continue pressing the “Option” key until you see the drive icon(s). Be patient and continue pressing the “Option” key until you see either of the following screens:

This screen indicates that a firmware password is NOT enabled.

This screen indicates that a firmware password IS enabled.

1. If a firmware password IS enabled, you will need to consider resetting the password or physically removing the drive before proceeding.

If you see this screen, you have just written to the suspect drive – power off immediately using the actual “power” button.


2. Once confirmed that a firmware password is NOT enabled, power off the Suspect System using the actual “power” button. Note: you may need to press the button for a couple of seconds.

Guideline 3

1. Verify there is no Open Firmware password (see Guideline 2).

2. Use a FireWire cable to connect the Suspect and Acquisition Systems. Note: both systems should be “off” (powered down).

3. Boot (power on) the Suspect System while pressing the “T” key. It may take up to, or more than, 30 seconds to see the blue screen. Be patient and continue pressing the “T” key.

A blue screen with the yellow FireWire symbol should appear, signaling the system is in FireWire Target Disk Mode (TDM).

Guideline 4

1. Boot (power on) the Acquisition System (DiskArbitration/AutoDiskMounting – OFF per Guideline 1). Note: if the volumes mount on the desktop, you have just written to the Suspect System. Unmount / Eject the volume(s) that mounted by first selecting the volume, then pressing the “Command” (⌘) and the “E” keys at the same time. Once the icon disappears, Shutdown via the Menu Bar by selecting the Apple icon, then selecting Shutdown. Return to Guideline 1.

2. Identify the FireWire Target System. To identify the system:
• Launch Terminal and enter the following command: ioreg -c "IOMedia"
• Look for FireWire Target Media.
• Proceed with imaging/read-only mounting of the desired volume(s), etc.
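The identification step above, as an added pre-acquisition check (example code, not BlackBag's own): it parses `ioreg -c IOMedia` output to find the "FireWire Target Media" node and its BSD name, then refuses to proceed if any slice of that disk is already in the mount table, since a mounted suspect volume means the Acquisition System has written to it. The ioreg and mount texts, and the function names, are constructed assumptions for running offline.

```shell
# Pre-acquisition check for a TDM session (added example, not BlackBag's code).
# Extracts the BSD name of the "FireWire Target Media" node from ioreg output
# and confirms nothing on that disk is mounted before imaging begins.
# SAMPLE_IOREG and SAMPLE_MOUNT_* are CONSTRUCTED; on a live Acquisition System
# pass "$(ioreg -c IOMedia)" and "$(mount)" instead.

SAMPLE_IOREG='+-o APPLE SSD Media  <class IOMedia, id 0x100000200, registered, matched, active, busy 0 (0 ms), retain 9>
    {
      "BSD Name" = "disk0"
    }
+-o FireWire Target Media  <class IOMedia, id 0x100000300, registered, matched, active, busy 0 (0 ms), retain 8>
    {
      "BSD Name" = "disk1"
    }
+-o Macintosh HD@2  <class IOMedia, id 0x100000301, registered, matched, active, busy 0 (0 ms), retain 6>
    {
      "BSD Name" = "disk1s2"
    }'
# Constructed mount tables: a clean Acquisition System, and one where the
# suspect volume was mounted by mistake (a write to the Suspect System).
SAMPLE_MOUNT_CLEAN='/dev/disk0s2 on / (hfs, local, journaled)'
SAMPLE_MOUNT_BAD='/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk1s2 on /Volumes/Macintosh HD (hfs, local, journaled)'

# find_target_disk IOREG_TEXT: print the BSD name (e.g. disk1) of the
# FireWire Target Media node; status 1 if no such node exists.
find_target_disk() {
    printf '%s\n' "$1" | awk '
        /[+]-o / { in_target = ($0 ~ /FireWire Target Media/) }
        in_target && /"BSD Name" = "/ {
            sub(/.*"BSD Name" = "/, ""); sub(/".*/, ""); print; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }'
}

# target_is_unmounted MOUNT_TEXT DISK: status 0 when neither DISK nor any of
# its slices (DISKsN) appears in the mount table, 1 otherwise.
target_is_unmounted() {
    ! printf '%s\n' "$1" | grep -q "^/dev/$2\(s[0-9]*\)* on "
}

# preflight IOREG_TEXT MOUNT_TEXT: print the disk that is safe to image, or
# refuse with a message on stderr (status 1: no target, 2: target mounted).
preflight() {
    disk=$(find_target_disk "$1") || { echo 'no FireWire Target Media found' >&2; return 1; }
    target_is_unmounted "$2" "$disk" || { echo "STOP: $disk is mounted; return to Guideline 4" >&2; return 2; }
    echo "$disk"
}
```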

Guideline 5

1. When imaging/mounting is complete, shut down the systems in reverse order.

To shut down the systems:
• Shut down the Acquisition System first (via the Menu Bar: select the Apple icon, then select Shutdown).
• Turn off (power down) the Suspect System using the actual “power” button.

For more information, refer to the following Apple website: http://docs.info.apple.com/article.html?artnum=58583