When creating a forensically sound image of a suspect drive, care must be taken to ensure that the suspect evidence is not compromised. This is usually done through the use of a hardware write blocker connected to the drive. The write blocker allows information to be read from the suspect drive but will not allow the acquisition computer to write data to the drive, thus preventing the information from being compromised.
If you do not have access to a hardware write blocker and need to image a suspect drive, you can use MacForensicsLab's Disable Disk Arbitration option to disable writing to the drive.
The process to use MacForensicsLab to disable Disk Arbitration is as follows.
- Turn off Disk Arbitration from the File menu. You can verify that it is disabled by attempting to launch Disk Utility. If Disk Arbitration is disabled, Disk Utility will not launch.
- Plug in and power up the drive, or insert the media card.
- Go back to the File menu and select "Rescan Bus".
- Drive/media will now be visible within MacForensicsLab.
- Image drive with the Acquire function.
- Disconnect the drive BEFORE turning Disk Arbitration back on. Turn it back on the same way you turned it off.
MacForensicsLab highly recommends that a hardware write blocker be used when acquiring an image of a suspect drive.
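
For the procedure above, a command-line pre-acquisition check can supplement the Disk Utility test. This is an added example, not MacForensicsLab code: it reports whether the arbitration daemon is still running and whether any volume on the evidence disk is mounted, and whether that mount is writable. It assumes that turning Disk Arbitration off stops the macOS `diskarbitrationd` daemon; the function names, the `disk2` identifier and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MacForensicsLab code. Assumes that turning Disk Arbitration
# off stops the macOS diskarbitrationd daemon, so nothing auto-mounts the drive.

# da_running PS_TEXT: succeed if diskarbitrationd appears in a `ps -axo comm=` listing.
da_running() {
    printf '%s\n' "$1" | awk '
        { name = $0; sub(/.*\//, "", name); if (name == "diskarbitrationd") found = 1 }
        END { exit !found }'
}

# mounted_slices DISK MOUNT_TEXT: print `mount` lines for DISK or its slices
# (disk2, disk2s1, ... but not disk20s1).
mounted_slices() {
    printf '%s\n' "$2" | awk -v d="/dev/$1" '
        $1 == d || (index($1, d "s") == 1 && substr($1, length(d) + 2) ~ /^[0-9]/)'
}

# preflight DISK PS_TEXT MOUNT_TEXT
# Returns 0 = clear to acquire, 1 = daemon still running,
#         2 = evidence mounted read-only, 3 = evidence mounted read-write.
preflight() {
    if da_running "$2"; then
        echo "STOP: diskarbitrationd is running; the drive would be auto-mounted"; return 1
    fi
    hits=$(mounted_slices "$1" "$3")
    if [ -z "$hits" ]; then
        echo "OK: no volume on $1 is mounted"; return 0
    fi
    printf '%s\n' "$hits"
    if printf '%s\n' "$hits" | grep -qv 'read-only'; then
        echo "STOP: $1 has a writable mount; record this in the case notes"; return 3
    fi
    echo "WARN: $1 is mounted read-only"; return 2
}

# Constructed sample data (not captured from a real system).
SAMPLE_PS_ON='/sbin/launchd
/usr/libexec/diskarbitrationd
/usr/sbin/syslogd'
SAMPLE_PS_OFF='/sbin/launchd
/usr/sbin/syslogd'
SAMPLE_MOUNT='/dev/disk1s1 on / (apfs, local, read-only, journaled)
/dev/disk20s1 on /Volumes/Scratch (hfs, local, journaled)
/dev/disk2s1 on /Volumes/EVIDENCE (msdos, local, nodev, nosuid, noowners)'

# Live use on the acquisition Mac: sh preflight.sh --live disk2
if [ "${1:-}" = "--live" ]; then
    preflight "$2" "$(ps -axo comm=)" "$(mount)"
fi
```

Run the live check once after turning Disk Arbitration off and again after connecting the drive, before starting the Acquire function.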