Re: [sleuthkit-users] Basic methods for imaging OS X hard drive
From: RB <ao...@gm...> - 2008-09-24 20:55:26
> What is the best way to image the drive on the MacBook?

Same as about any drive nowadays - dd or one of its variants.

> I do have FileSalvage from SubRosaSoft. I do not have any
> write-blocked firewire tool like the Wiebetech device. I want to be
> able to defend that I did not change anything on the drive.

A hardware write-blocker certainly increases your defensibility, but does not preclude challenges. As long as you use an industry-accepted tool and follow proper procedure, you'll usually have prior art on your side. Do remember 'dd' and its variants are power tools and will just as readily erase your evidence drive as image it.

All that said, I see that even in the 3.x beta branch sleuthkit still has its HFS support turned off - unless you manually change the source and re-compile you won't be able to analyze the image. OS X uses case-insensitive HFS+ as its default filesystem.

RB