FTK Imager for Mac
Forensic Toolkit (FTK) Imager is a simple but concise tool. It saves an image of a hard disk in one file or in segments that can be reconstructed later.
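A segmented image only reconstructs to the original disk if every segment is present and read in order. The following is an added example, not code from the original post or from the tool's vendor: it streams a segmented raw (dd) image through MD5 and SHA-1 so the result can be compared with the hash recorded at acquisition. The `.001`, `.002` segment naming and all function names are assumptions of the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3,})$")  # assumed naming: base.001, base.002, ...

def ordered_segments(first_segment):
    """Return every segment of the set in numeric order; refuse a set with gaps."""
    first = Path(first_segment)
    m = SEGMENT_RE.match(first.name)
    if not m:
        raise ValueError("expected a segment name such as image.001")
    found = {}
    for entry in first.parent.iterdir():
        s = SEGMENT_RE.match(entry.name)
        if s and s.group("base") == m.group("base"):
            found[int(s.group("num"))] = entry
    # Numeric sort matters once a set passes .999 (".1000" sorts before ".101" as text).
    missing = sorted(set(range(1, max(found, default=0) + 1)) - set(found))
    if not found or missing:
        raise FileNotFoundError(f"incomplete segment set, missing: {missing}")
    return [found[n] for n in sorted(found)]

def hash_segments(paths, chunk_size=1 << 20):
    """Hash the segments as one continuous byte stream, without reassembling on disk."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                for d in digests.values():
                    d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def verify_image(first_segment, expected):
    """Compare against acquisition hashes, e.g. {"sha1": "..."}; at least one is required."""
    if not expected:
        raise ValueError("no acquisition hash supplied")
    result = hash_segments(ordered_segments(first_segment))
    result["match"] = all(result[alg] == want.lower() for alg, want in expected.items())
    return result

def demo():
    """Constructed sample: a 10-byte stand-in for a disk, split into three segments."""
    data = b"0123456789"
    with tempfile.TemporaryDirectory() as d:
        for i, part in enumerate((data[:4], data[4:8], data[8:]), start=1):
            Path(d, f"evidence.{i:03d}").write_bytes(part)
        return verify_image(Path(d, "evidence.001"), {"sha1": hashlib.sha1(data).hexdigest()})
```

A missing middle segment raises an error instead of silently producing a hash of a shorter stream, which would otherwise look like evidence tampering or a bad acquisition.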
Can a Mac hard drive be easily removed for imaging with a forensic hardware imager?

It is really a matter of personal opinion. Macs are an engineering marvel; just ask anyone who has had to remove a hard drive from a Mac for forensic imaging and then tried to put it back together properly. Depending on the model of the desktop, with a set of (Figure 1) in hand, it could be as simple as removing a few screws to open the case to gain access to the hard drive.
However, some of the desktops require removing the glass panel with a (Figure 2), then removing the LCD assembly before access can be had to the hard drive.

[Figure 1] [Figure 2]

Older Mac laptops permitted access to the hard drive by first removing the battery and then a few screws in the battery compartment.
Today's Unibody laptops, like the MacBook and MacBook Pro, have a removable rear panel that allows access to both the battery and hard drive. There are several to remove the hard drive from both Mac desktops and laptops available on the Internet. In my practice, with most Mac imaging jobs it can be as little as 15 minutes to half an hour to gain access to the hard drive and another 15 minutes to half an hour to get it back together. So yes, it can be done as long as you have the tools and are patient, careful, slow and methodical, carefully organizing each screw you remove so that it goes back in the right place, as they can be of different specific lengths.
However, there is an easier and, in my view, perhaps lower-risk alternative to opening the case and removing the hard drive on a Mac: use a Firewire write block in Target Mode.

Tableau T9 Firewire Write Block

I regularly use the Fire write block (Figure 3) for my Mac imaging jobs and either a Windows or Mac host with the respective forensic imaging software to then create the image. When imaging with a Windows machine as the host I use the free (Figure 4) as, simply put, no other imaging software can match its speed, as it is optimized to work with their write block product family. When using a Mac as the host for imaging I use (Figure 5).

[Figure 3] [Figure 4] [Figure 5]

What is Target Mode?
A Mac booted in Target Mode (holding down the 'T' key on power on) can be attached to the Firewire port of any other host computer (Mac or PC), where it will simply appear as an external FireWire device. The hard drive within the target Mac can be imaged, formatted, partitioned, etc., exactly like any other external FireWire drive. One caveat: only the master drive (no slave drives) will be made available when operating in Target Mode.

Posted February 3, 2011 at 2:04 AM Paul Henry

Joe; Thanks - Nothing can match the capability for imaging and mounting found today within the current version of FTK Imager, but I have really been impressed with the sheer speed of TIM; with its support for SMP and its optimization for the block size of the Tableau write blocks, the performance it provides vs other imaging software is clearly evident.
When I just need raw speed and simply don't need the features of FTK I go with TIM - this is not to say TIM is a lightweight on features either, as it does support both E01 (yes, even compressed) and dd, as well as handling both HPA and DCO.

Posted February 3, 2011 at 1:43 AM Paul Henry

Peter; Read your post, nice work! I have been down the same road with boot CDs on Macs and while yes, I was successful with Raptor, I moved to Target mode to both eliminate the 'potential' issue and to take advantage of the speed of firewire vs USB when writing the image. In my practice I try to first go with the process that affords the least chance of altering data, then second the method that works fastest. Target mode with a write block like the T9 eliminates the risk of any fat finger issues and works reasonably fast.

Posted February 3, 2011 at 1:33 AM Paul Henry

Matt; Imaging with a boot CD such as Helix has not always worked for me on Apple products - it seems to be a roll of the dice.
I have been successful with the Raptor boot CD imaging to a USB drive. That being said, I have not had a single acquisition that I started with Target mode that I could not complete successfully in a reasonable time, so for now that is my first choice. BTW - I also like F-Response when working with products like the MacBook Air, as there is no Firewire port available.
Posted February 10, 2011 at 2:38 AM Paul Henry

Greg; About midway through the article I do have a paragraph on it - unfortunately the MacBook Pro in the example is my personal laptop and I run Fusion, not BootCamp, so no picture of anything BootCamp related was possible for this post - from the blog post:

Using Windows as the host - Boot Camp considerations

If Windows was installed on the Mac in a Bootcamp partition that you will be imaging, when you connect the Windows PC to the Mac it will automatically make changes as it mounts it, altering data. Unlike on a Mac, there is no Disk Arbitration that can simply be turned off at the command line. A software or hardware Write Block is a necessity if using a Windows PC to image a Mac in Target mode because of the potential issue with Boot Camp Windows partitions.